Re: [kitten] Comments on draft-ietf-kitten-password-storage-04
Jim Fenton <fenton@bluepopcorn.net> Sun, 21 March 2021 02:33 UTC
Return-Path: <fenton@bluepopcorn.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id BFE843A1275
for <kitten@ietfa.amsl.com>; Sat, 20 Mar 2021 19:33:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 1Ly4XlwWkoSL for <kitten@ietfa.amsl.com>;
Sat, 20 Mar 2021 19:33:13 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 19F643A1274
for <kitten@ietf.org>; Sat, 20 Mar 2021 19:33:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=bluepopcorn.net; s=supersize; h=Content-Transfer-Encoding:Content-Type:
MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender
:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:
List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=hVnwG+9SJipB0VJEokxkLYkRJEQUGljPf2T61i9/x80=; b=proCo14GrFNJt5B+8SqF9c6r0k
1oY2UEMuXOMGEjEdv7T2zuZHDz721z/DetD26VgtmboprVgQiuJmI5PtCQJA2oZkQt+rxT07RvmL1
0gjkcgcoetzCfyKgRR3BuWlrKK/94Wu30JcxpaaW/qmaRQLWAc56oVso6UPM0i3QoHBI=;
Received: from [2601:647:4400:1261:e96d:d840:4bd1:2e33] (helo=[10.10.20.144])
by v2.bluepopcorn.net with esmtpsa
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
(envelope-from <fenton@bluepopcorn.net>)
id 1lNntt-0001GM-9d; Sat, 20 Mar 2021 19:33:10 -0700
From: "Jim Fenton" <fenton@bluepopcorn.net>
To: steve@tobtu.com
Cc: kitten@ietf.org
Date: Sat, 20 Mar 2021 19:33:07 -0700
X-Mailer: MailMate (1.13.2r5673)
Message-ID: <A98BD97E-B7D6-46E1-B433-3A302CE3CB30@bluepopcorn.net>
In-Reply-To: <2110984725.110415.1616290531763@email.ionos.com>
References: <E4D53992-EFFD-4938-8427-D276B5A0A178@bluepopcorn.net>
<2110984725.110415.1616290531763@email.ionos.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/toFBq1fMqhyq6uFfGM7h5BIjfZ0>
Subject: Re: [kitten] Comments on draft-ietf-kitten-password-storage-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>,
<mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>,
<mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Mar 2021 02:33:18 -0000
More generally, the OWASP recommendations will change and this document won’t, so it’s not a good idea to refer to what OWASP currently says but rather to point to them as a source of current advice. -Jim On 20 Mar 2021, at 18:35, steve@tobtu.com wrote: > Note on OWASP, it is going through massive changes and should not be > looked at for about a week. Also settings are now based on benchmarks > or theoretical speeds, except bcrypt because "9 feels low". > > Argon2id: > m=37 MiB, t=1, p=1 > m=15 MiB, t=2, p=1 > > bcrypt: > cost 12 > > PBKDF2: > HMAC-SHA1: 720,000 iterations > HMAC-SHA256: 310,000 iterations > HMAC-SHA512: 120,000 iterations > > >> On 03/20/2021 7:31 PM Jim Fenton <fenton@bluepopcorn.net> wrote: >> >> >> Some comments on the draft: >> >> Abstract: “other authentication secrets”: There are >> authentication >> secrets with high enough entropy that iterated/salted/peppered >> storage >> is overkill. An example (although I’m not sure how relevant to >> SASL) >> is a secret used for generating time-based one-time passwords; in >> this >> case you can’t hash the secret at all. I’d suggest targeting this >> more specifically to modest-entropy secrets (memorized secrets being >> the >> obvious example). >> >> 1.1 Pepper definition: “They must not be stored alongside…” >> This >> is a normative MUST, so all caps. But the better place to put a >> normative requirement like this is probably in section 4.2 rather >> than >> in the definition. >> >> 3.1 “man in the middled”: aside from the verbing of a common >> term, >> this is inappropriately gendered. Suggest “has successfully >> executed >> an in-the-middle attack” >> >> 3.2 “authenticators”: suggest “authentication secrets” (2 >> places). Similarly in 4.1; perhaps other places. >> >> 4.1: I’m concerned that the MUST NOT here conflicts with the SHOULD >> NOT regarding OBSOLETE and LIMITED mechanisms in Section 2. Of >> course, >> MD5 is not an SASL mechanism per se, and “support any mechanism” >> in >> this context may not necessarily mean an SASL mechanism, but I still >> found this vaguely confusing. >> >> 4.2: “more up to date numbers may be found in >> [OWASP.CS.passwords]” >> I couldn’t find this in the OWASP recommendations. As I think I >> commented before, I think the salt and pepper minimums are too large. >> Salt is needed to make rainbow tables impractical and to deduplicate >> entries with the same password, so 32 bits should be sufficient (this >> value is used in NIST SP 800-63B). The pepper value needs to be large >> enough to resist brute-force and other likely attacks; NIST SP >> 800-131A >> specifies 112 bits. I’d suggest not getting carried away on the >> minimums. >> >> 4.3: “using a cryptographically secure hash such as SHA256” is a >> poor example because elsewhere it says not to use plain SHA256 since >> it’s fast. Suggest you use a real KDF as an example. >> >> 5.2: Bcrypt is no longer the current (top) OWASP recommendation. >> >> 7: Suggest saying something about Unicode characters and password >> length, that the 8 character minimum doesn’t mean 8 bytes of >> Unicode. >> SP 800-63B says, “Each Unicode code point SHALL be counted as a >> single >> character” which is better but I’m not sure is the perfect >> wording >> since accents, etc. are code points and the Scottish flag is >> apparently >> 7 code points. >> >> -Jim >> >> _______________________________________________ >> Kitten mailing list >> Kitten@ietf.org >> https://www.ietf.org/mailman/listinfo/kitten > > _______________________________________________ > Kitten mailing list > Kitten@ietf.org > https://www.ietf.org/mailman/listinfo/kitten
- [kitten] Comments on draft-ietf-kitten-password-s… Jim Fenton
- Re: [kitten] Comments on draft-ietf-kitten-passwo… steve
- Re: [kitten] Comments on draft-ietf-kitten-passwo… Jim Fenton
- Re: [kitten] Comments on draft-ietf-kitten-passwo… Sam Whited
- Re: [kitten] Comments on draft-ietf-kitten-passwo… Sam Whited
- Re: [kitten] Comments on draft-ietf-kitten-passwo… steve
- Re: [kitten] Comments on draft-ietf-kitten-passwo… Sam Whited
- Re: [kitten] Comments on draft-ietf-kitten-passwo… steve
- Re: [kitten] Comments on draft-ietf-kitten-passwo… Jim Fenton
- Re: [kitten] Comments on draft-ietf-kitten-passwo… Sam Whited