Re: [TLS] about the PWD Proposal
Matt DeMoss <demoss.matt@gmail.com> Mon, 12 December 2011 18:52 UTC
Return-Path: <demoss.matt@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F8C421F8783 for <tls@ietfa.amsl.com>; Mon, 12 Dec 2011 10:52:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level:
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MkiYosn+wlOt for <tls@ietfa.amsl.com>; Mon, 12 Dec 2011 10:52:51 -0800 (PST)
Received: from mail-ey0-f172.google.com (mail-ey0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id B1D3621F8A6C for <tls@ietf.org>; Mon, 12 Dec 2011 10:52:44 -0800 (PST)
Received: by eaad1 with SMTP id d1so1624817eaa.31 for <tls@ietf.org>; Mon, 12 Dec 2011 10:52:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=hKOfGFyfJPzFgBvVzWcIZEFqyu3wg6zcn7Kp5sJDfHA=; b=wzMF5f+/lZsDhoAsSL8zRMGH5oCxXFR8dGYb8hh10IupLUmxqP/SzFiG3pqbDQhLbE mmFQ92L5m9wez8B8eusWWmyOFT+Xsaug5k1/yN5kfYSaLFuHoROIm8B+FC3ZM/sHlDc6 L+SqsiPkmWGH4Z4OnwDLOsV3qmFcw+jBMNkRI=
MIME-Version: 1.0
Received: by 10.216.46.148 with SMTP id r20mr2438517web.114.1323715963451; Mon, 12 Dec 2011 10:52:43 -0800 (PST)
Received: by 10.223.88.134 with HTTP; Mon, 12 Dec 2011 10:52:43 -0800 (PST)
In-Reply-To: <4ECACDA3.4000003@gmail.com>
References: <mailman.1210.1321701345.3024.tls@ietf.org> <4ECACDA3.4000003@gmail.com>
Date: Mon, 12 Dec 2011 13:52:43 -0500
Message-ID: <CAAJxWYTQwL3=fpf-vF6QYfsJRur2uJJQYeOc+X8DG9zxCsWZQg@mail.gmail.com>
From: Matt DeMoss <demoss.matt@gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] about the PWD Proposal
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Dec 2011 18:52:52 -0000
Does it make sense to suggest that the server could store long term only a salt and the result of PBKDF2? I believe that could be done without altering the proposal, but would be too much work for the server. If the protocol was altered, client and server could negotiate the number of iterations and the work of performing PBKDF2 could be moved to the client. Wifi-Protected Access includes a "pass-phrase–to–PSK mapping" using PBKDF2, but possibly with different goals. On Mon, Nov 21, 2011 at 5:16 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote: > In a somewhat related protocol (IKEv2 with PACE for authentication), we > added an appendix on password salting: > http://tools.ietf.org/html/draft-kuegler-ipsecme-pace-ikev2-08#appendix-B. > The setting there is a little different from tls-pwd, because IKE is > normally symmetric (peer to peer vs. client to server). But some of our > analysis does apply. In particular, dynamically replacing the short > credentials by a long shared secret ( > http://tools.ietf.org/html/draft-kuegler-ipsecme-pace-ikev2-08#appendix-B.3) > would mitigate much of the risk. > > Thanks, > Yaron > > ----- > Hi, > I am interested in the PWD proposal at the meeting, and run through > it(http://tools.ietf.org/html/draft-harkins-tls-pwd-01#section-3.4), > > and have the following concerns: > > 1. In the document, it says both Client and Server should be able to > compute PE, which is derived from username, password, salt,etc. > That means Client or the user should also remember the salt value, in that > case, salt is meaningless and can be replaced by a longer password. > This is quite different from the widely known usage of salt, e.g. in UNIX > operating system, salt is not required to remember by the user, but by > server to fetch locally by reference to the username. > And as far as I know, I am sure the authors also know that, other password > based key exchanges protocols don't involve salt, but store a hash value of > password among other things locally. > >> I realize that this is very different from the usage in UNIX operating >> systems, but it is necessary, as the UNIX (or other) operating system >> running the web server has to store the password. Storing the password in >> the clear on as an unsalted hash is worse than storing a salted hash (or >> "base" in the draft's terminology), so that is what the TLS server does. The >> use of base instead of password is not to protect the password during >> handshake, but to protect it during storage on the server. >> >> Having said that, I think it is now very practical to take a list of the >> 100,000 most popular passwords on the web, a database of 10,000 salted >> hashes (the file described in section 3.4), and find all the matches. That's >> 1,000,000,000 operations, which would take 15 minutes on a MacBook Air (1.4 >> GHz). I think the days of saying that a database of salted hashes makes >> theft of the password file irrelevant should be over. Yes, I know that with >> unsalted hash it would be practical to test the 100,000,000 most popular >> passwords. >> >> session cookies somehow (e.g., via the BEAST attack): but if you don't >> have my OBCs' private keys then you can't actually make use of my >> cookies. >> >> With OBC cookie theft is not enough. With OBC the attacker must get >> at the private keys for the OBCs. >> >> Also, with OBC you get closer to true logout: destroy ("forget") your >> OBC private keys and your sessions are as good as dead. Moreover, the >> user-agent, not the server, is in control of maximum session lifetime, >> since there's no point in the server setting cookies that will outlive >> the OBCs. >> I we can find no other use case, we might want to rename it to "Origin >> Bound Cookie". >> >> But that would require some interesting interaction between layers. >> >> Are all cookies received while using OBC considered (by the client!) bound >> to the OBC? If not, the client might use an old cookie after a logout event, >> leading to the server falsely detecting an attempt to forge a cookie. Maybe >> we need a new keyword on the cookie header. >> >> Where is the "logout" button? If it's part of the website (in the >> "canvas") how does the HTML/HTTP tell the browser to log out? Probably best >> to have it in the Chrome for sites where OBC are supported. > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] about the PWD Proposal zhou.sujing
- Re: [TLS] about the PWD Proposal Yoav Nir
- Re: [TLS] about the PWD Proposal Dan Harkins
- Re: [TLS] about the PWD Proposal Yaron Sheffer
- Re: [TLS] about the PWD Proposal SeongHan Shin
- Re: [TLS] about the PWD Proposal Matt DeMoss
- Re: [TLS] about the PWD Proposal Dan Harkins
- Re: [TLS] about the PWD Proposal Nico Williams
- [TLS] OT: WPA2-PSK vs. TLS-PSK (was about the PWD… Martin Rex
- Re: [TLS] OT: WPA2-PSK vs. TLS-PSK (was about the… Dan Harkins
- Re: [TLS] about the PWD Proposal Dan Brown
- Re: [TLS] about the PWD Proposal Dan Harkins