IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge

Bill Mills <wmills_92105@yahoo.com> Tue, 18 November 2014 16:33 UTC

Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56B371A1A56 for <oauth@ietfa.amsl.com>; Tue, 18 Nov 2014 08:33:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.094
X-Spam-Level:
X-Spam-Status: No, score=-1.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1, FREEMAIL_REPLYTO_END_DIGIT=0.25, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kPCOBs-20Zmj for <oauth@ietfa.amsl.com>; Tue, 18 Nov 2014 08:33:29 -0800 (PST)
Received: from nm9-vm0.bullet.mail.bf1.yahoo.com (nm9-vm0.bullet.mail.bf1.yahoo.com [98.139.213.154]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD5411A1A7A for <oauth@ietf.org>; Tue, 18 Nov 2014 08:33:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1416328408; bh=z+Kx/459+E55LZQpOYYn8SJiGrzg666OfBh+a6gEsd4=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=c7P5CxULOmdTdiaxR+a/5m6hpdTJik7etfzM+wN9c8dBX8fuCWmwHFAwEKNVbFt7oot99/EXCZEnlBkGAEJoI3HO8SbvioBoiDYiDSIJc6yOPa1RNbsmwhs2249wNCMtRshJLGe9j55RTOgqRp5tXKvO8rvrCFvH8hNp2UnyX2YlRmd98XFvPnkaoOU4d/f7rOmMvU2/CHH3FRSlzGydc8MBiBY2oSrLZxL8SdxQIM84VzPIucUFz58oHZOVeHzsCd1mV33bm5INmWeEHxQmYO8EkIzODoTzUhOTOe4is0QhkmMJTJrud/QMAmdHYhiU6MWH79UDF8TIdx4inQzj6A==
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s2048; d=yahoo.com; b=frp/WVGO7jQgmbW4726q8240Go97kOB8M9Ky7gkjRIu77jQ64assGL8q4mN7VknI3cMhoZYAlR6xlhwnOJbjaytpvvyjRzzPDRavs0uRQgnWLXOxNH3YV1YJFHIYB5FqkcBNzD+RW7V5Zyf4ezwiBCeZTuJG/vQPuDmKuyuLUF+cqHHrSsxcBk/yMnkXv/NU+GXqjbFsyu5vPTaXWELV+/psRfw9GHUbtAoRmNHec0GaGKKcQFWeK/fjnu4F9Hb69SSXEKEHbwqnJ+ncfV6eQR5AvegkQs3K5dGvCxd/c1LY8VNyjGEAwMY8tbimX4KP/Oz+Qtq8/ElBQPfHc/FE9Q==;
Received: from [98.139.212.149] by nm9.bullet.mail.bf1.yahoo.com with NNFMP; 18 Nov 2014 16:33:28 -0000
Received: from [98.139.215.229] by tm6.bullet.mail.bf1.yahoo.com with NNFMP; 18 Nov 2014 16:33:28 -0000
Received: from [127.0.0.1] by omp1069.mail.bf1.yahoo.com with NNFMP; 18 Nov 2014 16:33:13 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 293161.53495.bm@omp1069.mail.bf1.yahoo.com
Received: by 76.13.26.136; Tue, 18 Nov 2014 16:33:12 +0000
Date: Tue, 18 Nov 2014 16:33:10 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: John Bradley <ve7jtb@ve7jtb.com>, "saito@cs.meiji.ac.jp" <saito@cs.meiji.ac.jp>
Message-ID: <366435791.2063994.1416328390807.JavaMail.yahoo@jws10653.mail.bf1.yahoo.com>
In-Reply-To: <5C4B100F-77ED-49F4-993E-D025C739DF9B@ve7jtb.com>
References: <5C4B100F-77ED-49F4-993E-D025C739DF9B@ve7jtb.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/aEjdOPRSgJ0J8uS1YyKoroVm0eo
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Nov 2014 16:33:31 -0000

In this case it ceaper to add bits than use soemthing like BCrypt.



On Monday, November 17, 2014 9:33 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
I think where we are differing is that you think looking up a precomputed plain based on a indexed hash across some sort of media can be done faster than 3 Giga SHA256 Hash/s.
on a small system http://thepasswordproject.com/oclhashcat_benchmarking 

I don't think the largest disk arrays can keep up with that.

Do you have some evidence that shows that precomputing hashes would be an effective attack against 256 bits of entropy.   I agree that it would be agains the 40 ish bits of entropy in a password.

The likely mitigation is using PBKDF2 or BCrypt rather than SHA256, but that would slow adoption and can be added later.

John B.




My contention is that it can't 

> On Nov 17, 2014, at 10:27 PM, takamichi saito <saito@cs.meiji.ac.jp> wrote:
> 
> 
> I agree that GPU can/may find the value on the fly.
> But, it can not find it within the session.
> The draft idea is enough against the attack with GPU.
> 
> On the other, the draft idea provide ONLY one combination of hash and its plain. The attacker can prepare THE COMBINATION to success the attack.
> 
> Adding client_ID or server_ID separate the searching space.
> Then the attacker have to find the value in each case for the attack.
> (The reason was said before.)
> 
> 
> (2014/11/17 13:33), John Bradley wrote:
>> The question is what is the attack.
>> 
>> Any salt added needs to be communicated from the client to the AS, so we
>> must assume that the attacker has it.
>> 
>> The attacker can then a) create rainbow table using the client id or
>> whatever is the known salt.  Yes the attacker  must create a new table
>> per client.
>> Salting is really only effective for low entropy passwords to try and
>> slow down a rainbow table attack by making the input to the hash be
>> higher than the that of the password on it's own.
>> 
>> Currently attackers can generate over 4Billion SHA256 hashes per second
>> on a single GPU card.  (Thank you bitcoin)
>> 
>> It is faster to generate the hashes than to look them up via a index.
>> 
>> If you are generating the hash in real time salting provides no
>> determent, as the salt is just included in the hash calculation.
>> 
>> If the code verifier was a password rather than a 256bit random key then
>> a hash would add value against rainbow tables.
>> 
>> In reality finding a collision against a salted password is much easier
>> using real time hash generation than by using rainbow tables.
>> 
>> Using SHA256 with a short hash is not safe for passwords any more.
>> Something like PBES2 with at-least 200 rounds needs to be used, if you
>> want have password files from being compromised quickly if disclosed.
>>  (Yes I know people are not doing that,  and hence part of the reason
>> why passwords are no longer secure)
>> 
>> More entropy in the code verifier adds to security eg moving to SHA512
>> and larger verifiers, but adding a salt to SHA256 is basically a no op
>> when defending against modern attacks.
>> 
>> I did originally agree with your position and wanted to HMAC the
>> client_id to defend against rainbow tables, however I am now convinced
>> that the attack has moved on so that is no more efective than a plain
>> hash over a random 256bit value.
>> 
>> John B.
>> 
>>> On Nov 16, 2014, at 11:06 PM, Nat Sakimura <sakimura@gmail.com
>>> <mailto:sakimura@gmail.com>> wrote:
>>> 
>>> I am actually not convinced. Since the code verifier is 256bit random,
>>> adding salt does not seem to help.
>>> Salting definitely helps if len(password) << 256 bit, but ...
>>> 
>>> 
>>> On Mon Nov 17 2014 at 11:39:07 takamichi saito <saito@cs.meiji.ac.jp
>>> <mailto:saito@cs.meiji.ac.jp>> wrote:
>>> 
>>> 
>>> 
>>>    (2014/11/14 13:02), Bill Mills wrote:
>>>    > Yes, "plain" is actually sufficient.  The hashed value protects
>>>    against
>>>    > disclosure/logging threats on the server auth server and proxies
>>>    perhaps
>>>    > where the HTTPS is terminated somewhere other than the auth server
>>>    > itself, it's not actually required for the basic
>>>    functionality/security
>>>    > of the mechanism.
>>> 
>>>    In the threat model of the SPOP scheme, a wiretap is in it.
>>> 
>>>    And more, the hash is not used to keep secretly in the sever/client.
>>> 
>>> 
>>>    >
>>>    >
>>>    > On Thursday, November 13, 2014 7:07 PM, takamichi saito
>>>    > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>> wrote:
>>>    >
>>>    >
>>>    > Sorry for my poor english.
>>>    >
>>>    >
>>>    > 2014/11/14 10:55、Bill Mills <wmills_92105@yahoo.com
>>>    <mailto:wmills_92105@yahoo.com>
>>>    > <mailto:wmills_92105@yahoo.com
>>>    <mailto:wmills_92105@yahoo.com>__>> のメール:
>>>    >
>>>    >  > The whole mechanism relies on the attacker not having access
>>>    to the
>>>    > code_verifier or hash.  It's defending against the attacker
>>>    getting the
>>>    > code via weakness in IPC or other such mechanism like URI
>>>    handlers.  How
>>>    > many more bits is secure beyond 256 bits of entropy
>>>    recommended?  If you
>>>    > want to make it longer then just make it longer, salting doesn't
>>>    really
>>>    > help that much.
>>>    >  >
>>>    >  > The original value or the hashed value *should* be protected
>>>    by the
>>>    > transport security, and if it isn't then the attacker could be
>>>    stealing
>>>    > the original credential used to authenticate anyway.
>>>    >  >
>>>    >
>>>    > Is it correct?
>>>    > You mean that we don’t need to use hash itself? Only to use
>>>    plain is enough?
>>>    >
>>>    >
>>>    >  >
>>>    >  >
>>>    >  >
>>>    >  > On Thursday, November 13, 2014 5:40 PM, takamichi saito
>>>    > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>
>>>    <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>>> wrote:
>>>    >  >
>>>    >  >
>>>    >  >
>>>    >  > Hi all,
>>>    >  >
>>>    >  > I appreciate this idea, simple and powerful to achieve proof of
>>>    > possession.
>>>    >  > But, I have some questions against the scheme.
>>>    >  > Sorry if these ware already discussed.
>>>    >  >
>>>    >  > I worry about using a hash function in simple way.
>>>    >  > I mean, a simple use of random as code_verifier may cause that
>>>    > malicious client can have any code_verifier and code_challenge.
>>>    >  > All combinations of random and its hash can be obtained, it
>>>    may not
>>>    > be risk?
>>>    >  >
>>>    >  > So, we should use:
>>>    >  > S256 "code_challenge" = BASE64URL(SHA256("code___verifier" +
>>>    “client ID”))
>>>    >  > or
>>>    >  > S256 "code_challenge" = BASE64URL(SHA256("code___verifier" +
>>>    “client
>>>    > ID” + “server ID”))
>>>    >  > Where, you know that client ID is client’s unique name.
>>>    >  >
>>>    >  >
>>>    >  > Other problem is the following, using Nat’s slide:
>>>    >  > http://www.slideshare.net/nat___sakimura/1112-spoppresso
>>>    <http://www.slideshare.net/nat_sakimura/1112-spoppresso>
>>>    > <http://www.slideshare.net/__nat_sakimura/1112-spoppresso
>>>    <http://www.slideshare.net/nat_sakimura/1112-spoppresso>>.
>>>    >  >
>>>    >  > 0.    Attacker prepares own code_verifier and code_challenge.
>>>    >  > 1.    replage legitimate challenge with malicious code_challenge.
>>>    >  > 5. Attacker can submits own code_verifier.
>>>    >  >
>>>    >  > It may be out of the draft, I think.
>>>    >  >
>>>    >  > Best regards,
>>>    >  >
>>>    >  >
>>>    >  > ;; takamixhi saito
>>>    >  >
>>>    >  > _________________________________________________
>>>    >  > OAuth mailing list
>>>    >  > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>>>    <mailto:OAuth@ietf.org>>
>>>    >  > https://www.ietf.org/mailman/__listinfo/oauth
>>>    <https://www.ietf.org/mailman/listinfo/oauth>
>>>    >
>>>    >  >
>>>    >  >
>>>    >
>>>    >
>>>    > ;; takamixhi saito
>>>    >
>>>    > _________________________________________________
>>>    > OAuth mailing list
>>>    > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>>>    <mailto:OAuth@ietf.org>>
>>>    > https://www.ietf.org/mailman/__listinfo/oauth
>>>    <https://www.ietf.org/mailman/listinfo/oauth>
>>>    >
>>>    >
>>> 
>>> 
>>>    --
>>>    ;; takamixhi saito
>>> 
>>>    _________________________________________________
>>>    OAuth mailing list
>>>    OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>    https://www.ietf.org/mailman/__listinfo/oauth
>>>    <https://www.ietf.org/mailman/listinfo/oauth>
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> 
> -- 
> ;; takamixhi saito
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email