[vwrap] MD5 must die [was: Re: authentication : remove reference to MD5]
Meadhbh Hamrick <ohmeadhbh@gmail.com> Tue, 06 July 2010 19:19 UTC
Return-Path: <ohmeadhbh@gmail.com>
X-Original-To: vwrap@core3.amsl.com
Delivered-To: vwrap@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 0032E3A6830 for <vwrap@core3.amsl.com>;
Tue, 6 Jul 2010 12:19:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.299
X-Spam-Level:
X-Spam-Status: No, score=-1.299 tagged_above=-999 required=5 tests=[AWL=-1.300,
BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XQSjKRw--r8B for
<vwrap@core3.amsl.com>; Tue, 6 Jul 2010 12:19:47 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com
[209.85.216.44]) by core3.amsl.com (Postfix) with ESMTP id C44C33A692C for
<vwrap@ietf.org>; Tue, 6 Jul 2010 12:19:46 -0700 (PDT)
Received: by qwe5 with SMTP id 5so2357358qwe.31 for <vwrap@ietf.org>;
Tue, 06 Jul 2010 12:19:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
h=domainkey-signature:received:mime-version:received:from:date
:message-id:subject:to:content-type:content-transfer-encoding;
bh=LRvU/FZ8E/ngQ0ziAX4FBhv0Iqgoaz1W+PLMBKBY9YM=;
b=GIjESfVIKIbcFBaRgey+kUdyd+ymBf8QXkftwatKltKSDIiGng6d6PIkxBv61Uxf2n
L2UgzM/Z092jf2oApnWET7PKpeppZwUo0Cakf6/xFXUJpwGvI4J/QK17rhVjSvOKFA5D
BtlZw/xGEXBodFGza6l25XIuuPanwEIcpnlzc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
h=mime-version:from:date:message-id:subject:to:content-type
:content-transfer-encoding;
b=Kbk9Lp03CQMwuTt2CCET2SDVnCbyBmyPyFdOssOsw/M8+ElXjk5Gvenz0bYD54Wy9Q
wAsyHdufLXqiN+GhwQ5jxpj1y1G/46jc0iafMEdnUFMPcB+78X8CH4mcDHf5ZVHE4CUl
1M/MMWD8SJggLu54JKoKEVbChUmhwl1Tg2c7s=
Received: by 10.224.66.88 with SMTP id m24mr2785932qai.217.1278443986265;
Tue, 06 Jul 2010 12:19:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.185.73 with HTTP; Tue, 6 Jul 2010 12:19:26 -0700 (PDT)
From: Meadhbh Hamrick <ohmeadhbh@gmail.com>
Date: Tue, 6 Jul 2010 12:19:26 -0700
Message-ID: <AANLkTinO1OF59fjL9O97lFmvxK01_3YBmnWs5_dCeNbr@mail.gmail.com>
To: vwrap@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: [vwrap] MD5 must die [was: Re: authentication : remove reference to
MD5]
X-BeenThere: vwrap@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Virtual World Region Agent Protocol - IETF working group
<vwrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/vwrap>,
<mailto:vwrap-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vwrap>
List-Post: <mailto:vwrap@ietf.org>
List-Help: <mailto:vwrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vwrap>,
<mailto:vwrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2010 19:19:49 -0000
so i was thinking about auth things and thought i would revive this thread... MD5 is bad, i think we all agree. US-CERT's advisory "MD5 vulnerable to collision attacks" @ http://www.kb.cert.org/vuls/id/836068 explains why. we had a couple of good recommendations: 1. patnad and barry said, "just force people to re-register and store the new password hash." and that's probably a good idea. 2. sean mentioned, "just keep legacy SL running the old system while everyone else uses the new." and that's probably a good idea too. 3. we could also do something funky like say that for peeps like SL, hash the password first with MD5, and then with SHA256. (i.e. - you use the MD5 hash as the shared secret instead of the password.) linden unfortunately has a bazillion users whose passwords are "stored" as MD5 hashes. and i wanted to ask josh and/or joe (who as far as i know) still work at linden... what do you think about this? is there a preference from linden? you guys are going to be the most affected. so to paraphrase winston churchill: "we know it will be hard; we expect it to be long, we cannot predict or measure its episodes or its tribulations. but one thing is certain, one thing is sure, one thing stands out stark and undeniable, massive and unassailable for all the world to see. we cannot see how deliverance will come or when it will come, but nothing is more certain that every trace of MD5's footsteps, every stain of its infected, corroding fingers will be expunged and purged and, if need be, blasted from the surface of the (virtual) earth." -cheers, etc. -meadhbh -- meadhbh hamrick * it's pronounced "maeve" @OhMeadhbh * http://meadhbh.org/ * OhMeadhbh@gmail.com On Wed, Apr 7, 2010 at 9:58 AM, Sean Hennessee <sean@uci.edu> wrote: > If VWRAP has no legacy support, can't the implementors still have mixed mode > support as long as they decide to? Just because an implementor supports > VWRAP, (with no legacy support), doesn't necessarily mean they can't support > legacy protocols as well. Eventually one would hope all would transition to > only VWRAP, but implementors are really the determining factor of how long > that transition takes. Even many web browsers continue to support old > versions of the HTML spec while still supporting newer versions. > > Perhaps VWRAP should include a protocol negotiation protocol allowing > services to determine what protocols and versions of protocols are supported > on each end. "Sorry, your client is not supported on this sim" should be an > option. I see (saw) it often when connecting to SL after major client/server > updates. > > Peace, > Sean > > Meadhbh Hamrick wrote: >> >> actually. that does bring up a good point. LL _could_ just invalidate >> everyone's password and make them go through password reset. >> >> i agree, patnad, i would do it too, but it may be difficult to >> convince everyone to do it, and i'm not sure it's the kind of thing a >> standards organization should require of one of it's implementers. >> >> just my $0.02, but yeah, i'll let the lindens speak for themselves. >> -- >> meadhbh hamrick * it's pronounced "maeve" >> @OhMeadhbh * http://meadhbh.org/ * OhMeadhbh@gmail.com >> >> >> >> On Tue, Apr 6, 2010 at 4:18 PM, Patnad Babii <djshag@hotmail.com> wrote: >>> >>> I think if someday LL ask me to change my password because they made >>> their >>> security system better i would really not mind. So typing a password take >>> 1 >>> minute for changing it. >>> >>> Same for all opensim grid if they someday ask me to change my password >>> because they enforced security i'd be more than happy to provide them >>> with a >>> new one. >>> >>> I don't think people will leave SL just because you "forced" them to >>> change >>> a password honestly. >>> >>> -------------------------------------------------- >>> From: "Meadhbh Hamrick" <ohmeadhbh@gmail.com> >>> Sent: Tuesday, April 06, 2010 2:22 PM >>> To: "Peter Saint-Andre" <stpeter@stpeter.im> >>> Cc: <vwrap@ietf.org> >>> Subject: Re: [vwrap] authentication : remove reference to MD5 >>> >>>> we need clarification about how much of the second life legacy >>>> protocol will be used in VWRAP. >>>> >>>> for instance. second life stores the MD5 hash of user passwords in the >>>> user database and uses it to authenticate users when logging in. >>>> >>>> but MD5 has some significant problems which were exacerbated several >>>> years ago when there was a security breach of linden's servers. >>>> >>>> so if we simply said "we're going to ditch MD5 in favor of SHA256" >>>> there would be a problem with reverse compatibility of the >>>> authentication data. this is because you can't generate the pre-image >>>> from an MD5 MIC and then use it to generate a SHA256 MIC. (or you >>>> can't do that in a way that insures that your MD5 pre image is the >>>> same as the password.) >>>> >>>> so in other words, there is an action we could take in this group that >>>> COULD make it very difficult for linden and presumably existing >>>> OpenSim instances to use the authentication protocol. >>>> >>>> so the question is, to which degree do we add an engineering burden to >>>> existing implementations that would like to adopt this group's output? >>>> the question of the two string identifier is a good one. linden could >>>> probably make systems that adhere to all sorts of different changes. >>>> but to what degree to we make it easy for existing implementers vs. >>>> the desires of people who have yet to build and implementation? >>>> >>>> -cheers >>>> -meadhbh >>>> >>>> >>>> -- >>>> meadhbh hamrick * it's pronounced "maeve" >>>> @OhMeadhbh * http://meadhbh.org/ * OhMeadhbh@gmail.com >>>> >>>> >>>> >>>> On Tue, Apr 6, 2010 at 11:01 AM, Peter Saint-Andre <stpeter@stpeter.im> >>>> wrote: >>>>> >>>>> On 4/6/10 8:19 AM, Meadhbh Hamrick wrote: >>>>>> >>>>>> okay. >>>>>> >>>>>> if we're going to remove VWRAP from all current implementations, >>>>> >>>>> What does that mean? I thought we were trying to build VWRAP into >>>>> implementations, not rip it out. :) >>>>> >>>>>> i >>>>>> vote we remove MD5 from the auth spec and replace it with a MIC with >>>>>> better security properties, like SHA224 or SHA256. >>>>> >>>>> +1 to more secure authentication. >>>>> >>>>> My quick reading of the authentication draft led me to think that it >>>>> needed a thorough review, but unfortunately I haven't had time to do >>>>> that yet. >>>>> >>>>> Peter >>>>> >>>>> -- >>>>> Peter Saint-Andre >>>>> https://stpeter.im/ > > -- > > Sean Hennessee > Central Computing Support > Office of Information Technology > UC Irvine > > > ... . .- -. / .... . -. -. . ... ... . . >
- [vwrap] MD5 must die [was: Re: authentication : r… Meadhbh Hamrick
- Re: [vwrap] MD5 must die [was: Re: authentication… Peter Saint-Andre
- Re: [vwrap] MD5 must die [was: Re: authentication… Marshall Eubanks
- Re: [vwrap] MD5 must die [was: Re: authentication… Joshua Bell