Re: [secdir] Review of draft-ietf-httpauth-digest-15
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Thu, 09 April 2015 00:56 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22BFF1ACCE5; Wed, 8 Apr 2015 17:56:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.799
X-Spam-Level:
X-Spam-Status: No, score=-0.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_21=0.6, J_CHICKENPOX_41=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J4GwyilqEjOV; Wed, 8 Apr 2015 17:56:40 -0700 (PDT)
Received: from mail-ob0-x229.google.com (mail-ob0-x229.google.com [IPv6:2607:f8b0:4003:c01::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D22551AC44B; Wed, 8 Apr 2015 17:56:39 -0700 (PDT)
Received: by oblw8 with SMTP id w8so114435213obl.0; Wed, 08 Apr 2015 17:56:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=MZ07QGiXu4CEoIGBlmC9K0PlCUCpPQCSFjSt7/YQT/Q=; b=MS9tT8qeCr8iowqm4YfROl2RxdIdQLuw5of89lCCWPr7tS5o/nb1MLblaeOaKoQQCC kTMWjVDChn8i8rks+PJ7OZ+XObXFtaE/SK6A0HsWjYAmDQYzVjypTMqcPh+6lhccIax8 PxyDQRI1JtfgLUWrRGUx2VWXSUfEb/Wrr1OGb7/Xl8RA+Rm9u4Co652GAl4FCNKvPWP/ xGDTQ5ScCzY3dkSPdnVBMTI6mIWHPQVHaVqH8Ts/QFj8C1R/+xfL6h2S5NABFaCI6kFv S4ej2NxcFtifZjh+YYmzG0XsSHHezvdYP2l8d08DwiU59BQPmwczKq7fa0+KaSSeNf2I ZWyw==
MIME-Version: 1.0
X-Received: by 10.182.255.195 with SMTP id as3mr35617592obd.56.1428540999430; Wed, 08 Apr 2015 17:56:39 -0700 (PDT)
Received: by 10.202.93.69 with HTTP; Wed, 8 Apr 2015 17:56:39 -0700 (PDT)
In-Reply-To: <201504082304.t38N48Ga016518@sylvester.rhmr.com>
References: <201504082304.t38N48Ga016518@sylvester.rhmr.com>
Date: Wed, 08 Apr 2015 20:56:39 -0400
Message-ID: <CAGL6epJofSrCc=A4caBZ+cYiAgR2eeRBnCra06w9ACmsVyub+g@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
To: Hilarie Orman <hilarie@purplestreak.com>
Content-Type: multipart/alternative; boundary="001a1134a616d1779f0513401e2e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/oUvbEWKCF2kfnFNoJ3zk6FZMOkQ>
X-Mailman-Approved-At: Wed, 08 Apr 2015 18:00:08 -0700
Cc: draft-ietf-httpauth-digest.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] Review of draft-ietf-httpauth-digest-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2015 00:56:42 -0000
Hi Hilarie, Thanks for your review and comments. Please, see my reply inline... Regards, Rifaat On Wed, Apr 8, 2015 at 7:04 PM, Hilarie Orman <hilarie@purplestreak.com> wrote: > Security review of > HTTP Digest Access Authentication > draft-ietf-httpauth-digest-15 > > Do not be alarmed. I have reviewed this document as part of the > security directorate's ongoing effort to review all IETF documents > being processed by the IESG. These comments were written primarily > for the benefit of the security area directors. Document editors and > WG chairs should treat these comments just like any other last call > comments. > > HTTP authentication can be done via username and password. This > document defines two hash function based methods for sending a binding > between the password, username, and other information. The password > can be verified on a server by checking the hash using the recorded > password and the current information. The method defines the use of > newer hash functions but keeps backwards compatibility with MD5. > > "Section 3.1 Overall Operation > .... > The security of this protocol is critically dependent on the > randomness of the randomly chosen parameters, such as client and > server nonces. These should be generated by a strong random or > properly seeded pseudorandom source (see [RFC4086])." > > The above seems to be something that should go into the noticeably > absent "Security Considerations" section. > > Hmmm, did you miss section 5? > Page 5, discussions the "nonce". The "secret-data" is what requires > the high-quality randomness mentioned in section 3.1. This should be > explicitly noted. There should be some guidance on the minimum > acceptable length of the secret-data ... 128 bits seems reasonable to > me. The maximum length should also be specified, and I would > recommend that it be no more than 512 bits at most. > > I would further recommend that the secret data be generated explicitly > for digest authentication and not copied from some other random value > used by the server for other security purposes. Further, the > "secret-data" should be changed periodically, not just on server > restart. > > The document explicitly states that "The contents of the nonce are implementation dependent". The text was copied from RFC2617, and unless there is a good chance that people would be interested in implementing these new ideas, I would rather we keep it as is. Also, can you explain why do you recommend 128 bits as minimum and 512 bits as maximum? > "Also, IP address spoofing is not that hard." would be better stated > as "Source IP addresses are no guarantee of end-to-end integrity." > > Well, the existing text at least states why you should not rely on IP address. With your proposed text, you state something but do not explain what is that the case. > Page 5, "opaque" data string. What is the minimum acceptable length? > 16 bytes? Maximum? There should be a maximum. > > Again, this is implementation dependent. > Page 6 > " algorithm > > A string indicating a pair of algorithms used to produce the > digest and a checksum. If this is not present it is assumed to be > "MD5". > " > > How is "MD5" a pair of algorithms? Is "MD5,MD5" a pair? Or is the > there actually a single algorithm that will be used in two ways (keyed > and unkeyed digest)? > > This is the way it was stated in RFC2617. It is the same algorithm used to hash different things. I will fix it. > It would be helpful to note that "KD" means "Keyed digest". Ok. > It would > be better to use HMAC than the concatenation shown. > > Yeah, as I mentioned in a response to a previous review, and I would be happy to do that if there is interest and support for adding HMAC support. > Rather than "checksum", it would be more appropriate to say "digest" > or "unkeyed digest". E.g, "to produce a keyed digest and an unkeyed > digest." > > Ok. > Page 8, what is the minimum acceptable length for cnonce? Maximum length? > > This is implementation dependent. > Page 10, "cnounce" should be "cnonce". > > Ok > I would recommend that the keyed digest be done in the following way: > > K = H(password) > C = concatenation of a bunch of non-secret stuff > KD(K, C) = HMAC(K, C) = H(K, H(K, C)) > > For the H-ness calculations, > > C' = unq(username) ":" unq(realm) ":" unq(nonce-prime) ":" > unq(cnonce-prime) > > A1 = HMAC(K, C') > > and then > > KD ( A1, C ) = HMAC(A1, C) = H(A2, H(A1, C)) > > Let's first see if there is support for the idea of adding HMAC support; after that we will deal with these details. Regards, Rifaat > Hilarie >
- Re: [secdir] Review of draft-ietf-httpauth-digest… Rifaat Shekh-Yusef
- [secdir] Review of draft-ietf-httpauth-digest-15 Hilarie Orman