Re: [ldapext] DBIS - new IETF drafts
Andrew Findlay <andrew.findlay@skills-1st.co.uk> Thu, 09 January 2014 17:43 UTC
Return-Path: <andrew.findlay@skills-1st.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86C971AE521 for <ldapext@ietfa.amsl.com>; Thu, 9 Jan 2014 09:43:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.602
X-Spam-Level:
X-Spam-Status: No, score=-1.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7-odjnDJRLNY for <ldapext@ietfa.amsl.com>; Thu, 9 Jan 2014 09:43:33 -0800 (PST)
Received: from kea.ourshack.com (kea.ourshack.com [IPv6:2001:470:1f15:20::201]) by ietfa.amsl.com (Postfix) with ESMTP id 3DFA21AE51F for <ldapext@ietf.org>; Thu, 9 Jan 2014 09:43:33 -0800 (PST)
Received: from 9.1.5.2.b.3.c.7.4.f.9.1.a.6.4.b.1.e.7.f.0.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa ([2001:8b0:8d0:f7e1:b46a:19f4:7c3b:2519] helo=slab.skills-1st.co.uk) by kea.ourshack.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1W1Jda-0005s1-98; Thu, 09 Jan 2014 17:43:22 +0000
Received: from andrew by slab.skills-1st.co.uk with local (Exim 4.80.1) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1W1JdZ-0006Bm-RB; Thu, 09 Jan 2014 17:43:21 +0000
Date: Thu, 09 Jan 2014 17:43:21 +0000
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: Michael Ströder <michael@stroeder.com>
Message-ID: <20140109174321.GV3938@slab.skills-1st.co.uk>
References: <52C9BED5.2080900@proseconsulting.co.uk> <52CAEA7D.5030002@highlandsun.com> <1389033674.27654.32.camel@pico.ipa.ssimo.org> <52CB2030.3010403@proseconsulting.co.uk> <1389050240.27654.67.camel@pico.ipa.ssimo.org> <52CDB6B2.2080406@proseconsulting.co.uk> <52CEBEAE.5090701@stroeder.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <52CEBEAE.5090701@stroeder.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Cc: ldapext@ietf.org
Subject: Re: [ldapext] DBIS - new IETF drafts
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 17:43:35 -0000
On Thu, Jan 09, 2014 at 04:22:22PM +0100, Michael Ströder wrote: > Mark R Bannister wrote: > >> Exposing hashes should be a last resort for compatibility reasons only > >> and should be disabled by default with appropriate ACIs. Absolutely. You need the LDAP server to support the old-style hashes to allow for migrating data in, but exposing *any* form of hash outside your trusted LDAP servers is asking for trouble. Every LDAP-aware client system that I have worked with can use the bind operation as a means to validate passwords, so the only possible excuse for exporting hashes is temporary support of migrating systems. If you only allow the export of hashes that are actually needed by the old non-LDAP systems then at least you are not making matters worse than they were before the migration. > >> My point of view is that using LDAP binds SHOULD be mandated for > >> authentication for any new client following any new schema, and exposing > >> hashes MUST be disabled by default, and explicitly enabled by admins > >> that needs backwards compatibility. We need to move up the security bar, > >> and you do that only with appropriate defaults, and new IETF work should > >> reflect that IMHO. > >> > >> Simo. > > +1 to Simo's comment. Another +1. I find that showing people the crack-attempt rate tables on Hashcat's front page usually ups the priority for getting rid of old hashes... To see the data for Crypt-style hashes you need to go back in the archive a bit: http://web.archive.org/web/20130703144216/http://hashcat.net/oclhashcat-plus/ Comparing those figures (July 2013, based on software from January 2013) with todays is interesting too. The latest hardware they have tested boosts the crack-rate by another order of magnitude so traditional Unix-style crypt(3) hashes are probably testable at 600M attempts/sec, with plain MD5 now at 81000M and NTLM at 140000M... That means that *every possible* 8-character ASCII password can be tested against a file of NTLM hashes in 12 hours, or against Unix crypt in 117 days on a single PC. Real passwords are at least 1000 times weaker in practice. In terms of LDAP best practice what this means is: Store password data using a modern salted hash that was designed specifically for this purpose. Preferably choose one that allows the number of iterations to be increased in the future. [ I currently favour bcrypt ($2a$), falling back to sha512crypt ($6$) or md5crypt ($1$) if that is not available ] Use ACIs to prevent access to password storage fields. Use all good system-management practices to protect the LDAP database, the filesystem, the physical disks, and the backup tapes from being copied or stolen. Advise users to set much longer passwords than before. e.g. a 5-word Diceware password is about 1000 times better than the best possible 8-character ASCII password - and a lot easier to remember and to type! Passwords hashed with weak schemes may be imported as part of a migration process provided they are changed within some short period of time to be set by a sensible risk analysis. > > I don't think LDAP binds can be mandated, we can only strongly recommend it. > > Given the migration path I have already described, I find it highly unlikely > > that people will be able to move to LDAP binds and move off CRYPT immediately, > > If your customers have old legacy systems which they won't change at all then > simply let them run them in a isolated environment with all the old cruft > around they need for those systems. Sooner or later they have to migrate > anyway because systems are running out-of-service (e.g. will not receive > security updates anymore). I would be a bit more flexible than that. There are often advantages to loose coupling of the old system to the new one: reduced support effort, maybe even increased security as passwords actually do get changed, etc. There are risks though, and these need to be considered on a case-by-case basis. An obvious example here would be a system that stores an old Unix-crypt hash alongside a bcrypt one with both derived from the same data. The old hash is easily attacked and will expose the first 8 chars of the full password with very little effort, making it much easier to attack the full password in the bcrypt hash. > IMO any new standard should focus on getting the near future right. Yes, but that does have to include migrating stuff that is currently stuck in the technological past! Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------
- [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Arthur de Jong
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Ludovic Poitou
- Re: [ldapext] DBIS - new IETF drafts Clément OUDOT
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Charlie
- Re: [ldapext] DBIS - new IETF drafts Luke Howard
- Re: [ldapext] DBIS - new IETF drafts Neal-Joslin, Robert (3PAR Engineering)
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Luke Howard
- Re: [ldapext] DBIS - new IETF drafts Luke Howard
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Charlie
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister