Re: [OAUTH-WG] [Technical Errata Reported] RFC7636 (6179)
Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Sun, 31 May 2020 19:41 UTC
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FB0E3A00B0 for <oauth@ietfa.amsl.com>; Sun, 31 May 2020 12:41:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Di0AcYcA-PCH for <oauth@ietfa.amsl.com>; Sun, 31 May 2020 12:41:39 -0700 (PDT)
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 250D43A0045 for <oauth@ietf.org>; Sun, 31 May 2020 12:41:39 -0700 (PDT)
Received: by mail-wr1-x432.google.com with SMTP id x14so9430976wrp.2 for <oauth@ietf.org>; Sun, 31 May 2020 12:41:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UtoMdoEedOoF9L3KeW7ca2PfVgWkL6+BOHVuTLlM40c=; b=ur6bq9sGD/qxslHCtsPsNawDCffWmwq7MKbWa7dmg170fHbPjdmaz+V7oBdEdKZVDO 1rftohxvX2gsPiHlZ+KaAwADCJHRAF4dpQREmn+75SZOglVNr1ZH5EwjvuG0xMqOtBGo ON+j1vY28/5uqYD7XLWbrVX1iCypHpRLTLGxS35X6olvkEVY4dnX/wjmRsJPEBpbtdV3 Km9V+te0NMspM32zExGNKox3e4mCzFKMSAT/Sz4kc310GQLGMAwTFSXS0Agou9owU5WG wZbuHnFTEHbugc+alKW7wMpd8+P7wAl1hA+pjgTVXbP/1e+kfVG3mlG8GcrInHP0nW6I 34pw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UtoMdoEedOoF9L3KeW7ca2PfVgWkL6+BOHVuTLlM40c=; b=nRIal5ngo4UhPJI/UTGjgBdcYTo46O+0XT/xACGUYK4Led6KcslHy+EMGK++WtHECH 6MMgsRkdnV33QO1GzeCiIbC+Xpf5DohYYczLfo8zUKoHHng7BWapMlZKM5h4rPjv3r57 RWiufBBuiSCrHvJZqOPD/OezoMEIs1nq9RsWVmyQu2KxkpTe7/DpMGNLBKHfbVaRzd46 2ZMxspoIbtnuyNF0l4/vjxx9UpdkUAJkkY7JaGpODRkPshFGOPqvuH84z+d6VwwNYHEK 0uDedN2mAocsxpxvOoHsDPb3aAR1vr/tQ7Aa1CWswTp+Ioq0TWC9SekzRakEPZ5GpXMK x2IQ==
X-Gm-Message-State: AOAM5315Xy6UBGFIZFi3q4ltAGyY2z9NhEUTCY2aOQYaibaExSUHA5fi HKrA1JHyobq2uYR0QG/PP+5dJOY5KMCF6RFR01w=
X-Google-Smtp-Source: ABdhPJwAsVBFPAKkF+LEaa3DJn9mV2hkOd6g9hVV6uPYIQT/xuXFGETpCrK3kzTgvOocPCgN1ZVEL1f3TVqSEiH/RZ0=
X-Received: by 2002:adf:82d0:: with SMTP id 74mr17516643wrc.138.1590954067671; Sun, 31 May 2020 12:41:07 -0700 (PDT)
MIME-Version: 1.0
References: <20200518100426.ACC2DF40753@rfc-editor.org> <20200523202532.GE58497@kduck.mit.edu>
In-Reply-To: <20200523202532.GE58497@kduck.mit.edu>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Sun, 31 May 2020 15:40:56 -0400
Message-ID: <CADNypP85O2uxAg05_dNn3Q0fHu5bqt093BkBVp_pRhyL5TOasA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, n-sakimura@nri.co.jp, ve7jtb@ve7jtb.com, naa@google.com, rdd@cert.org, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, dmitry.khlebnikov@rea-group.com, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000ebd8c05a6f6dc80"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/F8K4iKS9AavJZdmMOHzfHbfQkOA>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC7636 (6179)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 May 2020 19:41:41 -0000
Nat, John, Do you guys have any thoughts on this errata? Regards, Rifaat On Sat, May 23, 2020 at 4:25 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > Authors, WG, any comments? > > Right now the likely dispositions seem to me to be Editorial/HFDU or > Rejected; the text is noting that salting is not used and attempting to > give an explanation of why that's the right choice. It's not clear that > the WG was in error to include some such discussion at the time of > publication, which is essentially what this errata report is claiming. > > Thanks, > > Ben > > On Mon, May 18, 2020 at 03:04:26AM -0700, RFC Errata System wrote: > > The following errata report has been submitted for RFC7636, > > "Proof Key for Code Exchange by OAuth Public Clients". > > > > -------------------------------------- > > You may review the report below and at: > > https://www.rfc-editor.org/errata/eid6179 > > > > -------------------------------------- > > Type: Technical > > Reported by: Dmitry Khlebnikov <dmitry.khlebnikov@rea-group.com> > > > > Section: 7.3 > > > > Original Text > > ------------- > > 7.3. Salting the code_challenge > > > > To reduce implementation complexity, salting is not used in the > > production of the code challenge, as the code verifier contains > > sufficient entropy to prevent brute-force attacks. Concatenating a > > publicly known value to a code verifier (containing 256 bits of > > entropy) and then hashing it with SHA256 to produce a code challenge > > would not increase the number of attempts necessary to brute force a > > valid value for code verifier. > > > > While the "S256" transformation is like hashing a password, there are > > important differences. Passwords tend to be relatively low-entropy > > words that can be hashed offline and the hash looked up in a > > dictionary. By concatenating a unique though public value to each > > password prior to hashing, the dictionary space that an attacker > > needs to search is greatly expanded. > > > > Modern graphics processors now allow attackers to calculate hashes in > > real time faster than they could be looked up from a disk. This > > eliminates the value of the salt in increasing the complexity of a > > brute-force attack for even low-entropy passwords. > > > > Corrected Text > > -------------- > > > > > > Notes > > ----- > > The section misrepresents the information about "salting" and the whole > idea > > of "salting" is not applicable to a standalone hash. I suggest to drop > the entire > > section as irrelevant to the rest of the standard. > > > > For some reason the section implies that "salting" is protecting and > increasing > > entropy of a single hash, which is not what "salting" is about and is > not the > > reason for the technique. The section is also making a speculative > assumptions > > about the low-entropy tendency in password hashes and makes an incorrect > > conclusion on the benefits of "salting" for a password hash. > > > > One could argue that the entropy and the complexity required to > bruteforce a hash > > and a salted hash for the same password (where the same hashing > algorithm is > > applied) are approximately the same in most cases (or just slightly more > > complex for the salted version if the producer of the hash used a > non-standard > > routine in relation of mixing in the salt, e.g. instead of appending the > salt > > it inserts in in the middle of the password to be hashed). In any case, > that > > public data is already known to the attacker and it is just a matter of > the > > configuration for the bruteforcing tool (such as JohnTheRipper) to > incorporate > > the knowledge. > > > > Just as an illustration: consider an example password ('abc'), an > example salt > > ('123'), and that the hash is generated using a concatinated version of > these > > two (e.g. HASH('abc123')). Since the salt is included with the hash in > plain > > text, the bruteforcer would just need to set their tool up with the > "^.*123$" > > pattern making the salt essentially a string terminator which is not > affecting > > the bruteforce effort in any way). > > > > More and more people I meet are confused about the problem area the > "salting" > > technique was invented to address: it is to increase the entropy of a > set of > > passwords, so the same password would not result in the same hash value, > with > > the primary goal is to prevent attackers to be able to re-use > pre-calculated > > hashes (e.g. rainbow hash tables) or, in the early stages of the attack, > to > > make it impossible to quickly assess what hashes the attacker should > focus on > > (e.g. when you have 1000 hashes and without salts you can easily spot > that > > some hashes are the same, which means breaking these one would gain much > more > > in comparison to unique hashes in the same set). > > > > This being said, I am suggesting to drop section 7.3 completely as > irrelevant, > > since what we currently have is very confusing and seeds unnecessary and > > wrong ideas that "salting" can improve the security of a single hash by > itself. > > > > Instructions: > > ------------- > > This erratum is currently posted as "Reported". If necessary, please > > use "Reply All" to discuss whether it should be verified or > > rejected. When a decision is reached, the verifying party > > can log in to change the status and edit the report, if necessary. > > > > -------------------------------------- > > RFC7636 (draft-ietf-oauth-spop-15) > > -------------------------------------- > > Title : Proof Key for Code Exchange by OAuth Public Clients > > Publication Date : September 2015 > > Author(s) : N. Sakimura, Ed., J. Bradley, N. Agarwal > > Category : PROPOSED STANDARD > > Source : Web Authorization Protocol > > Area : Security > > Stream : IETF > > Verifying Party : IESG >
- [OAUTH-WG] [Technical Errata Reported] RFC7636 (6… RFC Errata System
- Re: [OAUTH-WG] [Technical Errata Reported] RFC763… Benjamin Kaduk
- Re: [OAUTH-WG] [Technical Errata Reported] RFC763… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] [Technical Errata Reported] RFC763… Benjamin Kaduk