IETF Logo Mail Archive

[kitten] Comments on draft-ietf-kitten-password-storage-04

Jim Fenton <fenton@bluepopcorn.net> Sun, 21 March 2021 00:31 UTC

Return-Path: <fenton@bluepopcorn.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95E673A0F13 for <kitten@ietfa.amsl.com>; Sat, 20 Mar 2021 17:31:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BQcLlqPq2uUi for <kitten@ietfa.amsl.com>; Sat, 20 Mar 2021 17:31:12 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0748A3A0F0F for <kitten@ietf.org>; Sat, 20 Mar 2021 17:31:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bluepopcorn.net; s=supersize; h=Content-Transfer-Encoding:Content-Type: MIME-Version:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=joey2/kQk6N1+/ZrJeWjgmTrufo+lJ+o/nwQ6Ck/lww=; b=VbXJ7oGqC75nRFm3W8otJJHe+s gyOr01fyUe2AslAXxk1Fa/oMMgurr4YApRJZ/mqcfB9PNrpnp1Xup46L41Qwuw/EWmkuBH+QYJlQ/ tD4QCbmIdc//0asbu6a0WLsSA89Djvc71lQk3kyhvYgM2k9RJoLpKTC5+sktMl8p/FhM=;
Received: from [2601:647:4400:1261:e96d:d840:4bd1:2e33] (helo=[10.10.20.144]) by v2.bluepopcorn.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <fenton@bluepopcorn.net>) id 1lNlzo-0000oZ-QB; Sat, 20 Mar 2021 17:31:09 -0700
From: "Jim Fenton" <fenton@bluepopcorn.net>
To: "Sam Whited" <sam@samwhited.com>
Cc: "KITTEN Working Group" <kitten@ietf.org>
Date: Sat, 20 Mar 2021 17:31:07 -0700
X-Mailer: MailMate (1.13.2r5673)
Message-ID: <E4D53992-EFFD-4938-8427-D276B5A0A178@bluepopcorn.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format=flowed; markup=markdown
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/M8LHRT9tBJ46zl3cXIqfrfQJ-hE>
Subject: [kitten] Comments on draft-ietf-kitten-password-storage-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Mar 2021 00:31:14 -0000

Some comments on the draft:

Abstract: “other authentication secrets”: There are authentication 
secrets with high enough entropy that iterated/salted/peppered storage 
is overkill. An example (although I’m not sure how relevant to SASL) 
is a secret used for generating time-based one-time passwords; in this 
case you can’t hash the secret at all. I’d suggest targeting this 
more specifically to modest-entropy secrets (memorized secrets being the 
obvious example).

1.1 Pepper definition: “They must not be stored alongside…” This 
is a normative MUST, so all caps. But the better place to put a 
normative requirement like this is probably in section 4.2 rather than 
in the definition.

3.1 “man in the middled”: aside from the verbing of a common term, 
this is inappropriately gendered. Suggest “has successfully executed 
an in-the-middle attack”

3.2 “authenticators”: suggest “authentication secrets” (2 
places). Similarly in 4.1; perhaps other places.

4.1: I’m concerned that the MUST NOT here conflicts with the SHOULD 
NOT regarding OBSOLETE and LIMITED mechanisms in Section 2. Of course, 
MD5 is not an SASL mechanism per se, and “support any mechanism” in 
this context may not necessarily mean an SASL mechanism, but I still 
found this vaguely confusing.

4.2: “more up to date numbers may be found in [OWASP.CS.passwords]” 
I couldn’t find this in the OWASP recommendations. As I think I 
commented before, I think the salt and pepper minimums are too large. 
Salt is needed to make rainbow tables impractical and to deduplicate 
entries with the same password, so 32 bits should be sufficient (this 
value is used in NIST SP 800-63B). The pepper value needs to be large 
enough to resist brute-force and other likely attacks; NIST SP 800-131A 
specifies 112 bits. I’d suggest not getting carried away on the 
minimums.

4.3: “using a cryptographically secure hash such as SHA256” is a 
poor example because elsewhere it says not to use plain SHA256 since 
it’s fast. Suggest you use a real KDF as an example.

5.2: Bcrypt is no longer the current (top) OWASP recommendation.

7: Suggest saying something about Unicode characters and password 
length, that the 8 character minimum doesn’t mean 8 bytes of Unicode. 
SP 800-63B says, “Each Unicode code point SHALL be counted as a single 
character” which is better but I’m not sure is the perfect wording 
since accents, etc. are code points and the Scottish flag is apparently 
7 code points.

-Jim

v2.8.7 | Report a Bug | By Email