IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge

John Bradley <ve7jtb@ve7jtb.com> Tue, 18 November 2014 16:42 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C21FA1A1A4E for <oauth@ietfa.amsl.com>; Tue, 18 Nov 2014 08:42:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iQL8BzLDTFUa for <oauth@ietfa.amsl.com>; Tue, 18 Nov 2014 08:42:24 -0800 (PST)
Received: from mail-ig0-f178.google.com (mail-ig0-f178.google.com [209.85.213.178]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ADA31A1A4D for <oauth@ietf.org>; Tue, 18 Nov 2014 08:42:24 -0800 (PST)
Received: by mail-ig0-f178.google.com with SMTP id hl2so4499742igb.17 for <oauth@ietf.org>; Tue, 18 Nov 2014 08:42:23 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=aXTEsUnZtwMIyxHH6hb2IpTxEoBnNpLqsHCcI05Xuwo=; b=KXveG/QZLfpX42qHloNX6McIVSHWr21wRQaJL42BqiHlJQgrP7msOh16k14dZ3OQRv Zb3MkAQwILRh82QKXOsCmmPPwtmyZ1wS7VmALodgjDYOtDW/3O1eF9FN+fkr9jRD67Jg qfgsq0FTtDfZm3Cmu4xkcFggUpUnlH6ZuKXxwbVvKcfz2JBUaqYuYYLgkqcpznTDCefM RkpwMmhlCktZsHlfDYboLBIVJcHJpADXotdG5bTM30mAU0JClW8ku0+fjtqfFZvk/YNb XawKeGUkK3Qhz2bNd+XEaw3wtqf4Zu3+IWJiO6qN3aZzyhnySN98Iht3E7Ngffp1FTO4 0agg==
X-Gm-Message-State: ALoCoQnNqkVRBh3uTwR9EGcxVKPUKy6l0IMyYuU5Yh/A/ritVdtl5gYUHWE7wA2g4dBzF9fGJbcP
X-Received: by 10.107.10.93 with SMTP id u90mr6935655ioi.13.1416328943668; Tue, 18 Nov 2014 08:42:23 -0800 (PST)
Received: from [10.2.2.71] (PING-IDENTI.bar1.Boston1.Level3.net. [4.31.154.18]) by mx.google.com with ESMTPSA id rp2sm2434918igb.0.2014.11.18.08.42.22 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 18 Nov 2014 08:42:23 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: iPhone Mail (12B411)
In-Reply-To: <366435791.2063994.1416328390807.JavaMail.yahoo@jws10653.mail.bf1.yahoo.com>
Date: Tue, 18 Nov 2014 11:42:22 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <C8923DDE-97C3-4236-85DE-373D62CAFF7D@ve7jtb.com>
References: <5C4B100F-77ED-49F4-993E-D025C739DF9B@ve7jtb.com> <366435791.2063994.1416328390807.JavaMail.yahoo@jws10653.mail.bf1.yahoo.com>
To: Bill Mills <wmills_92105@yahoo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Yu9HdoftxA4bCDCAazfInr10gLE
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Nov 2014 16:42:28 -0000

Yes SHA512 or even a left half SHA512 slows the attacker significantly over SHA256 as that alg has had a lot of ASIC optimization.    

I personally think that SHA256 for a short lived token is still good for a while. 

Sent from my iPhone

> On Nov 18, 2014, at 11:33 AM, Bill Mills <wmills_92105@yahoo.com> wrote:
> 
> In this case it ceaper to add bits than use soemthing like BCrypt.
> 
> 
> 
> On Monday, November 17, 2014 9:33 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> I think where we are differing is that you think looking up a precomputed plain based on a indexed hash across some sort of media can be done faster than 3 Giga SHA256 Hash/s.
> on a small system http://thepasswordproject.com/oclhashcat_benchmarking 
> 
> I don't think the largest disk arrays can keep up with that.
> 
> Do you have some evidence that shows that precomputing hashes would be an effective attack against 256 bits of entropy.   I agree that it would be agains the 40 ish bits of entropy in a password.
> 
> The likely mitigation is using PBKDF2 or BCrypt rather than SHA256, but that would slow adoption and can be added later.
> 
> John B.
> 
> 
> 
> 
> My contention is that it can't 
> 
>> On Nov 17, 2014, at 10:27 PM, takamichi saito <saito@cs.meiji.ac.jp> wrote:
>> 
>> 
>> I agree that GPU can/may find the value on the fly.
>> But, it can not find it within the session.
>> The draft idea is enough against the attack with GPU.
>> 
>> On the other, the draft idea provide ONLY one combination of hash and its plain. The attacker can prepare THE COMBINATION to success the attack.
>> 
>> Adding client_ID or server_ID separate the searching space.
>> Then the attacker have to find the value in each case for the attack.
>> (The reason was said before.)
>> 
>> 
>> (2014/11/17 13:33), John Bradley wrote:
>>> The question is what is the attack.
>>> 
>>> Any salt added needs to be communicated from the client to the AS, so we
>>> must assume that the attacker has it.
>>> 
>>> The attacker can then a) create rainbow table using the client id or
>>> whatever is the known salt.  Yes the attacker  must create a new table
>>> per client.
>>> Salting is really only effective for low entropy passwords to try and
>>> slow down a rainbow table attack by making the input to the hash be
>>> higher than the that of the password on it's own.
>>> 
>>> Currently attackers can generate over 4Billion SHA256 hashes per second
>>> on a single GPU card.  (Thank you bitcoin)
>>> 
>>> It is faster to generate the hashes than to look them up via a index.
>>> 
>>> If you are generating the hash in real time salting provides no
>>> determent, as the salt is just included in the hash calculation.
>>> 
>>> If the code verifier was a password rather than a 256bit random key then
>>> a hash would add value against rainbow tables.
>>> 
>>> In reality finding a collision against a salted password is much easier
>>> using real time hash generation than by using rainbow tables.
>>> 
>>> Using SHA256 with a short hash is not safe for passwords any more.
>>> Something like PBES2 with at-least 200 rounds needs to be used, if you
>>> want have password files from being compromised quickly if disclosed.
>>> (Yes I know people are not doing that,  and hence part of the reason
>>> why passwords are no longer secure)
>>> 
>>> More entropy in the code verifier adds to security eg moving to SHA512
>>> and larger verifiers, but adding a salt to SHA256 is basically a no op
>>> when defending against modern attacks.
>>> 
>>> I did originally agree with your position and wanted to HMAC the
>>> client_id to defend against rainbow tables, however I am now convinced
>>> that the attack has moved on so that is no more efective than a plain
>>> hash over a random 256bit value.
>>> 
>>> John B.
>>> 
>>>> On Nov 16, 2014, at 11:06 PM, Nat Sakimura <sakimura@gmail.com
>>>> <mailto:sakimura@gmail.com>> wrote:
>>>> 
>>>> I am actually not convinced. Since the code verifier is 256bit random,
>>>> adding salt does not seem to help.
>>>> Salting definitely helps if len(password) << 256 bit, but ...
>>>> 
>>>> 
>>>> On Mon Nov 17 2014 at 11:39:07 takamichi saito <saito@cs.meiji.ac.jp
>>>> <mailto:saito@cs.meiji.ac.jp>> wrote:
>>>> 
>>>> 
>>>> 
>>>>   (2014/11/14 13:02), Bill Mills wrote:
>>>>> Yes, "plain" is actually sufficient.  The hashed value protects
>>>>   against
>>>>> disclosure/logging threats on the server auth server and proxies
>>>>   perhaps
>>>>> where the HTTPS is terminated somewhere other than the auth server
>>>>> itself, it's not actually required for the basic
>>>>   functionality/security
>>>>> of the mechanism.
>>>> 
>>>>   In the threat model of the SPOP scheme, a wiretap is in it.
>>>> 
>>>>   And more, the hash is not used to keep secretly in the sever/client.
>>>> 
>>>> 
>>>>> 
>>>>> 
>>>>> On Thursday, November 13, 2014 7:07 PM, takamichi saito
>>>>> <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>> wrote:
>>>>> 
>>>>> 
>>>>> Sorry for my poor english.
>>>>> 
>>>>> 
>>>>> 2014/11/14 10:55、Bill Mills <wmills_92105@yahoo.com
>>>>   <mailto:wmills_92105@yahoo.com>
>>>>> <mailto:wmills_92105@yahoo.com
>>>>   <mailto:wmills_92105@yahoo.com>__>> のメール:
>>>>> 
>>>>>> The whole mechanism relies on the attacker not having access
>>>>   to the
>>>>> code_verifier or hash.  It's defending against the attacker
>>>>   getting the
>>>>> code via weakness in IPC or other such mechanism like URI
>>>>   handlers.  How
>>>>> many more bits is secure beyond 256 bits of entropy
>>>>   recommended?  If you
>>>>> want to make it longer then just make it longer, salting doesn't
>>>>   really
>>>>> help that much.
>>>>>> 
>>>>>> The original value or the hashed value *should* be protected
>>>>   by the
>>>>> transport security, and if it isn't then the attacker could be
>>>>   stealing
>>>>> the original credential used to authenticate anyway.
>>>>> 
>>>>> Is it correct?
>>>>> You mean that we don’t need to use hash itself? Only to use
>>>>   plain is enough?
>>>>> 
>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Thursday, November 13, 2014 5:40 PM, takamichi saito
>>>>> <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>
>>>>   <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>>> wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Hi all,
>>>>>> 
>>>>>> I appreciate this idea, simple and powerful to achieve proof of
>>>>> possession.
>>>>>> But, I have some questions against the scheme.
>>>>>> Sorry if these ware already discussed.
>>>>>> 
>>>>>> I worry about using a hash function in simple way.
>>>>>> I mean, a simple use of random as code_verifier may cause that
>>>>> malicious client can have any code_verifier and code_challenge.
>>>>>> All combinations of random and its hash can be obtained, it
>>>>   may not
>>>>> be risk?
>>>>>> 
>>>>>> So, we should use:
>>>>>> S256 "code_challenge" = BASE64URL(SHA256("code___verifier" +
>>>>   “client ID”))
>>>>>> or
>>>>>> S256 "code_challenge" = BASE64URL(SHA256("code___verifier" +
>>>>   “client
>>>>> ID” + “server ID”))
>>>>>> Where, you know that client ID is client’s unique name.
>>>>>> 
>>>>>> 
>>>>>> Other problem is the following, using Nat’s slide:
>>>>>> http://www.slideshare.net/nat___sakimura/1112-spoppresso
>>>>   <http://www.slideshare.net/nat_sakimura/1112-spoppresso>
>>>>> <http://www.slideshare.net/__nat_sakimura/1112-spoppresso
>>>>   <http://www.slideshare.net/nat_sakimura/1112-spoppresso>>.
>>>>>> 
>>>>>> 0.    Attacker prepares own code_verifier and code_challenge.
>>>>>> 1.    replage legitimate challenge with malicious code_challenge.
>>>>>> 5. Attacker can submits own code_verifier.
>>>>>> 
>>>>>> It may be out of the draft, I think.
>>>>>> 
>>>>>> Best regards,
>>>>>> 
>>>>>> 
>>>>>> ;; takamixhi saito
>>>>>> 
>>>>>> _________________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>>>>   <mailto:OAuth@ietf.org>>
>>>>>> https://www.ietf.org/mailman/__listinfo/oauth
>>>>   <https://www.ietf.org/mailman/listinfo/oauth>
>>>>> 
>>>>> 
>>>>> 
>>>>> ;; takamixhi saito
>>>>> 
>>>>> _________________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>>>>   <mailto:OAuth@ietf.org>>
>>>>> https://www.ietf.org/mailman/__listinfo/oauth
>>>>   <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>>> 
>>>>   --
>>>>   ;; takamixhi saito
>>>> 
>>>>   _________________________________________________
>>>>   OAuth mailing list
>>>>   OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>   https://www.ietf.org/mailman/__listinfo/oauth
>>>>   <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> -- 
>> ;; takamixhi saito
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email