Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge
Sergey Beryozkin <sberyozkin@gmail.com> Wed, 19 November 2014 09:01 UTC
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BF071A00E7 for <oauth@ietfa.amsl.com>; Wed, 19 Nov 2014 01:01:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id geM4e6ABO55k for <oauth@ietfa.amsl.com>; Wed, 19 Nov 2014 01:01:22 -0800 (PST)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBF421A0049 for <oauth@ietf.org>; Wed, 19 Nov 2014 01:01:21 -0800 (PST)
Received: by mail-wi0-f177.google.com with SMTP id l15so1044172wiw.10 for <oauth@ietf.org>; Wed, 19 Nov 2014 01:01:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=t1EKa34gVQM+d+mbkUcJt+g7zibIrotRZXgVw8GXOu0=; b=gkCiihXMyh31Xn6unIzS7Dj8rSG9oXvQjBbDD2JF42AeVEtrqcBqL8AUIR8IGkQwFH Fh5jYJsRN/Ebp8PA0t6LDwmA6zmCRVem5EsnuNOJ671dGlbNVmWw2vusABrRowaDwpm5 Klaqx8MEnvRy2UyMt57OFy1kRID6StuIf0kqLrelIkYvoPNNVcwkvG5IDsvoH3u2P6h4 GvozrYhUdSpoWIJOTFndvXI4M51w8wGJWP4i+TakghV4ohERwaekFpHbAfRkgqYRHzuw sDWhcpigyCUljiOuzO/hXF74Zp5k3Wb9W/RxBYjg14GK0rp0QtQ6e8qgISD+156IA6r2 2wdQ==
X-Received: by 10.180.11.65 with SMTP id o1mr3636826wib.22.1416387680762; Wed, 19 Nov 2014 01:01:20 -0800 (PST)
Received: from [10.20.16.116] ([109.74.48.129]) by mx.google.com with ESMTPSA id kn5sm1334455wjb.48.2014.11.19.01.01.18 for <oauth@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 19 Nov 2014 01:01:19 -0800 (PST)
Message-ID: <546C5C5B.9080001@gmail.com>
Date: Wed, 19 Nov 2014 10:01:15 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <546ACC4F.9060801@cs.meiji.ac.jp> <1978901687.1831418.1416286458957.JavaMail.yahoo@jws10651.mail.bf1.yahoo.com> <546C2DF9.30107@cs.meiji.ac.jp>
In-Reply-To: <546C2DF9.30107@cs.meiji.ac.jp>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/-RlHVHGXpKbJFDu1WdUNAFnWvQg
Subject: Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Nov 2014 09:01:25 -0000
Hi Apologies for getting into this thread (I do not understand most of the mathematics at this stage :)), On 19/11/14 06:43, takamichi saito wrote: > (2014/11/18 13:54), Bill Mills wrote: >> There will be no rainbow table for 256bits of search space. Suppose >> then that clientID has 256 possible values. How does salting with >> client ID do anything more than making the search space 264 bits? >> >> You keep saying that a salt is better than just adding entropy, but >> never actually justifying it. >> >> > > Adding client_ID is not only for like adding password's salt. > Adding client_ID is not same as adding password's salt in this context. > You've mentioned it would separate a search space, but as far as I understand that would require a client to randomly add either its client_id or server_id to the signature function. If it is only adding a client id then it sounds like a salt. Is that right ? I think I can understand that. The question is, where is a 'server_id' coming from and how a server would know that the signature was calculated with a client_id or server_id added in ? Sorry if it is all just the noise... Thanks, Sergey > >> >> On Monday, November 17, 2014 8:34 PM, takamichi saito >> <saito@cs.meiji.ac.jp> wrote: >> (2014/11/18 13:17), Bill Mills wrote: >>> Again, the only value of including client ID or any other value in >>> this case is to increase the number of bits of entropy in the value >>> being hashed. Using client ID is only useful if it's actually got >>> decent entropy in it, if it's just a version number then or a server >>> name or address it adds very little. >>> >> >> Client_ID is not for adding entropy. >> Again, Client_ID is separating the attacker's searching space. >> >>> Yes, salting is valuable for passwords which have very low entropy. >>> But as has been discussed it adds little in this case. Your >>> arguments are correct for passwords but not for 256 bits of random >>> number. >>> >> >> I agree that human-made password is low entropy. >> As I say, adding Client_ID can force the attacker has to search the >> value in each attack. >> If the attacker uses GPU, he can not get the value within the session. >> >> I never confuse about password in these discussions. >> >> >> >>> Regards, >>> >>> -bill >>> >>> >>> >>> On Monday, November 17, 2014 7:27 PM, takamichi saito >>> <saito@cs.meiji.ac.jp> wrote: >>> >>> I agree that GPU can/may find the value on the fly. >>> But, it can not find it within the session. >>> The draft idea is enough against the attack with GPU. >>> >>> On the other, the draft idea provide ONLY one combination of hash and >>> its plain. The attacker can prepare THE COMBINATION to success the >>> attack. >>> >>> Adding client_ID or server_ID separate the searching space. >>> Then the attacker have to find the value in each case for the attack. >>> (The reason was said before.) >>> >>> >>> (2014/11/17 13:33), John Bradley wrote: >>>> The question is what is the attack. >>>> >>>> Any salt added needs to be communicated from the client to the AS, >>>> so we >>>> must assume that the attacker has it. >>>> >>>> The attacker can then a) create rainbow table using the client id or >>>> whatever is the known salt. Yes the attacker must create a new table >>>> per client. >>>> Salting is really only effective for low entropy passwords to try and >>>> slow down a rainbow table attack by making the input to the hash be >>>> higher than the that of the password on it's own. >>>> >>>> Currently attackers can generate over 4Billion SHA256 hashes per second >>>> on a single GPU card. (Thank you bitcoin) >>>> >>>> It is faster to generate the hashes than to look them up via a index. >>>> >>>> If you are generating the hash in real time salting provides no >>>> determent, as the salt is just included in the hash calculation. >>>> >>>> If the code verifier was a password rather than a 256bit random key >>>> then >>>> a hash would add value against rainbow tables. >>>> >>>> In reality finding a collision against a salted password is much easier >>>> using real time hash generation than by using rainbow tables. >>>> >>>> Using SHA256 with a short hash is not safe for passwords any more. >>>> Something like PBES2 with at-least 200 rounds needs to be used, if you >>>> want have password files from being compromised quickly if disclosed. >>>> (Yes I know people are not doing that, and hence part of the >>>> reason >>>> why passwords are no longer secure) >>>> >>>> More entropy in the code verifier adds to security eg moving to SHA512 >>>> and larger verifiers, but adding a salt to SHA256 is basically a no op >>>> when defending against modern attacks. >>>> >>>> I did originally agree with your position and wanted to HMAC the >>>> client_id to defend against rainbow tables, however I am now convinced >>>> that the attack has moved on so that is no more efective than a plain >>>> hash over a random 256bit value. >>>> >>>> John B. >>>> >>>>> On Nov 16, 2014, at 11:06 PM, Nat Sakimura <sakimura@gmail.com >>>>> <mailto:sakimura@gmail.com>> wrote: >>>>> >>>>> I am actually not convinced. Since the code verifier is 256bit random, >>>>> adding salt does not seem to help. >>>>> Salting definitely helps if len(password) << 256 bit, but ... >>>>> >>>>> >>>>> On Mon Nov 17 2014 at 11:39:07 takamichi saito <saito@cs.meiji.ac.jp >>>>> <mailto:saito@cs.meiji.ac.jp>> wrote: >>>>> >>>>> >>>>> >>>>> (2014/11/14 13:02), Bill Mills wrote: >>>>> > Yes, "plain" is actually sufficient. The hashed value >>>>> protects >>>>> against >>>>> > disclosure/logging threats on the server auth server and >>>>> proxies >>>>> perhaps >>>>> > where the HTTPS is terminated somewhere other than the auth >>>>> server >>>>> > itself, it's not actually required for the basic >>>>> functionality/security >>>>> > of the mechanism. >>>>> >>>>> In the threat model of the SPOP scheme, a wiretap is in it. >>>>> >>>>> And more, the hash is not used to keep secretly in the >>>>> sever/client. >>>>> >>>>> >>>>> > >>>>> > >>>>> > On Thursday, November 13, 2014 7:07 PM, takamichi saito >>>>> > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>> wrote: >>>>> > >>>>> > >>>>> > Sorry for my poor english. >>>>> > >>>>> > >>>>> > 2014/11/14 10:55、Bill Mills <wmills_92105@yahoo.com >>>>> <mailto:wmills_92105@yahoo.com> >>>>> > <mailto:wmills_92105@yahoo.com >>>>> <mailto:wmills_92105@yahoo.com>__>> のメール: >>>>> > >>>>> > > The whole mechanism relies on the attacker not having >>>>> access >>>>> to the >>>>> > code_verifier or hash. It's defending against the attacker >>>>> getting the >>>>> > code via weakness in IPC or other such mechanism like URI >>>>> handlers. How >>>>> > many more bits is secure beyond 256 bits of entropy >>>>> recommended? If you >>>>> > want to make it longer then just make it longer, salting >>>>> doesn't >>>>> really >>>>> > help that much. >>>>> > > >>>>> > > The original value or the hashed value *should* be >>>>> protected >>>>> by the >>>>> > transport security, and if it isn't then the attacker could be >>>>> stealing >>>>> > the original credential used to authenticate anyway. >>>>> > > >>>>> > >>>>> > Is it correct? >>>>> > You mean that we don’t need to use hash itself? Only to use >>>>> plain is enough? >>>>> > >>>>> > >>>>> > > >>>>> > > >>>>> > > >>>>> > > On Thursday, November 13, 2014 5:40 PM, takamichi saito >>>>> > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp> >>>>> <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>>> >>>>> wrote: >>>>> > > >>>>> > > >>>>> > > >>>>> > > Hi all, >>>>> > > >>>>> > > I appreciate this idea, simple and powerful to achieve >>>>> proof of >>>>> > possession. >>>>> > > But, I have some questions against the scheme. >>>>> > > Sorry if these ware already discussed. >>>>> > > >>>>> > > I worry about using a hash function in simple way. >>>>> > > I mean, a simple use of random as code_verifier may >>>>> cause that >>>>> > malicious client can have any code_verifier and >>>>> code_challenge. >>>>> > > All combinations of random and its hash can be obtained, it >>>>> may not >>>>> > be risk? >>>>> > > >>>>> > > So, we should use: >>>>> > > S256 "code_challenge" = >>>>> BASE64URL(SHA256("code___verifier" + >>>>> “client ID”)) >>>>> > > or >>>>> > > S256 "code_challenge" = >>>>> BASE64URL(SHA256("code___verifier" + >>>>> “client >>>>> > ID” + “server ID”)) >>>>> > > Where, you know that client ID is client’s unique name. >>>>> > > >>>>> > > >>>>> > > Other problem is the following, using Nat’s slide: >>>>> > > http://www.slideshare.net/nat___sakimura/1112-spoppresso >>>>> <http://www.slideshare.net/nat_sakimura/1112-spoppresso> >>>>> > <http://www.slideshare.net/__nat_sakimura/1112-spoppresso >>>>> <http://www.slideshare.net/nat_sakimura/1112-spoppresso>>. >>>>> > > >>>>> > > 0. Attacker prepares own code_verifier and >>>>> code_challenge. >>>>> > > 1. replage legitimate challenge with malicious >>>>> code_challenge. >>>>> > > 5. Attacker can submits own code_verifier. >>>>> > > >>>>> > > It may be out of the draft, I think. >>>>> > > >>>>> > > Best regards, >>>>> > > >>>>> > > >>>>> > > ;; takamixhi saito >>>>> > > >>>>> > > _________________________________________________ >>>>> > > OAuth mailing list >>>>> > > OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> <mailto:OAuth@ietf.org >>>>> <mailto:OAuth@ietf.org>> >>>>> > > https://www.ietf.org/mailman/__listinfo/oauth >>>>> <https://www.ietf.org/mailman/listinfo/oauth> >>>>> > >>>>> > > >>>>> > > >>>>> > >>>>> > >>>>> > ;; takamixhi saito >>>>> > >>>>> > _________________________________________________ >>>>> > OAuth mailing list >>>>> > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org >>>>> <mailto:OAuth@ietf.org>> >>>>> > https://www.ietf.org/mailman/__listinfo/oauth >>>>> <https://www.ietf.org/mailman/listinfo/oauth> >>> >>>>> > >>>>> > >>>>> >>>>> >>>>> -- >>>>> ;; takamixhi saito >>>>> >>>>> _________________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/__listinfo/oauth >>>>> <https://www.ietf.org/mailman/listinfo/oauth> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> >> >> > >
- [OAUTH-WG] draft-ietf-oauth-spop-04: a way of mak… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… William Denniss
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Sergey Beryozkin
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Sergey Beryozkin
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito