IETF Logo Mail Archive

Re: [kitten] Comments on draft-ietf-kitten-password-storage-04

Sam Whited <sam@samwhited.com> Fri, 02 April 2021 20:30 UTC

Return-Path: <sam@samwhited.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0B0D3A2262 for <kitten@ietfa.amsl.com>; Fri, 2 Apr 2021 13:30:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.82
X-Spam-Level:
X-Spam-Status: No, score=-2.82 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=samwhited.com header.b=shCSQrIU; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=EmEEiH/3
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0_YFtb0bgOq for <kitten@ietfa.amsl.com>; Fri, 2 Apr 2021 13:30:15 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E27F73A2266 for <kitten@ietf.org>; Fri, 2 Apr 2021 13:30:14 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 9B1AB5C0112 for <kitten@ietf.org>; Fri, 2 Apr 2021 16:30:13 -0400 (EDT)
Received: from imap34 ([10.202.2.84]) by compute4.internal (MEProxy); Fri, 02 Apr 2021 16:30:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samwhited.com; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm2; bh=g8+VW W5C2mVRnWbwhT4oqDMDb1jPx8gSunCwG+IBECA=; b=shCSQrIUQ9iB8FAHDUz4B raGYRtjo44rVWWmB0uGd9as3v1dcCN3BCLPXrEPG4HbVC/+Z+WhfzVyZw3/vZ3jE Ag+1aKI2qJ08+USGPH/WfTIKIVpjeRSD3uBzj4JQU1P4TGCVv96wyzT6sNN52WZY oyPvbnWKGHqaXoLndhQD1htXzXbZ/aHzNyODRXEMf2+QU2TgKTsGdrSOqEUSOx/+ Ob7dT9qQMTzf3hrQzO4cWrY1C/uLAmOw/oGmAt07troot71Z3COoSqd6nNhxubtS liGbTm+SSlfVrMGkL5NI4pL8+XiEEoNFlgbtFibsqulQ3Vwn1NQn4qYIRUxTg1uE w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=g8+VWW5C2mVRnWbwhT4oqDMDb1jPx8gSunCwG+IBE CA=; b=EmEEiH/3X0ARewfc+LfR6OBtVO98WVmT7seKFL6DybbnyMtZ7m9QIi+wq moHk/95uj4Tle8Dtyu8eOVapj4hVcn6ph0G3oNvGK6TUNHUm/m75RwxUxoLjwCBn u5H99uku7B9mSb5lggR8qGHccfD/hH6OA6B2dvfWBnmE86RC+a2PT9ZVif+RkH69 cMbLLiORTdXEBaVT2o6D+6qSTftawx1Bofzr9POzs1FSS+yh83INPZzWPC6GhQkN a6ThiZBOv0cAVAOowtUBZ3iaED+aKAcLqqoSdhAiwvgGPNswPqTKhz3j/hkNxL5p Uv3zRc1oCuof8nyec7yW3KllnBIGg==
X-ME-Sender: <xms:1X5nYGMlk4jFOZEXtiWQqq8N69VDJUZ3D9YwHZGLZEZqkJN8eHpfHA> <xme:1X5nYE_5d_M55bfwdzoYLv3pbA0Z0enG6Tgvd-7bXKxq4ljWMsRYgyIr812jEgo2L B8NlTRn0o5X5kaDgg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudeiiedgudegkecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefofgggkfgjfhffhffvufgtgfesthhqredtreerjeenucfhrhhomhepfdfu rghmucghhhhithgvugdfuceoshgrmhesshgrmhifhhhithgvugdrtghomheqnecuggftrf grthhtvghrnhepfeduudekkeeuteeuleefgeeuvdeuvdffhedvveeiffeghefhjefftdev veeuvdffnecuffhomhgrihhnpehivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehsrghmsehsrghmfihhihhtvggurdgtohhm
X-ME-Proxy: <xmx:1X5nYNR4RsIK4dtOHCEj8mQ6QfzkuSVqv-wqB4zGIo7k1JY2-uZK3w> <xmx:1X5nYGtW44jzGXhcauM5yrNlTvm2yS14RZX_9grXdCR4War5G8mDJA> <xmx:1X5nYOexVzlA1ZWd_Ue8DOC5C9gMkYzHLtkAjZ1RHjahf87WI2goXA> <xmx:1X5nYIq5z28TRb1KnVOgKiMFZrbexWGUD0AlDcwPg7IGyUWakG77BQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 52E78280076; Fri, 2 Apr 2021 16:30:13 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-273-g8500d2492d-fm-20210323.002-g8500d249
Mime-Version: 1.0
Message-Id: <5f8e8af3-7ab6-4523-be19-82b4bd949603@www.fastmail.com>
In-Reply-To: <1510312202.215184.1617394615886@email.ionos.com>
References: <E4D53992-EFFD-4938-8427-D276B5A0A178@bluepopcorn.net> <2110984725.110415.1616290531763@email.ionos.com> <37ae1f6c-2c39-4a76-995c-642a91131553@www.fastmail.com> <1510312202.215184.1617394615886@email.ionos.com>
Date: Fri, 02 Apr 2021 16:29:52 -0400
From: Sam Whited <sam@samwhited.com>
To: KITTEN Working Group <kitten@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/iCCkw4C4RdKQEnivtmxR1eu_qDA>
Subject: Re: [kitten] Comments on draft-ietf-kitten-password-storage-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Apr 2021 20:30:20 -0000

Thank you. Have you sent that to the IRTF list (I'm not on there, so
apologies if you have)? I feel pretty strongly that this document should
just link to and mirror what draft-irtf-cfrg-argon2 says, so we should
probably fix it there if their numbers aren't great.

Thanks again for the feedback.

—Sam

On Fri, Apr 2, 2021, at 16:16, steve@tobtu.com wrote:
> > On 04/01/2021 5:57 PM Sam Whited <sam@samwhited.com> wrote:
> >
> >
> > Out of curiosity, why the lower memory size and a single lane, as
> > opposed to the m=2GiB, t=1, p=4 from
> > https://tools.ietf.org/html/draft-irtf-cfrg-argon2-13#section-7.3
> >
>
> My suggestion of "Argon2id m=37 MiB, t=1, p=1 or m=15 MiB, t=2, p=1"
> is based on facts. "Argon2id m=2 GiB, t=1, p=4" is based on feelings.
> Also I think I gave like 4 or 5 and OWASP went with the first two. The
> third one "m=10 MiB, t=3, p=1" is important since those settings can
> be used with Argon2i (because t≥3).
>
> https://tools.ietf.org/html/draft-irtf-cfrg-argon2-13#section-7.4:
> "The Argon2id variant with t=1 and 2GiB memory is FIRST RECOMMENDED
> option and is suggested as a default setting for all environments.
> This setting is secure against side-channel attacks and maximizes
> adversarial costs on dedicated bruteforce hardware.  The Argon2id
> variant with t=3 and 64 MiB memory is SECOND RECOMMENDED option and is
> suggested as a default setting for memory-constrained environments."
>
> Let's break that down. (Note section 4 states p=4 for both)
>
> FIRST RECOMMENDED option: Argon2id m=2 GiB, t=1, p=4 SECOND
> RECOMMENDED option: Argon2id m=64 MiB, t=3, p=4
>
> For an attacker with enough memory, these settings should be
> similarly hard. In reality the one with lower memory usage should be
> harder for an attacker with enough memory. *BUT* "m=2 GiB, t=1"
> reads/writes 4 GiB of memory and "m=64 MiB, t=3" reads/writes 0.5 GiB
> of memory. So "m=2 GiB, t=1" is 8x harder than "m=64 MiB, t=3" given
> an attacker with enough memory. To match memory reads/writes you need
> "m=64 MiB, t=22".
>
> So their two recommended options don't match in quality.
>
> "[Argon2id m=2 GiB, t=1, p=4] is suggested as a default setting for
> all environments." Looking at VPS services with 4 GiB and both sites I
> checked have 4 GiB, 2 CPU cores (yes there are 8 GiB, 4 CPU cores, but
> I'm going with just enough memory to run it). Which means you should
> have p=2. Also unless you implement a queuing system you should not
> run "m=2 GiB, t=1, p=4". Since an attacker can easily DoS by exceeding
> memory usage with only a few request per second. P.S. This takes 1.4
> seconds on my computer which is a very long time for authentication.
>
> Now "This setting is secure against side-channel attacks..." [citation
> needed]. Do side-channel attacks stop working when 4 threads are
> randomly reading in 1 GiB of memory? I'd say no. Argon2id with side-
> channel attacks drops it to Argon2i m=m'/4*(1+x/p), t=1 where x is 1
> or 2. x is 2 with probability of ((p-1)/p)^p. Also you'll never need
> to keep more than m/p/2 amount of memory. The actual amount is less
> and based on probabilities. So "Argon2id m=2 GiB, t=1, p=4" with a side-
> channel attack turns into "Argon2i m=640 MiB, t=1" with 68.4%
> probability or "Argon2i m=768 MiB, t=1" with 31.6% probability. I'm
> not aware of Argon2i t=1 attacks that just disappear when m is large-
> ish like 640 MiB or 768 MiB.
>
> ----
>
> OK now why is "Argon2id m=37 MiB, t=1, p=1; m=15 MiB, t=2, p=1; or
> m=10 MiB, t=3, p=1" based on facts? Also these are minimum good
> settings. You can go higher.
>
> After searching for CPUs, GPUs, and FPGAs, the best attacker is GPUs.
> FPGAs have 1/2 to 1/3 the memory bandwidth as GPUs. CPUs have 1/4 to
> 1/20 the memory bandwidth as GPUs.
>
> GPUs: RTX 3080: 10 GiB, 760.0 GB/s RTX 3090: 24 GiB, 935.8 GB/s (takes
> 3 "PCI slots" vs 2) Radeon VII: 16 GiB, 1028 GB/s
>
> There are these GPUs. Cost is unknown but a system with 8 A100 cards
> is $200k: A100 80GB​: 80 GiB, 2039 GB/s
> A100: 40 GiB, 1555 GB/s
>
> Since the current best cost/performance GPU for password cracking is
> the RTX 3080, I'll go with that. Memory hard algorithms cracking speed
> is based on memory bandwidth if there's enough computing power. At low
> memory usage we can assume it gets near max bandwidth. The goal for a
> good password hash/KDF for auth is <10 kH/s/GPU. Basically <10
> kH/s/GPU is good and ≥10 kH/s/GPU is not good. Therefore a memory hard
> algorithm needs to read/write at least 72.5 MiB
> (760,000,000,000/10,000/1024/1024). "m=37 MiB, t=1" does 74 MiB, "m=15
> MiB, t=2" does 75 MiB, and "m=10 MiB, t=3" does 80 MiB. These are just
> higher than 72.5 MiB which means the theoretical max is <10 kH/s/GPU.
> You could argue that an attacker could buy Radeon VII's which would
> push those to read/write at least 98.1 MiB. I'd argue that people
> aren't building password cracking rigs specifically for memory hard
> algorithms, but let's say you win: m=50 MiB, t=1: does 100 MiB m=20
> MiB, t=2: does 100 MiB m=13 MiB, t=3: does 104 MiB
>
>
> Now p=1, I've made this argument in a few places here's the latest
> with a few minor edits:
>
> Stealing a quote from myself "For authentication you should use p=1
> because a lot of people are running a VPS with a single CPU core. Even
> if not, one could benchmark this and think they can go higher on
> settings than they should because they are not thinking about
> throughput. Also with memory hard algorithms, it would be wise to
> limit the number of simultaneous instances. An attacker can likely
> send more requests per second than a server to do. Which will make the
> server exhaust all memory if there isn't a limit." There's another
> place I mention that with scrypt even though you can run it with
> multiple threads, don't. You can think of it as t in Argon2. But if
> you do set up a queue or mutex, you can use multiple threads (if you
> are mindful of throughput). This actually makes it a better experience
> since it's just as strong but during off-peak times latency is faster.
> Using a queue is better than a mutex. Also have a max queue length and
> serve a 503 error if queue is too long. Otherwise the connection could
> timeout and you'll probably still end up doing the work.
>
> That's only for when the server is running the password hash. If the
> client is running a password KDF for a PAKE or some other auth scheme
> then yes increase p.
>
> _______________________________________________
> Kitten mailing list Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>

-- 
Sam Whited

v2.23.0 | Report a Bug | By Email