Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge
takamichi saito <saito@cs.meiji.ac.jp> Wed, 19 November 2014 05:04 UTC
Return-Path: <tan1tan2tan3tan4@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9D8C1ACF7D for <oauth@ietfa.amsl.com>; Tue, 18 Nov 2014 21:04:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.65
X-Spam-Level:
X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RHWvx78hd-Ya for <oauth@ietfa.amsl.com>; Tue, 18 Nov 2014 21:04:27 -0800 (PST)
Received: from mail-pa0-x22f.google.com (mail-pa0-x22f.google.com [IPv6:2607:f8b0:400e:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50B021ACF7C for <oauth@ietf.org>; Tue, 18 Nov 2014 21:04:27 -0800 (PST)
Received: by mail-pa0-f47.google.com with SMTP id kq14so7171328pab.34 for <oauth@ietf.org>; Tue, 18 Nov 2014 21:04:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:reply-to:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=DA8NSDcUXFY/YYhLq2lFxqYwEc2pO7/DteB4zby57Ns=; b=D8JVLOJLxkJiYxrQTDOqCaHDIDxk7LY8GA/BVaMsstrQVOdvepD+/LBrvxR1jU4lG8 4JkEQVyVCKvxbLbJn3KCOBOahP54pMtYo/i/mNRfl12MtwP9sGjD9T4rBu6nH3QwRyQ/ 0dDBcfl7cUjhfyHLTBbh3Ty0ylIxUlYEzJJxUqLCYf/6dEVzhc7dwAD3VDIoac3X2+Qz QbFXEs1tQ8ylFi0/MVBBtkRk5H1JVXGQTGxaIU+RjIPQdFLEm3OlgwZMVtX5UwtKjFtc hJIJ4vadmJ/2bZJi18o6evMo/TfdqsXMGQiZ+zQBdrFO536Ybr9zHTiyHZbfZcWSGqjK 7QQg==
X-Received: by 10.66.139.234 with SMTP id rb10mr16092287pab.146.1416373466440; Tue, 18 Nov 2014 21:04:26 -0800 (PST)
Received: from [127.0.0.1] ([133.26.134.125]) by mx.google.com with ESMTPSA id tv4sm578137pab.28.2014.11.18.21.04.23 for <oauth@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 18 Nov 2014 21:04:25 -0800 (PST)
Sender: "saito@cs.meiji.ac.jp" <tan1tan2tan3tan4@gmail.com>
Message-ID: <546C24D6.5010206@cs.meiji.ac.jp>
Date: Wed, 19 Nov 2014 14:04:22 +0900
From: takamichi saito <saito@cs.meiji.ac.jp>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
References: <8DF11B47-479E-4542-853B-90CF552AEEC3@cs.meiji.ac.jp> <1725911091.499004.1415937773834.JavaMail.yahoo@jws10619.mail.bf1.yahoo.com> <54695FF0.2010603@cs.meiji.ac.jp> <CABzCy2Bp1nxJbzw7H1edoYCe-VaPQQgSJX-yMg0wvQKNE870VA@mail.gmail.com> <E734389D-499D-4E3E-AF19-16343457B33F@ve7jtb.com> <546ABCA0.6010808@cs.meiji.ac.jp> <5C4B100F-77ED-49F4-993E-D025C739DF9B@ve7jtb.com> <CABzCy2BBXaP1Tm=OwWqrw-dyDTLX_JEd9-npSUrd6wcp=z+bVg@mail.gmail.com>
In-Reply-To: <CABzCy2BBXaP1Tm=OwWqrw-dyDTLX_JEd9-npSUrd6wcp=z+bVg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/rSnmm9pACpwVLin1uZD4QmisQ8o
Subject: Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of making code_challenge
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: saito@cs.meiji.ac.jp
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Nov 2014 05:04:32 -0000
(2014/11/18 17:08), Nat Sakimura wrote: > The code verifier is 256 bit high entropy cryptographic random. > > Let D:= {d | all possible 256 bit random}. This is the set of all > possible code verifiers. > Let S be SHA256 function. > Then, set of all possible code challenge corresponding to D, which is > denoted by R, is defined as: > S:D->R. > Note that D=R. Mathematically, it is not correct. Depeding on the mathetical definition of D, D is quite larger than R. Then we can not write D=R. > Rainbow table attack is to prepare a mapping table enumerating d∈D to > r∈R and look up the value of ri=code_challenge to find the corresponding > di, the code_verifier. > Let such table to be expressed by T. > Salting is creating a string d'=s||d where '||' is the concatenation > operator and s is a string of length > 0. > Let D':={any d'}. > Let R'=S(D'). > Note that by the nature of S, R'=R=D. Mathematically, it is not correct. It is confused with a bijective function. Hash is not injective but a surjective function. That's why adding client_ID gets effect. The following is happened with no-injective but a surjective function, e.g. hash function. hash( 12345 | "client_ID" ) = 4567 hash( 789 ) = 4567 Even if cryptographical hash has the property `second preimage resistance', the collision can be happened. Again, adding client_ID is NOT only for expanding the searching space. It is a constraing against an attacker to search the code_verifier. > > Suppose the attacker who has T but does not have the corresponding > salted table T' observed the code_challenge r'. > He can still look up r' from T and find the corresponding value for the > code_verifier, v, in it. > Note v!=d', but S(v)=S(d'). (At this point, we have found a weak > collision in S!) > Then, the client can send v as the code_verifier to the server and still > the verification at the server succeeds. > i.e., salting did not make it harder for the attack to succeed. > > You could also argue that by salting, the search space become larger. > However, this is true if D is a strict subset of D' because then S(D) > will be a strict subset of S(D'). However, due to the definition of D, > S(D)=S(D'). > > Finally, let us take a substantially smaller subset C of D as the domain > of S. Let C' be the set of x||c where x is a salt and c is an element of C. > Suppose that C was known by the attacker and the attacker has created > the corresponding table Tc. This is typically the case when the > distribution of d is not uniform and skewed, such as often used > passwords. In this case, salting used to help as calculating new hash > from C' was typically slower than reading out Tc. This holds true as > long as the speed of lookup of the 256bit value from the table is faster > than calculating a S(c'). This, unfortunately is no longer true as John > has pointed out [1]. But again, this become irrelevant when C=D. > > [1] Use of PBES2 with increasing n is an attempt to keep this (lookup > time) < (calcluation time) formula. > > Best, > > Nat > > On Tue Nov 18 2014 at 14:34:03 John Bradley <ve7jtb@ve7jtb.com > <mailto:ve7jtb@ve7jtb.com>> wrote: > > I think where we are differing is that you think looking up a > precomputed plain based on a indexed hash across some sort of media > can be done faster than 3 Giga SHA256 Hash/s. > on a small system > http://thepasswordproject.com/__oclhashcat_benchmarking > <http://thepasswordproject.com/oclhashcat_benchmarking> > > I don't think the largest disk arrays can keep up with that. > > Do you have some evidence that shows that precomputing hashes would > be an effective attack against 256 bits of entropy. I agree that > it would be agains the 40 ish bits of entropy in a password. > > The likely mitigation is using PBKDF2 or BCrypt rather than SHA256, > but that would slow adoption and can be added later. > > John B. > > > > > My contention is that it can't > > On Nov 17, 2014, at 10:27 PM, takamichi saito > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>> wrote: > > > > > > I agree that GPU can/may find the value on the fly. > > But, it can not find it within the session. > > The draft idea is enough against the attack with GPU. > > > > On the other, the draft idea provide ONLY one combination of hash > and its plain. The attacker can prepare THE COMBINATION to success > the attack. > > > > Adding client_ID or server_ID separate the searching space. > > Then the attacker have to find the value in each case for the attack. > > (The reason was said before.) > > > > > > (2014/11/17 13:33), John Bradley wrote: > >> The question is what is the attack. > >> > >> Any salt added needs to be communicated from the client to the > AS, so we > >> must assume that the attacker has it. > >> > >> The attacker can then a) create rainbow table using the client id or > >> whatever is the known salt. Yes the attacker must create a new > table > >> per client. > >> Salting is really only effective for low entropy passwords to > try and > >> slow down a rainbow table attack by making the input to the hash be > >> higher than the that of the password on it's own. > >> > >> Currently attackers can generate over 4Billion SHA256 hashes per > second > >> on a single GPU card. (Thank you bitcoin) > >> > >> It is faster to generate the hashes than to look them up via a > index. > >> > >> If you are generating the hash in real time salting provides no > >> determent, as the salt is just included in the hash calculation. > >> > >> If the code verifier was a password rather than a 256bit random > key then > >> a hash would add value against rainbow tables. > >> > >> In reality finding a collision against a salted password is much > easier > >> using real time hash generation than by using rainbow tables. > >> > >> Using SHA256 with a short hash is not safe for passwords any more. > >> Something like PBES2 with at-least 200 rounds needs to be used, > if you > >> want have password files from being compromised quickly if > disclosed. > >> (Yes I know people are not doing that, and hence part of the > reason > >> why passwords are no longer secure) > >> > >> More entropy in the code verifier adds to security eg moving to > SHA512 > >> and larger verifiers, but adding a salt to SHA256 is basically a > no op > >> when defending against modern attacks. > >> > >> I did originally agree with your position and wanted to HMAC the > >> client_id to defend against rainbow tables, however I am now > convinced > >> that the attack has moved on so that is no more efective than a > plain > >> hash over a random 256bit value. > >> > >> John B. > >> > >>> On Nov 16, 2014, at 11:06 PM, Nat Sakimura <sakimura@gmail.com > <mailto:sakimura@gmail.com> > >>> <mailto:sakimura@gmail.com <mailto:sakimura@gmail.com>>> wrote: > >>> > >>> I am actually not convinced. Since the code verifier is 256bit > random, > >>> adding salt does not seem to help. > >>> Salting definitely helps if len(password) << 256 bit, but ... > >>> > >>> > >>> On Mon Nov 17 2014 at 11:39:07 takamichi saito > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp> > >>> <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>>> wrote: > >>> > >>> > >>> > >>> (2014/11/14 13:02), Bill Mills wrote: > >>> > Yes, "plain" is actually sufficient. The hashed value > protects > >>> against > >>> > disclosure/logging threats on the server auth server and > proxies > >>> perhaps > >>> > where the HTTPS is terminated somewhere other than the > auth server > >>> > itself, it's not actually required for the basic > >>> functionality/security > >>> > of the mechanism. > >>> > >>> In the threat model of the SPOP scheme, a wiretap is in it. > >>> > >>> And more, the hash is not used to keep secretly in the > sever/client. > >>> > >>> > >>> > > >>> > > >>> > On Thursday, November 13, 2014 7:07 PM, takamichi saito > >>> > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp> > <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>>> wrote: > >>> > > >>> > > >>> > Sorry for my poor english. > >>> > > >>> > > >>> > 2014/11/14 10:55、Bill Mills <wmills_92105@yahoo.com > <mailto:wmills_92105@yahoo.com> > >>> <mailto:wmills_92105@yahoo.com > <mailto:wmills_92105@yahoo.com>__> > >>> > <mailto:wmills_92105@yahoo.com <mailto:wmills_92105@yahoo.com> > >>> <mailto:wmills_92105@yahoo.com > <mailto:wmills_92105@yahoo.com>__>__>> のメール: > >>> > > >>> > > The whole mechanism relies on the attacker not having > access > >>> to the > >>> > code_verifier or hash. It's defending against the attacker > >>> getting the > >>> > code via weakness in IPC or other such mechanism like URI > >>> handlers. How > >>> > many more bits is secure beyond 256 bits of entropy > >>> recommended? If you > >>> > want to make it longer then just make it longer, salting > doesn't > >>> really > >>> > help that much. > >>> > > > >>> > > The original value or the hashed value *should* be > protected > >>> by the > >>> > transport security, and if it isn't then the attacker could be > >>> stealing > >>> > the original credential used to authenticate anyway. > >>> > > > >>> > > >>> > Is it correct? > >>> > You mean that we don’t need to use hash itself? Only to use > >>> plain is enough? > >>> > > >>> > > >>> > > > >>> > > > >>> > > > >>> > > On Thursday, November 13, 2014 5:40 PM, takamichi saito > >>> > <saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp> > <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>> > >>> <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp> > <mailto:saito@cs.meiji.ac.jp <mailto:saito@cs.meiji.ac.jp>>>__> wrote: > >>> > > > >>> > > > >>> > > > >>> > > Hi all, > >>> > > > >>> > > I appreciate this idea, simple and powerful to achieve > proof of > >>> > possession. > >>> > > But, I have some questions against the scheme. > >>> > > Sorry if these ware already discussed. > >>> > > > >>> > > I worry about using a hash function in simple way. > >>> > > I mean, a simple use of random as code_verifier may > cause that > >>> > malicious client can have any code_verifier and > code_challenge. > >>> > > All combinations of random and its hash can be obtained, it > >>> may not > >>> > be risk? > >>> > > > >>> > > So, we should use: > >>> > > S256 "code_challenge" = > BASE64URL(SHA256("code_____verifier" + > >>> “client ID”)) > >>> > > or > >>> > > S256 "code_challenge" = > BASE64URL(SHA256("code_____verifier" + > >>> “client > >>> > ID” + “server ID”)) > >>> > > Where, you know that client ID is client’s unique name. > >>> > > > >>> > > > >>> > > Other problem is the following, using Nat’s slide: > >>> > > > http://www.slideshare.net/nat_____sakimura/1112-spoppresso > <http://www.slideshare.net/nat___sakimura/1112-spoppresso> > >>> <http://www.slideshare.net/__nat_sakimura/1112-spoppresso > <http://www.slideshare.net/nat_sakimura/1112-spoppresso>> > >>> > > <http://www.slideshare.net/____nat_sakimura/1112-spoppresso > <http://www.slideshare.net/__nat_sakimura/1112-spoppresso> > >>> <http://www.slideshare.net/__nat_sakimura/1112-spoppresso > <http://www.slideshare.net/nat_sakimura/1112-spoppresso>>>__. > >>> > > > >>> > > 0. Attacker prepares own code_verifier and > code_challenge. > >>> > > 1. replage legitimate challenge with malicious > code_challenge. > >>> > > 5. Attacker can submits own code_verifier. > >>> > > > >>> > > It may be out of the draft, I think. > >>> > > > >>> > > Best regards, > >>> > > > >>> > > > >>> > > ;; takamixhi saito > >>> > > > >>> > > ___________________________________________________ > >>> > > OAuth mailing list > >>> > > OAuth@ietf.org <mailto:OAuth@ietf.org> > <mailto:OAuth@ietf.org <mailto:OAuth@ietf.org>> > <mailto:OAuth@ietf.org <mailto:OAuth@ietf.org> > >>> <mailto:OAuth@ietf.org <mailto:OAuth@ietf.org>>> > >>> > > https://www.ietf.org/mailman/____listinfo/oauth > <https://www.ietf.org/mailman/__listinfo/oauth> > >>> <https://www.ietf.org/mailman/__listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth>> > >>> > > >>> > > > >>> > > > >>> > > >>> > > >>> > ;; takamixhi saito > >>> > > >>> > ___________________________________________________ > >>> > OAuth mailing list > >>> > OAuth@ietf.org <mailto:OAuth@ietf.org> > <mailto:OAuth@ietf.org <mailto:OAuth@ietf.org>> > <mailto:OAuth@ietf.org <mailto:OAuth@ietf.org> > >>> <mailto:OAuth@ietf.org <mailto:OAuth@ietf.org>>> > >>> > https://www.ietf.org/mailman/____listinfo/oauth > <https://www.ietf.org/mailman/__listinfo/oauth> > >>> <https://www.ietf.org/mailman/__listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth>> > >>> > > >>> > > >>> > >>> > >>> -- > >>> ;; takamixhi saito > >>> > >>> ___________________________________________________ > >>> OAuth mailing list > >>> OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org > <mailto:OAuth@ietf.org>> > >>> https://www.ietf.org/mailman/____listinfo/oauth > <https://www.ietf.org/mailman/__listinfo/oauth> > >>> <https://www.ietf.org/mailman/__listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth>> > >>> > >>> _________________________________________________ > >>> OAuth mailing list > >>> OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org > <mailto:OAuth@ietf.org>> > >>> https://www.ietf.org/mailman/__listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > >> > > > > > > -- > > ;; takamixhi saito > > > > _________________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/__listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > > _________________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/__listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > -- ;; takamixhi saito
- [OAUTH-WG] draft-ietf-oauth-spop-04: a way of mak… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… William Denniss
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Sergey Beryozkin
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… Sergey Beryozkin
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito
- Re: [OAUTH-WG] draft-ietf-oauth-spop-04: a way of… takamichi saito