[OAUTH-WG] SPOP: Salt & other ideas

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 03 December 2014 12:22 UTC

Message-ID: <547F0081.2050200@gmx.net>
Date: Wed, 03 Dec 2014 13:22:25 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/V1C9zc483WhnIzrfMJDUcl-QOzc

Hi all,

I also wanted to respond to various ideas that were entertained,
including adding salt into the hash function and also including
other parameters in the hash.

Before adding new functionality we have to talk about the threats we are
trying to address.

For example, adding salt just makes the server do more computation. That
wouldn't be useful as such.

Adding other parameters into the hash function (such as the
client/server identifiers) is indeed a common technique with key
derivation functions. Here I wasn't able to come up with the attack that
we would prevent by doing so.

Ciao
Hannes
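As an added illustration (example code, not from the SPOP draft or from this message), here is the code_verifier / code_challenge mechanism the thread is discussing, with the server-side check at the token endpoint. The salted variant at the end is my assumption of what the proposal would look like; it only changes what the server hashes. The test vector in the comment is the one later published in RFC 7636, Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as SPOP requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy random verifier (32 bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: the transform sent in the authorization request.
    Vector: verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
            -> S256 challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    """
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method: {method}")


def server_verify(stored_challenge: str, stored_method: str,
                  presented_verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier
    (bound to the authorization code) and compare in constant time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    try:
        expected = code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected, stored_challenge)


# Hypothetical "salted" variant (my assumption, not in any draft): the server
# must learn the salt to verify, so it is just one more input to the hash.
def salted_challenge(verifier: str, salt: bytes) -> str:
    return b64url(hashlib.sha256(salt + verifier.encode("ascii")).digest())


def server_verify_salted(stored_challenge: str, salt: bytes,
                         presented_verifier: str) -> bool:
    expected = salted_challenge(presented_verifier, salt)
    return hmac.compare_digest(expected, stored_challenge)
```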