[Security] channel bindings

Eric Rescorla ekr at rtfm.com
Wed Feb 11 09:06:44 CST 2009


On Wed, Feb 11, 2009 at 4:37 AM, Dave Cridland <dave at cridland.net> wrote:
> This is the trick - you have a shared secret, agreed between the endpoints,
> in such a way that the MITM cannot know it.
>
> DIGEST-MD5 will prove that the endpoints which exchanged the shared secret
> are the same as the endpoints of the authentication.
>
> SCRAM - because it does Channel Binding - proves that *and* that the
> endpoints of the secure channel are also the same - this prevents there
> being a passive MITM.
>
> In a sense, this is all about ensuring that one channel has the security
> properties of another.
>
> I'm suggesting using SCRAM here a lot rather than making our own, primarily
> because making our own seems significantly more prone to error, and I'm
> anticipating that SCRAM will end up being a popular choice for a password
> mechanism on server and client alike anyway.

It's worth observing that if you're really going to standardize on one
new password-based mechanism, it would be more efficient to simply use
TLS-PSK or TLS-SRP. The rationale for channel bindings is to retain some
existing application level auth infrastructure.

-Ekr
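
The channel-binding property discussed in this thread, as an added example that is not part of either message: a Python sketch following the SCRAM-SHA-1 message layout as later published in RFC 5802, with a `tls-unique` binding. All function names, the password, salt, nonces and the 12-byte channel values are constructed for illustration.

```python
import base64, hashlib, hmac

GS2 = b"p=tls-unique,,"  # gs2 header: client asserts a tls-unique binding

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keys(password, salt, iters):
    salted = hashlib.pbkdf2_hmac("sha1", password, salt, iters)  # Hi()
    client_key = mac(salted, b"Client Key")
    return client_key, hashlib.sha1(client_key).digest()  # (ClientKey, StoredKey)

def cbind(tls_unique):
    return b"c=" + base64.b64encode(GS2 + tls_unique)

def client_final(client_key, stored_key, first_bare, server_first, nonce, tls_unique):
    without_proof = cbind(tls_unique) + b",r=" + nonce
    auth_msg = b",".join([first_bare, server_first, without_proof])
    proof = xor(client_key, mac(stored_key, auth_msg))  # ClientKey XOR ClientSignature
    return without_proof + b",p=" + base64.b64encode(proof)

def server_verify(stored_key, first_bare, server_first, final_msg, tls_unique):
    without_proof, _, proof = final_msg.rpartition(b",p=")
    c_attr = without_proof.split(b",", 1)[0]
    if not hmac.compare_digest(c_attr, cbind(tls_unique)):
        return False  # client saw a different TLS channel than the server did
    auth_msg = b",".join([first_bare, server_first, without_proof])
    client_key = xor(base64.b64decode(proof), mac(stored_key, auth_msg))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)

def demo():
    # Every value below is constructed sample data.
    salt, nonce = b"constructed-salt", b"cnoncesnonce"
    ck, sk = keys(b"pencil", salt, 4096)
    first_bare = b"n=user,r=cnonce"
    server_first = b"r=" + nonce + b",s=" + base64.b64encode(salt) + b",i=4096"
    direct, leg_a, leg_b = b"\x01" * 12, b"\x02" * 12, b"\x03" * 12
    args = (sk, first_bare, server_first)
    ok = server_verify(*args, client_final(ck, *args, nonce, direct), direct)
    # Two TLS legs with different tls-unique values: the c= attribute mismatches.
    relayed = server_verify(*args, client_final(ck, *args, nonce, leg_a), leg_b)
    # c= rewritten to the server-side leg: the proof no longer covers AuthMessage.
    msg = client_final(ck, *args, nonce, leg_a)
    forged = cbind(leg_b) + msg[len(cbind(leg_a)):]
    rewritten = server_verify(*args, forged, leg_b)
    return ok, relayed, rewritten
```

`demo()` returns one result per case: the direct connection verifies, while both the relayed message and the one with a rewritten `c=` attribute are rejected.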

