Re: [ldapext] [ldap] Re: draft-stroeder-hashed-userpassword-values-01

Kurt Zeilenga <kurt.zeilenga@isode.com> Fri, 15 March 2013 11:07 UTC

From: Kurt Zeilenga <kurt.zeilenga@isode.com>
In-Reply-To: <20130315101840.GQ18706@slab.skills-1st.co.uk>
Date: Fri, 15 Mar 2013 04:07:29 -0700
Message-Id: <FC0DA02B-3A7F-4955-B534-5E6DB361DE7E@isode.com>
References: <5103F924.2070800@stroeder.com> <CABBgLkcnK7WfthFOBD5Esfz+g1izcKoGgtxzKKDntc0i=E7LOQ@mail.gmail.com> <510782A6.7050209@stroeder.com> <3ED81CD8-59DA-482E-8AFA-C68E53A62067@isode.com> <51410020.4020800@stroeder.com> <20130314001901.GN18706@slab.skills-1st.co.uk> <5141F560.6040805@highlandsun.com> <5142171C.6090807@stroeder.com> <51421EC9.6060502@highlandsun.com> <514222B0.9090107@stroeder.com> <20130315101840.GQ18706@slab.skills-1st.co.uk>
To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Cc: "ldap@umich.edu" <ldap@umich.edu>, ldapext <ldapext@ietf.org>, Michael Ströder <michael@stroeder.com>
Subject: Re: [ldapext] [ldap] Re: draft-stroeder-hashed-userpassword-values-01

On Mar 15, 2013, at 3:18 AM, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:

> On Thu, Mar 14, 2013 at 08:19:12PM +0100, Michael Ströder wrote:
> 
>>>>     userpasswordvalue  = cleartext-password / prefix hashed-password
>>> 
>>> I think you should replace "hashed-password" with "scheme-specific data" and
>>> stop there.
>> 
>> That's a conclusion of your opinion. But I want to describe the *order* of
>> password and salt used by any server I saw using the scheme.
> 
> Why not separate the description of the data from the overall syntax?
> It will be easier to read that way, and much more obvious that the whole
> thing is extensible and a bit informal.
> 
> userPassword has Octet String syntax, so in principle the value is
> <scheme name in curly brackets> <arbitrary data>
> 
> A separate section of the doc could then describe (or refer to) the formats
> of all the commonly-used storage schemes. I was about to call them 'hash
> schemes' but that is wrong, as some servers support reversible encryption
> schemes as well as hashes.
> 
> 
> On a slight tangent, a rough guide to the current strength of various hash
> schemes can be found on hashcat's front page:
> 
> 	http://hashcat.net/oclhashcat-plus/
> 
> The table at the bottom gives the brute-force attack rate in crypts/sec
> using a single PC with a good (mid-range gaming) graphics engine.
> Numbers range from about 4k c/s for bcrypt up to 7500M c/s for NTLM.
> It does not explicitly list figures for SSHA and SMD5 but I suspect the
> 'sha512crypt $6$' figure is indicative at 12k c/s.

The difference per check between SSHA and SHA is one SHAUpdate call; even if this call accounted for 100% of the work, SSHA should be no more than twice as expensive as SHA.  Likewise for other simple salted hash methods.

-- Kurt

> 
> Andrew
> -- 
> -----------------------------------------------------------------------
> |                 From Andrew Findlay, Skills 1st Ltd                 |
> | Consultant in large-scale systems, networks, and directory services |
> |     http://www.skills-1st.co.uk/                +44 1628 782565     |
> -----------------------------------------------------------------------
> _______________________________________________
> Ldapext mailing list
> Ldapext@ietf.org
> https://www.ietf.org/mailman/listinfo/ldapext
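Added example (not code from the thread, the draft, or any directory server): a small verifier for userPassword values that makes the three points above concrete: the `{scheme}` prefix followed by scheme-specific data that Andrew describes, the password-then-salt order Michael wants documented, and Kurt's observation that SSHA is SHA plus a single extra update over the salt. The `{SSHA}` layout assumed here (base64 of the 20-byte SHA-1 digest of password || salt, followed by the salt) is the common one, not something the thread specifies; the sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed layout (not from the thread): {SSHA} = base64( SHA-1(password || salt) || salt ),
# i.e. the password is hashed first and the salt is appended, which is the order under discussion.
SHA1_DIGEST_LEN = 20


def split_scheme(value: str) -> Tuple[Optional[str], str]:
    """Split an RFC 2307-style userPassword value into (scheme, data).

    The value is '{SCHEME}data'; scheme names are matched case-insensitively.
    A value without a scheme prefix is treated as cleartext (scheme None).
    """
    if value.startswith("{"):
        end = value.find("}")
        if end > 1:
            return value[1:end].upper(), value[end + 1:]
    return None, value


def make_sha(password: bytes) -> str:
    """Unsalted {SHA}: one SHA-1 over the password."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: the same SHA-1, plus exactly one extra update with the salt."""
    if salt is None:
        salt = os.urandom(8)  # constructed default; real servers pick their own salt length
    h = hashlib.sha1(password)
    h.update(salt)  # the single additional update that separates SSHA from SHA
    return "{SSHA}" + base64.b64encode(h.digest() + salt).decode("ascii")


def verify(stored: str, candidate: bytes) -> bool:
    """Check a candidate password against a stored userPassword value.

    Uses hmac.compare_digest so the comparison does not leak timing
    information about how many leading bytes matched.
    """
    scheme, data = split_scheme(stored)
    if scheme is None:
        return hmac.compare_digest(data.encode("utf-8"), candidate)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), base64.b64decode(data))
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]
        h = hashlib.sha1(candidate)
        h.update(salt)
        return hmac.compare_digest(h.digest(), digest)
    # Any other scheme ({CRYPT}, {MD5}, reversible schemes, ...) is scheme-specific
    # data this example does not interpret.
    raise ValueError(f"unsupported userPassword scheme {scheme!r}")


if __name__ == "__main__":
    pw = b"secret"
    for stored in (make_sha(pw), make_ssha(pw), "secret"):
        print(stored, verify(stored, pw), verify(stored, b"wrong"))
```

Because SSHA differs from SHA only by the one `h.update(salt)` call, a per-guess attack on SSHA costs at most about twice a guess on SHA, which is why figures for a deliberately slow construction like sha512crypt are not a good proxy for it.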