IETF Logo Mail Archive

Re: [ldapext] [ldap] Re: draft-stroeder-hashed-userpassword-values-01

Andrew Findlay <andrew.findlay@skills-1st.co.uk> Fri, 15 March 2013 12:36 UTC

Return-Path: <andrew.findlay@skills-1st.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF86B21F9138 for <ldapext@ietfa.amsl.com>; Fri, 15 Mar 2013 05:36:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level:
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gko9DVSOP-rW for <ldapext@ietfa.amsl.com>; Fri, 15 Mar 2013 05:36:18 -0700 (PDT)
Received: from kea.ourshack.com (kea.ourshack.com [IPv6:2001:470:1f15:20::201]) by ietfa.amsl.com (Postfix) with ESMTP id 3940921F9137 for <ldapext@ietf.org>; Fri, 15 Mar 2013 05:36:14 -0700 (PDT)
Received: from 2.b.0.9.d.6.e.f.f.f.a.6.1.2.2.0.1.e.7.f.0.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa ([2001:8b0:8d0:f7e1:221:6aff:fe6d:90b2] helo=slab.skills-1st.co.uk) by kea.ourshack.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1UGTrn-0002Ln-6W; Fri, 15 Mar 2013 12:36:11 +0000
Received: from andrew by slab.skills-1st.co.uk with local (Exim 4.80.1) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1UGTrm-0005xO-C2; Fri, 15 Mar 2013 12:36:10 +0000
Date: Fri, 15 Mar 2013 12:36:10 +0000
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: Kurt Zeilenga <kurt.zeilenga@isode.com>
Message-ID: <20130315123610.GR18706@slab.skills-1st.co.uk>
References: <510782A6.7050209@stroeder.com> <3ED81CD8-59DA-482E-8AFA-C68E53A62067@isode.com> <51410020.4020800@stroeder.com> <20130314001901.GN18706@slab.skills-1st.co.uk> <5141F560.6040805@highlandsun.com> <5142171C.6090807@stroeder.com> <51421EC9.6060502@highlandsun.com> <514222B0.9090107@stroeder.com> <20130315101840.GQ18706@slab.skills-1st.co.uk> <FC0DA02B-3A7F-4955-B534-5E6DB361DE7E@isode.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <FC0DA02B-3A7F-4955-B534-5E6DB361DE7E@isode.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Cc: "ldap@umich.edu" <ldap@umich.edu>, ldapext <ldapext@ietf.org>, Michael Ströder <michael@stroeder.com>
Subject: Re: [ldapext] [ldap] Re: draft-stroeder-hashed-userpassword-values-01
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 12:36:20 -0000

On Fri, Mar 15, 2013 at 04:07:29AM -0700, Kurt Zeilenga wrote:

> > On a slight tangent, a rough guide to the current strength of various hash
> > schemes can be found on hashcat's front page:
> > 
> > 	http://hashcat.net/oclhashcat-plus/
> > 
> > The table at the bottom gives the brute-force attack rate in crypts/sec
> > using a single PC with a good (mid-range gaming) graphics engine.
> > Numbers range from about 4k c/s for bcrypt up to 7500M c/2 for NTLM.
> > It does not explicitly list figures for SSHA and SMD5 but I suspect the
> > 'sha512crypt $6$' figure is indicative at 12k c/s.
> 
> The difference per check of SSHA and SHA is one SHAUpdate call, even if this call account for 100% of the work, then SSHA should be no more than twice as expensive SHA.  Likewise for other simple salted hash methods.

Good point. Salt protects against pre-computed lookup tables but
on its own has minimal effect on this style of brute-force attack,
as the salt is known by the attacker.

The big difference with sha512crypt is the number of rounds. This defaults
to 5000, which should make it 5000 times slower than SHA512. The Hashcat
numbers are roughly consistent with that.

This suggests that implementers should be encouraged to future-proof their
products:

	Make it easy to add new password-storage schemes - preferably
		without recompiling the server or client code
	Provide schemes with multiple rounds in the standard distribution
	Make it easy to configure the number of rounds
	Ensure that passwords stored with different schemes and number of
		rounds can still be used even if the server config is changed
	Provide a way to disable passwords stored with particular
		configs in the past that are now considered insecure

The document under discussion would be a good place to put that advice.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email