IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge

Sergey Beryozkin <sberyozkin@gmail.com> Wed, 19 November 2014 13:47 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0783F1A6EE1 for <oauth@ietfa.amsl.com>; Wed, 19 Nov 2014 05:47:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.4
X-Spam-Level:
X-Spam-Status: No, score=-0.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, J_CHICKENPOX_62=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6CYIZ8327ZmD for <oauth@ietfa.amsl.com>; Wed, 19 Nov 2014 05:47:44 -0800 (PST)
Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 836B11A1C05 for <oauth@ietf.org>; Wed, 19 Nov 2014 05:47:43 -0800 (PST)
Received: by mail-wg0-f48.google.com with SMTP id y19so878142wgg.35 for <oauth@ietf.org>; Wed, 19 Nov 2014 05:47:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=7DXNTjZN+hW4fgA9vmvtx/sLPpGu+am6yOJYGODxfDk=; b=jZYsJ5gWhkd1Zutznrc+1UY6p2QfQtFRqexFDqTTKGe3j1mnNHVU5Ri+ujW/7G1KwY WVeWI1aakGakX7TkACThRxvDrIbyrvjHkY/9/9L2lbXfjINun87fXZLuk6XJ7oFATGtR +NJmIokPHUgGXy4pcMc5P7CX2akPCDOHNhrD+MEV0MFw9jeacpqrweU7sS50a+GkM82Q hqpC8/6QF3JlhyehoCHqM4gYVyO4c/KcX0oNE8+RzdkK6RSVy+sVsOKdKNE3Bc82W88c ctDnHvAZZyAwB6if63WsCOi2NmSm0/7uNhdGNWJy9sDSoisYDwK3iBBHVI6JnvrB/dKN CIBg==
X-Received: by 10.194.187.164 with SMTP id ft4mr57468384wjc.76.1416404862220; Wed, 19 Nov 2014 05:47:42 -0800 (PST)
Received: from [10.20.16.170] ([109.74.48.129]) by mx.google.com with ESMTPSA id ry19sm2388836wjb.3.2014.11.19.05.47.39 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 19 Nov 2014 05:47:41 -0800 (PST)
Message-ID: <546C9F6C.1010805@gmail.com>
Date: Wed, 19 Nov 2014 14:47:24 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>
References: <546ACC4F.9060801@cs.meiji.ac.jp> <1978901687.1831418.1416286458957.JavaMail.yahoo@jws10651.mail.bf1.yahoo.com> <546C2DF9.30107@cs.meiji.ac.jp> <546C5C5B.9080001@gmail.com> <B669E478-3D78-4A93-B1FB-83F4F34A3927@ve7jtb.com>
In-Reply-To: <B669E478-3D78-4A93-B1FB-83F4F34A3927@ve7jtb.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/SqRDraKe5JEQBrs170NfpEsAmoE
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Nov 2014 13:47:47 -0000

Hi John

Thanks for going over it again and explaining it all so nicely, even I 
do understand it now (I'd like to think so :-)) why using a client id as 
a salt does not add much to the signature strength.
I thought the idea was consider to introduce some extra randomization, 
where say even multiple clients with the same id can sometimes use a 
server id as opposed to a client id to add to the signature function 
input. May be I've misunderstood.
It's been an interesting thread to watch for sure :-)

Many thanks, Sergey
On 19/11/14 13:17, John Bradley wrote:
> Hi Sergey,
>
> If we change from a SHA256 function over the code_verifier to a SHA256 over the concatenation of the code_verifier and client_id, that would be defined in the spec.
> We would not do both, and the salt would not be a real random.   There would be many instances of a client all using the same salt value.
>
> The client_id is sent in both the request to the authorization endpoint and the token endpoint and is validated by having a registered redirect_uri.
>
> The question is if doing that adds any net security given the likely attacks.
>
> I originally proposed using a SHA256 HMAC of the client)id in one of the first drafts.   (effectively the same as a hash of the concatenation of the two values)
>
> That was taken out as being too complicated for developers based on feedback.
>
> The compromise was a simple SHA256 hash of the code verifier.   This allowed Google and others to support this transform as Mandatory to Implement on the server.
>
> I have been convinced that as long as the code_verifier as enough entropy (256bits) using the HMAC didn't add enough security to warrant the additional concatenation step.
>
> In the theoretical yes splitting the search space by adding a salt is better than not if the attacker is using precomputed values, and is a wash if the attacker can compute hashes useng the salt in real time as fast or faster than using a lookup.
>
> The only downside to using a salt is that people may elect to reduce the size of code_verifier because they feel the salt is providing some security.
>
> If the client uses a 128bit random  for code verifier and a fixed 128bit client_id to produce a 256bit has that would be significantly less secure than using using a 256bit code_verifier if the attacker is using oclhashcat with GPU.  http://hashcat.net/oclhashcat/
>
> If we do go back to effectively doing a HMAC then we do need to be careful that people don't reduce the entropy of code_verifyer.
>
> John B.
>
>> On Nov 19, 2014, at 4:01 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>
>> Hi
>>
>> Apologies for getting into this thread (I do not understand most of the mathematics at this stage :)),
>> On 19/11/14 06:43, takamichi saito wrote:
>>> (2014/11/18 13:54), Bill Mills wrote:
>>>> There will be no rainbow table for 256bits of search space.  Suppose
>>>> then that clientID has 256 possible values.  How does salting with
>>>> client ID do anything more than making the search space 264 bits?
>>>>
>>>> You keep saying that a salt is better than just adding entropy, but
>>>> never actually justifying it.
>>>>
>>>>
>>>
>>> Adding client_ID is not only for like adding password's salt.
>>> Adding client_ID is not same as adding password's salt in this context.
>>>
>> You've mentioned it would separate a search space, but as far as I understand that would require a client to randomly add either its client_id or server_id to the signature function. If it is only adding a client id then it sounds like a salt. Is that right ? I think I can understand that.
>> The question is, where is a 'server_id' coming from and how a server would know that the signature was calculated with a client_id or server_id added in ?
>>
>> Sorry if it is all just the noise...
>>
>> Thanks, Sergey
>>>
>>>>
>>>> On Monday, November 17, 2014 8:34 PM, takamichi saito
>>>> <saito@cs.meiji.ac.jp> wrote:
>>>> (2014/11/18 13:17), Bill Mills wrote:
>>>>> Again, the only value of including client ID or any other value in
>>>>> this case is to increase the number of bits of entropy in the value
>>>>> being hashed. Using client ID is only useful if it's actually got
>>>>> decent entropy in it, if it's just a version number then or a server
>>>>> name or address it adds very little.
>>>>>
>>>>
>>>> Client_ID is not for adding entropy.
>>>> Again, Client_ID is separating the attacker's searching space.
>>>>
>>>>> Yes, salting is valuable for passwords which have very low entropy.
>>>>> But as has been discussed it adds little in this case.  Your
>>>>> arguments are correct for passwords but not for 256 bits of random
>>>>> number.
>>>>>
>>>>
>>>> I agree that human-made password is low entropy.
>>>> As I say, adding Client_ID can force the attacker has to search the
>>>> value in each attack.
>>>> If the attacker uses GPU, he can not get the value within the session.
>>>>
>>>> I never confuse about password in these discussions.
>>>>
>>>>
>>>>
>>>>> Regards,
>>>>>
>>>>> -bill
>>>>>
>>>>>
>>>>>
>>>>> On Monday, November 17, 2014 7:27 PM, takamichi saito
>>>>> <saito@cs.meiji.ac.jp> wrote:
>>>>>
>>>>> I agree that GPU can/may find the value on the fly.
>>>>> But, it can not find it within the session.
>>>>> The draft idea is enough against the attack with GPU.
>>>>>
>>>>> On the other, the draft idea provide ONLY one combination of hash and
>>>>> its plain. The attacker can prepare THE COMBINATION to success the
>>>>> attack.
>>>>>
>>>>> Adding client_ID or server_ID separate the searching space.
>>>>> Then the attacker have to find the value in each case for the attack.
>>>>> (The reason was said before.)
>>>>>
>>>>>
>>>>> (2014/11/17 13:33), John Bradley wrote:
>>>>>> The question is what is the attack.
>>>>>>
>>>>>> Any salt added needs to be communicated from the client to the AS,
>>>>>> so we
>>>>>> must assume that the attacker has it.
>>>>>>
>>>>>> The attacker can then a) create rainbow table using the client id or
>>>>>> whatever is the known salt.  Yes the attacker  must create a new table
>>>>>> per client.
>>>>>> Salting is really only effective for low entropy passwords to try and
>>>>>> slow down a rainbow table attack by making the input to the hash be
>>>>>> higher than the that of the password on it's own.
>>>>>>
>>>>>> Currently attackers can generate over 4Billion SHA256 hashes per second
>>>>>> on a single GPU card.  (Thank you bitcoin)
>>>>>>
>>>>>> It is faster to generate the hashes than to look them up via a index.
>>>>>>
>>>>>> If you are generating the hash in real time salting provides no
>>>>>> determent, as the salt is just included in the hash calculation.
>>>>>>
>>>>>> If the code verifier was a password rather than a 256bit random key
>>>>>> then
>>>>>> a hash would add value against rainbow tables.
>>>>>>
>>>>>> In reality finding a collision against a salted password is much easier
>>>>>> using real time hash generation than by using rainbow tables.
>>>>>>
>>>>>> Using SHA256 with a short hash is not safe for passwords any more.
>>>>>> Something like PBES2 with at-least 200 rounds needs to be used, if you
>>>>>> want have password files from being compromised quickly if disclosed.
>>>>>>     (Yes I know people are not doing that,  and hence part of the
>>>>>> reason
>>>>>> why passwords are no longer secure)
>>>>>>
>>>>>> More entropy in the code verifier adds to security eg moving to SHA512
>>>>>> and larger verifiers, but adding a salt to SHA256 is basically a no op
>>>>>> when defending against modern attacks.
>>>>>>
>>>>>> I did originally agree with your position and wanted to HMAC the
>>>>>> client_id to defend against rainbow tables, however I am now convinced
>>>>>> that the attack has moved on so that is no more efective than a plain
>>>>>> hash over a random 256bit value.
>>>>>>
>>>>>> John B.
>>>>>>
>>>>>>> On Nov 16, 2014, at 11:06 PM, Nat Sakimura <sakimura@gmail.com
>>>>>>> <mailto:sakimura@gmail.com>> wrote:
>>>>>>>
>>>>>>> I am actually not convinced. Since the code verifier is 256bit random,
>>>>>>> adding salt does not seem to help.
>>>>>>> Salting definitely helps if len(password) << 256 bit, but ...
>>>>>>>
>>>>>>>
>>>>>>> On Mon Nov 17 2014 at 11:39:07 takamichi saito <saito@cs.meiji.ac.jp
>>>>>>> <mailto:saito@cs.meiji.ac.jp>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>       (2014/11/14 13:02), Bill Mills wrote:
>>>>>>>       > Yes, "plain" is actually sufficient.  The hashed value
>>>>>>> protects
>>>>>>>       against
>>>>>>>       > disclosure/logging threats on the server auth server and
>>>>>>> proxies
>>>>>>>       perhaps
>>>>>>>       > where the HTTPS is terminated somewhere other than the auth
>>>>>>> server
>>>>>>>       > itself, it's not actually required for the basic
>>>>>>>       functionality/security
>>>>>>>       > of the mechanism.
>>>>>>>
>>>>>>>       In the threat model of the SPOP scheme, a wiretap is in it.
>>>>>>>
>>>>>>>       And more, the hash is not used to keep secretly in the
>>>>>>> sever/client.
>>>>>>>
>>>>>>>
>>>>>>>       >
>>>>>>>       >
>>>>>>>       > On Thursday, November 13, 2014 7:07 PM, takamichi saito
>>>>>>>       > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>> wrote:
>>>>>>>       >
>>>>>>>       >
>>>>>>>       > Sorry for my poor english.
>>>>>>>       >
>>>>>>>       >
>>>>>>>       > 2014/11/14 10:55、Bill Mills <wmills_92105@yahoo.com
>>>>>>>       <mailto:wmills_92105@yahoo.com>
>>>>>>>       > <mailto:wmills_92105@yahoo.com
>>>>>>>       <mailto:wmills_92105@yahoo.com>__>> のメール:
>>>>>>>       >
>>>>>>>       >  > The whole mechanism relies on the attacker not having
>>>>>>> access
>>>>>>>       to the
>>>>>>>       > code_verifier or hash.  It's defending against the attacker
>>>>>>>       getting the
>>>>>>>       > code via weakness in IPC or other such mechanism like URI
>>>>>>>       handlers.  How
>>>>>>>       > many more bits is secure beyond 256 bits of entropy
>>>>>>>       recommended?  If you
>>>>>>>       > want to make it longer then just make it longer, salting
>>>>>>> doesn't
>>>>>>>       really
>>>>>>>       > help that much.
>>>>>>>       >  >
>>>>>>>       >  > The original value or the hashed value *should* be
>>>>>>> protected
>>>>>>>       by the
>>>>>>>       > transport security, and if it isn't then the attacker could be
>>>>>>>       stealing
>>>>>>>       > the original credential used to authenticate anyway.
>>>>>>>       >  >
>>>>>>>       >
>>>>>>>       > Is it correct?
>>>>>>>       > You mean that we don’t need to use hash itself? Only to use
>>>>>>>       plain is enough?
>>>>>>>       >
>>>>>>>       >
>>>>>>>       >  >
>>>>>>>       >  >
>>>>>>>       >  >
>>>>>>>       >  > On Thursday, November 13, 2014 5:40 PM, takamichi saito
>>>>>>>       > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>
>>>>>>>       <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>>>
>>>>>>> wrote:
>>>>>>>       >  >
>>>>>>>       >  >
>>>>>>>       >  >
>>>>>>>       >  > Hi all,
>>>>>>>       >  >
>>>>>>>       >  > I appreciate this idea, simple and powerful to achieve
>>>>>>> proof of
>>>>>>>       > possession.
>>>>>>>       >  > But, I have some questions against the scheme.
>>>>>>>       >  > Sorry if these ware already discussed.
>>>>>>>       >  >
>>>>>>>       >  > I worry about using a hash function in simple way.
>>>>>>>       >  > I mean, a simple use of random as code_verifier may
>>>>>>> cause that
>>>>>>>       > malicious client can have any code_verifier and
>>>>>>> code_challenge.
>>>>>>>       >  > All combinations of random and its hash can be obtained, it
>>>>>>>       may not
>>>>>>>       > be risk?
>>>>>>>       >  >
>>>>>>>       >  > So, we should use:
>>>>>>>       >  > S256 "code_challenge" =
>>>>>>> BASE64URL(SHA256("code___verifier" +
>>>>>>>       “client ID”))
>>>>>>>       >  > or
>>>>>>>       >  > S256 "code_challenge" =
>>>>>>> BASE64URL(SHA256("code___verifier" +
>>>>>>>       “client
>>>>>>>       > ID” + “server ID”))
>>>>>>>       >  > Where, you know that client ID is client’s unique name.
>>>>>>>       >  >
>>>>>>>       >  >
>>>>>>>       >  > Other problem is the following, using Nat’s slide:
>>>>>>>       >  > http://www.slideshare.net/nat___sakimura/1112-spoppresso
>>>>>>>       <http://www.slideshare.net/nat_sakimura/1112-spoppresso>
>>>>>>>       > <http://www.slideshare.net/__nat_sakimura/1112-spoppresso
>>>>>>>       <http://www.slideshare.net/nat_sakimura/1112-spoppresso>>.
>>>>>>>       >  >
>>>>>>>       >  > 0.    Attacker prepares own code_verifier and
>>>>>>> code_challenge.
>>>>>>>       >  > 1.    replage legitimate challenge with malicious
>>>>>>> code_challenge.
>>>>>>>       >  > 5. Attacker can submits own code_verifier.
>>>>>>>       >  >
>>>>>>>       >  > It may be out of the draft, I think.
>>>>>>>       >  >
>>>>>>>       >  > Best regards,
>>>>>>>       >  >
>>>>>>>       >  >
>>>>>>>       >  > ;; takamixhi saito
>>>>>>>       >  >
>>>>>>>       >  > _________________________________________________
>>>>>>>       >  > OAuth mailing list
>>>>>>>       >  > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>> <mailto:OAuth@ietf.org
>>>>>>>       <mailto:OAuth@ietf.org>>
>>>>>>>       >  > https://www.ietf.org/mailman/__listinfo/oauth
>>>>>>>       <https://www.ietf.org/mailman/listinfo/oauth>
>>>>>>>       >
>>>>>>>       >  >
>>>>>>>       >  >
>>>>>>>       >
>>>>>>>       >
>>>>>>>       > ;; takamixhi saito
>>>>>>>       >
>>>>>>>       > _________________________________________________
>>>>>>>       > OAuth mailing list
>>>>>>>       > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>>>>>>>       <mailto:OAuth@ietf.org>>
>>>>>>>       > https://www.ietf.org/mailman/__listinfo/oauth
>>>>>>>       <https://www.ietf.org/mailman/listinfo/oauth>
>>>>>
>>>>>>>       >
>>>>>>>       >
>>>>>>>
>>>>>>>
>>>>>>>       --
>>>>>>>       ;; takamixhi saito
>>>>>>>
>>>>>>>       _________________________________________________
>>>>>>>       OAuth mailing list
>>>>>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>     https://www.ietf.org/mailman/__listinfo/oauth
>>>>>>>       <https://www.ietf.org/mailman/listinfo/oauth>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email