Re: [ldapext] DBIS - new IETF drafts

Andrew Findlay <andrew.findlay@skills-1st.co.uk> Thu, 09 January 2014 17:43 UTC

Return-Path: <andrew.findlay@skills-1st.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86C971AE521 for <ldapext@ietfa.amsl.com>; Thu, 9 Jan 2014 09:43:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.602
X-Spam-Level:
X-Spam-Status: No, score=-1.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7-odjnDJRLNY for <ldapext@ietfa.amsl.com>; Thu, 9 Jan 2014 09:43:33 -0800 (PST)
Received: from kea.ourshack.com (kea.ourshack.com [IPv6:2001:470:1f15:20::201]) by ietfa.amsl.com (Postfix) with ESMTP id 3DFA21AE51F for <ldapext@ietf.org>; Thu, 9 Jan 2014 09:43:33 -0800 (PST)
Received: from 9.1.5.2.b.3.c.7.4.f.9.1.a.6.4.b.1.e.7.f.0.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa ([2001:8b0:8d0:f7e1:b46a:19f4:7c3b:2519] helo=slab.skills-1st.co.uk) by kea.ourshack.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1W1Jda-0005s1-98; Thu, 09 Jan 2014 17:43:22 +0000
Received: from andrew by slab.skills-1st.co.uk with local (Exim 4.80.1) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1W1JdZ-0006Bm-RB; Thu, 09 Jan 2014 17:43:21 +0000
Date: Thu, 9 Jan 2014 17:43:21 +0000
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: Michael =?iso-8859-1?Q?Str=F6der?= <michael@stroeder.com>
Message-ID: <20140109174321.GV3938@slab.skills-1st.co.uk>
References: <52C9BED5.2080900@proseconsulting.co.uk> <52CAEA7D.5030002@highlandsun.com> <1389033674.27654.32.camel@pico.ipa.ssimo.org> <52CB2030.3010403@proseconsulting.co.uk> <1389050240.27654.67.camel@pico.ipa.ssimo.org> <52CDB6B2.2080406@proseconsulting.co.uk> <52CEBEAE.5090701@stroeder.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <52CEBEAE.5090701@stroeder.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Cc: ldapext@ietf.org
Subject: Re: [ldapext] DBIS - new IETF drafts
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 17:43:35 -0000

On Thu, Jan 09, 2014 at 04:22:22PM +0100, Michael Ströder wrote:

> Mark R Bannister wrote:
> >> Exposing hashes should be a last resort for compatibility reasons only
> >> and should be disabled by default with appropriate ACIs.

Absolutely. You need the LDAP server to support the old-style hashes
to allow for migrating data in, but exposing *any* form of hash
outside your trusted LDAP servers is asking for trouble.

Every LDAP-aware client system that I have worked with can use the
bind operation as a means to validate passwords, so the only
possible excuse for exporting hashes is temporary support of
migrating systems. If you only allow the export of hashes that are
actually needed by the old non-LDAP systems then at least you are
not making matters worse than they were before the migration.

> >> My point of view is that using LDAP binds SHOULD be mandated for
> >> authentication for any new client following any new schema, and exposing
> >> hashes MUST be disabled by default, and explicitly enabled by admins
> >> that needs backwards compatibility. We need to move up the security bar,
> >> and you do that only with appropriate defaults, and new IETF work should
> >> reflect that IMHO.
> >>
> >> Simo.
> 
> +1 to Simo's comment.

Another +1.

I find that showing people the crack-attempt rate tables on
Hashcat's front page usually ups the priority for getting rid of old
hashes... To see the data for Crypt-style hashes you need to go back
in the archive a bit:

	http://web.archive.org/web/20130703144216/http://hashcat.net/oclhashcat-plus/

Comparing those figures (July 2013, based on software from January
2013) with todays is interesting too. The latest hardware they have
tested boosts the crack-rate by another order of magnitude so
traditional Unix-style crypt(3) hashes are probably testable at 600M
attempts/sec, with plain MD5 now at 81000M and NTLM at 140000M...
That means that *every possible* 8-character ASCII password can be
tested against a file of NTLM hashes in 12 hours, or against Unix crypt
in 117 days on a single PC. Real passwords are at least 1000 times
weaker in practice.

In terms of LDAP best practice what this means is:

	Store password data using a modern salted hash that was
	designed specifically for this purpose. Preferably choose
	one that allows the number of iterations to be increased in
	the future. [ I currently favour bcrypt ($2a$), falling back to
	sha512crypt ($6$) or md5crypt ($1$) if that is not available ]

	Use ACIs to prevent access to password storage fields.

	Use all good system-management practices to protect the LDAP
	database, the filesystem, the physical disks, and the backup
	tapes from being copied or stolen.

	Advise users to set much longer passwords than before.
	e.g. a 5-word Diceware password is about 1000 times better
	than the best possible 8-character ASCII password - and a
	lot easier to remember and to type!

	Passwords hashed with weak schemes may be imported as part
	of a migration process provided they are changed within some
	short period of time to be set by a sensible risk analysis.

> > I don't think LDAP binds can be mandated, we can only strongly recommend it. 
> > Given the migration path I have already described, I find it highly unlikely
> > that people will be able to move to LDAP binds and move off CRYPT immediately,
> 
> If your customers have old legacy systems which they won't change at all then
> simply let them run them in a isolated environment with all the old cruft
> around they need for those systems. Sooner or later they have to migrate
> anyway because systems are running out-of-service (e.g. will not receive
> security updates anymore).

I would be a bit more flexible than that. There are often advantages
to loose coupling of the old system to the new one: reduced support
effort, maybe even increased security as passwords actually do get
changed, etc. There are risks though, and these need to be
considered on a case-by-case basis. An obvious example here would be
a system that stores an old Unix-crypt hash alongside a bcrypt one
with both derived from the same data. The old hash is easily
attacked and will expose the first 8 chars of the full password with
very little effort, making it much easier to attack the full
password in the bcrypt hash.

> IMO any new standard should focus on getting the near future right.

Yes, but that does have to include migrating stuff that is currently
stuck in the technological past!

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------