Re: [Cfrg] Reply: Re: [saag] New draft: Hashed Password Exchange

"Rose, Greg" <ggr@qualcomm.com> Wed, 01 February 2012 17:11 UTC

From: "Rose, Greg" <ggr@qualcomm.com>
To: "<zhou.sujing@zte.com.cn> <zhou.sujing@zte.com.cn>" <zhou.sujing@zte.com.cn>
Cc: "Rose, Greg" <ggr@qualcomm.com>, "cfrg@irtf.org" <cfrg@irtf.org>

On 2012 Feb 1, at 0:13 , <zhou.sujing@zte.com.cn>
<zhou.sujing@zte.com.cn> wrote:
> Since passwords are often not too long, and not so random, it is better 
> to hash it before using it as a key in a HMAC. 

I'm afraid this is a fallacy. While it will be longer, and will look random, there is exactly the same (lack of) entropy in a hashed weak password as there is in the original password. It's still vulnerable to password search, although with a slightly increased workload due to the (single) extra hash invocation.

Greg.
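
The point made in this reply, as an added example that is not part of the original message: hashing a password once before using it as an HMAC key changes the key's length but not the number of keys reachable from a set of likely passwords, so a search takes the same number of guesses. The candidate list, the challenge string and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed candidate list standing in for a set of likely passwords.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "dragon", "monkey"]

def raw_key(password: str) -> bytes:
    """Password bytes used directly as the HMAC key."""
    return password.encode()

def hashed_key(password: str) -> bytes:
    """Password hashed once before use as the HMAC key (the quoted proposal)."""
    return hashlib.sha256(password.encode()).digest()

def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag an eavesdropper would observe on the wire."""
    return hmac.new(key, message, hashlib.sha256).digest()

def search(observed: bytes, message: bytes, derive, candidates):
    """Return (password, guesses) for the first candidate whose tag matches."""
    for guesses, cand in enumerate(candidates, start=1):
        if hmac.compare_digest(tag(derive(cand), message), observed):
            return cand, guesses
    return None, len(candidates)

def distinct_keys(derive, candidates) -> int:
    """Number of keys actually reachable from the candidate set."""
    return len({derive(c) for c in candidates})

def compare(password: str, message: bytes = b"constructed-challenge"):
    """For each derivation: (recovered password, guesses, reachable keys, key bytes)."""
    results = {}
    for name, derive in (("raw", raw_key), ("hashed", hashed_key)):
        observed = tag(derive(password), message)
        found, guesses = search(observed, message, derive, CANDIDATES)
        results[name] = (found, guesses,
                         distinct_keys(derive, CANDIDATES),
                         len(derive(password)))
    return results

if __name__ == "__main__":
    for name, row in compare("dragon").items():
        print(name, row)
```

Only the last field differs between the two rows: the hashed key is 32 bytes long, while the guess count and the reachable key space are identical, and the hashed variant costs one extra SHA-256 call per guess.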