Re: [Cfrg] [requesting suggestions] password hashing for PAKE
Douglas Stebila <stebila@qut.edu.au> Thu, 06 March 2014 07:38 UTC
Return-Path: <stebila@qut.edu.au>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1F701A0103 for <cfrg@ietfa.amsl.com>; Wed, 5 Mar 2014 23:38:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.744
X-Spam-Level:
X-Spam-Status: No, score=-1.744 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GcWl5gxnnsei for <cfrg@ietfa.amsl.com>; Wed, 5 Mar 2014 23:38:35 -0800 (PST)
Received: from QUTEXEDGE06.qut.edu.au (qutexedge06.qut.edu.au [131.181.191.23]) by ietfa.amsl.com (Postfix) with ESMTP id BF3811A0101 for <cfrg@irtf.org>; Wed, 5 Mar 2014 23:38:33 -0800 (PST)
Received: from EX10HT01.qut.edu.au (131.181.107.232) by QUTEXEDGE06.qut.edu.au (131.181.191.23) with Microsoft SMTP Server (TLS) id 8.3.279.5; Thu, 6 Mar 2014 17:38:28 +1000
Received: from EX10MB6.qut.edu.au ([169.254.8.72]) by EX10HT01.qut.edu.au ([131.181.107.232]) with mapi id 14.03.0158.001; Thu, 6 Mar 2014 17:38:28 +1000
From: Douglas Stebila <stebila@qut.edu.au>
To: Yutaka OIWA <y.oiwa@aist.go.jp>
Thread-Topic: [Cfrg] [requesting suggestions] password hashing for PAKE
Thread-Index: AQHPOJYLQjINuzE2s0iqo2Lbt3G5SprTBTqA
Date: Thu, 06 Mar 2014 07:38:28 +0000
Message-ID: <7A208E69-61AB-4243-9402-C072A097D73B@qut.edu.au>
References: <CAMeZVwu_g_h5LN1be=c3PS-Yjfhp=U6e5LvZ7tFEGtF15jO=BQ@mail.gmail.com>
In-Reply-To: <CAMeZVwu_g_h5LN1be=c3PS-Yjfhp=U6e5LvZ7tFEGtF15jO=BQ@mail.gmail.com>
Accept-Language: en-CA, en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.181.118.223]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <EF5D8D9AA655FC49987C00F47840BDD4@exchange.qut.edu.au>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/fV7XPltuDQ3THIzNkniZsThdQoc
Cc: cfrg <cfrg@irtf.org>
Subject: Re: [Cfrg] [requesting suggestions] password hashing for PAKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 07:38:37 -0000
Section B.5.1 of NIST SP 800-90A discusses different ways and relative merits of pseudorandomly generating integers in a range using a pseudorandom bit generator. I don't know enough about your protocol to know whether just using a 256-bit value is fine or whether you need a full-domain value, in some cases it can matter and in some cases it doesn't matter. If you're not certain, it's probably safest to go with a full domain value. As for PBKDF2's role in this, the PBKDF2 spec allows for variable (block) length output, basically by running multiple blocks of PBKDF2 with the same password/salt/iteration but the input concatenated with a counter for the block number. Thus you can use standardized PBKDF2 to produce as many bits are required for the method you choose from B.5.1 of NIST SP 800-90A. (My intuition is that PBKDF2's method for generating multiple block outputs is overkill: I think for hardening purposes it would suffice to generate a single block output key using PBKDF2 and then generating the desired variable length output using a non-hardened KDF from that single block key. But since PBKDF2 does do variable length output itself, you might as well use that for compatibility.) Douglas On 2014/03/06, at 03:11, Yutaka OIWA <y.oiwa@aist.go.jp> wrote: > Dear all in CFRG mailing list, > > I want to have some suggestions about the use of strengthened password > hash for the PAKE family of protocols in reality. > > As you know (better than me), "password" in cryptographic primitives > is just an element of some group, usually an integer element in a cyclic group. > In real world, "passwords" is just an octet string of unlimited, unfixed length. > So we need to convert the latter to the former. > > We assume, hereafter, we use 256-bit hash, and some cyclic group Z/rZ > generated by 2047-bit prime r as a target group. > > The simple way of doing that conversion is to apply an existing hash function. > To prevent off-line attacks from credentials stolen from server-side storage, > we suggested use of some existing password-strengthening hashes > such as PBKDF2 (RFC 2898), and are preparing to do so. > The usual hash produces an integer in [0, 2^256 - 1], and > PBKDF2 can produce some larger output like one in [0, 2^1792 - 1], but > what we want best is an integer uniformly distributed in range [0, r - 1]. > (PBKDF2's output length is limited to the multiple of that of the base > hash function.) > So, how do you think what is the best tactics among below? > > 1) PAKE allows non-uniform distribution of passwords, so > just having 256-bit is fine. > 2) It's better do as long as possible with existing functions, so > have 1792 bit. > 3) We may introduce a small trick to PBKDF2 to produce 2046 bit (the > best integer). > 4) We should implement SOMETHING which will produce the best [0, r-1] range. > > Especially for 4), do you have some suggestions for doing that? > Do you also have some recommendations for better alternatives other > than PBKDF2 for use with IETF experimental (or standard-track) documents? > > Thanks a lot, > > -- > Yutaka OIWA, Ph.D. Leader, System Life-cycle Research Group > Research Institute for Secure Systems (RISEC) > National Institute of Advanced Industrial Science and Technology (AIST) > Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp> > OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5] > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] [requesting suggestions] password hashing … Yutaka OIWA
- Re: [Cfrg] [requesting suggestions] password hash… Douglas Stebila