Re: [Emu] [saag] Feedback on Salted EAP draft

"Dan Harkins" <dharkins@lounge.org> Tue, 14 July 2015 19:51 UTC

Message-ID: <5636ab22edcd875820b72b48bbf27b2e.squirrel@www.trepanning.net>
In-Reply-To: <DM2PR0301MB06558BFBD0251595A3B4B0B9A89B0@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <CAHbuEH5u=Q_h4L4yNdrpPw1J3fAsr1MfEMBV84TgdnHVWcxX0w@mail.gmail.com> <CAHbuEH4--TP0duM-8GSaR4RaUG5DoL=QtnCFE3shHbaUNPvwVg@mail.gmail.com> <tsloane9wff.fsf@mit.edu> <CAHbuEH5cGW3pknnwseEnp=mqzrMLPFBh-bN4pd2wKKDgpS08wQ@mail.gmail.com> <DM2PR0301MB06558BFBD0251595A3B4B0B9A89B0@DM2PR0301MB0655.namprd03.prod.outlook.com>
Date: Tue, 14 Jul 2015 12:51:06 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Christian Huitema <huitema@microsoft.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/emu/kUIvEoAfnvISvop9TTJh0A5Nv30>
Cc: "saag@ietf.org" <saag@ietf.org>, "emu@ietf.org" <emu@ietf.org>
Subject: Re: [Emu] [saag] Feedback on Salted EAP draft

  Hi Christian,

On Tue, July 14, 2015 10:50 am, Christian Huitema wrote:
> On Tuesday, July 14, 2015 9:01 AM, Kathleen Moriarty wrote:
>
>> Is there interest in reviewing this draft?  Sam pointed out the
>> importance of moving this work forward, it would be helpful to have
>> volunteers to review the work and also to understand the level of
>> interest (if any) before this goes forward as AD sponsored.
>
> The draft is short and clear enough, but it acknowledges a pretty big
> security issue: "the salted password from a compromised database can be
> used directly to impersonate the client-- there is no dictionary attack
> needed to recover the plaintext password."
>
> That's a pretty big caveat, but there are still some advantages over
> operating with unsalted passwords. The draft aligns server side password
> management for EAP-pwd with standard industry practices, which is good.
> In case of server compromise, the immediate effect of the compromise is an
> attack on the already compromised server, and the per-user salt makes
> password discovery harder. The security section should be expanded to
> explain this tradeoff.

  Yea, that is a big caveat. There are existing databases of salted
passwords that cannot be used with RFC 5931, so the motivation for
this draft is to support those currently deployed databases. The
Security Considerations are intended to be as blunt as possible.

> Nits:
>
> - in the abstract, missing "not" in " but did (not?) include support for
> salted passwords."

  Thanks for finding this; I'll fix it in an update.

  regards,

  Dan.

> -- Christian Huitema
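The trade-off Christian describes above, modelled in Python as an added illustration that is not part of this thread or of the Salted EAP-pwd draft: a stored record reproduces exactly what the peer feeds into the exchange under both the RFC 5931 and the salted format (so a leaked row is password-equivalent), while per-user salts still multiply the work of recovering the plaintext. The SHA-256(password || salt) construction is an assumption made for the model, not what the draft specifies.

```python
import hashlib
import os
from dataclasses import dataclass

# Assumed simplification for illustration: salted hash = SHA-256(password || salt).
# Not a statement of the draft's actual construction.


@dataclass(frozen=True)
class Rfc5931Record:
    """RFC 5931 style database row: the server must hold the password itself."""
    password: bytes


@dataclass(frozen=True)
class SaltedRecord:
    """Salted database row: only a per-user salt and the salted hash are stored."""
    salt: bytes
    digest: bytes


def salted_hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(password + salt).digest()


def make_salted_record(password: bytes, salt=None) -> SaltedRecord:
    salt = os.urandom(16) if salt is None else salt
    return SaltedRecord(salt, salted_hash(password, salt))


def peer_secret(record, password: bytes) -> bytes:
    """What the peer derives from its plaintext password for the exchange:
    the password itself under RFC 5931, the salted hash under the draft."""
    if isinstance(record, Rfc5931Record):
        return password
    return salted_hash(password, record.salt)


def server_secret(record) -> bytes:
    """What the server feeds into the same exchange, straight from its database."""
    return record.password if isinstance(record, Rfc5931Record) else record.digest


def record_is_password_equivalent(record, password: bytes) -> bool:
    """True when the stored row alone reproduces the peer's value, i.e. a leaked
    row suffices without recovering the plaintext (the caveat quoted in the
    thread). This holds for both formats; salting does not remove it."""
    return server_secret(record) == peer_secret(record, password)


def dictionary_trials(records, candidates) -> int:
    """Cost model for risk assessment: hash evaluations needed to test every
    candidate word against every leaked salted row. A digest can be reused
    across rows only when they share a salt, so per-user salts scale the
    work by the number of users instead of one table serving all of them."""
    computed = {}
    for word in candidates:
        for rec in records:
            key = (word, rec.salt)
            if key not in computed:
                computed[key] = salted_hash(word, rec.salt)
    return len(computed)
```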