Re: [saag] Feedback on Salted EAP draft

Joseph Salowey <joe@salowey.net> Mon, 17 August 2015 04:33 UTC

Return-Path: <joe@salowey.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C42331A0397 for <saag@ietfa.amsl.com>; Sun, 16 Aug 2015 21:33:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tSD5Uq6u_DxL for <saag@ietfa.amsl.com>; Sun, 16 Aug 2015 21:33:18 -0700 (PDT)
Received: from mail-lb0-f178.google.com (mail-lb0-f178.google.com [209.85.217.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C77DF1A038E for <saag@ietf.org>; Sun, 16 Aug 2015 21:33:17 -0700 (PDT)
Received: by lbbpu9 with SMTP id pu9so74567189lbb.3 for <saag@ietf.org>; Sun, 16 Aug 2015 21:33:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=WdOi5+tEa6h/Je+EHrTpwErIniwYnhMBMR2mVfMD300=; b=ZMRN5Z6At1ZarZlwO5OYlxD/WeZ3m227yNU6yx8ZZ9UoS5OJCQUo/kF9LoKBJJMfaj Ozs5mw88ispl3qTPPkp0d9DPOBcloX9J+t/OBIMvHr5yl+3mIqX7zUayTFkMBtS0k7s7 O9ui462tCZn43Yq7AEQjiEhzDvV2Yw6YIsnuKboxtgAgCtEoL0iVQglsR87e+3+EOjex ezLpTmqF8z6SkW+e2pMaDWJWPI4z9JBp+/TCkDnnbHYTawyVNbNM8V7rPvrtWfp/6EEf t8a3SzXF9sbWFb/JT16nlY/ATjTpbh0qbCBqR/1ljPK/O7KVzSUskzvQkWqxFu/umanT GkUQ==
X-Gm-Message-State: ALoCoQkEyiDdWJiSHGd1MzSHdSC4ATBMkYdmf2WFq/MeC55m8OjIr824ViMiI8gKZzButE0kjBum
MIME-Version: 1.0
X-Received: by 10.112.142.196 with SMTP id ry4mr54085692lbb.68.1439785996265; Sun, 16 Aug 2015 21:33:16 -0700 (PDT)
Received: by 10.112.122.17 with HTTP; Sun, 16 Aug 2015 21:33:16 -0700 (PDT)
In-Reply-To: <449964e467e0347db185eb787db71efd.squirrel@www.trepanning.net>
References: <CAHbuEH5u=Q_h4L4yNdrpPw1J3fAsr1MfEMBV84TgdnHVWcxX0w@mail.gmail.com> <CAHbuEH4--TP0duM-8GSaR4RaUG5DoL=QtnCFE3shHbaUNPvwVg@mail.gmail.com> <tsloane9wff.fsf@mit.edu> <CAHbuEH5cGW3pknnwseEnp=mqzrMLPFBh-bN4pd2wKKDgpS08wQ@mail.gmail.com> <DM2PR0301MB06558BFBD0251595A3B4B0B9A89B0@DM2PR0301MB0655.namprd03.prod.outlook.com> <449964e467e0347db185eb787db71efd.squirrel@www.trepanning.net>
Date: Sun, 16 Aug 2015 21:33:16 -0700
Message-ID: <CAOgPGoB_EEZEi0_SsFyq2jWkWvb7TM9tSN40UO52DGjH42YkLw@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: multipart/alternative; boundary=089e0112bf7edc4370051d7a4ce2
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/MqND8-JH-sqDueAuVNYrR2RfyvA>
Cc: Sam Hartman <hartmans-ietf@mit.edu>, "saag@ietf.org" <saag@ietf.org>, "emu@ietf.org" <emu@ietf.org>
Subject: Re: [saag] Feedback on Salted EAP draft
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2015 04:33:19 -0000

Hi Dan,

I read the latest version of the draft (-02) and it looks mostly good to
me.   some comments:

I think you want to change the RFC references in the abstract from RFC 2751
to RFC 2759.

One question I have is there any reason why you specify the input of the
hash function as password | salt instead of the other way around?  Is this
the way it is done in practice?

Thanks,

Joe

On Thu, Aug 13, 2015 at 2:35 PM, Dan Harkins <dharkins@lounge.org>; wrote:

>
>   Hi Christian,
>
> On Tue, July 14, 2015 10:50 am, Christian Huitema wrote:
> [snip]
> > The draft is short and clear enough, but it acknowledges a pretty big
> > security issue: "the salted
> > password from a compromised database can be used directly to impersonate
> > the client-- there
> > is no dictionary attack needed to recover the plaintext password."
> >
> > That's a pretty big caveat, but there are still some advantages over
> > operating with unsalted passwords. The draft aligns server side password
> > management for EAP-pwd  with standard industry practices, which is good.
> > In case of server compromise, the immediate effect of the compromise is
> an
> > attack on the already compromised server, and the per-user salt make
> > password discovery harder. The security section should be expanded to
> > explain this tradeoff.
>
>   Yes, it's a big caveat and, as I mentioned, I'm trying to
> be as blunt as possible about it. I have updated the Security
> Considerations to include the point you are making about server
> compromise and the per-user salt still making password recovery
> harder.
>
> > Nits:
> >
> > - in the abstract, missing "not" in " but did (not?) include support for
> > salted passwords."
>
>   Nice catch.
>
>   An -02 version has been posted. Would you please take a look
> and let me know whether it satisfactorily addresses your comments?
>
>   regards,
>
>   Dan.
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>