IETF Logo Mail Archive

Re: [kitten] Requesting WG adoption of several SCRAM related documents

Simon Josefsson <simon@josefsson.org> Tue, 26 October 2021 20:53 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC6033A17DC for <kitten@ietfa.amsl.com>; Tue, 26 Oct 2021 13:53:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b=D551/go3; dkim=pass (2736-bit key) header.d=josefsson.org header.b=DqZO/wxm
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KOk5dadQ-42R for <kitten@ietfa.amsl.com>; Tue, 26 Oct 2021 13:53:04 -0700 (PDT)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90AF93A1342 for <kitten@ietf.org>; Tue, 26 Oct 2021 13:53:03 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2110; h=Content-Type:MIME-Version:Message-ID:In-Reply-To :Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description; bh=GByazOnVSEDrjingFji1cIfzuG189RTr8goZW8k1cfU=; t=1635281584; x=1636491184; b=D551/go3WVcmIiH7bF/dNdP5n+RQSWvioU2m9JVZQhhGGRMZMAtYAdIr966wl8ThS0vDMJfblRk qSBeZUpH0Dw==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2110; h=Content-Type:MIME-Version:Message-ID: In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=GByazOnVSEDrjingFji1cIfzuG189RTr8goZW8k1cfU=; t=1635281584; x=1636491184; b=DqZO/wxmII/dae+ixUrvIDQ/6swJLIgQp1K6mB3UNL4K1GSCIwbnSMCLj0kc99DKoA/mhHjMMvb bHAyu8up6L6i2dQ5INlVAP5uegu/fmN2/0S3sT8C/6A0QGtzTsDM2ilbq+KmJPFEXxRCB11GPRvyJ jjN0HOS0iSK8dVpAI54offA2pSBsdnfkuxrnz6xBPGXaTO6RaljGmxcaWnrhkjnUrM5y6Jf4RvD7i wLBtBlLzY6ybjIdq6ahCPoGedFdIDxX5Kh77ySNlbELCxprDrS1ycwMrSfW/QdRot5Tvee5EK7mDi gn4dZ9HUyPlYULxD0xj9rx4TNjjvaJT76v3+TW5aTfheEu2EGrFOjuQd5aMlLJS83izm0SCTxYaji a6ZmRy75N1tOgo4CReuc465Tg23TGojFKEr4ol+Z/1MLlAlu1rsOD2CY72zz2J/l3Ww1Oucsp;
Received: from [2001:9b0:21a:d900::834] (port=34060 helo=latte) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <simon@josefsson.org>) id 1mfTRK-00Aubk-VG; Tue, 26 Oct 2021 22:52:58 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Robbie Harwood <rharwood@redhat.com>
References: <4a14c16b-644f-ac40-7b3a-a1712c9aa3d2@isode.com>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:22:211026:kitten@ietf.org::3VLULcIc51G4Y4u/:8Nax
X-Hashcash: 1:22:211026:rharwood@redhat.com::0x8FAijNP28ps6+r:7DQM
X-Hashcash: 1:22:211026:alexey.melnikov@isode.com::SpLop/A70EPJnUnP:5K1D
Date: Tue, 26 Oct 2021 22:52:54 +0200
In-Reply-To: <4a14c16b-644f-ac40-7b3a-a1712c9aa3d2@isode.com> (Alexey Melnikov's message of "Tue, 26 Oct 2021 11:43:25 +0100")
Message-ID: <87ilxjo6e1.fsf@latte.josefsson.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/z9AvfahpZe2D6qOtJ6N98cCluMs>
Subject: Re: [kitten] Requesting WG adoption of several SCRAM related documents
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2021 20:53:11 -0000

Hi.  I'm not strongly opposed to these work items, but I do feel
publishing these documents without adressing high-level concerns have a
risk of causing problems during deployment.  I think the WG should
understand and consider the implication before adopting the documents -
maybe there is alternative work that needs to happen before/instead.

1) For SCRAM-2FA how is user interaction supposed to work for
applications that open many connections?  This is the problem that
turned out to kill deployment of SAML20 and OPENID20 for typical
environments.  I think this is a serious problem for any SASL mechanisms
that works with non-long-term secrets, and I think we should ponder if
there is some generic mechanism (like SASL re-authentication or
authentication resumption) that needs to be standardized.  Otherwise I
think SCRAM-2FA will end up in the same way, and cause people to do a
lot of work to try to implement it and run into the same problems.

2) Add new hashes for SCRAM causes complexity in applications to specify
and support multiple database entries for different
password-equivalents.  There is no real guidance on how clients and
servers should treat multiple hash variants and negotiation between
them.  SASL does not handle sub-mechanism negotiation well, so it has a
security complexity cost.  I wrote about some of this in
https://blog.josefsson.org/2021/06/08/whats-wrong-with-scram/ and at
least one problem is worth repeating:

  How to negotiate which variant to use is not well-defined. Consider if
  the server only has access to a SCRAM-SHA-1 hashed password for user X
  and a SCRAM-SHA-256 hashed password for user Y. What mechanisms should
  it offer to an unknown client? Offering both is likely to cause
  authentication failures, and the fall-back behaviour of SASL is poor.

/Simon

Alexey Melnikov <alexey.melnikov@isode.com> writes:

> Dear Kitten WG participants,
>
> I would like to request WG adoption of several SCRAM related documents:
>
> 1) Extensions to Salted Challenge Response (SCRAM) for 2 factor
> authentication
> <https://datatracker.ietf.org/doc/draft-melnikov-scram-2fa/>
>
> There were some earlier discussions of this document and it seems to
> be in scope for the current charter.
>
> 2) SCRAM-SHA-512 and SCRAM-SHA-512-PLUS Simple Authentication and
> Security Layer (SASL) Mechanisms
> <https://datatracker.ietf.org/doc/draft-melnikov-scram-sha-512/>
>
> This is already implemented in Cyrus SASL, so it would be good to have
> stable documentation.
>
> 3) SCRAM-SHA3-512 and SCRAM-SHA3-512-PLUS Simple Authentication and
> Security Layer (SASL) Mechanisms
> <https://datatracker.ietf.org/doc/draft-melnikov-scram-sha3-512/>
>
> Best Regards,
>
> Alexey
>
> P.S. As I am editing various documents mentioned in this email, my
> co-chair Robbie will judge consensus on adoption of each document.
>

v2.23.0 | Report a Bug | By Email