Re: [OAUTH-WG] Hashing passwords for "password" grant type
Brian Eaton <beaton@google.com> Fri, 10 September 2010 15:49 UTC
To: Yutaka OIWA <y.oiwa@aist.go.jp>
Cc: OAuth WG <oauth@ietf.org>
In-Reply-To: <4C8A46D5.9070207@aist.go.jp>
References: <AANLkTi=eODzwVYyPjQXwBP-S+po7-hpP8v-YgQpjVR8S@mail.gmail.com> <4C8A46D5.9070207@aist.go.jp>
Message-ID: <AANLkTikYTMBP1uLJ7g5ckWsoAg7n+aQ1awSq4kfvRJ+c@mail.gmail.com>
Hey Aaron -

Here's some more research and recommendations for you:
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

I agree with the other recommendations on this thread; it's probably not a good idea for you to invent a hashing scheme for this. Especially not if you're going to be accepting logins from browsers.

Cheers,
Brian

On Fri, Sep 10, 2010 at 7:55 AM, Yutaka OIWA <y.oiwa@aist.go.jp> wrote:
> Hi Aaron,
>
> In the usual security sense, just hashing or salting the on-wire passwords will not
> improve security against credential stealing (both on-wire and local), because
> a stolen hashed password will allow access to the resources.
>
> # At least theoretically, we can say that it "weakens" the security, because
> # stealing hashed passwords is theoretically "easier" than stealing raw
> # passwords (hint: the latter implies the former).
>
> If you are really concerned about server-side leakage of on-wire credentials,
> one way is to request Digest- or APOP-style challenge-responses
> (but it may need one additional round-trip message for getting a challenge,
> depending on the setting.)
>
> # One setting in which hashing the password makes security sense is
> # to use hashed passwords for low-security, low-privilege interfaces
> # (e.g. tweeting) and to require raw passwords for
> # high-security, high-privilege interfaces (such as configuration changes.)
>
> On 2010/09/07 12:09, Aaron Parecki wrote:
>> Hi folks,
>>
>> I'm implementing OAuth 2 for my project (geoloqi.com <http://geoloqi.com>) where
>> I have some mobile phone clients needing to authenticate. I'm using the
>> "password" grant type for these clients. Even though the call to the token
>> endpoint is going over HTTPS, I'm still slightly concerned about sending the
>> user's password to the server unencrypted. (I don't want the users' passwords to
>> appear in my debug log file, for instance.) Does the spec allow for or have a way
>> to extend so that I can define a hashing algorithm the client can use to encrypt
>> the password before sending it? I'm already not storing the passwords in plain
>> text in the database anyway. Anybody else dealing with a similar issue?
>>
>> Aaron
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> 大岩 寛 Yutaka Oiwa, National Institute of Advanced Industrial Science and Technology (AIST)
> Research Center for Information Security, Software Security Research Team
> <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
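The two points made in this exchange (a hash sent in place of the password is itself a reusable credential, while a Digest/APOP-style challenge-response is bound to a one-time nonce) can be seen in a small model. The Python below is an added illustration for this archive page, not code from the thread, from geoloqi.com or from any OAuth implementation. The class and method names, the use of PBKDF2-HMAC-SHA256 with a fixed cost, and the simplification that the client reads the salt from the server's own table are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed illustration, not code from this thread. Scheme A models the
# proposal in the thread (the client sends a hash of the password and the
# server compares it); scheme B models the Digest/APOP-style challenge-
# response suggested in the reply. The hash function, cost parameter and
# class/method names are assumptions made for this example.

PBKDF2_ROUNDS = 100_000  # assumed cost parameter for this toy only


class TokenEndpoint:
    """Toy token endpoint for the OAuth "password" grant (constructed)."""

    def __init__(self):
        self.users = {}             # username -> {"salt": bytes, "secret": bytes}
        self.issued_nonces = set()  # nonces handed out and not yet used

    def enroll(self, username, password):
        salt = os.urandom(16)
        secret = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # The server keeps a salted, slow hash. For scheme B this same value is
        # the key needed to recompute the client's response, so it remains a
        # password equivalent if the server's own store leaks (the point made
        # about server-side leakage in the thread).
        self.users[username] = {"salt": salt, "secret": secret}

    # ---- scheme A: client sends a hashed password -------------------------
    def client_hash(self, username, password):
        """Client side: the value sent in place of the raw password.
        The client must know the salt; this toy simply reads it from the table."""
        salt = self.users[username]["salt"]
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def grant_with_hash(self, username, presented):
        rec = self.users.get(username)
        return rec is not None and hmac.compare_digest(rec["secret"], presented)

    # ---- scheme B: challenge-response bound to a one-time nonce -----------
    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.issued_nonces.add(nonce)
        return nonce

    @staticmethod
    def respond(client_secret, nonce):
        """Client side: prove knowledge of the secret without sending it."""
        return hmac.new(client_secret, nonce, hashlib.sha256).digest()

    def grant_with_response(self, username, nonce, response):
        rec = self.users.get(username)
        if rec is None or nonce not in self.issued_nonces:
            return False
        self.issued_nonces.discard(nonce)  # single use: a nonce is never accepted twice
        expected = hmac.new(rec["secret"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Runs both schemes and reports whether a second presentation of the
    same on-wire value is accepted. Returns a dict of booleans."""
    ep = TokenEndpoint()
    password = "correct horse battery staple"  # constructed sample credential
    ep.enroll("alice", password)

    # Scheme A: the hashed value is exactly what the server checks, so a copy
    # of it (from the wire or from a debug log) works as well as the original.
    sent = ep.client_hash("alice", password)
    hash_first = ep.grant_with_hash("alice", sent)
    hash_again = ep.grant_with_hash("alice", bytes(sent))

    # Scheme B: the response is tied to a nonce the server issued once.
    client_secret = ep.client_hash("alice", password)  # client derives the same secret
    nonce = ep.challenge()
    response = TokenEndpoint.respond(client_secret, nonce)
    cr_first = ep.grant_with_response("alice", nonce, response)
    cr_again = ep.grant_with_response("alice", nonce, response)

    # A fresh challenge needs a fresh response; the earlier one no longer matches.
    nonce2 = ep.challenge()
    cr_stale = ep.grant_with_response("alice", nonce2, response)

    return {"hash_first": hash_first, "hash_again": hash_again,
            "cr_first": cr_first, "cr_again": cr_again, "cr_stale": cr_stale}


if __name__ == "__main__":
    print(demo())
```

Scheme A accepts the same bytes every time, which is why the reply above says a stolen hashed password is as good as the password for the interface that accepts it. Scheme B rejects the second presentation because the nonce was consumed, and it also rejects the old response against a new nonce; what it does not change is that the server still holds a verifier it could be attacked with if its store leaks, which is the caveat noted in the reply. In line with Brian's advice, a real deployment would use an established mechanism (HTTP Digest, SCRAM, or simply TLS plus careful log hygiene) rather than this toy.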