Re: [secdir] secdir review of draft-harkins-salted-eap-pwd-06

Stefan Winter <> Mon, 10 October 2016 07:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 035C3129413; Mon, 10 Oct 2016 00:03:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.895
X-Spam-Status: No, score=-4.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-2.996, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5SiE-sT2REXD; Mon, 10 Oct 2016 00:03:24 -0700 (PDT)
Received: from ( [IPv6:2001:a18:1::62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6769A128E18; Mon, 10 Oct 2016 00:03:24 -0700 (PDT)
Received: from ( [IPv6:2001:a18:1:8::155]) by (Postfix) with ESMTPS id B678243A7A; Mon, 10 Oct 2016 09:03:22 +0200 (CEST)
To: Simon Josefsson <>, Kathleen Moriarty <>
References: <> <> <> <> <> <>
From: Stefan Winter <>
Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=
Message-ID: <>
Date: Mon, 10 Oct 2016 09:03:22 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="hrKatsw4Q6t4NNH830pfUTQEgVtvQ09hv"
Archived-At: <>
Cc:, "" <>
Subject: Re: [secdir] secdir review of draft-harkins-salted-eap-pwd-06
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Oct 2016 07:03:27 -0000


> I still believe it is a bad idea to describe non-iterative password
> protection schemes at all.  We have had 15+ years of bad incidents with
> salted password databases that suggest it is time to stop doing that.

This is not the ocean this draft attempts to boil.

The draft does not make any recommendations about how to store passwords.

It attempts to make password databases usable with a new EAP type.

I don't think you are actually stating that salt-hash databases don't
exist in massive amounts in deployed reality? Because saying so would be
quite silly; they do exist.

If we were to ignore that deployed reality and spec the draft merely
around PBKDF2 and some, we'd have an EAP type supporting only a tiny
fraction of password databases out there. All the rest of deployed
reality is left without a good zero-knowledge EAP type and is remains
stranded with "traditional" PKIX-style server validations with either a
cleartext password or a lousy NT-Hash inside the TLS tunnel - which, as
our experience in a world-scale EAP-based roaming consortium shows,
means: no protection at all for many because end users ignore all
certificate warnings given half a chance to.

It is actually quite easy to improve security for virtually everybody
using EAP: it's these few paragraphs in the draft which describe how to
use salted databases.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me