IETF Logo Mail Archive

Re: [Cfrg] ´ð¸´: Re: ´ð¸´: Re: [saag] New draft: Ha shed Password Exchange

Steven Bellovin <smb@cs.columbia.edu> Sat, 11 February 2012 22:08 UTC

Return-Path: <smb@cs.columbia.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FF8821F8554 for <cfrg@ietfa.amsl.com>; Sat, 11 Feb 2012 14:08:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[AWL=-2.198, BAYES_50=0.001, J_CHICKENPOX_23=0.6, J_CHICKENPOX_44=0.6, J_CHICKENPOX_48=0.6, MIME_8BIT_HEADER=0.3, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N5u2q+bCdwup for <cfrg@ietfa.amsl.com>; Sat, 11 Feb 2012 14:08:44 -0800 (PST)
Received: from paneer.cc.columbia.edu (paneer.cc.columbia.edu [128.59.29.4]) by ietfa.amsl.com (Postfix) with ESMTP id B8ACA21F8552 for <cfrg@irtf.org>; Sat, 11 Feb 2012 14:08:44 -0800 (PST)
Received: from [192.168.2.180] (74-92-112-54-Philadelphia.hfc.comcastbusiness.net [74.92.112.54]) (user=smb2132 mech=PLAIN bits=0) by paneer.cc.columbia.edu (8.14.4/8.14.3) with ESMTP id q1BM8fKP008338 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Sat, 11 Feb 2012 17:08:42 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset="utf-8"
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <OF8D1D6637.DCEC2C9E-ON482579A0.0002CFD7-482579A0.00033B0B@zte.com.cn>
Date: Sat, 11 Feb 2012 17:08:41 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <FEEBCF33-6BB7-4D37-BF91-7FC5C765C77D@cs.columbia.edu>
References: <OF8D1D6637.DCEC2C9E-ON482579A0.0002CFD7-482579A0.00033B0B@zte.com.cn>
To: zhou.sujing@zte.com.cn
X-Mailer: Apple Mail (2.1257)
X-No-Spam-Score: Local
X-Scanned-By: MIMEDefang 2.68 on 128.59.29.4
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] ´ð¸´: Re: ´ð¸´: Re: [saag] New draft: Ha shed Password Exchange
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Feb 2012 22:08:46 -0000

On Feb 9, 2012, at 7:35 PM, zhou.sujing@zte.com.cn wrote:

> 
> 
> Steven Bellovin <smb@cs.columbia.edu> 写于 2012-02-09 20:32:07:
> 
> > I dealt with that in my note: how do you deal with multiple devices? 
> 
> Just copy and paste to all the devices, or retrieve the required long key from a USB key. 
> It is seldom required to change, so it does not bring much inconvenience, and just an option for users to choose.   
> 
Apart from the fact that I think that that's user-unfriendly, I still don't
understand what problem you are trying to solve.  


> > 
> > Sent from my iPad 
> > 
> > On Feb 9, 2012, at 4:49 AM, zhou.sujing@zte.com.cn wrote:
> 
> > 
> > I understand the aim of your proposal, and similar ideas have also 
> > been proposed, such as pwdhash by Standford university, 
> > a only  simple hash before sending passwoed can prevent more 
> > security loss when a server is broken, because it is human's 
> > weakness to have only a few sets of passwords, 
> > even worse, the few passwords are often randomless for memory easiness. 
> > 
> > But only hashing password will not increase entropy, maybe an option
> > can be added to your scheme that 
> > another long and random key K can be stored exclusively in the user's device, 
> > and the effective password equals hash of <password,user,service> and K? 
> > 
> > 
> > 
> > 
> > Regards~~~
> > 
> > -Sujing Zhou 
> > 
> > Steven Bellovin <smb@cs.columbia.edu> 写于 2012-02-03 07:38:11:
> > 
> > > I'll be revising my draft soon.  For now, let me explain a few points.
> > > 
> > > First -- the primary goal of the draft is avoiding storage of cleartext
> > > passwords, because even strong passwords are easily compromised if the
> > > device or server is hacked.  A second goal is to conceal that the same
> > > password is used for two different users or the same user on two different
> > > services.
> > > 
> > > It's obviously true that attackers can still launch password-
> > guessing attacks.
> > > This does increase their work factor.  While the difference in work factor
> > > may not be important for targeted attacks, it does help against broad-scale
> > > attacks: can any single password be retrieved?  The way I look at it is
> > > this: for a given effort, how many passwords can the attacker get?  If the
> > > iteration count is doubled, the yield per given effort is obviously halved.
> > > 
> > > There are no large-scale precomputation attacks possible, because every
> > > hashed password is unique for a given <password,user,service> triple.
> > > 
> > > I do not see how a random salt would help at all -- it still requires
> > > about the same amount of computation per user per service per guess.
> > > The essential difference between a random salt and my scheme is that
> > > if I change my password to itself, with a random salt the hashed password
> > > would be different; with my scheme, it would be the same.  The attacker's
> > > effort would remain the same.  In addition, a random salt would hurt
> > > usability and/or security.  For the former, consider that I (and many
> > > other people) have many devices with stored passwords.  I personally
> > > use three or four computers and two iToys to read mail.  So -- I set a new
> > > password from one.  I now have to copy down that string and enter it
> > > on five other devices.  Not very user-friendly.  Assume, then, that
> > > the salt is sent as part of the protocol.  That not only hurts adoptability,
> > > since the protocol would now have to have a way to transmit it at the right
> > > point, after it knows the userid but before the authenticator is entered
> > > (quick -- what will that do to, say, IKEv2?), it means that the user's
> > > node would have to have the cleartext password available in order to
> > > hash it with the salt.  But that defeats the purpose of my scheme.
> > > HPW requires no changes to the protocol, and the only possible change
> > > to the implementation is a longer input buffer.
> > > 
> > > Finally, I'm quite convinced that focusing on strong passwords is fighting
> > > the last war (and, I might add, a war we've lost).  *NO ONE* is using
> > > strong, unique, memorized passwords ubiquitously -- people have too many 
> > > of them to remember.  By actual count, I have >100 web site passwords,
> > > plus login passwords, root passwords, mail passwords, ATM PINs, phone
> > > unlock codes, and more.  Sorry -- EBRAINFULL.  I think that far bigger
> > > dangers are password reuse and node compromise.  HPW is designed to deal
> > > with those threats.
> > > 
> > > "In a world of smart cards, hand-held authenticators, and zero-
> > > knowledge proofs, it seems pointless to be worrying about poorly-
> > > chosen passwords.  Were the world like that, we might agree.  Today,
> > > it is not."  Mike Merritt and I wrote that about 20 years ago, in
> > > the original EKE paper.  Fortunately, passwords are no longer in use, 
> > > since they've been replaced by better technology, right?  Oh, wait.
> > > 
> > > 
> > > 
> > > On Feb 2, 2012, at 1:46 PM, Dan Harkins wrote:
> > > 
> > > > 
> > > >  The issue is that hashing a password doesn't make it "random"
> > > > (while it might make it "long"). So no, an ordinary hash is not
> > > > enough. As I suggested, I think a non-secret salt exchanged in
> > > > the protocol can be used as a key to a HMAC and the password can
> > > > be included in the data to be HMAC'd.
> > > > 
> > > >  Dan.
> > > > 
> > > > On Wed, February 1, 2012 5:22 pm, zhou.sujing@zte.com.cn wrote:
> > > >> Well£¬ it is the requirement of the HMAC for key being long and random.
> > > >> Then in the case of the draft, ordinary hash is enough I guess?
> > > >> 
> > > >> 
> > > >> Regards~~~
> > > >> 
> > > >> 
> > > >> cfrg-bounces@irtf.org дÓÚ 2012-02-01 23:49:13:
> > > >> 
> > > >>> My take on this is: if you believe that a hash-function is a good
> > > >>> randomizer and can be used in cryptographic key generation process ¨C
> > > >>> then  it does not matter whether what you feed as a "key" input to
> > > >>> HMAC is uniformly distributed or not (because of HMAC internal "hash
> > > >>> spins"). And if you are uneasy on how really random your hash output
> > > >>> is ¨C then a lot of the currently used mechanisms and primitives need
> > > >>> revisiting.
> > > >>> --
> > > >>> Regards,
> > > >>> Uri Blumenthal                            Voice: (781) 981-1638
> > > >>> Cyber Systems and Technology  Fax:    (781) 981-0186
> > > >>> MIT Lincoln Laboratory
> > > >>> 
> > > >>> From: "zhou.sujing@zte.com.cn" <zhou.sujing@zte.com.cn>
> > > >>> Date: Wed, 1 Feb 2012 03:13:07 -0500
> > > >>> To: Dan Harkins <dharkins@lounge.org>
> > > >>> Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Steven Bellovin
> > > >> <smb@cs.columbia.edu>
> > > >>> Subject: [Cfrg] ´ð¸´: Re: [saag] New draft: Hashed Password Exchange
> > > >>> 
> > > >>> 
> > > >>> Hi,all
> > > >>> 
> > > >>> cfrg-bounces@irtf.org дÓÚ 2012-01-07 17:03:25:
> > > >>> 
> > > >>>> 
> > > >>>> 
> > > >>>> On Wed, January 4, 2012 2:56 pm, Steven Bellovin wrote:
> > > >>>>> Good point; let me think about it for -01.  An obvious solution is
> > > >> to send
> > > >>>>> the hostname with the effective password.
> > > >>>> 
> > > >>>>  How is that different than using random salt then? If _something_
> > > >>> is
> > > >>>> going to be sent shouldn't it be a uniformly random bitstring instead
> > > >> of
> > > >>>> a hostname?
> > > >>>> 
> > > >>>>  A uniformly random bitstring would be more appropriate as a key to
> > > >>>> HMAC than a highly structured string like a password too. Iterate
> > > >>>> HMAC(salt, password | service-URI) instead of HMAC(password,
> > > >> service-URI).
> > > >>> 
> > > >>> 
> > > >>> 
> > > >>> I think Dan's suggestion is reasonable, I checked the RFC 2104 and
> > > >>> found the following section :
> > > >>> 
> > > >>> "3. Keys
> > > >>> 
> > > >>>   The key for HMAC can be of any length (keys longer than B bytes are
> > > >>>   first hashed using H).  However, less than L bytes is strongly
> > > >>>   discouraged as it would decrease the security strength of the
> > > >>>   function.  Keys longer than L bytes are acceptable but the extra
> > > >>>   length would not significantly increase the function strength. (A
> > > >>>   longer key may be advisable if the randomness of the key is
> > > >>>   considered weak.)
> > > >>> 
> > > >>>   Keys need to be chosen at random (or using a cryptographically
> > > >>> strong
> > > >>>   pseudo-random generator seeded with a random seed), and periodically
> > > >>>   refreshed.  (Current attacks do not indicate a specific recommended
> > > >>>   frequency for key changes as these attacks are practically
> > > >>>   infeasible.  However, periodic key refreshment is a fundamental
> > > >>>   security practice that helps against potential weaknesses of the
> > > >>>   function and keys, and limits the damage of an exposed key.)"
> > > >>> 
> > > >>> 
> > > >>> Since passwords are often not too long, and not so random, it is better
> > > >>> to hash it before using it as a key in a HMAC.
> > > >>> 
> > > >>> 
> > > >>> Regards~~~
> > > >>> 
> > > >>> -Sujing Zhou
> > > >>>> 
> > > >>>>  That said, goal 4 in the draft-- "By iterating a sufficient number
> > > >> of
> > > >>>> times, dictionary attacks can be made arbitrarily expensive"-- seems
> > > >>> a
> > > >>>> bit misguided. The Amazon cloud service has been used to launch an
> > > >>>> off-line dictionary attack against the WPA-PSK protocol which uses
> > > >> PBKDF2
> > > >>>> (HMAC-SHA1) with 4096 iterations to obfuscate a password. This attack
> > > >>>> checks 24,000,000 candidate passwords per minute at a cost of $0.28.
> > > >>>> That's more than 1,600,000,000 iterations per second for about 1/2 a
> > > >> cent.
> > > >>>> So I don't think increased iteration makes dictionary attacks much
> > > >> more
> > > >>>> expensive.
> > > >>>> 
> > > >>>>  Which begs the question, how is this proposal different than
> > > >>> PBKDF2?
> > > >>>> That the "salt" is a service URI?
> > > >>>> 
> > > >>>>  regards,
> > > >>>> 
> > > >>>>  Dan.
> > > >>>> 
> > > >>>>> On Jan 4, 2012, at 5:21 01PM, Joe Touch wrote:
> > > >>>>> 
> > > >>>>>> Hi, Steve,
> > > >>>>>> 
> > > >>>>>> This doc doesn't appear to address the case where a host has
> > > >> multiple
> > > >>>>>> DNS names, which could make it difficult to incorporate the
> > > >> hostname
> > > >>>>>> into the transform. I.e., I could contact a mail server at an IP
> > > >> address
> > > >>>>>> that represents any of dozens of DNS names - how does the server
> > > >> know
> > > >>>>>> which one I used so it can match without exhaustively trying all
> > > >> its
> > > >>>>>> equivalent names?
> > > >>>>>> 
> > > >>>>>> Joe
> > > >>>>>> 
> > > >>>>>> On 1/4/2012 1:41 PM, Steven Bellovin wrote:
> > > >>>>>>> I'd appreciate comments on my new draft,
> > > >> draft-bellovin-hpw-00.txt:
> > > >>>>>>> 
> > > >>>>>>> Abstract
> > > >>>>>>> 
> > > >>>>>>>   Many systems (e.g., cryptographic protocols relying on
> > > >> symmetric
> > > >>>>>>>   cryptography) require that plaintext passwords be stored. Given
> > > >> how
> > > >>>>>>>   often people reuse passwords on different systems, this poses a
> > > >> very
> > > >>>>>>>   serious risk if a single machine is compromised.  We propose a
> > > >>>>>>> scheme
> > > >>>>>>>   to derive passwords limited to a single machine from a typed
> > > >>>>>>>   password, and explain how a protocol definition can specify
> > > >> this
> > > >>>>>>>   scheme.
> > > >>>>>>> 
> > > >>>>>>> 
> > > >>>>>>>      --Steve Bellovin, https://www.cs.columbia.edu/~smb
> > > >>>>>>> 
> > > >>>>>>> 
> > > >>>>>>> 
> > > >>>>>>> 
> > > >>>>>>> 
> > > >>>>>>> _______________________________________________
> > > >>>>>>> saag mailing list
> > > >>>>>>> saag@ietf.org
> > > >>>>>>> https://www.ietf.org/mailman/listinfo/saag
> > > >>>>>> 
> > > >>>>> 
> > > >>>>> 
> > > >>>>>      --Steve Bellovin, https://www.cs.columbia.edu/~smb
> > > >>>>> 
> > > >>>>> 
> > > >>>>> 
> > > >>>>> 
> > > >>>>> 
> > > >>>>> _______________________________________________
> > > >>>>> saag mailing list
> > > >>>>> saag@ietf.org
> > > >>>>> https://www.ietf.org/mailman/listinfo/saag
> > > >>>>> 
> > > >>>> 
> > > >>>> 
> > > >>>> _______________________________________________
> > > >>>> Cfrg mailing list
> > > >>>> Cfrg@irtf.org
> > > >>>> http://www.irtf.org/mailman/listinfo/cfrg
> > > >>>> [¸½¼þ "smime.p7s" ±» ÖÜËÕ¾²00132831/user/zte_ltd ɾ³ý]
> > > >>> _______________________________________________
> > > >>> Cfrg mailing list
> > > >>> Cfrg@irtf.org
> > > >>> http://www.irtf.org/mailman/listinfo/cfrg
> > > >> 
> > > >> _______________________________________________
> > > >> Cfrg mailing list
> > > >> Cfrg@irtf.org
> > > >> http://www.irtf.org/mailman/listinfo/cfrg
> > > >> 
> > > > 
> > > > 
> > > > _______________________________________________
> > > > Cfrg mailing list
> > > > Cfrg@irtf.org
> > > > http://www.irtf.org/mailman/listinfo/cfrg
> > > > 
> > > 
> > > 
> > >       --Steve Bellovin, https://www.cs.columbia.edu/~smb
> > > 
> > > 
> > > 
> > > 
> > > 
> > >


		--Steve Bellovin, https://www.cs.columbia.edu/~smb

v2.23.0 | Report a Bug | By Email