[sasl] draft-ietf-sasl-scram-11: why don't include the authentication identity in the stored key?
Jehan Pagès <jehan.marmottard@gmail.com> Tue, 22 June 2010 08:05 UTC
Return-Path: <jehan.marmottard@gmail.com>
X-Original-To: sasl@core3.amsl.com
Delivered-To: sasl@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EF23C3A6959 for <sasl@core3.amsl.com>; Tue, 22 Jun 2010 01:05:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.115
X-Spam-Level:
X-Spam-Status: No, score=0.115 tagged_above=-999 required=5 tests=[AWL=-0.186, BAYES_50=0.001, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cD6oYDLoI8Pi for <sasl@core3.amsl.com>; Tue, 22 Jun 2010 01:05:31 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 9D6D23A6813 for <sasl@ietf.org>; Tue, 22 Jun 2010 01:05:31 -0700 (PDT)
Received: by iwn9 with SMTP id 9so1441277iwn.31 for <sasl@ietf.org>; Tue, 22 Jun 2010 01:05:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type:content-transfer-encoding; bh=1Nq0hi7VRnoMWPZdqYPF5fLgWpIjB5Y+deCmC8Mrhk4=; b=X12CedZYocvefTpqCASHnocWuEpUm6n4oyw4UIkSeRM/H5/c8lNGymRz59NvY9FYnM kxzHfS5dk1RIFbVSVL9pWpNPByuYn7hq24LfkHd+LfjowG6Qdj9bGvxDqb4pMmhmWyzQ U6zPfE43b5ppNuEkyY1gfvHE0pfalwREOs4/k=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=iOW077UQbsQ+uWY2ng1XtVGSr2aAUdQfSmWkMaee74sr7VB9GSw+ATzcoP220DAMQo nrE8rhuZFru1CX+WKdWnZ3hF2YN5NN0qZxldYYr8a17vy+KLxh5HkA35pnHrBHZ1ET7S jJBRVq6WBtLQT1FjEBYG78xxz1wLnTVDpqoTY=
MIME-Version: 1.0
Received: by 10.231.207.225 with SMTP id fz33mr6300339ibb.173.1277193936251; Tue, 22 Jun 2010 01:05:36 -0700 (PDT)
Received: by 10.231.35.137 with HTTP; Tue, 22 Jun 2010 01:05:36 -0700 (PDT)
Date: Tue, 22 Jun 2010 17:05:36 +0900
Message-ID: <AANLkTinl6-npKB1MjYmQIVehy4yqwgnWzipvPr7AaeYd@mail.gmail.com>
From: Jehan Pagès <jehan.marmottard@gmail.com>
To: sasl@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: [sasl] draft-ietf-sasl-scram-11: why don't include the authentication identity in the stored key?
X-BeenThere: sasl@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SASL Working Group <sasl.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sasl>, <mailto:sasl-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sasl>
List-Post: <mailto:sasl@ietf.org>
List-Help: <mailto:sasl-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sasl>, <mailto:sasl-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jun 2010 08:05:33 -0000
Hello,
I am reading the SCRAM draft for an implementation and had a remark.
The SCRAM's design motivations states this:
«
The server does not gain the ability to impersonate the client to
other servers (with an exception for server-authorized proxies),
unless such other servers allow SCRAM authentication and use the
same salt and iteration count for the user.
»
But if the username was included in the StoredKey algorithm (for
instance instead of salting the password only, you could salt
[authentication identity + UTF8NUL + password]), noone having the
stored key (whether the server itself or someone having gained access
to it on the user's computer for instance) could use it to access any
service other than the one it was stored for, EVEN IF this other
service has the same salt and iteration count by some extraordinary
chance, unless the same authentication identity is also used on both
service (which might be improbable, though not impossible, as such
identity often include a service domain).
Isn't it better for security (though I agree that the chances of
having same salt and iteration count are weak, here they would be even
weaker)? Moreover in my opinion, associating the
username/authentication identity and the password seems a nicer design
(by including them both into the Stored key).
Am I missing something?
Thanks.
Jehan
- [sasl] draft-ietf-sasl-scram-11: why don't includ… Jehan Pagès
- Re: [sasl] draft-ietf-sasl-scram-11: why don't in… Alexey Melnikov
- Re: [sasl] draft-ietf-sasl-scram-11: why don't in… Jehan Pagès
- Re: [sasl] draft-ietf-sasl-scram-11: why don't in… Simon Josefsson