Re: [OAUTH-WG] Hashing passwords for "password" grant type

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Tue, 07 September 2010 07:18 UTC

Message-ID: <4C85E757.6010501@alcatel-lucent.com>
Date: Tue, 07 Sep 2010 03:18:47 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
To: Aaron Parecki <aaron@parecki.com>
References: <AANLkTi=eODzwVYyPjQXwBP-S+po7-hpP8v-YgQpjVR8S@mail.gmail.com>
In-Reply-To: <AANLkTi=eODzwVYyPjQXwBP-S+po7-hpP8v-YgQpjVR8S@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Hashing passwords for "password" grant type

Aaron,

Actually, I never fully understood the "password" access grant type, as 
technically it is against the very spirit of OAuth, which, I thought, 
was to avoid divulging the password. 

TLS provides confidentiality, and so you ought to be able to rely on 
TLS, although I have no idea what kinds of logs there may be.

Unfortunately, hashing won't help with encryption, because it is 
impossible to decrypt. Relying on the hash of the password, without 
salt, is not solving the problem because anyone who can intercept this 
hash could then use it. Things would be somewhat better if the salt were 
known, but how can the salt be known to anyone except the server that 
has created it (and must keep it secret)?  I guess the only sure way is 
to use the public key of the receiver (or a one-time pad based on the 
shared secret).

Igor

Aaron Parecki wrote:
> Hi folks,
>
> I'm implementing OAuth 2 for my project (geoloqi.com 
> <http://geoloqi.com>) where I have some mobile phone clients needing 
> to authenticate. I'm using the "password" grant type for these 
> clients. Even though the call to the token endpoint is going over 
> HTTPS, I'm still slightly concerned about sending the user's password 
> to the server unencrypted. (I don't want the users' passwords to 
> appear in my debug log file for instance.) Does the spec allow for or 
> have a way to extend so that I can define a hashing algorithm the 
> client can use to encrypt the password before sending it? I'm already 
> not storing the passwords in plain text in the database anyway. 
> Anybody else dealing with a similar issue?
>
> Aaron
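
The two concerns in this exchange (keeping the password out of debug logs, and the fact that an unsalted client-side hash is just another secret that whoever intercepts it can replay) can be shown in a few lines. The following is an added example, not code from the thread or from geoloqi.com; the field names, iteration count and helper names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed example for a "password" grant token endpoint:
# (a) mask the credential before a request body reaches a debug log, and
# (b) keep only a per-user salted, stretched hash on the server.
# Field names and the iteration count are assumptions, not from the thread.

SENSITIVE_FIELDS = {"password", "client_secret"}
ITERATIONS = 200_000


def redact_form_body(body: str) -> str:
    """Return a copy of a form-encoded token request with secret fields masked.
    Log this, never the raw body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in SENSITIVE_FIELDS else v) for k, v in pairs])


def client_side_hash(password: str) -> str:
    """The unsalted pre-hash the original question proposes the phone would send.
    Note it is a fixed function of the password alone: whoever sees it can resend it."""
    return hashlib.sha256(password.encode()).hexdigest()


def enroll(credential: str) -> Tuple[bytes, bytes]:
    """Store a random salt and PBKDF2 of whatever string the client will submit
    (the password itself, or its client-side hash). The salt never leaves the server."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, ITERATIONS)
    return salt, digest


def verify(credential: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a submitted credential against the stored record.
    Whatever string is accepted here is, by itself, enough to authenticate, so a
    pre-hash needs exactly the protection (TLS, log redaction) the password needed."""
    candidate = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```

Enrolling `client_side_hash(pw)` instead of `pw` changes nothing about what an intercepted request is worth; it only moves the secret-handling problem, which is why the salted hashing still has to happen on the server.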