Re: [http-auth] Normalization forms in draft-ietf-httpauth-basicauth-enc
"Martin J. Dürst" <duerst@it.aoyama.ac.jp> Mon, 01 July 2013 05:45 UTC
From: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Organization: Aoyama Gakuin University
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: Julian Reschke <julian.reschke@gmx.de>, http-auth@ietf.org
Date: Mon, 01 Jul 2013 14:45:00 +0900
Message-ID: <51D1175C.3020007@it.aoyama.ac.jp>
In-Reply-To: <D434C8F9-D3DC-40EB-A25A-3A259C1A22E6@vpnc.org>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
On 2013/07/01 6:35, Paul Hoffman wrote:
> On Jun 30, 2013, at 2:14 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
>
>> Paul, your proposed text doesn't make sense to me, because with Basic auth, the server might keep a hash of the password instead of the raw password (to reduce the damage if the entire database gets stolen). In which case I would expect the server to normalize the password before it is being hashed without any check of the "expected value".
>
> The process that is checking for equivalence is not necessarily the process that stored the (possibly normalized) password, and the two processes might have different views of what normalization to use.

That's definitely an important aspect of the problem, and should be called out. In particular, it's important to say that if you don't normalize when creating a password hash, then in the odd case that you get something half-baked (e.g. half in NFC and half in NFD, ...), then it's going to be very hard to get back to the original form.

> Normalizing takes time.

Well, that's often brought up but not really very true or relevant. First, it's easily possible to make normalization fast. In particular, it is possible to make normalization very fast for the frequent cases. (It's also possible to make it slow, but that's true of any kind of processing.) Second, security-related calculations (hashes, ...) are regularly designed so as to not be too fast. So normalization shouldn't be the bottleneck.

Regards,   Martin.

> Thus, I would expect that the server would do a straight check first, and only fall back to one or more forms of string conversion (normalization, fixing of various i18n digit forms, removing points in Hebrew, etc.) if the first test failed.
>
> This isn't to say that your assumption is wrong, but it is not the only one. Thus, my particularly wavy wording.
>
> --Paul Hoffman
> _______________________________________________
> http-auth mailing list
> http-auth@ietf.org
> https://www.ietf.org/mailman/listinfo/http-auth
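The two positions in the exchange above (normalize once at enrollment, versus a straight check with normalization as a fallback) and the "half-baked" case Martin raises can be shown concretely. The following is an added example written for this archive page; it is not code from the thread, from the draft, or from any of the participants. It uses PBKDF2-HMAC-SHA256 as a stand-in for whatever slow password hash a server would use, an assumed iteration count of 100,000 chosen only for illustration, and constructed sample strings (the word "café" in NFC and NFD, and a string that mixes the two forms) that do not come from the thread.

```python
import hashlib
import hmac
import os
import time
import unicodedata
from typing import Optional

# Constructed sample inputs (not from the thread): the word "café" as it
# might arrive from two different clients or keyboard layouts.
CAFE_NFC = "caf\u00e9"        # U+00E9, precomposed e-acute (already NFC)
CAFE_NFD = "cafe\u0301"       # "e" + U+0301 combining acute (NFD)
# A "half-baked" string: first é precomposed, second é decomposed.
# It is in neither NFC nor NFD, so no single normalization reproduces it.
HALF_BAKED = "\u00e9" + "e\u0301"

# Deliberately slow, as password hashing is meant to be. Assumed value for
# illustration only, not a tuning recommendation.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash over the UTF-8 bytes of the (possibly normalized) string."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password: str, normalize: bool = True, salt: Optional[bytes] = None) -> dict:
    """Build the stored record. With normalize=True the password is put into NFC
    before hashing, so the stored hash depends only on the canonical form."""
    if salt is None:
        salt = os.urandom(16)
    if normalize:
        password = unicodedata.normalize("NFC", password)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Verifier that applies the same NFC step enrollment did: one slow hash."""
    candidate = unicodedata.normalize("NFC", candidate)
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def verify_with_fallback(record: dict, candidate: str) -> bool:
    """The alternative sketched in the thread: straight check first, then fall
    back to normalized forms. Each attempt costs a full slow hash, and a record
    enrolled from a mixed-form string is matched by none of the fallbacks."""
    attempts = [candidate] + [unicodedata.normalize(f, candidate) for f in ("NFC", "NFD")]
    for form in attempts:
        if hmac.compare_digest(record["hash"], hash_password(form, record["salt"])):
            return True
    return False


def normalization_cost_ratio(password: str) -> float:
    """Wall-clock time of one NFC normalization divided by one password hash.
    Shows that normalization is not the bottleneck next to a slow hash."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    unicodedata.normalize("NFC", password)
    t1 = time.perf_counter()
    hash_password(password, salt)
    t2 = time.perf_counter()
    return (t1 - t0) / (t2 - t1)


if __name__ == "__main__":
    rec = enroll(CAFE_NFC)
    print("NFC-enrolled, NFD candidate:", verify(rec, CAFE_NFD))
    raw = enroll(HALF_BAKED, normalize=False)
    nfc_candidate = unicodedata.normalize("NFC", HALF_BAKED)
    print("mixed-form stored, NFC candidate with fallback:",
          verify_with_fallback(raw, nfc_candidate))
    print("normalize/hash time ratio:", normalization_cost_ratio(CAFE_NFD))
```

Running the script shows the three points of the exchange: a hash enrolled from NFC accepts the NFD spelling when the verifier normalizes; a hash enrolled from the mixed-form string without normalization is rejected for both the NFC and NFD spellings even with the fallback loop, because neither form reproduces the original bytes; and the normalization step takes a negligible fraction of the time of a single slow hash.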