IETF Logo Mail Archive

Re: [saag] Feedback on Salted EAP draft

Sam Hartman <hartmans-ietf@mit.edu> Tue, 14 July 2015 20:05 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2D401B2C21; Tue, 14 Jul 2015 13:05:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s7dwYNawylz3; Tue, 14 Jul 2015 13:05:55 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F25F1B2C1F; Tue, 14 Jul 2015 13:05:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 064A020739; Tue, 14 Jul 2015 16:05:49 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id buzZNjPINghP; Tue, 14 Jul 2015 16:05:48 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (unknown [10.1.10.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Tue, 14 Jul 2015 16:05:48 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 4A02688EE8; Tue, 14 Jul 2015 16:05:53 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Christian Huitema <huitema@microsoft.com>
References: <CAHbuEH5u=Q_h4L4yNdrpPw1J3fAsr1MfEMBV84TgdnHVWcxX0w@mail.gmail.com> <CAHbuEH4--TP0duM-8GSaR4RaUG5DoL=QtnCFE3shHbaUNPvwVg@mail.gmail.com> <tsloane9wff.fsf@mit.edu> <CAHbuEH5cGW3pknnwseEnp=mqzrMLPFBh-bN4pd2wKKDgpS08wQ@mail.gmail.com> <DM2PR0301MB06558BFBD0251595A3B4B0B9A89B0@DM2PR0301MB0655.namprd03.prod.outlook.com>
Date: Tue, 14 Jul 2015 16:05:53 -0400
In-Reply-To: <DM2PR0301MB06558BFBD0251595A3B4B0B9A89B0@DM2PR0301MB0655.namprd03.prod.outlook.com> (Christian Huitema's message of "Tue, 14 Jul 2015 17:50:33 +0000")
Message-ID: <tslr3oabj32.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/nQd9XEyavEOn0oWH6g53iZFHMOc>
Cc: Sam Hartman <hartmans-ietf@mit.edu>, "saag@ietf.org" <saag@ietf.org>, "emu@ietf.org" <emu@ietf.org>
Subject: Re: [saag] Feedback on Salted EAP draft
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 20:05:57 -0000

>>>>> "Christian" == Christian Huitema <huitema@microsoft.com> writes:

    Christian> On Tuesday, July 14, 2015 9:01 AM, Kathleen Moriarty wrote:
    >> Is there interest in reviewing this draft?  Sam pointed out the
    >> importance of moving this work forward, it would be helpful to
    >> have volunteers to review the work and also to understand the
    >> level of interest (if any) before this goes forward as AD
    >> sponsored.

    Christian> The draft is short and clear enough, but it acknowledges
    Christian> a pretty big security issue: "the salted password from a
    Christian> compromised database can be used directly to impersonate
    Christian> the client-- there is no dictionary attack needed to
    Christian> recover the plaintext password."

If you want to use an pre-existing salted database and you want to use some
cryptographic mechanism rather than transporting plaintext passwords
over encrypted transport, I think you have to accept that particular
vulnerability or something similar.

To defeat this you'd need some function that the peer, knowing the full
plaintext password could compute, and the EAP server knowing the salted
database entry could verify, but an attacker could not verify.
Most of the ways I can think of of doing that would defeat other
properties that the eap-pwd designers would probably consider
important. You might be able to do something with a secondary
authentication after the primary authentication had succeeded
(vulnerable to attackers who own your database).  Of course once an attacker gets your database, they could impersonate
the server towards the peer and defeate this secondary authentication.
However if the plaintext password were strong enough they could not log
into the original server.

Which is to say there are probably different tradeoffs that could be
made, but the ones in this protocol are ones that reasonable folks have
considered acceptable in the past.


I'll note that password-protected Kerberos as described in RFC 4120/6112
is an example of another system with this vulnerability.

v2.23.0 | Report a Bug | By Email