Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

Joseph Birr-Pixton <jpixton@gmail.com> Fri, 06 December 2013 23:25 UTC

Return-Path: <jpixton@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B6E21ADF63 for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 15:25:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7o6lHFsLGGZ2 for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 15:25:49 -0800 (PST)
Received: from mail-qe0-x22c.google.com (mail-qe0-x22c.google.com [IPv6:2607:f8b0:400d:c02::22c]) by ietfa.amsl.com (Postfix) with ESMTP id DB9E21ADE87 for <tls@ietf.org>; Fri, 6 Dec 2013 15:25:48 -0800 (PST)
Received: by mail-qe0-f44.google.com with SMTP id nd7so1090990qeb.3 for <tls@ietf.org>; Fri, 06 Dec 2013 15:25:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=poPAyj2TGJYLxpDTNPid5BT0d7tm+YM6MZXkzrMjXxM=; b=gV4X/pP8/J0X5DqZksudoVKZZAKLy0SrohgMPZTtzeW7uiCXk28Kk0R5iR+v6h4s6/ vzrECwCq3feQUWxWBOXR8ltYnX6nhJzN0RBAXrEPPRuKA5KZnNVZEDi0qe0kx/f8ConE SEhgPQRVJ59xolaFt7UclNP1sINCjzea9dU1DOJV7uhyKKBgoOvu+xDtHTsgc9W2JKBM /by/I2LBnFVc8oZ3Ldnq+8mNgJS5bUWhamS0wCeLgtB6lPorshY/dWUWzkG890uY5MM/ qT5QbP2VOmjOpK67shFpC7AOmJ0iyoMABa82t/9tRYa+2K+DDWIyeOinm/igPTHiVlfJ PdhA==
MIME-Version: 1.0
X-Received: by 10.224.47.3 with SMTP id l3mr11181825qaf.25.1386372344811; Fri, 06 Dec 2013 15:25:44 -0800 (PST)
Received: by 10.224.172.130 with HTTP; Fri, 6 Dec 2013 15:25:44 -0800 (PST)
Date: Fri, 6 Dec 2013 23:25:44 +0000
Message-ID: <CACaGApmwcaZuicbdk8zC7K+KPa4=Rav95GJU3t4ALLq3ENwVeg@mail.gmail.com>
From: Joseph Birr-Pixton <jpixton@gmail.com>
To: tls@ietf.org, dharkins@lounge.org
Content-Type: text/plain; charset=UTF-8
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2013 23:25:53 -0000

On 6 December 2013 20:00,  <tls-request@ietf.org> wrote:
> From: "Dan Harkins" <dharkins@lounge.org>
> To: "CodesInChaos" <codesinchaos@gmail.com>
> Cc: "tls@ietf.org" <tls@ietf.org>
> Date: Fri, 6 Dec 2013 10:29:22 -0800 (PST)
> Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
>
> On Fri, December 6, 2013 3:14 am, CodesInChaos wrote:
>> Database compromises happen all the time, and forcing the server to
>> store a weakly hashed password
>> isn't acceptable IMO.
>
>   You're absolutely right, that would not be acceptable.
>
>   TLS-pwd uses HMAC-SHA256 with a 32 byte random key (salt) to
> hash passwords that the server stores.

How does this not constitute an immensely fast password oracle?

If the server stores (username, base, salt) per user with base :=
HMAC-SHA256(salt, username || password) you'd only need to compute
about 3 SHA256 blocks to check each candidate password.

Cheers,
Joe