Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge
John Bradley <ve7jtb@ve7jtb.com> Tue, 18 November 2014 05:33 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCB241AD0C5 for <oauth@ietfa.amsl.com>; Mon, 17 Nov 2014 21:33:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.831
X-Spam-Level:
X-Spam-Status: No, score=-1.831 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n8AOLJSZNept for <oauth@ietfa.amsl.com>; Mon, 17 Nov 2014 21:33:13 -0800 (PST)
Received: from mail-qc0-f174.google.com (mail-qc0-f174.google.com [209.85.216.174]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05CA41A00D0 for <oauth@ietf.org>; Mon, 17 Nov 2014 21:33:13 -0800 (PST)
Received: by mail-qc0-f174.google.com with SMTP id c9so6494545qcz.19 for <oauth@ietf.org>; Mon, 17 Nov 2014 21:33:10 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=KKsoeubRalWve7apysRgqo6FX9mx8yJ0s7zPxZUpwzE=; b=UY6u8ULA/PDYOKBqTZ1fwn1e312GmhrDCrChiMFuThMML2g6LMfVrPtACDdRkHeZm3 8Yu8jCoxonBYbBBPvWvh3c9zxYQ0KbQGFcfBBTWaQ2PHmdp3xVM/P1EAU8OHqiElzcUu mBh3m/xoyoPL/ZzG7d8XiaclTTPFzOKbA8jeQGV2YgBlPcMLnGE1jzSRE0oQqngM4uCt bbB9uRGyMvbxb2o1IdPQ97trXWNLQKvbT2m33NT6O0rXL07goOTmH9qpi2KuIDNTnxZa cAyK77SeNUDsMSRJxRZ0HlrieBovLsDIUL37NDNh2ePF9aVMXalDKtfByUF124hVSeWV R57g==
X-Gm-Message-State: ALoCoQktNSgkvLDrVZfmXi5oLJyPmM0YE7YWliw8dp+1YjmDgtIzrF4QD9JRVY/rCB2T4igQgTAB
X-Received: by 10.140.42.135 with SMTP id c7mr39501196qga.7.1416288790540; Mon, 17 Nov 2014 21:33:10 -0800 (PST)
Received: from [192.168.5.81] (ip-64-134-240-36.public.wayport.net. [64.134.240.36]) by mx.google.com with ESMTPSA id g3sm18490027qaf.2.2014.11.17.21.33.09 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 17 Nov 2014 21:33:09 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_0CD24C77-4853-487E-B472-19690C6630AE"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <546ABCA0.6010808@cs.meiji.ac.jp>
Date: Tue, 18 Nov 2014 00:33:08 -0500
Message-Id: <5C4B100F-77ED-49F4-993E-D025C739DF9B@ve7jtb.com>
References: <8DF11B47-479E-4542-853B-90CF552AEEC3@cs.meiji.ac.jp> <1725911091.499004.1415937773834.JavaMail.yahoo@jws10619.mail.bf1.yahoo.com> <54695FF0.2010603@cs.meiji.ac.jp> <CABzCy2Bp1nxJbzw7H1edoYCe-VaPQQgSJX-yMg0wvQKNE870VA@mail.gmail.com> <E734389D-499D-4E3E-AF19-16343457B33F@ve7jtb.com> <546ABCA0.6010808@cs.meiji.ac.jp>
To: saito@cs.meiji.ac.jp
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/6n9mGoZPI5c3T29R-HIny_i5bEo
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Nov 2014 05:33:25 -0000
I think where we are differing is that you think looking up a precomputed plain based on a indexed hash across some sort of media can be done faster than 3 Giga SHA256 Hash/s. on a small system http://thepasswordproject.com/oclhashcat_benchmarking I don't think the largest disk arrays can keep up with that. Do you have some evidence that shows that precomputing hashes would be an effective attack against 256 bits of entropy. I agree that it would be agains the 40 ish bits of entropy in a password. The likely mitigation is using PBKDF2 or BCrypt rather than SHA256, but that would slow adoption and can be added later. John B. My contention is that it can't > On Nov 17, 2014, at 10:27 PM, takamichi saito <saito@cs.meiji.ac.jp> wrote: > > > I agree that GPU can/may find the value on the fly. > But, it can not find it within the session. > The draft idea is enough against the attack with GPU. > > On the other, the draft idea provide ONLY one combination of hash and its plain. The attacker can prepare THE COMBINATION to success the attack. > > Adding client_ID or server_ID separate the searching space. > Then the attacker have to find the value in each case for the attack. > (The reason was said before.) > > > (2014/11/17 13:33), John Bradley wrote: >> The question is what is the attack. >> >> Any salt added needs to be communicated from the client to the AS, so we >> must assume that the attacker has it. >> >> The attacker can then a) create rainbow table using the client id or >> whatever is the known salt. Yes the attacker must create a new table >> per client. >> Salting is really only effective for low entropy passwords to try and >> slow down a rainbow table attack by making the input to the hash be >> higher than the that of the password on it's own. >> >> Currently attackers can generate over 4Billion SHA256 hashes per second >> on a single GPU card. (Thank you bitcoin) >> >> It is faster to generate the hashes than to look them up via a index. >> >> If you are generating the hash in real time salting provides no >> determent, as the salt is just included in the hash calculation. >> >> If the code verifier was a password rather than a 256bit random key then >> a hash would add value against rainbow tables. >> >> In reality finding a collision against a salted password is much easier >> using real time hash generation than by using rainbow tables. >> >> Using SHA256 with a short hash is not safe for passwords any more. >> Something like PBES2 with at-least 200 rounds needs to be used, if you >> want have password files from being compromised quickly if disclosed. >> (Yes I know people are not doing that, and hence part of the reason >> why passwords are no longer secure) >> >> More entropy in the code verifier adds to security eg moving to SHA512 >> and larger verifiers, but adding a salt to SHA256 is basically a no op >> when defending against modern attacks. >> >> I did originally agree with your position and wanted to HMAC the >> client_id to defend against rainbow tables, however I am now convinced >> that the attack has moved on so that is no more efective than a plain >> hash over a random 256bit value. >> >> John B. >> >>> On Nov 16, 2014, at 11:06 PM, Nat Sakimura <sakimura@gmail.com >>> <mailto:sakimura@gmail.com>> wrote: >>> >>> I am actually not convinced. Since the code verifier is 256bit random, >>> adding salt does not seem to help. >>> Salting definitely helps if len(password) << 256 bit, but ... >>> >>> >>> On Mon Nov 17 2014 at 11:39:07 takamichi saito <saito@cs.meiji.ac.jp >>> <mailto:saito@cs.meiji.ac.jp>> wrote: >>> >>> >>> >>> (2014/11/14 13:02), Bill Mills wrote: >>> > Yes, "plain" is actually sufficient. The hashed value protects >>> against >>> > disclosure/logging threats on the server auth server and proxies >>> perhaps >>> > where the HTTPS is terminated somewhere other than the auth server >>> > itself, it's not actually required for the basic >>> functionality/security >>> > of the mechanism. >>> >>> In the threat model of the SPOP scheme, a wiretap is in it. >>> >>> And more, the hash is not used to keep secretly in the sever/client. >>> >>> >>> > >>> > >>> > On Thursday, November 13, 2014 7:07 PM, takamichi saito >>> > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>> wrote: >>> > >>> > >>> > Sorry for my poor english. >>> > >>> > >>> > 2014/11/14 10:55、Bill Mills <wmills_92105@yahoo.com >>> <mailto:wmills_92105@yahoo.com> >>> > <mailto:wmills_92105@yahoo.com >>> <mailto:wmills_92105@yahoo.com>__>> のメール: >>> > >>> > > The whole mechanism relies on the attacker not having access >>> to the >>> > code_verifier or hash. It's defending against the attacker >>> getting the >>> > code via weakness in IPC or other such mechanism like URI >>> handlers. How >>> > many more bits is secure beyond 256 bits of entropy >>> recommended? If you >>> > want to make it longer then just make it longer, salting doesn't >>> really >>> > help that much. >>> > > >>> > > The original value or the hashed value *should* be protected >>> by the >>> > transport security, and if it isn't then the attacker could be >>> stealing >>> > the original credential used to authenticate anyway. >>> > > >>> > >>> > Is it correct? >>> > You mean that we don’t need to use hash itself? Only to use >>> plain is enough? >>> > >>> > >>> > > >>> > > >>> > > >>> > > On Thursday, November 13, 2014 5:40 PM, takamichi saito >>> > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp> >>> <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>>> wrote: >>> > > >>> > > >>> > > >>> > > Hi all, >>> > > >>> > > I appreciate this idea, simple and powerful to achieve proof of >>> > possession. >>> > > But, I have some questions against the scheme. >>> > > Sorry if these ware already discussed. >>> > > >>> > > I worry about using a hash function in simple way. >>> > > I mean, a simple use of random as code_verifier may cause that >>> > malicious client can have any code_verifier and code_challenge. >>> > > All combinations of random and its hash can be obtained, it >>> may not >>> > be risk? >>> > > >>> > > So, we should use: >>> > > S256 "code_challenge" = BASE64URL(SHA256("code___verifier" + >>> “client ID”)) >>> > > or >>> > > S256 "code_challenge" = BASE64URL(SHA256("code___verifier" + >>> “client >>> > ID” + “server ID”)) >>> > > Where, you know that client ID is client’s unique name. >>> > > >>> > > >>> > > Other problem is the following, using Nat’s slide: >>> > > http://www.slideshare.net/nat___sakimura/1112-spoppresso >>> <http://www.slideshare.net/nat_sakimura/1112-spoppresso> >>> > <http://www.slideshare.net/__nat_sakimura/1112-spoppresso >>> <http://www.slideshare.net/nat_sakimura/1112-spoppresso>>. >>> > > >>> > > 0. Attacker prepares own code_verifier and code_challenge. >>> > > 1. replage legitimate challenge with malicious code_challenge. >>> > > 5. Attacker can submits own code_verifier. >>> > > >>> > > It may be out of the draft, I think. >>> > > >>> > > Best regards, >>> > > >>> > > >>> > > ;; takamixhi saito >>> > > >>> > > _________________________________________________ >>> > > OAuth mailing list >>> > > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org >>> <mailto:OAuth@ietf.org>> >>> > > https://www.ietf.org/mailman/__listinfo/oauth >>> <https://www.ietf.org/mailman/listinfo/oauth> >>> > >>> > > >>> > > >>> > >>> > >>> > ;; takamixhi saito >>> > >>> > _________________________________________________ >>> > OAuth mailing list >>> > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org >>> <mailto:OAuth@ietf.org>> >>> > https://www.ietf.org/mailman/__listinfo/oauth >>> <https://www.ietf.org/mailman/listinfo/oauth> >>> > >>> > >>> >>> >>> -- >>> ;; takamixhi saito >>> >>> _________________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/__listinfo/oauth >>> <https://www.ietf.org/mailman/listinfo/oauth> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> > > > -- > ;; takamixhi saito > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] draft-ietf-oauth-spop-04: a way of mak… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… William Denniss
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Sergey Beryozkin
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Sergey Beryozkin
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito