Re: [kitten] draft-hansen-scram-sha256 and the hash iteration count
Simon Josefsson <simon@josefsson.org> Wed, 25 February 2015 15:06 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 193871A875E for <kitten@ietfa.amsl.com>; Wed, 25 Feb 2015 07:06:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.348
X-Spam-Level:
X-Spam-Status: No, score=0.348 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1QpUFOjMvqI8 for <kitten@ietfa.amsl.com>; Wed, 25 Feb 2015 07:06:36 -0800 (PST)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BF0B1A8758 for <kitten@ietf.org>; Wed, 25 Feb 2015 07:06:36 -0800 (PST)
Received: from latte.josefsson.org (c-04f7e555.014-1001-73746f1.cust.bredbandsbolaget.se [85.229.247.4]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t1PF6MLv019546 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 25 Feb 2015 16:06:23 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Tony Hansen <tony@att.com>
References: <54DC00D0.2050900@cs.tcd.ie> <54EC66FF.50603@cs.tcd.ie> <54ECA7DA.40203@att.com>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
X-Hashcash: 1:22:150225:kitten@ietf.org::LbP+tK9kP0BpOIZ7:6a70
X-Hashcash: 1:22:150225:tony@att.com::Om4/BCH+6WepAkt6:861C
Date: Wed, 25 Feb 2015 16:06:21 +0100
In-Reply-To: <54ECA7DA.40203@att.com> (Tony Hansen's message of "Tue, 24 Feb 2015 11:33:30 -0500")
Message-ID: <874mqaghea.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.5 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/wtqhAZxiMc71k_3Jke_MdS2KAyM>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] draft-hansen-scram-sha256 and the hash iteration count
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2015 15:06:38 -0000
Tony Hansen <tony@att.com> writes: > So, what to do for SCRAM-SHA-256? > > One way to derive a recommended number might be to use a log scale > between 2000's and 2010's numbers, extend it out to 2015, then reduce > the number by some percentage to account for SHA-1 vs SHA-256 > performance. If my math is correct, and using a performance reduction > of 30%, this gives 4260, which is only a few percent away from my > original recommendation of 4096 for SHA-2. > > Or we could jump all the way up to 14500, as suggested by Russ. > > > Another possibility is to suggest two values: one for mobile use and > one for non-mobile use. I think there are at least two different considerations: 1) Language used. As you quoted, the text now says that servers "SHOULD announce at least 4096". Using SHOULD already gives room for using other values if there is good justification. To split things into mobile and non-mobile use-cases (which sounds like a bad idea for several reasons to me) would require changing the language, as the server normally doesn't know what type the client is. Another idea is to give two values but phrase it in a different way: one MUST minimum value for protocol conformance (say 4096) and one RECOMMENDED value for good protection in various deployments (say 14500). 2) How to decide the value. I don't agree with the focus on performance -- the reason for using PBKDF2 is to improve security, so the normal approach to decide security parameters (compare key sizes) is that the security needs dictate the requirements. On one extreme, using 10 iteration count would be weak (although I can't cite attacks, maybe because nobody uses 10 iterations...). IMHO, the metric should be: how many iterations raises the cost for an attacker so that it is no longer a cost-effective way to crack the system? Of course, different systems will have different attack cost models, but we should give a ball-park number applicable for common Internet applications. I'm with Alexey that current estimates are probably mostly guesses. I don't know of a established way to derive a better value. However it feels weird for us to not raise the value when we are revising the specification: surely all attacks are more cost-effective as time passes by, so the value should at least be incremented somewhat. /Simon
- [kitten] AD sponsoring draft-hansen-scram-sha256 Stephen Farrell
- Re: [kitten] AD sponsoring draft-hansen-scram-sha… Peter Saint-Andre - &yet
- Re: [kitten] AD sponsoring draft-hansen-scram-sha… Tony Hansen
- Re: [kitten] AD sponsoring draft-hansen-scram-sha… Peter Saint-Andre - &yet
- Re: [kitten] AD sponsoring draft-hansen-scram-sha… Simon Josefsson
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Simon Josefsson
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Alexey Melnikov
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Dave Cridland
- Re: [kitten] AD sponsoring draft-hansen-scram-sha… Simon Josefsson
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Martin Thomson
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Sam Whited
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Stephen Farrell
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Tony Hansen
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Tony Hansen
- [kitten] draft-hansen-scram-sha256 and the hash i… Tony Hansen
- [kitten] draft-hansen-scram-sha256 and incorporat… Tony Hansen
- Re: [kitten] draft-hansen-scram-sha256 and the ha… Dave Cridland
- Re: [kitten] draft-hansen-scram-sha256 and the ha… Alexey Melnikov
- Re: [kitten] draft-hansen-scram-sha256 and the ha… Tony Hansen
- Re: [kitten] draft-hansen-scram-sha256 and the ha… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Alexey Melnikov
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Alexey Melnikov
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Tony Hansen
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Karthikeyan Bhargavan
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] [saag] AD sponsoring draft-hansen-sc… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Stephen Farrell
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Tony Hansen
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Tony Hansen
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Simon Josefsson
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Nico Williams
- Re: [kitten] draft-hansen-scram-sha256 and incorp… Tony Hansen