Re: [Cfrg] ´ð¸´: Re: ´ð¸´: Re: [saag] New draft: Ha shed Password Exchange
"Dan Harkins" <dharkins@lounge.org> Thu, 02 February 2012 18:46 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 944C321F861F; Thu, 2 Feb 2012 10:46:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.945
X-Spam-Level:
X-Spam-Status: No, score=-3.945 tagged_above=-999 required=5 tests=[AWL=-1.269, BAYES_05=-1.11, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_23=0.6, J_CHICKENPOX_44=0.6, J_CHICKENPOX_48=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w8-mp-yfWG20; Thu, 2 Feb 2012 10:46:34 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 8E63821F85AF; Thu, 2 Feb 2012 10:46:34 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id BDB18A88810C; Thu, 2 Feb 2012 10:46:33 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Thu, 2 Feb 2012 10:46:33 -0800 (PST)
Message-ID: <e598972c439562298e33614b230b1896.squirrel@www.trepanning.net>
In-Reply-To: <OF4B334631.C715AF00-ON48257998.0007373A-48257998.00078BA6@zte.com.cn>
References: <OF4B334631.C715AF00-ON48257998.0007373A-48257998.00078BA6@zte.com.cn>
Date: Thu, 02 Feb 2012 10:46:33 -0800
From: Dan Harkins <dharkins@lounge.org>
To: zhou.sujing@zte.com.cn
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, cfrg-bounces@irtf.org
Subject: Re: [Cfrg] ´ð¸´: Re: ´ð¸´: Re: [saag] New draft: Ha shed Password Exchange
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2012 18:46:35 -0000
The issue is that hashing a password doesn't make it "random" (while it might make it "long"). So no, an ordinary hash is not enough. As I suggested, I think a non-secret salt exchanged in the protocol can be used as a key to a HMAC and the password can be included in the data to be HMAC'd. Dan. On Wed, February 1, 2012 5:22 pm, zhou.sujing@zte.com.cn wrote: > Well£¬ it is the requirement of the HMAC for key being long and random. > Then in the case of the draft, ordinary hash is enough I guess? > > > Regards~~~ > > > cfrg-bounces@irtf.org дÓÚ 2012-02-01 23:49:13: > >> My take on this is: if you believe that a hash-function is a good >> randomizer and can be used in cryptographic key generation process ¨C >> then it does not matter whether what you feed as a "key" input to >> HMAC is uniformly distributed or not (because of HMAC internal "hash >> spins"). And if you are uneasy on how really random your hash output >> is ¨C then a lot of the currently used mechanisms and primitives need >> revisiting. >> -- >> Regards, >> Uri Blumenthal Voice: (781) 981-1638 >> Cyber Systems and Technology Fax: (781) 981-0186 >> MIT Lincoln Laboratory >> >> From: "zhou.sujing@zte.com.cn" <zhou.sujing@zte.com.cn> >> Date: Wed, 1 Feb 2012 03:13:07 -0500 >> To: Dan Harkins <dharkins@lounge.org> >> Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Steven Bellovin > <smb@cs.columbia.edu> >> Subject: [Cfrg] ´ð¸´: Re: [saag] New draft: Hashed Password Exchange >> >> >> Hi,all >> >> cfrg-bounces@irtf.org дÓÚ 2012-01-07 17:03:25: >> >> > >> > >> > On Wed, January 4, 2012 2:56 pm, Steven Bellovin wrote: >> > > Good point; let me think about it for -01. An obvious solution is > to send >> > > the hostname with the effective password. >> > >> > How is that different than using random salt then? If _something_ >> is >> > going to be sent shouldn't it be a uniformly random bitstring instead > of >> > a hostname? >> > >> > A uniformly random bitstring would be more appropriate as a key to >> > HMAC than a highly structured string like a password too. Iterate >> > HMAC(salt, password | service-URI) instead of HMAC(password, > service-URI). >> >> >> >> I think Dan's suggestion is reasonable, I checked the RFC 2104 and >> found the following section : >> >> "3. Keys >> >> The key for HMAC can be of any length (keys longer than B bytes are >> first hashed using H). However, less than L bytes is strongly >> discouraged as it would decrease the security strength of the >> function. Keys longer than L bytes are acceptable but the extra >> length would not significantly increase the function strength. (A >> longer key may be advisable if the randomness of the key is >> considered weak.) >> >> Keys need to be chosen at random (or using a cryptographically >> strong >> pseudo-random generator seeded with a random seed), and periodically >> refreshed. (Current attacks do not indicate a specific recommended >> frequency for key changes as these attacks are practically >> infeasible. However, periodic key refreshment is a fundamental >> security practice that helps against potential weaknesses of the >> function and keys, and limits the damage of an exposed key.)" >> >> >> Since passwords are often not too long, and not so random, it is better >> to hash it before using it as a key in a HMAC. >> >> >> Regards~~~ >> >> -Sujing Zhou >> > >> > That said, goal 4 in the draft-- "By iterating a sufficient number > of >> > times, dictionary attacks can be made arbitrarily expensive"-- seems >> a >> > bit misguided. The Amazon cloud service has been used to launch an >> > off-line dictionary attack against the WPA-PSK protocol which uses > PBKDF2 >> > (HMAC-SHA1) with 4096 iterations to obfuscate a password. This attack >> > checks 24,000,000 candidate passwords per minute at a cost of $0.28. >> > That's more than 1,600,000,000 iterations per second for about 1/2 a > cent. >> > So I don't think increased iteration makes dictionary attacks much > more >> > expensive. >> > >> > Which begs the question, how is this proposal different than >> PBKDF2? >> > That the "salt" is a service URI? >> > >> > regards, >> > >> > Dan. >> > >> > > On Jan 4, 2012, at 5:21 01PM, Joe Touch wrote: >> > > >> > >> Hi, Steve, >> > >> >> > >> This doc doesn't appear to address the case where a host has > multiple >> > >> DNS names, which could make it difficult to incorporate the > hostname >> > >> into the transform. I.e., I could contact a mail server at an IP > address >> > >> that represents any of dozens of DNS names - how does the server > know >> > >> which one I used so it can match without exhaustively trying all > its >> > >> equivalent names? >> > >> >> > >> Joe >> > >> >> > >> On 1/4/2012 1:41 PM, Steven Bellovin wrote: >> > >>> I'd appreciate comments on my new draft, > draft-bellovin-hpw-00.txt: >> > >>> >> > >>> Abstract >> > >>> >> > >>> Many systems (e.g., cryptographic protocols relying on > symmetric >> > >>> cryptography) require that plaintext passwords be stored. Given > how >> > >>> often people reuse passwords on different systems, this poses a > very >> > >>> serious risk if a single machine is compromised. We propose a >> > >>> scheme >> > >>> to derive passwords limited to a single machine from a typed >> > >>> password, and explain how a protocol definition can specify > this >> > >>> scheme. >> > >>> >> > >>> >> > >>> --Steve Bellovin, https://www.cs.columbia.edu/~smb >> > >>> >> > >>> >> > >>> >> > >>> >> > >>> >> > >>> _______________________________________________ >> > >>> saag mailing list >> > >>> saag@ietf.org >> > >>> https://www.ietf.org/mailman/listinfo/saag >> > >> >> > > >> > > >> > > --Steve Bellovin, https://www.cs.columbia.edu/~smb >> > > >> > > >> > > >> > > >> > > >> > > _______________________________________________ >> > > saag mailing list >> > > saag@ietf.org >> > > https://www.ietf.org/mailman/listinfo/saag >> > > >> > >> > >> > _______________________________________________ >> > Cfrg mailing list >> > Cfrg@irtf.org >> > http://www.irtf.org/mailman/listinfo/cfrg >> > [¸½¼þ "smime.p7s" ±» ÖÜËÕ¾²00132831/user/zte_ltd ɾ³ý] >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> http://www.irtf.org/mailman/listinfo/cfrg > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] New draft: Hashed Password Exchange Steven Bellovin
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Steven Bellovin
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Steven Bellovin
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Yaron Sheffer
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Dan Harkins
- [Cfrg] 答复: Re: [saag] New draft: Hashed Password … zhou.sujing
- [Cfrg] 答复: Re: [saag] New draft: Hashed Password … zhou.sujing
- Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Passw… Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Passw… Rose, Greg
- Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Passw… Blumenthal, Uri - 0668 - MITLL
- [Cfrg] 答复: Re: 答复: Re: [saag] New draft: Hashed P… zhou.sujing
- Re: [Cfrg] ´ð¸´: Re: ´ð¸´: Re: [saag] New draft: … Dan Harkins
- Re: [Cfrg] ´ð¸´: Re: ´ð¸´: Re: [saag] New draft: … Steven Bellovin
- Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Passw… Igoe, Kevin M.
- Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Passw… Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] ´ð¸´: Re: ´ð¸´: Re: [saag] New draft: … Henry B. Hotz
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Yaron Sheffer
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Steven Bellovin
- [Cfrg] 答复: Re: ´ð¸´: Re: ´ð¸´: Re: [saag] New dra… zhou.sujing
- Re: [Cfrg] 答复: Re: ´ð¸´: Re: ´ð¸´: Re: [saag] New… Steven Bellovin
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Steven Bellovin