Re: [secdir] secdir review of draft-harkins-salted-eap-pwd-06

Simon Josefsson <> Mon, 10 October 2016 07:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1B68D1294A5; Mon, 10 Oct 2016 00:18:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2k694xbzlXDD; Mon, 10 Oct 2016 00:18:31 -0700 (PDT)
Received: from ( [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 698E2127076; Mon, 10 Oct 2016 00:18:31 -0700 (PDT)
Received: from iller ( []) (authenticated bits=0) by (8.14.4/8.14.4/Debian-4+deb7u1) with ESMTP id u9A7IRWu020622 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Mon, 10 Oct 2016 09:18:28 +0200
Message-ID: <>
From: Simon Josefsson <>
To: Stefan Winter <>
Date: Mon, 10 Oct 2016 09:18:24 +0200
In-Reply-To: <>
References: <> <> <> <> <> <> <>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-oGyocCCHUzcxfOshI7aa"
X-Mailer: Evolution 3.12.9-1+b1
Mime-Version: 1.0
X-Virus-Scanned: clamav-milter 0.99.2 at
X-Virus-Status: Clean
Archived-At: <>
Cc:, Kathleen Moriarty <>, "" <>
Subject: Re: [secdir] secdir review of draft-harkins-salted-eap-pwd-06
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Oct 2016 07:18:33 -0000

mån 2016-10-10 klockan 09:03 +0200 skrev Stefan Winter:
> Hello,
> > I still believe it is a bad idea to describe non-iterative password
> > protection schemes at all.  We have had 15+ years of bad incidents with
> > salted password databases that suggest it is time to stop doing that.
> This is not the ocean this draft attempts to boil.
> The draft does not make any recommendations about how to store passwords.

Hello Stefan.

Recommendations ought to be part of the security considerations.  It
already is part of the document, to some extent.

> It attempts to make password databases usable with a new EAP type.
> I don't think you are actually stating that salt-hash databases don't
> exist in massive amounts in deployed reality? Because saying so would be
> quite silly; they do exist.

Of course.  I did not say that, and if you got that impression, I must
have been terribly unclear in what I wrote.

I question whether deployed PRECIS/OpaqueString databases prepared
passwords salted+hashed with SHA1 exists.  PRECIS/OpaqueString is fairly
new.  My perception is that people who are knowledgeable enough to use
PRECIS/OpaqueString to prepare passwords in general also know that
salting passwords is not sufficient.

> If we were to ignore that deployed reality and spec the draft merely
> around PBKDF2 and some, we'd have an EAP type supporting only a tiny
> fraction of password databases out there. All the rest of deployed
> reality is left without a good zero-knowledge EAP type and is remains
> stranded with "traditional" PKIX-style server validations with either a
> cleartext password or a lousy NT-Hash inside the TLS tunnel - which, as
> our experience in a world-scale EAP-based roaming consortium shows,
> means: no protection at all for many because end users ignore all
> certificate warnings given half a chance to.
> It is actually quite easy to improve security for virtually everybody
> using EAP: it's these few paragraphs in the draft which describe how to
> use salted databases.

I'm with you on the high-level discussion.  So let's discuss details.
My assertions are:

1) Drafts dealing with password hashing should not ignore security
practices around password hashing.  Supporting PBKDF2 is a hygiene
factor, scrypt gives bonus points.

2) Complexity leads to reduced security.  Is there legacy justification
for all variants of hashes specified in the document?  Is there legacy
justification for both SASLprep and PRECIS/OpaqueString?

3) I challenge that PRECIS/OpaqueString-prepared passwords are deployed
in a salted+hashed way but without iterative constructs.  If you have
pointers to the opposite, for each of the specified hashes, I'm happy to
learn something new.

What do you think?

I'm aware of password databases that use raw salt+hash on (unprepared)
UTF-8 encoded password strings.  In my experience, that is more common
than salt+hash of SASLprep or PRECIS/OpaqueString passwords.  The draft
does not discuss how the password is encoded for TBD1-TBD10, which seems
like another missing piece.