IETF Logo Mail Archive

Re: [kitten] Comments on draft-ietf-kitten-password-storage-04

steve@tobtu.com Fri, 02 April 2021 22:20 UTC

Return-Path: <steve@tobtu.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29C093A25E5 for <kitten@ietfa.amsl.com>; Fri, 2 Apr 2021 15:20:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.918
X-Spam-Level:
X-Spam-Status: No, score=-1.918 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iDRWMov3VdXC for <kitten@ietfa.amsl.com>; Fri, 2 Apr 2021 15:19:55 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59BF33A25E3 for <kitten@ietf.org>; Fri, 2 Apr 2021 15:19:55 -0700 (PDT)
Received: from oxusgaltgw07.schlund.de ([10.72.72.53]) by mrelay.perfora.net (mreueus004 [74.208.5.2]) with ESMTPSA (Nemesis) id 1MIxeQ-1lCZBQ1NSk-00KN3d for <kitten@ietf.org>; Sat, 03 Apr 2021 00:19:54 +0200
Date: Fri, 02 Apr 2021 17:19:53 -0500
From: steve@tobtu.com
To: KITTEN Working Group <kitten@ietf.org>
Message-ID: <1851819717.317233.1617401993949@email.ionos.com>
In-Reply-To: <5f8e8af3-7ab6-4523-be19-82b4bd949603@www.fastmail.com>
References: <E4D53992-EFFD-4938-8427-D276B5A0A178@bluepopcorn.net> <2110984725.110415.1616290531763@email.ionos.com> <37ae1f6c-2c39-4a76-995c-642a91131553@www.fastmail.com> <1510312202.215184.1617394615886@email.ionos.com> <5f8e8af3-7ab6-4523-be19-82b4bd949603@www.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.4-Rev20
X-Originating-Client: open-xchange-appsuite
X-Provags-ID: V03:K1:hT/Yw+4qR+4NwfIUj2kMIe8XYsxSBvhOt0IwSzgjBxQmeb6+y32 L2DVu1thFVegCDum93emb1obaZ+oJE/D91wv8YovpLObi7uFG/FSE/zpxONBST61qKowJRc waoLNnoPZ14o66i+d4tVZDEKORfj+gGpmhH67mvmUNmBrjG3TwiYOGUCeaXlEwbb1uqdswD HQPlyk8g5eMCeoF1U738w==
X-UI-Out-Filterresults: notjunk:1;V03:K0:5WtjE+Q4Ri4=:YJwLQNXxLd2sdbQq2wKPw0 lW2kpxkOTnszyfB6k19KfEfqbgO5bp0m+KJs7AyNPQYfHR0WPwMhfg10PGXs6CWMHKTlSMXbt MZ4XJfhh2LAgh9r1RnRTCqYFRqGR94ROmIh1mE3ULpUOK3NOeCRajUfMXaxhcm/qHrpWGHaGU NzBZnnn4raZHJj+7vt2HyWZ3AcbWGS3kR2LSZD6Lw3AHV/LGThG2lcSFA5qjJb0IP2v4KnAYK eD9urDsoFSV/HtQ5/xTuW2tNNbc/NxUXmPvo9RHp2gQ8XflB1Z+EYN+wOJZmnChGGR+65ukmi o0dAsNAIxI3Lf+T2sB4KOk09wlijm0zXAg8A8lnhtdvVDx/mvIM8cWMU/IjtctgCn8plw//ie tSvQ5uEIQCjn2j8inDlODHyR/r4ZZKvVtkaQDuk6FgozqB7EEyDbQtj8qmjhh6Bj8xqtL9yH7 Z4bAF1bU8UTr1dcmtcrDWEW+gcvaYVlyRoJuDIhG+C4luD5fXRLw
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/S7CICmjuWQ1LsBEubrxz0Kzka2o>
Subject: Re: [kitten] Comments on draft-ietf-kitten-password-storage-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Apr 2021 22:20:00 -0000

I haven't sent it yet. I should probably read through their message history, but I was considering just forwarding that.

> On 04/02/2021 3:29 PM Sam Whited <sam@samwhited.com> wrote:
> 
>  
> Thank you. Have you sent that to the IRTF list (I'm not on there, so
> apologies if you have)? I feel pretty strongly that this document should
> just link to and mirror what draft-irtf-cfrg-argon2 says, so we should
> probably fix it there if their numbers aren't great.
> 
> Thanks again for the feedback.
> 
> —Sam
> 
> On Fri, Apr 2, 2021, at 16:16, steve@tobtu.com wrote:
> > > On 04/01/2021 5:57 PM Sam Whited <sam@samwhited.com> wrote:
> > >
> > >
> > > Out of curiosity, why the lower memory size and a single lane, as
> > > opposed to the m=2GiB, t=1, p=4 from
> > > https://tools.ietf.org/html/draft-irtf-cfrg-argon2-13#section-7.3
> > >
> >
> > My suggestion of "Argon2id m=37 MiB, t=1, p=1 or m=15 MiB, t=2, p=1"
> > is based on facts. "Argon2id m=2 GiB, t=1, p=4" is based on feelings.
> > Also I think I gave like 4 or 5 and OWASP went with the first two. The
> > third one "m=10 MiB, t=3, p=1" is important since those settings can
> > be used with Argon2i (because t≥3).
> >
> > https://tools.ietf.org/html/draft-irtf-cfrg-argon2-13#section-7.4:
> > "The Argon2id variant with t=1 and 2GiB memory is FIRST RECOMMENDED
> > option and is suggested as a default setting for all environments.
> > This setting is secure against side-channel attacks and maximizes
> > adversarial costs on dedicated bruteforce hardware.  The Argon2id
> > variant with t=3 and 64 MiB memory is SECOND RECOMMENDED option and is
> > suggested as a default setting for memory-constrained environments."
> >
> > Let's break that down. (Note section 4 states p=4 for both)
> >
> > FIRST RECOMMENDED option: Argon2id m=2 GiB, t=1, p=4 SECOND
> > RECOMMENDED option: Argon2id m=64 MiB, t=3, p=4
> >
> > For an attacker with enough memory, these settings should be
> > similarly hard. In reality the one with lower memory usage should be
> > harder for an attacker with enough memory. *BUT* "m=2 GiB, t=1"
> > reads/writes 4 GiB of memory and "m=64 MiB, t=3" reads/writes 0.5 GiB
> > of memory. So "m=2 GiB, t=1" is 8x harder than "m=64 MiB, t=3" given
> > an attacker with enough memory. To match memory reads/writes you need
> > "m=64 MiB, t=22".
> >
> > So their two recommended options don't match in quality.
> >
> > "[Argon2id m=2 GiB, t=1, p=4] is suggested as a default setting for
> > all environments." Looking at VPS services with 4 GiB and both sites I
> > checked have 4 GiB, 2 CPU cores (yes there are 8 GiB, 4 CPU cores, but
> > I'm going with just enough memory to run it). Which means you should
> > have p=2. Also unless you implement a queuing system you should not
> > run "m=2 GiB, t=1, p=4". Since an attacker can easily DoS by exceeding
> > memory usage with only a few request per second. P.S. This takes 1.4
> > seconds on my computer which is a very long time for authentication.
> >
> > Now "This setting is secure against side-channel attacks..." [citation
> > needed]. Do side-channel attacks stop working when 4 threads are
> > randomly reading in 1 GiB of memory? I'd say no. Argon2id with side-
> > channel attacks drops it to Argon2i m=m'/4*(1+x/p), t=1 where x is 1
> > or 2. x is 2 with probability of ((p-1)/p)^p. Also you'll never need
> > to keep more than m/p/2 amount of memory. The actual amount is less
> > and based on probabilities. So "Argon2id m=2 GiB, t=1, p=4" with a side-
> > channel attack turns into "Argon2i m=640 MiB, t=1" with 68.4%
> > probability or "Argon2i m=768 MiB, t=1" with 31.6% probability. I'm
> > not aware of Argon2i t=1 attacks that just disappear when m is large-
> > ish like 640 MiB or 768 MiB.
> >
> > ----
> >
> > OK now why is "Argon2id m=37 MiB, t=1, p=1; m=15 MiB, t=2, p=1; or
> > m=10 MiB, t=3, p=1" based on facts? Also these are minimum good
> > settings. You can go higher.
> >
> > After searching for CPUs, GPUs, and FPGAs, the best attacker is GPUs.
> > FPGAs have 1/2 to 1/3 the memory bandwidth as GPUs. CPUs have 1/4 to
> > 1/20 the memory bandwidth as GPUs.
> >
> > GPUs: RTX 3080: 10 GiB, 760.0 GB/s RTX 3090: 24 GiB, 935.8 GB/s (takes
> > 3 "PCI slots" vs 2) Radeon VII: 16 GiB, 1028 GB/s
> >
> > There are these GPUs. Cost is unknown but a system with 8 A100 cards
> > is $200k: A100 80GB​: 80 GiB, 2039 GB/s
> > A100: 40 GiB, 1555 GB/s
> >
> > Since the current best cost/performance GPU for password cracking is
> > the RTX 3080, I'll go with that. Memory hard algorithms cracking speed
> > is based on memory bandwidth if there's enough computing power. At low
> > memory usage we can assume it gets near max bandwidth. The goal for a
> > good password hash/KDF for auth is <10 kH/s/GPU. Basically <10
> > kH/s/GPU is good and ≥10 kH/s/GPU is not good. Therefore a memory hard
> > algorithm needs to read/write at least 72.5 MiB
> > (760,000,000,000/10,000/1024/1024). "m=37 MiB, t=1" does 74 MiB, "m=15
> > MiB, t=2" does 75 MiB, and "m=10 MiB, t=3" does 80 MiB. These are just
> > higher than 72.5 MiB which means the theoretical max is <10 kH/s/GPU.
> > You could argue that an attacker could buy Radeon VII's which would
> > push those to read/write at least 98.1 MiB. I'd argue that people
> > aren't building password cracking rigs specifically for memory hard
> > algorithms, but let's say you win: m=50 MiB, t=1: does 100 MiB m=20
> > MiB, t=2: does 100 MiB m=13 MiB, t=3: does 104 MiB
> >
> >
> > Now p=1, I've made this argument in a few places here's the latest
> > with a few minor edits:
> >
> > Stealing a quote from myself "For authentication you should use p=1
> > because a lot of people are running a VPS with a single CPU core. Even
> > if not, one could benchmark this and think they can go higher on
> > settings than they should because they are not thinking about
> > throughput. Also with memory hard algorithms, it would be wise to
> > limit the number of simultaneous instances. An attacker can likely
> > send more requests per second than a server to do. Which will make the
> > server exhaust all memory if there isn't a limit." There's another
> > place I mention that with scrypt even though you can run it with
> > multiple threads, don't. You can think of it as t in Argon2. But if
> > you do set up a queue or mutex, you can use multiple threads (if you
> > are mindful of throughput). This actually makes it a better experience
> > since it's just as strong but during off-peak times latency is faster.
> > Using a queue is better than a mutex. Also have a max queue length and
> > serve a 503 error if queue is too long. Otherwise the connection could
> > timeout and you'll probably still end up doing the work.
> >
> > That's only for when the server is running the password hash. If the
> > client is running a password KDF for a PAKE or some other auth scheme
> > then yes increase p.
> >
> > _______________________________________________
> > Kitten mailing list Kitten@ietf.org
> > https://www.ietf.org/mailman/listinfo/kitten
> >
> 
> -- 
> Sam Whited
> 
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email