Re: [Cfrg] [saag] New draft: Hashed Password Exchange

Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 05 January 2012 07:13 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 031611F0C41 for <cfrg@ietfa.amsl.com>; Wed, 4 Jan 2012 23:13:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.543
X-Spam-Level:
X-Spam-Status: No, score=-103.543 tagged_above=-999 required=5 tests=[AWL=0.057, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bjmh0EHeuhfd for <cfrg@ietfa.amsl.com>; Wed, 4 Jan 2012 23:13:01 -0800 (PST)
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54]) by ietfa.amsl.com (Postfix) with ESMTP id 2DD5A21F8688 for <cfrg@irtf.org>; Wed, 4 Jan 2012 23:13:01 -0800 (PST)
Received: by eekc50 with SMTP id c50so171373eek.13 for <cfrg@irtf.org>; Wed, 04 Jan 2012 23:13:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=UeGoE+W6fBSmDbX/8Fi0B14nahJhTXFb4sg1a/xFG6I=; b=QUA3DeYcrXggw7Riaku3H781aRrsgm1Fsb+dvQ+ybt5X7ZrXdqt3FtamVZxHH/fOoT aVfjrcT+vNeK1//bnzUPhyUDMgv41hlBqmYspkZZcmrlCYgcA4KhbReAnOcnioGt3H2X WC644fYNME6FUULSTfgnCSifGaX5TGojN3W1k=
Received: by 10.213.8.145 with SMTP id h17mr279192ebh.62.1325747579975; Wed, 04 Jan 2012 23:12:59 -0800 (PST)
Received: from [10.0.0.6] ([109.67.155.85]) by mx.google.com with ESMTPS id a60sm230100356eeb.4.2012.01.04.23.12.58 (version=SSLv3 cipher=OTHER); Wed, 04 Jan 2012 23:12:59 -0800 (PST)
Message-ID: <4F054D78.1080008@gmail.com>
Date: Thu, 05 Jan 2012 09:12:56 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0
MIME-Version: 1.0
To: Steven Bellovin <smb@cs.columbia.edu>
References: <583849CD-D0AD-4792-8894-04598898BA0F@cs.columbia.edu> <4F04D0CD.9010807@isi.edu> <95A30BC1-F5F8-4937-AE41-08BF92B5BBB5@cs.columbia.edu> <4F04DAA1.5050604@isi.edu> <33E0B548-D141-48CA-86DC-F7E4EB1DEDD2@cs.columbia.edu>
In-Reply-To: <33E0B548-D141-48CA-86DC-F7E4EB1DEDD2@cs.columbia.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: cfrg@irtf.org, saag@ietf.org
Subject: Re: [Cfrg] [saag] New draft: Hashed Password Exchange
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 07:13:02 -0000

Hi Steve,

thanks for the new draft. A few comments:

* The argument against using a random salt is somewhat unconvincing: "it 
would have to be known to the user as well as
the server, and users typically have multiple devices on which they 
enter passwords." Since we assume computing power on the client side, 
there's no reason why we cannot have the server send the salt to the 
user instead of having it stored client-side. I do agree though that the 
benefits of a random salt added to this scheme are minimal.

* Arbitrary non-ASCII passwords must be supported. I suggest to remove 
the under-specified bullet about "canonicalizing the entered password" 
and adopt text similar to (from RFC 6124):

This protocol supports internationalized, non-ASCII passwords.  The 
input password string SHOULD be processed according to the rules of the 
[RFC4013] profile of [RFC3454].  A password SHOULD be considered a 
"stored string" per [RFC3454], and unassigned code points are therefore 
prohibited.  The output is the binary representation of the processed 
UTF-8 [RFC3629] character string.  Prohibited output and unassigned code 
points encountered in SASLprep preprocessing SHOULD cause a 
preprocessing failure and the output SHOULD NOT be used.

* The text implicitly assumes that we are "sending the effective 
password over the wire." This is obviously not the case if strong 
password-based methods of the EKE family are used.

* "If effective passwords are used only for the usual password 
verification and not for cryptographic purposes, they should be treated 
with the care used for ordinary password, i.e., salted, hashed, etc. " I 
can see the value of hashing here, but not of salting.

Thanks,
     Yaron

> >> >>> On 1/4/2012 1:41 PM, Steven Bellovin wrote:
>>>>> >>>>  I'd appreciate comments on my new draft, draft-bellovin-hpw-00.txt:
>>>>> >>>>  
>>>>> >>>>  Abstract
>>>>> >>>>  
>>>>> >>>>      Many systems (e.g., cryptographic protocols relying on symmetric
>>>>> >>>>      cryptography) require that plaintext passwords be stored.  Given how
>>>>> >>>>      often people reuse passwords on different systems, this poses a very
>>>>> >>>>      serious risk if a single machine is compromised.  We propose a scheme
>>>>> >>>>      to derive passwords limited to a single machine from a typed
>>>>> >>>>      password, and explain how a protocol definition can specify this
>>>>> >>>>      scheme.
>>>>> >>>>  
>>>>> >>>>  
>>>>> >>>>  		--Steve Bellovin,https://www.cs.columbia.edu/~smb
>>>>> >>>>  
>>>>> >>>>  
>>>>> >>>>  
>>>>> >>>>  
>>>>> >>>>  
>>>>> >>>>  _______________________________________________
>>>>> >>>>  saag mailing list
>>>>> >>>>  saag@ietf.org
>>>>> >>>>  https://www.ietf.org/mailman/listinfo/saag
>>>> >>>  
>>> >>  
>>> >>  
>>> >>  		--Steve Bellovin,https://www.cs.columbia.edu/~smb
>>> >>  
>>> >>  
>>> >>  
>>> >>  
>>> >>  
>> >  
> 		--Steve Bellovin,https://www.cs.columbia.edu/~smb
>
>
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag