[Cfrg] [requesting suggestions] password hashing for PAKE

Yutaka OIWA <y.oiwa@aist.go.jp> Wed, 05 March 2014 17:11 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/IDtFGVbo-sTtaSsx6G7ZZUxdYDs

Dear all on the CFRG mailing list,

I would like to have some suggestions about the use of a strengthened
password hash for the PAKE family of protocols in reality.

As you know (better than me), a "password" in cryptographic primitives
is just an element of some group, usually an integer element in a cyclic group.
In the real world, a "password" is just an octet string of unlimited, unfixed
length. So we need to convert the latter to the former.

We assume, hereafter, that we use a 256-bit hash and some cyclic group Z/rZ
generated by a 2047-bit prime r as the target group.

The simple way of doing that conversion is to apply an existing hash function.
To prevent off-line attacks from credentials stolen from server-side storage,
we suggested the use of some existing password-strengthening hashes
such as PBKDF2 (RFC 2898), and are preparing to do so.
The usual hash produces an integer in [0, 2^256 - 1], and
PBKDF2 can produce some larger output like one in [0, 2^1792 - 1], but
what we want most is an integer uniformly distributed in the range [0, r - 1].
(PBKDF2's output length is limited to a multiple of that of the base
hash function.)
So, which do you think is the best tactic among those below?

 1) PAKE allows non-uniform distribution of passwords, so
    just having 256 bits is fine.
 2) It's better to go as long as possible with existing functions, so
    have 1792 bits.
 3) We may introduce a small trick to PBKDF2 to produce 2046 bits (the
    best integer).
 4) We should implement SOMETHING which will produce the best [0, r-1] range.

Especially for 4), do you have some suggestions for doing that?
Do you also have some recommendations for better alternatives other
than PBKDF2 for use with IETF experimental (or standard-track) documents?

Thanks a lot,

-- 
Yutaka OIWA, Ph.D.                 Leader, System Life-cycle Research Group
                               Research Institute for Secure Systems (RISEC)
     National Institute of Advanced Industrial Science and Technology (AIST)
                       Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
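
Added example, not part of the original message and not the author's proposal: one common way to approach option 4) is to stretch the password once with PBKDF2, expand the 256-bit result with HKDF-Expand (RFC 5869) to bitlen(r) + 128 bits, and reduce mod r. The modulus R_DEMO, the function names, the 128-bit margin, the iteration count and the info label are all assumptions made for illustration.

```python
import hashlib
import hmac
from fractions import Fraction

# Constructed stand-in with the 2047-bit size from the message. It is NOT a
# vetted prime; the mapping below depends only on the size of r.
R_DEMO = (3 << 2045) | 1
EXTRA_BITS = 128  # assumed margin: the reduction bias stays below 2^-128


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA-256."""
    if length > 255 * 32:
        raise ValueError("requested output too long for HKDF-Expand")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def password_to_scalar(password: bytes, salt: bytes, r: int,
                       iterations: int = 100_000) -> int:
    """Map an octet-string password to an integer in [0, r-1]."""
    # One PBKDF2 block carries the work factor; asking PBKDF2 itself for
    # more blocks would multiply the cost of every legitimate login.
    stretched = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    nbytes = (r.bit_length() + EXTRA_BITS + 7) // 8
    wide = hkdf_expand(stretched, b"pake-scalar-demo", nbytes)  # hypothetical label
    # The result is near-uniform only in the computational sense: it never
    # holds more entropy than the password (and at most 256 bits).
    return int.from_bytes(wide, "big") % r


def reduction_bias(r: int, nbits: int) -> Fraction:
    """Exact statistical distance from uniform of (uniform nbits-bit int) mod r."""
    rem = (1 << nbits) % r
    return Fraction(rem * (r - rem), r << nbits)


if __name__ == "__main__":
    x = password_to_scalar(b"constructed sample password", b"constructed salt", R_DEMO)
    print(x.bit_length(), float(reduction_bias(R_DEMO, 2047)))
```

For this constructed modulus, reducing exactly 2047 pseudorandom bits mod r leaves a statistical distance of about 1/6 from uniform, while the widened input brings it below 2^-128.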