Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Password Exchange

"Igoe, Kevin M." <kmigoe@nsa.gov> Fri, 03 February 2012 14:08 UTC

From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>, <cfrg@irtf.org>

Applying a function to a random variable can never increase its
entropy.  See chapter 2 of Cover & Thomas' "Elements of Information
Theory", exercise 5, which shows that for any function g and random
variable X in the domain of g,

	H( g(X) ) <= H(X) 

(where H(Z) = the entropy of a random variable Z).
 
In our case g is a hash function, X is the original password and 
g(X) is the hash of the password. Then a hashed password cannot
have more entropy than the original password and may in fact 
have less entropy.


> -----Original Message-----
> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of
> Blumenthal, Uri - 0668 - MITLL
> Sent: Wednesday, February 01, 2012 4:46 PM
> To: cfrg@irtf.org
> Subject: Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Password
> Exchange
> 
> On 2/1/12 12:11 , "Rose, Greg" <ggr@qualcomm.com> wrote:
> 
> >On 2012 Feb 1, at 0:13 , <zhou.sujing@zte.com.cn>
> ><zhou.sujing@zte.com.cn> wrote:
> >> Since passwords are often not too long, and not so random, it is better
> >> to hash it before using it as a key in a HMAC.
> >
> >I'm afraid this is a fallacy. While it will be longer, and will look
> >random, there is exactly the same (lack of) entropy in a hashed weak
> >password as there is in the original password. It's still vulnerable to
> >password search, although with a slightly increased workload due to the
> >(single) extra hash invocation.
> 
> Concur 100%.
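
The inequality H( g(X) ) <= H(X) discussed in this thread, worked numerically as an added example that is not part of the original messages. The password distribution and the 1-bit truncated hash are constructed for illustration. SHA-256 stands in for the hash g.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample distribution over passwords (probabilities sum to 1).
PASSWORDS = {
    "123456": 0.40,
    "password": 0.25,
    "qwerty": 0.15,
    "letmein": 0.10,
    "dragon": 0.05,
    "monkey": 0.03,
    "hunter2": 0.02,
}

def entropy(dist):
    """Shannon entropy in bits of a {outcome: probability} mapping."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def pushforward(dist, g):
    """Distribution of g(X): inputs that collide under g pool their probability."""
    out = defaultdict(float)
    for x, p in dist.items():
        out[g(x)] += p
    return dict(out)

def sha256_full(pw):
    """g = SHA-256: a 256-bit output, injective on this small sample."""
    return hashlib.sha256(pw.encode()).digest()

def sha256_1bit(pw):
    """g = lowest bit of the first digest byte: collisions are guaranteed here."""
    return hashlib.sha256(pw.encode()).digest()[0] & 1

def report():
    """Return (H(X), H(SHA-256(X)), H(1-bit hash of X)) in bits."""
    h_x = entropy(PASSWORDS)
    h_full = entropy(pushforward(PASSWORDS, sha256_full))
    h_small = entropy(pushforward(PASSWORDS, sha256_1bit))
    return h_x, h_full, h_small

if __name__ == "__main__":
    h_x, h_full, h_small = report()
    print(f"H(X)                  = {h_x:.4f} bits")
    print(f"H(SHA-256(X))         = {h_full:.4f} bits (output is 256 bits long)")
    print(f"H(1-bit hash of X)    = {h_small:.4f} bits")
```

The full digest is 256 bits long yet carries only the entropy of the password distribution. The truncated hash shows the strict case, where collisions merge outcomes and entropy drops.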