IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge

John Bradley <ve7jtb@ve7jtb.com> Mon, 17 November 2014 04:33 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BED31A00BB for <oauth@ietfa.amsl.com>; Sun, 16 Nov 2014 20:33:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.83
X-Spam-Level:
X-Spam-Status: No, score=-1.83 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qqB10YgOWWur for <oauth@ietfa.amsl.com>; Sun, 16 Nov 2014 20:33:22 -0800 (PST)
Received: from mail-qg0-f42.google.com (mail-qg0-f42.google.com [209.85.192.42]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 017F41A00BA for <oauth@ietf.org>; Sun, 16 Nov 2014 20:33:21 -0800 (PST)
Received: by mail-qg0-f42.google.com with SMTP id i50so14734794qgf.15 for <oauth@ietf.org>; Sun, 16 Nov 2014 20:33:21 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=vhHvHx9DQLbCzcjfDL1u4rXTHLFmeguPJizeSB6CFk0=; b=Td4F3JxzPLphA0O/tbM5R6k/X8NcYlgjjH4Hsx5HUjRGKbFLQlzNPSwyFLqrf6rW5R HANcKTcVoYCOiG7zaacjhwnO3xIMhyz332Io+BbetDRdrnH/KODi/ftqd4bq2rWEOCOE R0grO+fMoqJKNXfYVAU/iNn8GW+IMRkC9a4fUomNJir9Q89l5qaSJMj12oNBwddfJvKf PRh7Knr7QwWj8/3o/tT2oVHoA7dfWpHc+CZnl8GyZ+BYly9MALoDHgEPs9t6L2mfqstp KqcU2ju2kYbdadSmA/7bG0prwB4I51dC0vL4Koq3GlPCL1Cx/Ww+MrfXTvbFlkutbPYO GXYw==
X-Gm-Message-State: ALoCoQlNqpmsvWuZNc6MWy+EL22Bi3LxlKv7hGtdkKtnIzNbpEX3W7KnAdXru47SKRiJJnDZDaAu
X-Received: by 10.224.45.65 with SMTP id d1mr31691749qaf.43.1416198801022; Sun, 16 Nov 2014 20:33:21 -0800 (PST)
Received: from [192.168.6.66] (ip-64-134-240-36.public.wayport.net. [64.134.240.36]) by mx.google.com with ESMTPSA id i77sm18725383qgd.20.2014.11.16.20.33.19 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 16 Nov 2014 20:33:20 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_846F85EF-4626-4D77-A0A5-4D69CDBE3E86"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 8.0 \(1990.1\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CABzCy2Bp1nxJbzw7H1edoYCe-VaPQQgSJX-yMg0wvQKNE870VA@mail.gmail.com>
Date: Sun, 16 Nov 2014 23:33:17 -0500
Message-Id: <E734389D-499D-4E3E-AF19-16343457B33F@ve7jtb.com>
References: <8DF11B47-479E-4542-853B-90CF552AEEC3@cs.meiji.ac.jp> <1725911091.499004.1415937773834.JavaMail.yahoo@jws10619.mail.bf1.yahoo.com> <54695FF0.2010603@cs.meiji.ac.jp> <CABzCy2Bp1nxJbzw7H1edoYCe-VaPQQgSJX-yMg0wvQKNE870VA@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
X-Mailer: Apple Mail (2.1990.1)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/PvjRHyXtpiHRnp8WbgojHQtRf74
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Nov 2014 04:33:26 -0000

The question is what is the attack.

Any salt added needs to be communicated from the client to the AS, so we must assume that the attacker has it.

The attacker can then a) create rainbow table using the client id or whatever is the known salt.  Yes the attacker  must create a new table per client.   
Salting is really only effective for low entropy passwords to try and slow down a rainbow table attack by making the input to the hash be higher than the that of the password on it's own.

Currently attackers can generate over 4Billion SHA256 hashes per second on a single GPU card.  (Thank you bitcoin) 

It is faster to generate the hashes than to look them up via a index. 

If you are generating the hash in real time salting provides no determent, as the salt is just included in the hash calculation.

If the code verifier was a password rather than a 256bit random key then a hash would add value against rainbow tables.

In reality finding a collision against a salted password is much easier using real time hash generation than by using rainbow tables. 

Using SHA256 with a short hash is not safe for passwords any more.   Something like PBES2 with at-least 200 rounds needs to be used, if you want have password files from being compromised quickly if disclosed.  (Yes I know people are not doing that,  and hence part of the reason why passwords are no longer secure)

More entropy in the code verifier adds to security eg moving to SHA512 and larger verifiers, but adding a salt to SHA256 is basically a no op when defending against modern attacks.

I did originally agree with your position and wanted to HMAC the client_id to defend against rainbow tables, however I am now convinced that the attack has moved on so that is no more efective than a plain hash over a random 256bit value.

John B.

> On Nov 16, 2014, at 11:06 PM, Nat Sakimura <sakimura@gmail.com> wrote:
> 
> I am actually not convinced. Since the code verifier is 256bit random, adding salt does not seem to help. 
> Salting definitely helps if len(password) << 256 bit, but ... 
> 
> 
> On Mon Nov 17 2014 at 11:39:07 takamichi saito <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>> wrote:
> 
> 
> (2014/11/14 13:02), Bill Mills wrote:
> > Yes, "plain" is actually sufficient.  The hashed value protects against
> > disclosure/logging threats on the server auth server and proxies perhaps
> > where the HTTPS is terminated somewhere other than the auth server
> > itself, it's not actually required for the basic functionality/security
> > of the mechanism.
> 
> In the threat model of the SPOP scheme, a wiretap is in it.
> 
> And more, the hash is not used to keep secretly in the sever/client.
> 
> 
> >
> >
> > On Thursday, November 13, 2014 7:07 PM, takamichi saito
> > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>> wrote:
> >
> >
> > Sorry for my poor english.
> >
> >
> > 2014/11/14 10:55、Bill Mills <wmills_92105@yahoo.com <mailto:wmills_92105@yahoo.com>
> > <mailto:wmills_92105@yahoo.com <mailto:wmills_92105@yahoo.com>>> のメール:
> >
> >  > The whole mechanism relies on the attacker not having access to the
> > code_verifier or hash.  It's defending against the attacker getting the
> > code via weakness in IPC or other such mechanism like URI handlers.  How
> > many more bits is secure beyond 256 bits of entropy recommended?  If you
> > want to make it longer then just make it longer, salting doesn't really
> > help that much.
> >  >
> >  > The original value or the hashed value *should* be protected by the
> > transport security, and if it isn't then the attacker could be stealing
> > the original credential used to authenticate anyway.
> >  >
> >
> > Is it correct?
> > You mean that we don’t need to use hash itself? Only to use plain is enough?
> >
> >
> >  >
> >  >
> >  >
> >  > On Thursday, November 13, 2014 5:40 PM, takamichi saito
> > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp> <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>>> wrote:
> >  >
> >  >
> >  >
> >  > Hi all,
> >  >
> >  > I appreciate this idea, simple and powerful to achieve proof of
> > possession.
> >  > But, I have some questions against the scheme.
> >  > Sorry if these ware already discussed.
> >  >
> >  > I worry about using a hash function in simple way.
> >  > I mean, a simple use of random as code_verifier may cause that
> > malicious client can have any code_verifier and code_challenge.
> >  > All combinations of random and its hash can be obtained, it may not
> > be risk?
> >  >
> >  > So, we should use:
> >  > S256 "code_challenge" = BASE64URL(SHA256("code_verifier" + “client ID”))
> >  > or
> >  > S256 "code_challenge" = BASE64URL(SHA256("code_verifier" + “client
> > ID” + “server ID”))
> >  > Where, you know that client ID is client’s unique name.
> >  >
> >  >
> >  > Other problem is the following, using Nat’s slide:
> >  > http://www.slideshare.net/nat_sakimura/1112-spoppresso <http://www.slideshare.net/nat_sakimura/1112-spoppresso>
> > <http://www.slideshare.net/nat_sakimura/1112-spoppresso <http://www.slideshare.net/nat_sakimura/1112-spoppresso>>.
> >  >
> >  > 0.    Attacker prepares own code_verifier and code_challenge.
> >  > 1.    replage legitimate challenge with malicious code_challenge.
> >  > 5. Attacker can submits own code_verifier.
> >  >
> >  > It may be out of the draft, I think.
> >  >
> >  > Best regards,
> >  >
> >  >
> >  > ;; takamixhi saito
> >  >
> >  > _______________________________________________
> >  > OAuth mailing list
> >  > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org <mailto:OAuth@ietf.org>>
> >  > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> >
> >  >
> >  >
> >
> >
> > ;; takamixhi saito
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org <mailto:OAuth@ietf.org>>
> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> >
> >
> 
> 
> --
> ;; takamixhi saito
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email