Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

"Dan Harkins" <dharkins@lounge.org> Fri, 06 December 2013 23:39 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CB871AE13B for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 15:39:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Level:
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0khfrzGEOlGD for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 15:38:59 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 5ED7A1AE0EA for <tls@ietf.org>; Fri, 6 Dec 2013 15:38:59 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 581DC1022404C; Fri, 6 Dec 2013 15:38:55 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Fri, 6 Dec 2013 15:38:55 -0800 (PST)
Message-ID: <6f16d6d556c68a58918423e0419d31eb.squirrel@www.trepanning.net>
In-Reply-To: <CACaGApmwcaZuicbdk8zC7K+KPa4=Rav95GJU3t4ALLq3ENwVeg@mail.gmail.com>
References: <CACaGApmwcaZuicbdk8zC7K+KPa4=Rav95GJU3t4ALLq3ENwVeg@mail.gmail.com>
Date: Fri, 6 Dec 2013 15:38:55 -0800 (PST)
From: "Dan Harkins" <dharkins@lounge.org>
To: "Joseph Birr-Pixton" <jpixton@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2013 23:39:00 -0000

On Fri, December 6, 2013 3:25 pm, Joseph Birr-Pixton wrote:
> On 6 December 2013 20:00,  <tls-request@ietf.org> wrote:
>> From: "Dan Harkins" <dharkins@lounge.org>
>> To: "CodesInChaos" <codesinchaos@gmail.com>
>> Cc: "tls@ietf.org" <tls@ietf.org>
>> Date: Fri, 6 Dec 2013 10:29:22 -0800 (PST)
>> Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
>>
>> On Fri, December 6, 2013 3:14 am, CodesInChaos wrote:
>>> Database compromises happen all the time, and forcing the server to
>>> store a weakly hashed password
>>> isn't acceptable IMO.
>>
>>   You're absolutely right, that would not be acceptable.
>>
>>   TLS-pwd uses HMAC-SHA256 with a 32 byte random key (salt) to
>> hash passwords that the server stores.
>
> How does this not constitute an immensely fast password oracle?
>
> If the server stores (username, base, salt) per user with base :=
> HMAC-SHA256(salt, username || password) you'd only need to compute
> about 3 SHA256 blocks to check each candidate password.

  It's a balanced PAKE protocol. Like all such schemes (e.g EKE, J-PAKE)
the database of passwords is presumed to not be available to the
attacker.

  Dan.