Re: [OAUTH-WG] Hashing passwords for "password" grant type
Yutaka OIWA <y.oiwa@aist.go.jp> Fri, 10 September 2010 14:55 UTC
Message-ID: <4C8A46D5.9070207@aist.go.jp>
Date: Fri, 10 Sep 2010 23:55:17 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
Organization: RCIS, AIST
To: Aaron Parecki <aaron@parecki.com>
References: <AANLkTi=eODzwVYyPjQXwBP-S+po7-hpP8v-YgQpjVR8S@mail.gmail.com>
In-Reply-To: <AANLkTi=eODzwVYyPjQXwBP-S+po7-hpP8v-YgQpjVR8S@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Hashing passwords for "password" grant type
Hi Aaron,

In the usual security sense, just hashing or salting the on-wire passwords will not improve security against credential stealing (both on-wire and local), because a stolen hashed password will allow access to the resources.

# At least theoretically, we can say that it "weakens" the security, because
# stealing hashed passwords is theoretically "easier" than stealing raw
# passwords (hint: the latter implies the former).

If you are really concerned about server-side leakage of on-wire credentials, one way is to request Digest- or APOP-style challenge-responses (but it may need one additional round-trip message for getting a challenge, depending on the setting.)

# One setting in which hashing the password makes security sense is
# to use hashed passwords for low-security low-privilege interfaces
# (e.g. tweeting) and to require raw passwords for
# high-security high-privilege interfaces (such as configuration changes.)

On 2010/09/07 12:09, Aaron Parecki wrote:
> Hi folks,
>
> I'm implementing OAuth 2 for my project (geoloqi.com <http://geoloqi.com>) where
> I have some mobile phone clients needing to authenticate. I'm using the
> "password" grant type for these clients. Even though the call to the token
> endpoint is going over HTTPS, I'm still slightly concerned about sending the
> user's password to the server unencrypted. (I don't want the users' passwords to
> appear in my debug log file for instance.) Does the spec allow for or have a way
> to extend so that I can define a hashing algorithm the client can use to encrypt
> the password before sending it? I'm already not storing the passwords in plain
> text in the database anyway. Anybody else dealing with a similar issue?
>
> Aaron
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--
Yutaka Oiwa (大岩 寛)
National Institute of Advanced Industrial Science and Technology (AIST)
Research Center for Information Security, Software Security Research Team
<y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
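As an added illustration of the point made in the reply above (constructed for this archive page, not code from the thread, from geoloqi.com or from any OAuth implementation), the Python below shows both schemes side by side: a client-side hash simply becomes the secret the server accepts, so a value captured from a log or from the wire is accepted again, whereas a Digest/APOP-style response bound to a fresh server nonce is not. The function names and the HMAC-over-nonce construction are assumptions of the demo, not anything the spec defines.

```python
import hashlib
import hmac
import secrets

# Scheme 1 (what the original question proposes): the client sends
# hash(password) instead of the password. The server can only compare
# against the stored value derived from that same hash, so the hash is
# now the credential: whoever holds it holds the account.
def client_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def server_accepts_hash(stored_client_hash: str, presented: str) -> bool:
    return hmac.compare_digest(stored_client_hash, presented)

# Scheme 2 (the Digest/APOP-style alternative from the reply): the server
# issues a fresh random nonce and the client answers with an HMAC over that
# nonce keyed by the password. A response is bound to one nonce, so a
# captured response is useless against the next challenge. The extra
# round trip to fetch the nonce is the cost the reply mentions.
def new_challenge() -> bytes:
    return secrets.token_bytes(16)

def client_response(password: str, nonce: bytes) -> str:
    return hmac.new(password.encode(), nonce, hashlib.sha256).hexdigest()

def server_verify_response(password: str, nonce: bytes, presented: str) -> bool:
    # The verifier must hold a password-equivalent key to recompute the HMAC
    # (the raw password here, as Digest needs its HA1); that is the server-side
    # storage trade-off of challenge-response schemes.
    expected = hmac.new(password.encode(), nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)

def demo() -> tuple:
    pw = "correct horse battery staple"   # constructed sample credential
    # Scheme 1: the value that would sit in a debug log is accepted as-is.
    stored = client_hash(pw)
    logged_value = client_hash(pw)
    hash_accepted_again = server_accepts_hash(stored, logged_value)
    # Scheme 2: valid for the nonce it was computed for, rejected for a new one.
    n1 = new_challenge()
    resp = client_response(pw, n1)
    valid_once = server_verify_response(pw, n1, resp)
    accepted_again = server_verify_response(pw, new_challenge(), resp)
    return hash_accepted_again, valid_once, accepted_again

if __name__ == "__main__":
    print(demo())   # (True, True, False)
```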