IETF Logo Mail Archive

Re: [kitten] Comments on draft-ietf-kitten-password-storage-00

Sam Whited <sam@samwhited.com> Thu, 24 September 2020 17:36 UTC

Return-Path: <sam@samwhited.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E89A3A124E for <kitten@ietfa.amsl.com>; Thu, 24 Sep 2020 10:36:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=samwhited.com header.b=NXE/VGhS; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=YY4TB1cL
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EZ97DvUhIENy for <kitten@ietfa.amsl.com>; Thu, 24 Sep 2020 10:36:55 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D76C23A11BC for <kitten@ietf.org>; Thu, 24 Sep 2020 10:36:47 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 2C8175C01A2; Thu, 24 Sep 2020 13:36:47 -0400 (EDT)
Received: from imap34 ([10.202.2.84]) by compute7.internal (MEProxy); Thu, 24 Sep 2020 13:36:47 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samwhited.com; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm1; bh=Ec5Q3 bhEuB/DBBqq2hs3XwMM1cZ1yL2MYbukK9DIhns=; b=NXE/VGhSkcBBIFt0fxvCa Qayx3jbMNvyuR6YkOVzWea9Tvkmq67Q+I4kwU3e7Y0qJ/e2s121jbslSmIhzEd2Z 7S9JXUDCxhosi61wZ+VIfWsCjIlb0fbsI4rOCqqJfUgC34iKy6ZygeDbSQYHuQrB TfCLVPQ26aIoQiuQhhQS4OmiQU97Gy3J8FLIkoUrzhVsuxZZJ8a6qHwE7ANOpHdO 6wtrBv15Ak9VaMoqy0PmUiYdbk7HAYf1fZg/oLbWeSUtAfEnYdkQs/jCwUyFirk4 egbmxrjaZlqGJhLl7Bi9ukGJZ3zHQ80a971gEn14kfya6cML7tSYjE2ThOYZXjYI Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=Ec5Q3bhEuB/DBBqq2hs3XwMM1cZ1yL2MYbukK9DIh ns=; b=YY4TB1cLWlKEWozRJgCBrEkqnpsqE27hn8iGPMgmg1GgsZEgb0NV/MuSs UxwNdsFJeeUmvaJZqXpXs5M16bDo0hDRJ4XJV9b9M0PzTr2BmlrlGjpupKfQ+y7O u8PYcw7q/J/KdQSIXu4yRlU+ef0kHn04nYkl0KIQ+NQ5kcsne/fM1QepBL7OqfJj hFIMW1Zdg18vUGm0yW9oIW6cxRk+MmgWyMCJeYZywpQ4axr1o6dHIl0ce8GaJizs Ovs7BaRFlQfGquL2iJ3CnINClm9SKKv10h3KW0U7loUu1pjW26QbcJ8bygZdiH2Z MylHTr1/cBPgLTBDsq8qlnp2kIkqg==
X-ME-Sender: <xms:LtlsX-25RrU-v3SaTgiyT8SDpaD5kmwA9YI7i_3-BcrN8ydDbReh2g> <xme:LtlsXxE0mu6NAyFmuPX-IYYQHeVdHEUKLS9QkRuSvSqc7BQJgtQzs9N6I11eNsP28 7iuDifM7s5M7sbLNA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudekgdduudejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvffutgfgsehtqhertderreejnecuhfhrohhmpedfufgr mhcuhghhihhtvggufdcuoehsrghmsehsrghmfihhihhtvggurdgtohhmqeenucggtffrrg htthgvrhhnpeehkeelkeeifeetfeejhfeukedukedtjeetueevteeigedtffffvefgfeei udeffeenucffohhmrghinhepghhithhhuhgsrdgtohhmnecuvehluhhsthgvrhfuihiivg eptdenucfrrghrrghmpehmrghilhhfrhhomhepshgrmhesshgrmhifhhhithgvugdrtgho mh
X-ME-Proxy: <xmx:LtlsX27Je9fpflgs4DAgY7fkld0JVqVn31JaKBsnr9du5kT1J2mIIg> <xmx:LtlsX_0D-VC2MCoP1lkuVLdYs4iW0U6VR4JCALFeTv6O3KMyyE9gqA> <xmx:LtlsXxHFG4PoFR4G5Cir-oLU2tV-bcFrbQfzw9KZJbggCnSkxBiYJA> <xmx:L9lsXwx4cA1jvjvJ2ZWQGYLVAq1_mCWWIWg3_iHJqmxfD3gBTTjTfQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id B19181460062; Thu, 24 Sep 2020 13:36:46 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-355-g3ece53b-fm-20200922.004-g3ece53b9
Mime-Version: 1.0
Message-Id: <b96fd5b4-d51c-47cb-aef4-db160f824938@www.fastmail.com>
In-Reply-To: <6dde1303-3d0c-6811-c201-00edbe5ab84e@bluepopcorn.net>
References: <6dde1303-3d0c-6811-c201-00edbe5ab84e@bluepopcorn.net>
Date: Thu, 24 Sep 2020 13:36:33 -0400
From: Sam Whited <sam@samwhited.com>
To: Jim Fenton <fenton@bluepopcorn.net>, KITTEN Working Group <kitten@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/oHpwie0kGJCpJdO9qZ_xuelqIWg>
Subject: Re: [kitten] Comments on draft-ietf-kitten-password-storage-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2020 17:36:58 -0000

My apologies, I don't really follow this list so I missed this reply. I
do need to make an update since I've received other feedback off list,
so replies inline (TL;DR — mostly I'm in agreement and will fix everything):

On Fri, Sep 4, 2020, at 20:53, Jim Fenton wrote:
> Since the term "salt" is so widely used in this document, it would be
> good to reference a specific definition, since RFC 4949, SP 800-132,
> and SP 800-63-3 all have different definitions.

I think the definitions these documents use are compatible and are
saying the same thing, but maybe it's worth pointing at a specific
definition for clarity.

> For "pepper", does "not unique" mean that there is one pepper value
> for the entire database that is stored separately? This would be OK if
> the database is salted as well (need to de-duplicate cases where
> different users have the same password).

Yes, the pepper is used alongside the salt and resides outside the
database (eg. it may be baked into an application, or part of a config
file). I will attempt to clarify this.

> The end of paragraph 4 talks about providing a strong authenticator
> assurance level. In NIST SP 800-63B, authenticator assurance level is
> a categorization of authentication transactions (1-3), and single-
> factor authentication such as a password is only ever AAL1 regardless
> of how it's done. I suggest a different term be used here.

Good eye, I'll fix this. Thanks.

> Hashes that are unsuitable for use with authenticators such as SHA256:
> Should explain what makes them unsuitable. I gather that's because
> SHA256 is too fast, especially with all the stuff developed for
> cryptocurrency mining. But really all hashes are too fast to be used
> alone; they need to be used iteratively or as part of a key derivation
> function that is hopefully time- and memory-hard.

I am using my terminology loosely here, you're correct, I should be
saying "hashes are unsuitable, use a KDF" not "some hashes like PBKDF.2
are okay, but other hashes like SHA256 are not", which is not really
accurate enough for this document.

> Salts don't really need to be random; they just need to be unique, and
> long enough to make it impractical to construct a rainbow table. "If
> it is stored": the salt, I assume? Please be specific.

I think recommending randomness is still probably a good idea, but this
is fair. Will update.

> The pepper value should be stored at arm's length from everything
> else, such as in an HSM or otherwise separate place (example:
> https://github.com/jimfenton/rehash ). Storing the pepper in an
> environment variable seems like a really bad idea to me.

I disagree that storing it in an environment variable is bad (though of
course a HSM would be ideal), the point of the pepper is to provide a
separate value that isn't stolen if eg. the attacker can steal the
database. Of course, if the attacker can steal the DB they *may* be able
to enumerate environment variables as well, but then again they may not.

> As I mentioned above, a minimum salt length of 16 bytes seems
> excessive. NIST SP 800-63B requires 32 bits. Similarly, 32 bytes for
> the pepper is more than is really needed; SP 800-63B calls for 112
> bits (but calls it a "salt" which is confusing).

I took these values from OWASP recommendations which are often more up
to date than the SP series, I'll make sure that's cited correctly.

> Paragraph 2, "iteration count" - some algorithms refer to this as a
> work factor so suggest "iteration count or work factor".

I'll make sure the definitions mention this (and are referenced on first
use of the term).

> Replace blacklist with blocklist, denylist, or something else
> of course.

Good idea; will do.

> "(when paired with the same email or other uniquely identifying
> information)" - This would only result in denial of use of a password
> if it was used by the same account, when really we want to deny the
> use of things like passw0rd entirely. So just compare against the list
> without identifying information (which you don't want to have anyway).
> I'd leave out the part about commonly used patterns -- that leads down
> a slippery slope to the complex composition rules we have today, when
> really we just want to make sure common passwords aren't used. So if
> "aaaaaaaa" is considered a common password, just put it on the
> blocklist.

Good idea; I've done pattern based stuff before for a company I worked
for, and it really does end up just being a mess for very little value
(I suspect).

Thanks for the feedback! I've recently started a new job so I'm not sure
if/when I'll have time to update this document again, but I am saving
feedback and will attempt to prepare a future update at some point.


—Sam

v2.23.0 | Report a Bug | By Email