Re: [Emu] [saag] Feedback on Salted EAP draft

"Dan Harkins" <dharkins@lounge.org> Thu, 13 August 2015 21:35 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 986BD1B3B39; Thu, 13 Aug 2015 14:35:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.467
X-Spam-Level:
X-Spam-Status: No, score=-2.467 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iFJBpzL3pHiU; Thu, 13 Aug 2015 14:35:55 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 856DA1B39D3; Thu, 13 Aug 2015 14:35:55 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 1FE881022400A; Thu, 13 Aug 2015 14:35:55 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Thu, 13 Aug 2015 14:35:55 -0700 (PDT)
Message-ID: <449964e467e0347db185eb787db71efd.squirrel@www.trepanning.net>
In-Reply-To: <DM2PR0301MB06558BFBD0251595A3B4B0B9A89B0@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <CAHbuEH5u=Q_h4L4yNdrpPw1J3fAsr1MfEMBV84TgdnHVWcxX0w@mail.gmail.com> <CAHbuEH4--TP0duM-8GSaR4RaUG5DoL=QtnCFE3shHbaUNPvwVg@mail.gmail.com> <tsloane9wff.fsf@mit.edu> <CAHbuEH5cGW3pknnwseEnp=mqzrMLPFBh-bN4pd2wKKDgpS08wQ@mail.gmail.com> <DM2PR0301MB06558BFBD0251595A3B4B0B9A89B0@DM2PR0301MB0655.namprd03.prod.outlook.com>
Date: Thu, 13 Aug 2015 14:35:55 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Christian Huitema <huitema@microsoft.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: <http://mailarchive.ietf.org/arch/msg/emu/hXi6f2n261X4TjOdgnCYocG89Ak>
Cc: Sam Hartman <hartmans-ietf@mit.edu>, "saag@ietf.org" <saag@ietf.org>, "emu@ietf.org" <emu@ietf.org>
Subject: Re: [Emu] [saag] Feedback on Salted EAP draft
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2015 21:35:56 -0000

  Hi Christian,

On Tue, July 14, 2015 10:50 am, Christian Huitema wrote:
[snip]
> The draft is short and clear enough, but it acknowledges a pretty big
> security issue: "the salted
> password from a compromised database can be used directly to impersonate
> the client-- there
> is no dictionary attack needed to recover the plaintext password."
>
> That's a pretty big caveat, but there are still some advantages over
> operating with unsalted passwords. The draft aligns server side password
> management for EAP-pwd with standard industry practices, which is good.
> In case of server compromise, the immediate effect of the compromise is an
> attack on the already compromised server, and the per-user salt makes
> password discovery harder. The security section should be expanded to
> explain this tradeoff.

  Yes, it's a big caveat and, as I mentioned, I'm trying to
be as blunt as possible about it. I have updated the Security
Considerations to include the point you are making about server
compromise and the per-user salt still making password recovery
harder.

> Nits:
>
> - in the abstract, missing "not" in " but did (not?) include support for
> salted passwords."

  Nice catch.

  An -02 version has been posted. Would you please take a look
and let me know whether it satisfactorily addresses your comments?

  regards,

  Dan.
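The trade-off Christian describes above (a server-side salted value that is itself sufficient to impersonate the client, while the per-user salt still stops shared precomputation against the plaintext) is easy to see in a toy challenge-response model. The following is an added illustration written for this archive page; it is not EAP-pwd, not the draft's construction, and not code from either author. The hash choice, the HMAC-based proof, the message layout and every function name here are assumptions made for the example.

```python
"""Toy model of a protocol whose client-side credential is the salted
password rather than the plaintext password.

Added illustration only: this is NOT EAP-pwd and NOT the draft's scheme.
SHA-256 for the salted value, HMAC-SHA256 for the proof, and the message
layout are assumptions chosen for the example.
"""
import hashlib
import hmac
import os


def salted_password(password: str, salt: bytes) -> bytes:
    # The value the server stores per user. The client can recompute it
    # from the plaintext once the server tells it the salt.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def enroll(password: str) -> tuple[bytes, bytes]:
    # Per-user random salt chosen at enrollment (constructed here).
    salt = os.urandom(16)
    return salt, salted_password(password, salt)


def server_challenge() -> bytes:
    return os.urandom(32)


def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    # Honest client: derives the salted value from the password it knows.
    return hmac.new(salted_password(password, salt), challenge, "sha256").digest()


def response_from_stored(stored: bytes, challenge: bytes) -> bytes:
    # Whoever holds the server's stored value can produce the same proof:
    # in this construction the stored value is password-equivalent, which
    # is exactly the caveat the draft and the thread call out.
    return hmac.new(stored, challenge, "sha256").digest()


def server_verify(stored: bytes, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(stored, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def stored_value_is_password_equivalent() -> bool:
    """True if the honest client and a holder of only the stored value both
    authenticate, while a wrong password does not."""
    password = "correct horse battery staple"   # constructed sample
    salt, stored = enroll(password)
    ch = server_challenge()
    honest = server_verify(stored, ch, client_response(password, salt, ch))
    from_db = server_verify(stored, ch, response_from_stored(stored, ch))
    wrong = server_verify(stored, ch, client_response("not the password", salt, ch))
    return honest and from_db and not wrong


def per_user_salt_separates_identical_passwords() -> bool:
    """Two users with the same password get unrelated stored values, so a
    leaked database gives no shared precomputation toward the plaintext:
    each candidate password has to be hashed once per user."""
    _, a = enroll("hunter2")   # constructed sample password
    _, b = enroll("hunter2")
    return a != b


if __name__ == "__main__":
    print("stored value is password-equivalent:",
          stored_value_is_password_equivalent())
    print("per-user salt separates identical passwords:",
          per_user_salt_separates_identical_passwords())
```

The first check is the "no dictionary attack needed to impersonate the client" point: the server database must be protected as if it held the password itself. The second check is the residual benefit Christian notes: recovering the plaintext from the leaked value still costs a per-user guessing effort, which is what the Security Considerations update in -02 is meant to spell out.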