Re: [saag] Feedback on Salted EAP draft
Sam Hartman <hartmans-ietf@mit.edu> Tue, 14 July 2015 20:05 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2D401B2C21; Tue, 14 Jul 2015 13:05:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s7dwYNawylz3; Tue, 14 Jul 2015 13:05:55 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F25F1B2C1F; Tue, 14 Jul 2015 13:05:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 064A020739; Tue, 14 Jul 2015 16:05:49 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id buzZNjPINghP; Tue, 14 Jul 2015 16:05:48 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (unknown [10.1.10.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Tue, 14 Jul 2015 16:05:48 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 4A02688EE8; Tue, 14 Jul 2015 16:05:53 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Christian Huitema <huitema@microsoft.com>
References: <CAHbuEH5u=Q_h4L4yNdrpPw1J3fAsr1MfEMBV84TgdnHVWcxX0w@mail.gmail.com> <CAHbuEH4--TP0duM-8GSaR4RaUG5DoL=QtnCFE3shHbaUNPvwVg@mail.gmail.com> <tsloane9wff.fsf@mit.edu> <CAHbuEH5cGW3pknnwseEnp=mqzrMLPFBh-bN4pd2wKKDgpS08wQ@mail.gmail.com> <DM2PR0301MB06558BFBD0251595A3B4B0B9A89B0@DM2PR0301MB0655.namprd03.prod.outlook.com>
Date: Tue, 14 Jul 2015 16:05:53 -0400
In-Reply-To: <DM2PR0301MB06558BFBD0251595A3B4B0B9A89B0@DM2PR0301MB0655.namprd03.prod.outlook.com> (Christian Huitema's message of "Tue, 14 Jul 2015 17:50:33 +0000")
Message-ID: <tslr3oabj32.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/nQd9XEyavEOn0oWH6g53iZFHMOc>
Cc: Sam Hartman <hartmans-ietf@mit.edu>, "saag@ietf.org" <saag@ietf.org>, "emu@ietf.org" <emu@ietf.org>
Subject: Re: [saag] Feedback on Salted EAP draft
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 20:05:57 -0000
>>>>> "Christian" == Christian Huitema <huitema@microsoft.com> writes: Christian> On Tuesday, July 14, 2015 9:01 AM, Kathleen Moriarty wrote: >> Is there interest in reviewing this draft? Sam pointed out the >> importance of moving this work forward, it would be helpful to >> have volunteers to review the work and also to understand the >> level of interest (if any) before this goes forward as AD >> sponsored. Christian> The draft is short and clear enough, but it acknowledges Christian> a pretty big security issue: "the salted password from a Christian> compromised database can be used directly to impersonate Christian> the client-- there is no dictionary attack needed to Christian> recover the plaintext password." If you want to use an pre-existing salted database and you want to use some cryptographic mechanism rather than transporting plaintext passwords over encrypted transport, I think you have to accept that particular vulnerability or something similar. To defeat this you'd need some function that the peer, knowing the full plaintext password could compute, and the EAP server knowing the salted database entry could verify, but an attacker could not verify. Most of the ways I can think of of doing that would defeat other properties that the eap-pwd designers would probably consider important. You might be able to do something with a secondary authentication after the primary authentication had succeeded (vulnerable to attackers who own your database). Of course once an attacker gets your database, they could impersonate the server towards the peer and defeate this secondary authentication. However if the plaintext password were strong enough they could not log into the original server. Which is to say there are probably different tradeoffs that could be made, but the ones in this protocol are ones that reasonable folks have considered acceptable in the past. I'll note that password-protected Kerberos as described in RFC 4120/6112 is an example of another system with this vulnerability.
- [saag] Feedback on Salted EAP draft Kathleen Moriarty
- Re: [saag] Feedback on Salted EAP draft Kathleen Moriarty
- Re: [saag] Feedback on Salted EAP draft Sam Hartman
- Re: [saag] Feedback on Salted EAP draft Kathleen Moriarty
- Re: [saag] Feedback on Salted EAP draft Christian Huitema
- Re: [saag] Feedback on Salted EAP draft Dan Harkins
- Re: [saag] Feedback on Salted EAP draft Sam Hartman
- Re: [saag] [Emu] Feedback on Salted EAP draft Stefan Winter
- Re: [saag] Feedback on Salted EAP draft Dan Harkins
- Re: [saag] Feedback on Salted EAP draft Joseph Salowey
- Re: [saag] Feedback on Salted EAP draft Dan Harkins