Re: [Cfrg] [saag] New draft: Hashed Password Exchange
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 05 January 2012 07:13 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 031611F0C41 for <cfrg@ietfa.amsl.com>; Wed, 4 Jan 2012 23:13:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.543
X-Spam-Level:
X-Spam-Status: No, score=-103.543 tagged_above=-999 required=5 tests=[AWL=0.057, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bjmh0EHeuhfd for <cfrg@ietfa.amsl.com>; Wed, 4 Jan 2012 23:13:01 -0800 (PST)
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54]) by ietfa.amsl.com (Postfix) with ESMTP id 2DD5A21F8688 for <cfrg@irtf.org>; Wed, 4 Jan 2012 23:13:01 -0800 (PST)
Received: by eekc50 with SMTP id c50so171373eek.13 for <cfrg@irtf.org>; Wed, 04 Jan 2012 23:13:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=UeGoE+W6fBSmDbX/8Fi0B14nahJhTXFb4sg1a/xFG6I=; b=QUA3DeYcrXggw7Riaku3H781aRrsgm1Fsb+dvQ+ybt5X7ZrXdqt3FtamVZxHH/fOoT aVfjrcT+vNeK1//bnzUPhyUDMgv41hlBqmYspkZZcmrlCYgcA4KhbReAnOcnioGt3H2X WC644fYNME6FUULSTfgnCSifGaX5TGojN3W1k=
Received: by 10.213.8.145 with SMTP id h17mr279192ebh.62.1325747579975; Wed, 04 Jan 2012 23:12:59 -0800 (PST)
Received: from [10.0.0.6] ([109.67.155.85]) by mx.google.com with ESMTPS id a60sm230100356eeb.4.2012.01.04.23.12.58 (version=SSLv3 cipher=OTHER); Wed, 04 Jan 2012 23:12:59 -0800 (PST)
Message-ID: <4F054D78.1080008@gmail.com>
Date: Thu, 05 Jan 2012 09:12:56 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0
MIME-Version: 1.0
To: Steven Bellovin <smb@cs.columbia.edu>
References: <583849CD-D0AD-4792-8894-04598898BA0F@cs.columbia.edu> <4F04D0CD.9010807@isi.edu> <95A30BC1-F5F8-4937-AE41-08BF92B5BBB5@cs.columbia.edu> <4F04DAA1.5050604@isi.edu> <33E0B548-D141-48CA-86DC-F7E4EB1DEDD2@cs.columbia.edu>
In-Reply-To: <33E0B548-D141-48CA-86DC-F7E4EB1DEDD2@cs.columbia.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: cfrg@irtf.org, saag@ietf.org
Subject: Re: [Cfrg] [saag] New draft: Hashed Password Exchange
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 07:13:02 -0000
Hi Steve,
thanks for the new draft. A few comments:
* The argument against using a random salt is somewhat unconvincing: "it
would have to be known to the user as well as
the server, and users typically have multiple devices on which they
enter passwords." Since we assume computing power on the client side,
there's no reason why we cannot have the server send the salt to the
user instead of having it stored client-side. I do agree though that the
benefits of a random salt added to this scheme are minimal.
* Arbitrary non-ASCII passwords must be supported. I suggest to remove
the under-specified bullet about "canonicalizing the entered password"
and adopt text similar to (from RFC 6124):
This protocol supports internationalized, non-ASCII passwords. The
input password string SHOULD be processed according to the rules of the
[RFC4013] profile of [RFC3454]. A password SHOULD be considered a
"stored string" per [RFC3454], and unassigned code points are therefore
prohibited. The output is the binary representation of the processed
UTF-8 [RFC3629] character string. Prohibited output and unassigned code
points encountered in SASLprep preprocessing SHOULD cause a
preprocessing failure and the output SHOULD NOT be used.
* The text implicitly assumes that we are "sending the effective
password over the wire." This is obviously not the case if strong
password-based methods of the EKE family are used.
* "If effective passwords are used only for the usual password
verification and not for cryptographic purposes, they should be treated
with the care used for ordinary password, i.e., salted, hashed, etc. " I
can see the value of hashing here, but not of salting.
Thanks,
Yaron
> >> >>> On 1/4/2012 1:41 PM, Steven Bellovin wrote:
>>>>> >>>> I'd appreciate comments on my new draft, draft-bellovin-hpw-00.txt:
>>>>> >>>>
>>>>> >>>> Abstract
>>>>> >>>>
>>>>> >>>> Many systems (e.g., cryptographic protocols relying on symmetric
>>>>> >>>> cryptography) require that plaintext passwords be stored. Given how
>>>>> >>>> often people reuse passwords on different systems, this poses a very
>>>>> >>>> serious risk if a single machine is compromised. We propose a scheme
>>>>> >>>> to derive passwords limited to a single machine from a typed
>>>>> >>>> password, and explain how a protocol definition can specify this
>>>>> >>>> scheme.
>>>>> >>>>
>>>>> >>>>
>>>>> >>>> --Steve Bellovin,https://www.cs.columbia.edu/~smb
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>>> >>>> _______________________________________________
>>>>> >>>> saag mailing list
>>>>> >>>> saag@ietf.org
>>>>> >>>> https://www.ietf.org/mailman/listinfo/saag
>>>> >>>
>>> >>
>>> >>
>>> >> --Steve Bellovin,https://www.cs.columbia.edu/~smb
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>> >
> --Steve Bellovin,https://www.cs.columbia.edu/~smb
>
>
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
- [Cfrg] New draft: Hashed Password Exchange Steven Bellovin
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Steven Bellovin
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Steven Bellovin
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Yaron Sheffer
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Dan Harkins
- [Cfrg] 答复: Re: [saag] New draft: Hashed Password … zhou.sujing
- [Cfrg] 答复: Re: [saag] New draft: Hashed Password … zhou.sujing
- Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Passw… Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Passw… Rose, Greg
- Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Passw… Blumenthal, Uri - 0668 - MITLL
- [Cfrg] 答复: Re: 答复: Re: [saag] New draft: Hashed P… zhou.sujing
- Re: [Cfrg] ´ð¸´: Re: ´ð¸´: Re: [saag] New draft: … Dan Harkins
- Re: [Cfrg] ´ð¸´: Re: ´ð¸´: Re: [saag] New draft: … Steven Bellovin
- Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Passw… Igoe, Kevin M.
- Re: [Cfrg] 答复: Re: [saag] New draft: Hashed Passw… Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] ´ð¸´: Re: ´ð¸´: Re: [saag] New draft: … Henry B. Hotz
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Yaron Sheffer
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Steven Bellovin
- [Cfrg] 答复: Re: ´ð¸´: Re: ´ð¸´: Re: [saag] New dra… zhou.sujing
- Re: [Cfrg] 答复: Re: ´ð¸´: Re: ´ð¸´: Re: [saag] New… Steven Bellovin
- Re: [Cfrg] [saag] New draft: Hashed Password Exch… Steven Bellovin