Re: [vwrap] authentication : remove reference to MD5
"Patnad Babii" <djshag@hotmail.com> Tue, 06 April 2010 23:18 UTC
From: "Patnad Babii" <djshag@hotmail.com>
To: "Meadhbh Hamrick" <ohmeadhbh@gmail.com>
Date: Tue, 6 Apr 2010 19:18:40 -0400
Cc: vwrap@ietf.org
Subject: Re: [vwrap] authentication : remove reference to MD5

I think if someday LL asks me to change my password because they made their security system better, I would really not mind. So typing a password takes 1 minute for changing it. Same for all OpenSim grids: if they someday ask me to change my password because they enforced security, I'd be more than happy to provide them with a new one. I don't think people will leave SL just because you "forced" them to change a password, honestly.

--------------------------------------------------
From: "Meadhbh Hamrick" <ohmeadhbh@gmail.com>
Sent: Tuesday, April 06, 2010 2:22 PM
To: "Peter Saint-Andre" <stpeter@stpeter.im>
Cc: <vwrap@ietf.org>
Subject: Re: [vwrap] authentication : remove reference to MD5

> we need clarification about how much of the second life legacy
> protocol will be used in VWRAP.
>
> for instance. second life stores the MD5 hash of user passwords in the
> user database and uses it to authenticate users when logging in.
>
> but MD5 has some significant problems which were exacerbated several
> years ago when there was a security breach of linden's servers.
>
> so if we simply said "we're going to ditch MD5 in favor of SHA256"
> there would be a problem with reverse compatibility of the
> authentication data. this is because you can't generate the pre-image
> from an MD5 MIC and then use it to generate a SHA256 MIC. (or you
> can't do that in a way that ensures that your MD5 pre-image is the
> same as the password.)
>
> so in other words, there is an action we could take in this group that
> COULD make it very difficult for linden and presumably existing
> OpenSim instances to use the authentication protocol.
>
> so the question is, to which degree do we add an engineering burden to
> existing implementations that would like to adopt this group's output?
> the question of the two string identifier is a good one. linden could
> probably make systems that adhere to all sorts of different changes.
> but to what degree do we make it easy for existing implementers vs.
> the desires of people who have yet to build an implementation?
>
> -cheers
> -meadhbh
>
> --
> meadhbh hamrick * it's pronounced "maeve"
> @OhMeadhbh * http://meadhbh.org/ * OhMeadhbh@gmail.com
>
> On Tue, Apr 6, 2010 at 11:01 AM, Peter Saint-Andre <stpeter@stpeter.im>
> wrote:
>> On 4/6/10 8:19 AM, Meadhbh Hamrick wrote:
>>> okay.
>>>
>>> if we're going to remove VWRAP from all current implementations,
>>
>> What does that mean? I thought we were trying to build VWRAP into
>> implementations, not rip it out. :)
>>
>>> i vote we remove MD5 from the auth spec and replace it with a MIC with
>>> better security properties, like SHA224 or SHA256.
>>
>> +1 to more secure authentication.
>>
>> My quick reading of the authentication draft led me to think that it
>> needed a thorough review, but unfortunately I haven't had time to do
>> that yet.
>>
>> Peter
>>
>> --
>> Peter Saint-Andre
>> https://stpeter.im/
>>
>> _______________________________________________
>> vwrap mailing list
>> vwrap@ietf.org
>> https://www.ietf.org/mailman/listinfo/vwrap
>
> _______________________________________________
> vwrap mailing list
> vwrap@ietf.org
> https://www.ietf.org/mailman/listinfo/vwrap
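
The compatibility problem discussed in this message, as an added example that is not part of the thread or of any VWRAP, Linden or OpenSim code: a server holding only MD5 digests cannot derive the new credential in bulk, but it can re-store it the next time the user presents the password (a login or a password change). The record layout, the function names and the use of salted PBKDF2-HMAC-SHA256 rather than the bare SHA224/SHA256 suggested in the thread are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative work factor (assumption)

def legacy_record(password):
    # Constructed legacy row: only the unsalted MD5 hex digest is stored.
    return {"scheme": "md5", "digest": hashlib.md5(password.encode()).hexdigest()}

def new_record(password):
    # Assumed replacement scheme: salted PBKDF2-HMAC-SHA256.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "salt": salt.hex(), "digest": dk.hex()}

def verify(record, password):
    # Recompute the digest under the record's own scheme, compare in constant time.
    if record["scheme"] == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
    elif record["scheme"] == "pbkdf2-sha256":
        salt = bytes.fromhex(record["salt"])
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, ITERATIONS).hex()
    else:
        return False
    return hmac.compare_digest(candidate, record["digest"])

def login(db, user, password):
    # Authenticate, and upgrade a legacy row while the plaintext is in hand.
    record = db.get(user)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "md5":
        db[user] = new_record(password)  # the MD5 digest is discarded here
    return True

def offline_convert(record):
    # All a bulk migration can do: hash the stored digest, not the password.
    return hashlib.sha256(record["digest"].encode()).hexdigest()

def direct_sha256(password):
    # What a new client would compute from the password itself.
    return hashlib.sha256(password.encode()).hexdigest()
```

Accounts that never log in again keep their MD5 row, which is where a forced password change of the kind discussed above comes in.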