Re: [Cfrg] [saag] New draft: Hashed Password Exchange

"Dan Harkins" <dharkins@lounge.org> Sat, 07 January 2012 09:03 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D3BB21F8572 for <cfrg@ietfa.amsl.com>; Sat, 7 Jan 2012 01:03:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.147
X-Spam-Level:
X-Spam-Status: No, score=-5.147 tagged_above=-999 required=5 tests=[AWL=-0.082, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_44=0.6, J_CHICKENPOX_48=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wz8iv5FfC76l for <cfrg@ietfa.amsl.com>; Sat, 7 Jan 2012 01:03:29 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 12BA321F8570 for <cfrg@irtf.org>; Sat, 7 Jan 2012 01:03:26 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 671131022404A; Sat, 7 Jan 2012 01:03:25 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Sat, 7 Jan 2012 01:03:25 -0800 (PST)
Message-ID: <1c680c52d4a354cdeda0a39e9cc47d32.squirrel@www.trepanning.net>
In-Reply-To: <95A30BC1-F5F8-4937-AE41-08BF92B5BBB5@cs.columbia.edu>
References: <583849CD-D0AD-4792-8894-04598898BA0F@cs.columbia.edu> <4F04D0CD.9010807@isi.edu> <95A30BC1-F5F8-4937-AE41-08BF92B5BBB5@cs.columbia.edu>
Date: Sat, 7 Jan 2012 01:03:25 -0800 (PST)
From: "Dan Harkins" <dharkins@lounge.org>
To: "Steven Bellovin" <smb@cs.columbia.edu>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: cfrg@irtf.org, saag@ietf.org
Subject: Re: [Cfrg] [saag] New draft: Hashed Password Exchange
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jan 2012 09:03:29 -0000

On Wed, January 4, 2012 2:56 pm, Steven Bellovin wrote:
> Good point; let me think about it for -01.  An obvious solution is to send
> the hostname with the effective password.

  How is that different than using random salt then? If _something_ is
going to be sent shouldn't it be a uniformly random bitstring instead of
a hostname?

  A uniformly random bitstring would be more appropriate as a key to
HMAC than a highly structured string like a password too. Iterate
HMAC(salt, password | service-URI) instead of HMAC(password, service-URI).

  That said, goal 4 in the draft-- "By iterating a sufficient number of
times, dictionary attacks can be made arbitrarily expensive"-- seems a
bit misguided. The Amazon cloud service has been used to launch an
off-line dictionary attack against the WPA-PSK protocol which uses PBKDF2
(HMAC-SHA1) with 4096 iterations to obfuscate a password. This attack
checks 24,000,000 candidate passwords per minute at a cost of $0.28.
That's more than 1,600,000,000 iterations per second for about 1/2 a cent.
So I don't think increased iteration makes dictionary attacks much more
expensive.

  Which begs the question, how is this proposal different than PBKDF2?
That the "salt" is a service URI?

  regards,

  Dan.

> On Jan 4, 2012, at 5:21 01PM, Joe Touch wrote:
>
>> Hi, Steve,
>>
>> This doc doesn't appear to address the case where a host has multiple
>> DNS names, which could make it difficult to incorporate the hostname
>> into the transform. I.e., I could contact a mail server at an IP address
>> that represents any of dozens of DNS names - how does the server know
>> which one I used so it can match without exhaustively trying all its
>> equivalent names?
>>
>> Joe
>>
>> On 1/4/2012 1:41 PM, Steven Bellovin wrote:
>>> I'd appreciate comments on my new draft, draft-bellovin-hpw-00.txt:
>>>
>>> Abstract
>>>
>>>    Many systems (e.g., cryptographic protocols relying on symmetric
>>>    cryptography) require that plaintext passwords be stored.  Given how
>>>    often people reuse passwords on different systems, this poses a very
>>>    serious risk if a single machine is compromised.  We propose a
>>> scheme
>>>    to derive passwords limited to a single machine from a typed
>>>    password, and explain how a protocol definition can specify this
>>>    scheme.
>>>
>>>
>>> 		--Steve Bellovin, https://www.cs.columbia.edu/~smb
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> saag mailing list
>>> saag@ietf.org
>>> https://www.ietf.org/mailman/listinfo/saag
>>
>
>
> 		--Steve Bellovin, https://www.cs.columbia.edu/~smb
>
>
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>