IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge

takamichi saito <saito@cs.meiji.ac.jp> Wed, 19 November 2014 14:56 UTC

Return-Path: <tan1tan2tan3tan4@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D3701A8A91 for <oauth@ietfa.amsl.com>; Wed, 19 Nov 2014 06:56:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.65
X-Spam-Level:
X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NXHVwkwKg_xd for <oauth@ietfa.amsl.com>; Wed, 19 Nov 2014 06:56:53 -0800 (PST)
Received: from mail-pa0-x22c.google.com (mail-pa0-x22c.google.com [IPv6:2607:f8b0:400e:c03::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DADEC1A86F5 for <oauth@ietf.org>; Wed, 19 Nov 2014 06:56:52 -0800 (PST)
Received: by mail-pa0-f44.google.com with SMTP id et14so382181pad.31 for <oauth@ietf.org>; Wed, 19 Nov 2014 06:56:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:content-type:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=hJDBfC3w2CoIhkKuQdXstw7WL6cNT6PRpLSaCO/M73w=; b=ATJJjkyq/pT40eshDiqEE91s63BTNcixpw79OHRyIHnB6Y9DAIm5JP0YN1ICT4UqPI wFP1jC4mxhAol4e023kHGzdP/e2fcPQdd8JgY4M5rC1onRovWc8WAiWG0/XCLIwU37X2 l5WiASm5FqMLRTVTbzG/2SHVduPwXd8rOU/NUNmoGSTa1ijiWHGG4uNq951HuxL2Wus5 Dklu2OiZFh6IkoK1NbHN+0+CzNXhZ4OeGooIGJt58XK7m5/s+vCvf59uOZmS5nLADbtk JaA/BxKxFyrnF3U7CNCudv46wfOGCFQKuwHKfUlp9otQjZd71fbSxA3mPESWV+BLpIKI 3x7g==
X-Received: by 10.70.95.4 with SMTP id dg4mr21653637pdb.85.1416409012022; Wed, 19 Nov 2014 06:56:52 -0800 (PST)
Received: from [192.168.11.8] (27-142-0-73.rev.home.ne.jp. [27.142.0.73]) by mx.google.com with ESMTPSA id nv7sm2032637pdb.68.2014.11.19.06.56.49 for <oauth@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 19 Nov 2014 06:56:50 -0800 (PST)
Sender: "saito@cs.meiji.ac.jp" <tan1tan2tan3tan4@gmail.com>
Content-Type: text/plain; charset="iso-2022-jp"
Mime-Version: 1.0 (Apple Message framework v1283)
From: takamichi saito <saito@cs.meiji.ac.jp>
In-Reply-To: <546C5C5B.9080001@gmail.com>
Date: Wed, 19 Nov 2014 23:56:46 +0900
Content-Transfer-Encoding: quoted-printable
Message-Id: <71C2C0EF-F59C-4DA1-ACFA-7DAA78819D27@cs.meiji.ac.jp>
References: <546ACC4F.9060801@cs.meiji.ac.jp> <1978901687.1831418.1416286458957.JavaMail.yahoo@jws10651.mail.bf1.yahoo.com> <546C2DF9.30107@cs.meiji.ac.jp> <546C5C5B.9080001@gmail.com>
To: oauth@ietf.org
X-Mailer: Apple Mail (2.1283)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/q0fI7v8Z93eBHZhQvL4OcB6a5ZU
Subject: Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Nov 2014 14:56:56 -0000

On 2014/11/19, at 18:01, Sergey Beryozkin wrote:

> Hi
> 
> Apologies for getting into this thread (I do not understand most of the mathematics at this stage :)),
> On 19/11/14 06:43, takamichi saito wrote:
>> (2014/11/18 13:54), Bill Mills wrote:
>>> There will be no rainbow table for 256bits of search space.  Suppose
>>> then that clientID has 256 possible values.  How does salting with
>>> client ID do anything more than making the search space 264 bits?
>>> 
>>> You keep saying that a salt is better than just adding entropy, but
>>> never actually justifying it.
>>> 
>>> 
>> 
>> Adding client_ID is not only for like adding password's salt.
>> Adding client_ID is not same as adding password's salt in this context.
>> 
> You've mentioned it would separate a search space, but as far as I understand that would require a client to randomly add either its client_id or server_id to the signature function. If it is only adding a client id then it sounds like a salt. Is that right ? I think I can understand that.

Adding client_id or server_id is not only for expanding	the searching space in case of attacking hash,
but also for separating the space each session.
This is protocol, we do not talk about cracking password.
Therefore, the attacker should overcome the server's verification.
Moreover,
to find v where v!=d', but S(v)=S(d') is general,
but to find v where v!=d', but S(v || client_id) = S(d') is unique to the session.
Then, the attacker find it in each session.
It can separate the space.

> The question is, where is a 'server_id' coming from and how a server would know that the signature was calculated with a client_id or server_id added in ?
> 
> Sorry if it is all just the noise...
> 
> Thanks, Sergey
>> 
>>> 
>>> On Monday, November 17, 2014 8:34 PM, takamichi saito
>>> <saito@cs.meiji.ac.jp> wrote:
>>> (2014/11/18 13:17), Bill Mills wrote:
>>>> Again, the only value of including client ID or any other value in
>>>> this case is to increase the number of bits of entropy in the value
>>>> being hashed. Using client ID is only useful if it's actually got
>>>> decent entropy in it, if it's just a version number then or a server
>>>> name or address it adds very little.
>>>> 
>>> 
>>> Client_ID is not for adding entropy.
>>> Again, Client_ID is separating the attacker's searching space.
>>> 
>>>> Yes, salting is valuable for passwords which have very low entropy.
>>>> But as has been discussed it adds little in this case.  Your
>>>> arguments are correct for passwords but not for 256 bits of random
>>>> number.
>>>> 
>>> 
>>> I agree that human-made password is low entropy.
>>> As I say, adding Client_ID can force the attacker has to search the
>>> value in each attack.
>>> If the attacker uses GPU, he can not get the value within the session.
>>> 
>>> I never confuse about password in these discussions.
>>> 
>>> 
>>> 
>>>> Regards,
>>>> 
>>>> -bill
>>>> 
>>>> 
>>>> 
>>>> On Monday, November 17, 2014 7:27 PM, takamichi saito
>>>> <saito@cs.meiji.ac.jp> wrote:
>>>> 
>>>> I agree that GPU can/may find the value on the fly.
>>>> But, it can not find it within the session.
>>>> The draft idea is enough against the attack with GPU.
>>>> 
>>>> On the other, the draft idea provide ONLY one combination of hash and
>>>> its plain. The attacker can prepare THE COMBINATION to success the
>>>> attack.
>>>> 
>>>> Adding client_ID or server_ID separate the searching space.
>>>> Then the attacker have to find the value in each case for the attack.
>>>> (The reason was said before.)
>>>> 
>>>> 
>>>> (2014/11/17 13:33), John Bradley wrote:
>>>>> The question is what is the attack.
>>>>> 
>>>>> Any salt added needs to be communicated from the client to the AS,
>>>>> so we
>>>>> must assume that the attacker has it.
>>>>> 
>>>>> The attacker can then a) create rainbow table using the client id or
>>>>> whatever is the known salt.  Yes the attacker  must create a new table
>>>>> per client.
>>>>> Salting is really only effective for low entropy passwords to try and
>>>>> slow down a rainbow table attack by making the input to the hash be
>>>>> higher than the that of the password on it's own.
>>>>> 
>>>>> Currently attackers can generate over 4Billion SHA256 hashes per second
>>>>> on a single GPU card.  (Thank you bitcoin)
>>>>> 
>>>>> It is faster to generate the hashes than to look them up via a index.
>>>>> 
>>>>> If you are generating the hash in real time salting provides no
>>>>> determent, as the salt is just included in the hash calculation.
>>>>> 
>>>>> If the code verifier was a password rather than a 256bit random key
>>>>> then
>>>>> a hash would add value against rainbow tables.
>>>>> 
>>>>> In reality finding a collision against a salted password is much easier
>>>>> using real time hash generation than by using rainbow tables.
>>>>> 
>>>>> Using SHA256 with a short hash is not safe for passwords any more.
>>>>> Something like PBES2 with at-least 200 rounds needs to be used, if you
>>>>> want have password files from being compromised quickly if disclosed.
>>>>>    (Yes I know people are not doing that,  and hence part of the
>>>>> reason
>>>>> why passwords are no longer secure)
>>>>> 
>>>>> More entropy in the code verifier adds to security eg moving to SHA512
>>>>> and larger verifiers, but adding a salt to SHA256 is basically a no op
>>>>> when defending against modern attacks.
>>>>> 
>>>>> I did originally agree with your position and wanted to HMAC the
>>>>> client_id to defend against rainbow tables, however I am now convinced
>>>>> that the attack has moved on so that is no more efective than a plain
>>>>> hash over a random 256bit value.
>>>>> 
>>>>> John B.
>>>>> 
>>>>>> On Nov 16, 2014, at 11:06 PM, Nat Sakimura <sakimura@gmail.com
>>>>>> <mailto:sakimura@gmail.com>> wrote:
>>>>>> 
>>>>>> I am actually not convinced. Since the code verifier is 256bit random,
>>>>>> adding salt does not seem to help.
>>>>>> Salting definitely helps if len(password) << 256 bit, but ...
>>>>>> 
>>>>>> 
>>>>>> On Mon Nov 17 2014 at 11:39:07 takamichi saito <saito@cs.meiji.ac.jp
>>>>>> <mailto:saito@cs.meiji.ac.jp>> wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>      (2014/11/14 13:02), Bill Mills wrote:
>>>>>>      > Yes, "plain" is actually sufficient.  The hashed value
>>>>>> protects
>>>>>>      against
>>>>>>      > disclosure/logging threats on the server auth server and
>>>>>> proxies
>>>>>>      perhaps
>>>>>>      > where the HTTPS is terminated somewhere other than the auth
>>>>>> server
>>>>>>      > itself, it's not actually required for the basic
>>>>>>      functionality/security
>>>>>>      > of the mechanism.
>>>>>> 
>>>>>>      In the threat model of the SPOP scheme, a wiretap is in it.
>>>>>> 
>>>>>>      And more, the hash is not used to keep secretly in the
>>>>>> sever/client.
>>>>>> 
>>>>>> 
>>>>>>      >
>>>>>>      >
>>>>>>      > On Thursday, November 13, 2014 7:07 PM, takamichi saito
>>>>>>      > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>> wrote:
>>>>>>      >
>>>>>>      >
>>>>>>      > Sorry for my poor english.
>>>>>>      >
>>>>>>      >
>>>>>>      > 2014/11/14 10:55、Bill Mills <wmills_92105@yahoo.com
>>>>>>      <mailto:wmills_92105@yahoo.com>
>>>>>>      > <mailto:wmills_92105@yahoo.com
>>>>>>      <mailto:wmills_92105@yahoo.com>__>> のメール:
>>>>>>      >
>>>>>>      >  > The whole mechanism relies on the attacker not having
>>>>>> access
>>>>>>      to the
>>>>>>      > code_verifier or hash.  It's defending against the attacker
>>>>>>      getting the
>>>>>>      > code via weakness in IPC or other such mechanism like URI
>>>>>>      handlers.  How
>>>>>>      > many more bits is secure beyond 256 bits of entropy
>>>>>>      recommended?  If you
>>>>>>      > want to make it longer then just make it longer, salting
>>>>>> doesn't
>>>>>>      really
>>>>>>      > help that much.
>>>>>>      >  >
>>>>>>      >  > The original value or the hashed value *should* be
>>>>>> protected
>>>>>>      by the
>>>>>>      > transport security, and if it isn't then the attacker could be
>>>>>>      stealing
>>>>>>      > the original credential used to authenticate anyway.
>>>>>>      >  >
>>>>>>      >
>>>>>>      > Is it correct?
>>>>>>      > You mean that we don’t need to use hash itself? Only to use
>>>>>>      plain is enough?
>>>>>>      >
>>>>>>      >
>>>>>>      >  >
>>>>>>      >  >
>>>>>>      >  >
>>>>>>      >  > On Thursday, November 13, 2014 5:40 PM, takamichi saito
>>>>>>      > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>
>>>>>>      <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>>>
>>>>>> wrote:
>>>>>>      >  >
>>>>>>      >  >
>>>>>>      >  >
>>>>>>      >  > Hi all,
>>>>>>      >  >
>>>>>>      >  > I appreciate this idea, simple and powerful to achieve
>>>>>> proof of
>>>>>>      > possession.
>>>>>>      >  > But, I have some questions against the scheme.
>>>>>>      >  > Sorry if these ware already discussed.
>>>>>>      >  >
>>>>>>      >  > I worry about using a hash function in simple way.
>>>>>>      >  > I mean, a simple use of random as code_verifier may
>>>>>> cause that
>>>>>>      > malicious client can have any code_verifier and
>>>>>> code_challenge.
>>>>>>      >  > All combinations of random and its hash can be obtained, it
>>>>>>      may not
>>>>>>      > be risk?
>>>>>>      >  >
>>>>>>      >  > So, we should use:
>>>>>>      >  > S256 "code_challenge" =
>>>>>> BASE64URL(SHA256("code___verifier" +
>>>>>>      “client ID”))
>>>>>>      >  > or
>>>>>>      >  > S256 "code_challenge" =
>>>>>> BASE64URL(SHA256("code___verifier" +
>>>>>>      “client
>>>>>>      > ID” + “server ID”))
>>>>>>      >  > Where, you know that client ID is client’s unique name.
>>>>>>      >  >
>>>>>>      >  >
>>>>>>      >  > Other problem is the following, using Nat’s slide:
>>>>>>      >  > http://www.slideshare.net/nat___sakimura/1112-spoppresso
>>>>>>      <http://www.slideshare.net/nat_sakimura/1112-spoppresso>
>>>>>>      > <http://www.slideshare.net/__nat_sakimura/1112-spoppresso
>>>>>>      <http://www.slideshare.net/nat_sakimura/1112-spoppresso>>.
>>>>>>      >  >
>>>>>>      >  > 0.    Attacker prepares own code_verifier and
>>>>>> code_challenge.
>>>>>>      >  > 1.    replage legitimate challenge with malicious
>>>>>> code_challenge.
>>>>>>      >  > 5. Attacker can submits own code_verifier.
>>>>>>      >  >
>>>>>>      >  > It may be out of the draft, I think.
>>>>>>      >  >
>>>>>>      >  > Best regards,
>>>>>>      >  >
>>>>>>      >  >
>>>>>>      >  > ;; takamixhi saito
>>>>>>      >  >
>>>>>>      >  > _________________________________________________
>>>>>>      >  > OAuth mailing list
>>>>>>      >  > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>> <mailto:OAuth@ietf.org
>>>>>>      <mailto:OAuth@ietf.org>>
>>>>>>      >  > https://www.ietf.org/mailman/__listinfo/oauth
>>>>>>      <https://www.ietf.org/mailman/listinfo/oauth>
>>>>>>      >
>>>>>>      >  >
>>>>>>      >  >
>>>>>>      >
>>>>>>      >
>>>>>>      > ;; takamixhi saito
>>>>>>      >
>>>>>>      > _________________________________________________
>>>>>>      > OAuth mailing list
>>>>>>      > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>>>>>>      <mailto:OAuth@ietf.org>>
>>>>>>      > https://www.ietf.org/mailman/__listinfo/oauth
>>>>>>      <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>>>>>      >
>>>>>>      >
>>>>>> 
>>>>>> 
>>>>>>      --
>>>>>>      ;; takamixhi saito
>>>>>> 
>>>>>>      _________________________________________________
>>>>>>      OAuth mailing list
>>>>>>    OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>    https://www.ietf.org/mailman/__listinfo/oauth
>>>>>>      <https://www.ietf.org/mailman/listinfo/oauth>
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


;; takamixhi saito

v2.23.0 | Report a Bug | By Email