Re: [sasl] SCRAM: PBKDF2 algorithm description wrong?!?

Simon Josefsson <simon@josefsson.org> Mon, 09 November 2009 15:29 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Tobias Markmann <tmarkmann@googlemail.com>
References: <5cfc0a8e0911070435s5f894c48rd916f887fb5842d5@mail.gmail.com>
Date: Mon, 09 Nov 2009 16:29:55 +0100
In-Reply-To: <5cfc0a8e0911070435s5f894c48rd916f887fb5842d5@mail.gmail.com> (Tobias Markmann's message of "Sat, 7 Nov 2009 13:35:15 +0100")
Message-ID: <871vk7wwb0.fsf@mocca.josefsson.org>
Cc: sasl@ietf.org

Tobias Markmann <tmarkmann@googlemail.com> writes:

> Hi,
>
> http://tools.ietf.org/html/draft-ietf-sasl-scram-10 describes the Hi
> function this way:
>
> Hi(str, salt, i):
>
> U0 := HMAC(str, salt + INT(1))
> U1 := HMAC(str, U0)
> U2 := HMAC(str, U1)
> ...
> Ui-1 := HMAC(str, Ui-2)
> Ui := HMAC(str, Ui-1)
>
> Hi := U0 XOR U1 XOR U2 XOR ... XOR Ui
>
> If I interpret this correctly for i = 1 you have to calculate U0 and U1 and
> XOR those values.
> However this isn't compatible with existing implementations. For i = 1 you
> seem to have to return only U0.

Thanks for posting this Tobias.

I believe scram -10 is broken here, the Hi function should not differ
from PBKDF2 in any important way.  Implementers may have access to
PBKDF2 from crypto libraries, and we should encourage them to use it
that way instead of re-implementing a slightly different PBKDF2
algorithm.  The current definition of Hi cannot be implemented using
PBKDF2 due to the +-1 mistake.  Fixing this should be simple, see below
for an editing suggestion from Dave Cridland & me -- although I haven't
verified that it is complete because I would prefer to use a normative
reference to RFC 2898 instead.

> So my question: Did I interpret the pseudo code wrong or is the pseudo code
> wrong?

I believe the pseudo code in the -10 document is sub-optimal.

> Would it be problematic to include a couple of test vectors, like
> those Simon published (
> http://josefsson.org/sasl-gs2/draft-josefsson-pbkdf2-test-vectors.txt)
> in the RFC?

I have submitted that draft to the IETF now.  It would indeed be useful
to include SCRAM test vectors in the core SCRAM document though.

/Simon

Simon Josefsson <simon@josefsson.org> writes:

> Dave Cridland <dave.cridland@isode.com> writes:
>
>> On Fri Nov  6 14:10:56 2009, Simon Josefsson wrote:
>>> Here is what I'd prefer.
>>>
>>> OLD:
>>>    o  Hi(str, salt, i):
>>>
>>>       U0   := HMAC(str, salt + INT(1))
>>
>> Change this line to start with U1 instead of U0
>>
>>
>>>       U1   := HMAC(str, U0)
>>
>> Remove this one.
>>
>>
>>>       U2   := HMAC(str, U1)
>>>       ...
>>>       Ui-1 := HMAC(str, Ui-2)
>>>       Ui   := HMAC(str, Ui-1)
>>>
>>>       Hi := U0 XOR U1 XOR U2 XOR ... XOR Ui
>
> This has to be 'U1 XOR U2 ... Ui' too.
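As an added illustration (not code from this thread, the SCRAM draft, or any SCRAM implementation), the following Python implements the Hi function exactly as quoted from draft -10 (U0 .. Ui, i+1 blocks), the corrected form discussed above (U1 .. Ui, i blocks), and compares both with the standard library's RFC 2898 PBKDF2-HMAC. It also shows the general relation: draft -10's Hi with i rounds equals PBKDF2 with i+1 iterations. The password, salt and iteration count are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample inputs for the demonstration (not from the thread).
PASSWORD = b"pencil"
SALT = b"constructed-sample-salt"
ITERATIONS = 4096
HASH = "sha1"  # SCRAM-SHA-1 uses HMAC-SHA-1; any hashlib name works here

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hi_draft10(str_: bytes, salt: bytes, i: int) -> bytes:
    """Hi as written in draft-ietf-sasl-scram-10: U0 = HMAC(str, salt || INT(1)),
    then i further HMAC rounds U1 .. Ui, all XORed together (i+1 blocks)."""
    u = hmac.new(str_, salt + b"\x00\x00\x00\x01", HASH).digest()  # U0
    result = u
    for _ in range(i):  # U1 .. Ui
        u = hmac.new(str_, u, HASH).digest()
        result = _xor(result, u)
    return result

def hi_corrected(str_: bytes, salt: bytes, i: int) -> bytes:
    """Hi after the Cridland/Josefsson correction: U1 = HMAC(str, salt || INT(1)),
    then i-1 further rounds, XORing U1 .. Ui (i blocks). Requires i >= 1."""
    u = hmac.new(str_, salt + b"\x00\x00\x00\x01", HASH).digest()  # U1
    result = u
    for _ in range(i - 1):  # U2 .. Ui
        u = hmac.new(str_, u, HASH).digest()
        result = _xor(result, u)
    return result

def pbkdf2_first_block(str_: bytes, salt: bytes, i: int) -> bytes:
    """Reference: the first output block (dkLen = hash length) of RFC 2898
    PBKDF2-HMAC, as provided by the Python standard library."""
    return hashlib.pbkdf2_hmac(HASH, str_, salt, i,
                               dklen=hashlib.new(HASH).digest_size)

def compare(i: int = ITERATIONS) -> dict:
    """Which of the two Hi definitions agrees with an off-the-shelf PBKDF2?"""
    draft = hi_draft10(PASSWORD, SALT, i)
    fixed = hi_corrected(PASSWORD, SALT, i)
    ref = pbkdf2_first_block(PASSWORD, SALT, i)
    return {
        "draft10_matches_pbkdf2": draft == ref,
        "corrected_matches_pbkdf2": fixed == ref,
        # The off-by-one: draft -10's Hi with i rounds is PBKDF2 with i+1.
        "draft10_equals_pbkdf2_i_plus_1":
            draft == pbkdf2_first_block(PASSWORD, SALT, i + 1),
    }
```

With i = 1 the draft form returns U0 XOR U1, which is PBKDF2 with two iterations, while the corrected form returns only the first HMAC block, matching the existing implementations Tobias observed.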