IETF Logo Mail Archive

Re: [kitten] Comments on draft-ietf-kitten-password-storage-00

Sam Whited <sam@samwhited.com> Fri, 30 October 2020 01:45 UTC

Return-Path: <sam@samwhited.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 803713A045E for <kitten@ietfa.amsl.com>; Thu, 29 Oct 2020 18:45:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=samwhited.com header.b=nmmWESga; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=hfWdx5No
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XF7KcklybcDe for <kitten@ietfa.amsl.com>; Thu, 29 Oct 2020 18:45:22 -0700 (PDT)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E90D63A0408 for <kitten@ietf.org>; Thu, 29 Oct 2020 18:45:21 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.west.internal (Postfix) with ESMTP id 0FD08A32; Thu, 29 Oct 2020 21:45:20 -0400 (EDT)
Received: from imap34 ([10.202.2.84]) by compute4.internal (MEProxy); Thu, 29 Oct 2020 21:45:21 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samwhited.com; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=MDu7TdItb1/Vk2uIHKliaXS3LRrxfcA Ky6ntAlrptjw=; b=nmmWESgaq71E4hb+Ee8Vpqvd1f4fjHX1ccRMRnxp78qFAqm V9ynaFFR2IWz19EZiSKr/HNe5FvapaPmrKyN/qzFmS7obQ09ggKL9EzirbfAuhmk tmZH3y9+GOi/eAcwaviXduvxiQX8xF8fYTH37IgCF0zZ1hfDdB9imcG38X6Hnfux GqYkFirOahCTqI26p5cS4Pxs0lT7OEHqeF6qxi7/jZWzh2d3BGPvFyu7kuDd5gRJ puVitfBr0OvByb/b0ZdRzw+qdsPnhxOZatclNzXPfwhAh+FSh0vA/vrXsIa+kNzg 3arEOpmjBj1aVvltp1W03DJ4gkb5NlYUW95u7QQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=MDu7Td Itb1/Vk2uIHKliaXS3LRrxfcAKy6ntAlrptjw=; b=hfWdx5NovLf+4Khqi5rrmm 0zeuoC71Lf9PDA0KMJTm4MBeWrrAfbRuXnR2rRqj7FHarPmz2LVMlMoTx2qebQ9A Dy+cvOw0KlqHtQFexl0OUFeJtTxPqOxtVuks/XIsaZdwX8ysR84itBCQ5Ox2ZCcg RXIulUSWtbJTKvqwyD/0Y/ahGCqmQgEaPa5MkL90XOlxF1HjLHrX/fFydRKpTohB 88wVqisL4HOARozowazS6YtlHdlTPv8OpF6VHq+WIIMMiPr+MnV823clxOMBmAHZ LX94Op68R6AxdZjCPu1W75JuAKwi1CdHwvxWMeBlF0d8nlBOGmItDVi5V0hIV59A ==
X-ME-Sender: <xms:MHCbX9Ag43NFvHN5ZK6QP298lqz4t06fLNWmbTHagS3BeTzMMSgBrw> <xme:MHCbX7j05U6UOf_YN5_v9MG4xHM48obZFHgUzk6sK1zBBSbDAez5fiZE6As0rQ-JE WFGnrsN4wxUqLxVZA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrleeggdefjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfufgrmhcu hghhihhtvggufdcuoehsrghmsehsrghmfihhihhtvggurdgtohhmqeenucggtffrrghtth gvrhhnpeduvdfgkeeviedtkedugefhfeevhfehieejheejhfefieffhfduhefggfeuieej keenucffohhmrghinhepghhithhhuhgsrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd enucfrrghrrghmpehmrghilhhfrhhomhepshgrmhesshgrmhifhhhithgvugdrtghomh
X-ME-Proxy: <xmx:MHCbX4naxlIaAz6sLZcvKcpUMbMre6v4fw0gnoqDuIiJmENFMvrslQ> <xmx:MHCbX3yOMXB2pETeYhSixCdAGyiujduOKmZVcmX2nPdnGKl7St-tHg> <xmx:MHCbXyTXsGmqtfksjlCaKS3RLknFW376YS0GOzwF2eS_sQE_RzuwDQ> <xmx:MHCbX5MG_xSxZzuWVPd0U3WQ-4FFs97A5xt7eANzFNnABPYf_9urIQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 278341460062; Thu, 29 Oct 2020 21:45:20 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-530-g8da6958-fm-20201021.003-g69105b13-v35
Mime-Version: 1.0
Message-Id: <1ba8e285-1b39-42aa-8359-94f94f7a6287@www.fastmail.com>
In-Reply-To: <6dde1303-3d0c-6811-c201-00edbe5ab84e@bluepopcorn.net>
References: <6dde1303-3d0c-6811-c201-00edbe5ab84e@bluepopcorn.net>
Date: Thu, 29 Oct 2020 21:44:58 -0400
From: Sam Whited <sam@samwhited.com>
To: Jim Fenton <fenton@bluepopcorn.net>, KITTEN Working Group <kitten@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/VUlUtfEbPtqJlFhfDkHBV2f8dLs>
Subject: Re: [kitten] Comments on draft-ietf-kitten-password-storage-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2020 01:45:24 -0000

Hi Jim et al,

Thanks for your reviews, I have published version 01 of the I-D which I
believe captures all of your feedback.

Thanks again,
Sam

On Fri, Sep 4, 2020, at 20:53, Jim Fenton wrote:
> Hi,
>
> I'm not generally up to speed on the work of the kitten WG, but
> someone pointed out this draft and thought I'd be interested, and I
> am. Please bear that in mind if some of my suggestions conflict with
> GSS-API, Kerberos, etc. And I'm not familiar with the various SASL
> mechanisms so don't have any comments on them.
>
> 1.1 Terminology
>
> Since the term "salt" is so widely used in this document, it would be
> good to reference a specific definition, since RFC 4949, SP 800-132,
> and SP 800-63-3 all have different definitions.
>
> For "pepper", does "not unique" mean that there is one pepper value
> for the entire database that is stored separately? This would be OK if
> the database is salted as well (need to de-duplicate cases where
> different users have the same password).
>
> 3.1 Mechanisms
>
> The end of paragraph 4 talks about providing a strong authenticator
> assurance level. In NIST SP 800-63B, authenticator assurance level is
> a categorization of authentication transactions (1-3), and single-
> factor authentication such as a password is only ever AAL1 regardless
> of how it's done. I suggest a different term be used here.
>
> 4.1 SASL requirements
>
> Hashes that are unsuitable for use with authenticators such as SHA256:
> Should explain what makes them unsuitable. I gather that's because
> SHA256 is too fast, especially with all the stuff developed for
> cryptocurrency mining. But really all hashes are too fast to be used
> alone; they need to be used iteratively or as part of a key derivation
> function that is hopefully time- and memory-hard.
>
> 4.2 Storage
>
> Salts don't really need to be random; they just need to be unique, and
> long enough to make it impractical to construct a rainbow table. "If
> it is stored": the salt, I assume? Please be specific. The pepper
> value should be stored at arm's length from everything else, such as
> in an HSM or otherwise separate place (example:
> https://github.com/jimfenton/rehash ). Storing the pepper in an
> environment variable seems like a really bad idea to me.
>
> As I mentioned above, a minimum salt length of 16 bytes seems
> excessive. NIST SP 800-63B requires 32 bits. Similarly, 32 bytes for
> the pepper is more than is really needed; SP 800-63B calls for 112
> bits (but calls it a "salt" which is confusing).
>
> 4.3 Authentication and rotation
>
> Paragraph 2, "iteration count" - some algorithms refer to this as a
> work factor so suggest "iteration count or work factor".
>
> Paragraph 3, Pepper rotation: In cases where the password is salted
> and iteratively hashed, and then a keyed hash with the pepper value is
> performed after that, it has been suggested that the keyed hash could
> be replaced by a keyed encryption, which has the advantage of allowing
> the key to be rotated by sending the verifier values to the peppering
> process, which could decrypt the verifiers with the old key and
> reencrypt with the new key. This makes a lot of sense; encryption
> isn't really a problem here because there isn't a practical brute
> force threat.
>
> 6. Password complexity
>
> Replace blacklist with blocklist, denylist, or something else
> of course.
>
> "(when paired with the same email or other uniquely identifying
> information)" - This would only result in denial of use of a password
> if it was used by the same account, when really we want to deny the
> use of things like passw0rd entirely. So just compare against the list
> without identifying information (which you don't want to have anyway).
> I'd leave out the part about commonly used patterns -- that leads down
> a slippery slope to the complex composition rules we have today, when
> really we just want to make sure common passwords aren't used. So if
> "aaaaaaaa" is considered a common password, just put it on the
> blocklist.
>
> I'm happy to discuss any of this further. Thanks for putting together
> this draft.
>
> -Jim
>
>
>

-- 
Sam Whited

v2.23.0 | Report a Bug | By Email