Re: [secdir] secdir review of draft-harkins-salted-eap-pwd-06

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 07 October 2016 17:58 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AFE81296AA; Fri, 7 Oct 2016 10:58:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YBj7YsPkI-2s; Fri, 7 Oct 2016 10:58:01 -0700 (PDT)
Received: from mail-vk0-x234.google.com (mail-vk0-x234.google.com [IPv6:2607:f8b0:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A84C129694; Fri, 7 Oct 2016 10:58:01 -0700 (PDT)
Received: by mail-vk0-x234.google.com with SMTP id b186so51718698vkb.1; Fri, 07 Oct 2016 10:58:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1tIycrKKQbeHBeQ+mJUhkMTf+u0R9P4/WxJGuOJjaCo=; b=1ATP1vFuuyuSfeVs4vuJum7kquCu6Hx6sm9ccVT9TDAxJPdGP7HMpWVR9Ivx2jX3xk mZ5Y8imtRm2arcQ58tFm0retgQgSbtbSSVcnxWsCZsB0AKk/BcnTDB86J9RgzKIQ7IAd e5jZbMpuTY+XWY5sVkZUK6cZ2h5yDMd1ZJl6SGpZMx9Vhn5bjLCr+Uu36ZMNF8lraqXE CR9nqCASQEnBaPtsMuBd90wquv2wc5+zg4D7zzBRP8ilFbB0dlYSsVLRcDHQWJNQntKn mtfAvIIXH83WfRi9pDwNZNi/hQZM8V6I2CQMoRwea/kwcVdADqr1d7Qkf+3ylLNw4AM6 ejgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1tIycrKKQbeHBeQ+mJUhkMTf+u0R9P4/WxJGuOJjaCo=; b=S0tHgVQseGBNM7efE6K1T9mknWiJ/FAB9J/bMaA+GFde1VNLIs4135WoEffWwL6bdl 9mS8ADjnAwW7z3cNrrThr5LUA5V2JE9jrTizeIv/MPvBVL2cnb2J6AOCqMiMUUOdvhGZ Knupd9eNjxMr5Z4abwlvE9FLgD3n182uMBpzSzMAK3CORe9Yw5pb3ICywQpxGlWh4GLm nK7x9v33mnL6x/JW3qwoJ/C2jIlsOaCoKqw6QkpH51oi/vbwWjUp2knGxdthBOXxcrND Ov5PsRFe/SaiueIU+vzoR2qaxz7RoqEK5hcfihRIxbYSNIrn8m7FbRHLj7uolarM9wPc QfYA==
X-Gm-Message-State: AA6/9RmS87Zl626LbzMjseI4aPBaLXASB7lUIQ9aARMfPGDEryU/XEMOUnYD4iZmgl17UdRc38xqqNiNWvr2sA==
X-Received: by 10.31.228.3 with SMTP id b3mr13983322vkh.49.1475863080073; Fri, 07 Oct 2016 10:58:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.82.68 with HTTP; Fri, 7 Oct 2016 10:57:59 -0700 (PDT)
In-Reply-To: <69d90890-3c84-46e2-d1ef-0e264e28d568@lounge.org>
References: <87fuosqtkh.fsf@latte.josefsson.org> <66a779c8-d87b-7c70-c7cf-7eabc48f9880@lounge.org> <20160924111622.6d1308ce@latte.josefsson.org> <69d90890-3c84-46e2-d1ef-0e264e28d568@lounge.org>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 7 Oct 2016 13:57:59 -0400
Message-ID: <CAHbuEH5U5HmAkxhVqv_z9pB98bH6FcdYb3SJV5Odr88bUJYowQ@mail.gmail.com>
To: Dan Harkins <dharkins@lounge.org>, "secdir@ietf.org" <secdir@ietf.org>
Content-Type: multipart/alternative; boundary=94eb2c0960549ffd35053e4a265c
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/JrcNV0qgeufe1ilDLlsE8xJY8JQ>
Cc: draft-harkins-salted-eap-pwd.all@ietf.org
Subject: Re: [secdir] secdir review of draft-harkins-salted-eap-pwd-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 17:58:04 -0000

Simon,

Have you had a chance to look at this yet?  I'd like to make sure a new
version is posted by Dan before I put this for IESG review.  I'm looking at
Dan's suggestions now as well.  The draft is supposed to be on next week's
telechat, but I'll delay if needed.

Thank you,
Kathleen

On Thu, Sep 29, 2016 at 4:10 PM, Dan Harkins <dharkins@lounge.org> wrote:

>
>   Hi Simon,
>
>   Please take a look at the attached and let me know whether it addresses
> your concerns. I decided against adding support for HTTP Digest-style MD5
> because it requires a client contribution and EAP-pwd doesn't have a way
> to provide that.
>
>   regards,
>
>   Dan.
>
>
>
> On 9/24/16 2:16 AM, Simon Josefsson wrote:
>
>> Den Fri, 23 Sep 2016 10:37:25 -0700
>> skrev Re: [secdir] secdir review of draft-harkins-salted-eap-pwd-06:
>>
>>     Hi Simon,
>>>
>>> On 9/22/16 12:31 AM, Simon Josefsson wrote:
>>>
>>>> Hello,
>>>>
>>>> I have reviewed this document as part of the security directorate's
>>>> ongoing effort to review all IETF documents being processed by the
>>>> IESG. These comments were written primarily for the benefit of the
>>>> security area directors.  Document editors and WG chairs should
>>>> treat these comments just like any other last call comments.
>>>>
>>>     Thank you for your review and comments.
>>>
>> Hi Dan.  Thanks for quick response.
>>
>> This document adds support for salted password databases to EAP-pwd
>>>> (RFC5931).  I believe the document is Not Ready for the following
>>>> reasons:
>>>>
>>>>     1) The introduction and security considerations fails to
>>>> acknowledge that password salting is not sufficient to protect
>>>> against real-world password recovery attacks.  Iterative constructs
>>>> are needed.  This knowledge is old, PBKDF2/RFC2898 (which is one
>>>> standard technique to address the problem) was published in 2000
>>>> and has been widely deployed since then.  The document should
>>>> mention this aspect.  There have been many successful attacks
>>>> against pure-salted password databases in the real world, for
>>>> example: https://en.wikipedia.org/wiki/2012_LinkedIn_hack
>>>>
>>>     The intent is to support existing databases that RFC 5931 could
>>> not. I guess it deserves to be mentioned in case someone wants to
>>> create a new salted password database. I will add something regarding
>>> real-world attacks to recover passwords given a salted/encrypted
>>> database.
>>>
>> Thank you.
>>
>> I believe the experience and understanding in this field is that it is
>> not responsible to publish a document suggesting to use only salted
>> password databases today, or even 10 years ago.  Anything in that
>> direction should come with serious warnings that you are doing
>> something that the community believe is a bad idea, combined with
>> guidelines on how to do it properly (PBKDF2/scrypt).  It seems we are
>> on the same page here, and the detail is how to get the document to say
>> that.
>>
>>     2) Code points for the pre-processing techniques PBKDF2 (RFC
>>>> 2898) and scrypt (RFC 7914) should be added, to support use of best
>>>> security practices.
>>>>
>>>     Great suggestion, I will add these.
>>>
>> Thank you.  Some way to encode the PBKDF2/scrypt parameters in the salt
>> field is required, which require some additional specification work.  I
>> am happy to review text here.
>>
>>     3) There are interop concerns with crypt() when discussion about
>>>> which crypt algorithms (DES, MD5, etc) are to be used is lacking.
>>>> The page <https://en.wikipedia.org/wiki/Crypt_%28C%29> mentions a
>>>> couple of algorithms, but several others exist out there.  Consider
>>>> if the server tells the client to use an exotic crypt() schema like
>>>> BSDi or NTHASH, and the client does not support this algorithm.
>>>> The document should discuss the sub-negotiation problem.  The
>>>> document should mention what happens when the server choses an
>>>> algorithm the client doesn't support.  The document should
>>>> recommend that servers use widely-implemented schemas, like DES,
>>>> md5, or sha256.
>>>>
>>>     Yes, there needs to be something to deal with failure of a client
>>> to support a server's crypt algorithm. Since this is not a dynamic
>>> sort of thing-- oh, you don't like BSDi, how about sha256?-- so I
>>> think the only option is failure, but it should be mentioned.
>>>
>> Agreed.  Failure appears like the only option, but it should be made
>> clear.  It should also be made clear that servers ought to pick common
>> algorithms to avoid this problem, even though the strategy isn't 100%.
>>
>>     4) Introducing a new pre-processing technique like
>>>> OpaqueString+SHA1 or OpaqueString+crypt() add complexity.  As far
>>>> as I understand, there are no password databases with
>>>> OpaqueString-processed passwords which are hashed with SHA-1 or
>>>> crypt out there today.  Thus there is no interop argument for
>>>> introducing the methods.  Please confirm that the intention is to
>>>> introduce these methods as new ideas.  Then let me suggest that you
>>>> only describe OpaqueString+SHA256 and skip OpaqueString+SHA1,
>>>> OpaqueString+SHA512, OpaqueString+crypt.  This reduces complexity
>>>> and does not cause a reduction of security.
>>>>
>>>     Actually no, these aren't for new databases. There has to be some
>>> canonical way to deal with "international" character sets. RFC 5931
>>> used to refer to SASLprep but that's been obsoleted. So I MUST now
>>> refer to OpaqueString.
>>>
>>>     I went to the OpaqueString tutorial a couple of IETFs ago and asked
>>> whether passwords treated with SASLprep would map 1:1 to passwords
>>> treated with OpaqueString and the answer I got was something like,
>>> "uhm, well, I'm not sure. I think so." So the expectation is that a
>>> passphrase of "Eu amo São Paulo" (with the problematic diacritical)
>>> in an existing database created by SASLprep could be used with salted
>>> EAP-pwd and the corresponding OpaqueString pre-processing technique.
>>> And that means that every non-internationalized salting technique
>>> needs an OpaqueString version, including SHA1 and crypt.
>>>
>> I do not understand.
>>
>> Are you saying that you know of implemented/deployed password databases
>> that uses PRECIS OpaqueString processed passwords that are salted and
>> then hashed, the way described by your document?  This would surprise
>> me greatly, but of course it is not impossible.  In my experience,
>> people who are aware of PRECIS/OpaqueString for password processing
>> are aware of iterated password processing algorithms like PBKDF2.
>> I would say more people are aware of PBKDF2 than PRECIS/OpaqueString.
>>
>> Or are you saying that your intent is to support existing deployed
>> SASLprep prepared databases?  Do you know of any that use each of SHA1,
>> SHA256, SHA512 or crypt()?  Or was the addition of all algorithms for
>> completness?
>>
>> SASLprep and OpaqueString are not the same algorithm, and they don't
>> map 1:1, otherwise there wouldn't be any need to have two algorithms.
>>
>> If the intent is to support existing salted+hashed password databases
>> with SASLprep, refering to OpaqueString won't work.
>>
>> This may be a similar situation as with iterated vs non-iterated
>> algorithms.  You could include SASLprep for legacy reasons, but
>> recommend use of OpaqueString going forward.  Same as including
>> SHA1(salt|password) for legacy but recommend use of PBKDF2/scrypt going
>> forward.
>>
>> Further, password databases with HTTP Digest MD5 passwords are
>>>> widely used.  For added legacy compatibility, consider support it
>>>> too.  This is not a show stopper, but failure to mentioning it in
>>>> the context of deployed password databases appears to me like an
>>>> elephant in the room. Where there conscious reasons for not
>>>> including it?  It may be worth stating those reasons in the
>>>> document, if that is the case.
>>>>
>>>     Good suggestion. I'll add MD5 too.
>>>
>> Refer to RFC 7616 for details, it is not as easy as MD5(salt|password),
>> and the document covers SHA-256 and SHA-512/256 too.  If you add this,
>> you will need to discuss what the username and realm should be.  I don't
>> think you must add this if you have no direct use for it, but
>> acknowledging this widely deployed salted password database appears
>> relevant.  It is more important to add PBKDF2/scrypt in my opinion.
>>
>> Thanks,
>> /Simon
>>
>
>


-- 

Best regards,
Kathleen