IETF Logo Mail Archive

Re: [http-auth] Proposed change for MutualAuth (1) - Use of Password-hardening

Yutaka OIWA <y.oiwa@aist.go.jp> Wed, 05 March 2014 19:14 UTC

Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 377B91A0162 for <http-auth@ietfa.amsl.com>; Wed, 5 Mar 2014 11:14:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.679
X-Spam-Level:
X-Spam-Status: No, score=-3.679 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PbbF_QUTqHWT for <http-auth@ietfa.amsl.com>; Wed, 5 Mar 2014 11:14:29 -0800 (PST)
Received: from na3sys010aog107.obsmtp.com (na3sys010aog107.obsmtp.com [74.125.245.82]) by ietfa.amsl.com (Postfix) with ESMTP id 63C221A021A for <http-auth@ietf.org>; Wed, 5 Mar 2014 11:14:25 -0800 (PST)
Received: from mail-ve0-f174.google.com ([209.85.128.174]) (using TLSv1) by na3sys010aob107.postini.com ([74.125.244.12]) with SMTP ID DSNKUxd3jYwTRUAuaR+/HqwAhJNk8+VEHjyU@postini.com; Wed, 05 Mar 2014 11:14:22 PST
Received: by mail-ve0-f174.google.com with SMTP id oz11so1500187veb.19 for <http-auth@ietf.org>; Wed, 05 Mar 2014 11:14:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aist.go.jp; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=V4F74+TOF5Gx5MnwsXRVgtPW/RjF9oLzyNGjJLyfeZ0=; b=gaXhitEQN5cZFHQvH5n2ds8aqxO6w9sLz3od2xnT9i6uQ4vP6QyA4/gs09VXOwQJII mtdP+AFfpywtg3vx8K00EycVFhUf0Mf+UeLXUutI/fH5n8vLghexwyiSyXeEGREIcvNi E3KzawBaxIgZBBaVJ1laxv+Sj5PujrD2qcIPU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=V4F74+TOF5Gx5MnwsXRVgtPW/RjF9oLzyNGjJLyfeZ0=; b=LK/YRLNqitHiMwXXIG9//tH6E+AJ7EzMsPAgqe6wbdnAYOPYKi4I5ZkeJlA1C4t2sE yz2iu7dfG+itk+omI7uq6pnJNbUQVamTp22QNrT61iydUhM+6hHwB7U/eoWOFZGz/dXa uPyY3PBvwzN/AYYlZfn+xCt2WncDKAzHMCMTXqBXACliEpd+LhpfAFgQvsZraZYKBRfF KDTGKGZ/anO/K0Gb8k79pC/+mxNgyauu/PIP9er15CPCWK3yo3aYdk4OuIlq9nI7l2Ok /s9t/0Tceiqa8IuUZRkJXXlXe00QjZY9+gOnITpmO+WendoZTwahg7uruA5KC+Ot/uia Qr1w==
X-Gm-Message-State: ALoCoQnzh2Oql3cTeEOwK9RxqWycWy3bGt9SL1jrvLB3ojxJTNQerYzM4OFg563P1cvGU3NHT0sN+x2GYXpzgCqcPs6f1W7K23YwcFzkfR24OhKTHT+xCgvJAO8PisIK5koIS8vt/6JWwGmifCt67leW5/7EoQzN4A==
X-Received: by 10.52.247.231 with SMTP id yh7mr1872036vdc.34.1394046861213; Wed, 05 Mar 2014 11:14:21 -0800 (PST)
X-Received: by 10.52.247.231 with SMTP id yh7mr1872029vdc.34.1394046861109; Wed, 05 Mar 2014 11:14:21 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.100.227 with HTTP; Wed, 5 Mar 2014 11:14:01 -0800 (PST)
In-Reply-To: <20140305175706.GV3070@sentinelchicken.org>
References: <CAMeZVwvq6n=3-nszLb-6CLCe7NzNEpGFeahnAbD6Z=2cx2FVew@mail.gmail.com> <20140305175706.GV3070@sentinelchicken.org>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Thu, 06 Mar 2014 04:14:01 +0900
Message-ID: <CAMeZVwt92JLvaqZPBGk0sF+zkqqpSPXU4ghaC=eiK3j_h=0UEw@mail.gmail.com>
To: Tim <tim-research@sentinelchicken.org>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/iLZXZNUVoO4qWmChHIRcIP3WJ0U
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Proposed change for MutualAuth (1) - Use of Password-hardening
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 19:14:32 -0000

Dear Tim,

Thank you very much for the information.
It's very interesting.  I'll read the paper and
how it can be used for benefit on our proposal...

# long-while expiring draft is an issue, indeed...
# to use it, someone should take care of that.


2014-03-06 2:57 GMT+09:00 Tim <tim-research@sentinelchicken.org>:
>
>>  * Which function, possibly other than PBKDF2, will be the best
>>    choice for the hardened password hash function?
>>    I currently chose PBKDF2 just because there is an RFC.
>
> I'm currently fond of scrypt, since it can be made memory-hard in
> addition to computationally hard.  There was an attempt to standardize
> it, but it appears the draft has expired:
>   https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01
>
> I believe scrypt is used as the work-factor function in several
> crypto-currencies, so it certainly does receive some scrutiny,
> security-wise. I'm not sure how difficult it would be to integrate
> this into your protocol...
>
> tim



-- 
Yutaka OIWA, Ph.D.                 Leader, System Life-cycle Research Group
                               Research Institute for Secure Systems (RISEC)
     National Institute of Advanced Industrial Science and Technology (AIST)
                       Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

v2.23.0 | Report a Bug | By Email