Re: IETF LC Gen-ART review of draft-harkins-salted-eap-pwd-06

worley@ariadne.com (Dale R. Worley) Fri, 09 September 2016 19:38 UTC

Return-Path: <worley@alum.mit.edu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A669B12B337 for <ietf@ietfa.amsl.com>; Fri, 9 Sep 2016 12:38:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.934
X-Spam-Level:
X-Spam-Status: No, score=-1.934 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OW-j_AzGy0Lq for <ietf@ietfa.amsl.com>; Fri, 9 Sep 2016 12:38:20 -0700 (PDT)
Received: from resqmta-ch2-01v.sys.comcast.net (resqmta-ch2-01v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7F1812B203 for <ietf@ietf.org>; Fri, 9 Sep 2016 12:38:19 -0700 (PDT)
Received: from resomta-ch2-13v.sys.comcast.net ([69.252.207.109]) by resqmta-ch2-01v.sys.comcast.net with SMTP id iRX6bq6wjTaLwiRcxbocJM; Fri, 09 Sep 2016 19:38:19 +0000
Received: from hobgoblin.ariadne.com ([73.100.16.189]) by resomta-ch2-13v.sys.comcast.net with SMTP id iRcvbafN4DFgBiRcwbyog1; Fri, 09 Sep 2016 19:38:19 +0000
Received: from hobgoblin.ariadne.com (hobgoblin.ariadne.com [127.0.0.1]) by hobgoblin.ariadne.com (8.14.7/8.14.7) with ESMTP id u89JcHaD020822; Fri, 9 Sep 2016 15:38:17 -0400
Received: (from worley@localhost) by hobgoblin.ariadne.com (8.14.7/8.14.7/Submit) id u89JcHEl020819; Fri, 9 Sep 2016 15:38:17 -0400
X-Authentication-Warning: hobgoblin.ariadne.com: worley set sender to worley@alum.mit.edu using -f
From: worley@ariadne.com (Dale R. Worley)
To: Daniel Harkins <dharkins@arubanetworks.com>
Subject: Re: IETF LC Gen-ART review of draft-harkins-salted-eap-pwd-06
In-Reply-To: <74089959-67DF-4382-BEFF-8B6DFF3E8E25@arubanetworks.com> (dharkins@arubanetworks.com)
Sender: worley@ariadne.com (Dale R. Worley)
Date: Fri, 09 Sep 2016 15:38:16 -0400
Message-ID: <87k2ekvp7b.fsf@hobgoblin.ariadne.com>
X-CMAE-Envelope: MS4wfOrG9FqW+CTkVwutcvofJ3Yvr5a0UlWVAw3sLcqzkhrkzJWM+xuOY0fuxDllEfEjIx7Iemp7rRrxJzUbSqKFRgzef+0ydcldQojsuDmLmYfYs0XQtMm/ 5tyPtvFWIE4L7lBcM9t2P8Zp8n54AzOA00NNqCq5cdySn9UyZsoQYjnE8bEgqDa0oFgS8ZWx+CiVGEZrsUvA5+btEHCE792MXqwt5l/KWFw0PKmJwtNUBYy6 /0fIYE+T1xu0DkYNbAK688wCKKVdZm2VGOfH+vYRsIwXXZPUgUmgFsGnXvtb8o/F
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/TUBdTzCNJuYhSJihPHpcAv3AQJk>
Cc: draft-harkins-salted-eap-pwd.all@ietf.org, gen-art@ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2016 19:38:21 -0000

Daniel Harkins <dharkins@arubanetworks.com> writes:
>>It might be worth noting that any salted password remote authorization
>>protocol has the same limitation as this draft's method, viz., that
>>disclosure of the hash of the salted password allows an attacker to
>>impersonate a client.  That is, that this method is not somehow
>>deficient because it also has that property.
>
>   I don't think that is true. The client needs to know the password,
> not the salted
> hash.

Maybe I'm misunderstanding you, but I think you're incorrect.  Indeed,
your draft says 

   the salted password from a compromised database can be used directly
   to impersonate the EAP-pwd client

The reason that this impersonation can be done is that this is a
*remote* authorization protocol, and there is no way for the server to
compel the attacker to hash what the attacker knows with the salt and
then transmit the result.  Whereas in a *local* authorization protocol,
the server compels the user to present the supposed password, and then
the server hashes it with the salt.

Dale