Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
Nicolas Williams <Nicolas.Williams@xxxxxxx> writes:

> On Mon, Mar 17, 2008 at 05:05:31PM +0100, Simon Josefsson wrote:
>> While thinking about merging SCRAM with my document, I thought about how
>> to handle crypto algorithm agility.  To recap what we have today:
>
> Funny you should ask.  Sam and I, while discussing how to represent
> SCRAM+GS2 in ABNF, both agreed that the hash function used by SCRAM
> should be part of its OID.

Great.

> We also agreed that SCRAM should use PBKDF-2 instead of that Hi()
> function (PBKDF-2 does not add much complexity).

I have suggested PBKDF-2 to the SCRAM authors as well.

> In particular putting algos into the mech name/OID may leak into user
> visible UIs in ways that may not seem helpful.
>
> E.g., imagine that we did this for the krb5 GSS mech, and so for
> RPCSEC_GSS, so then when sharing via NFS one would have a larger
> choice of RPCSEC_GSS triples to select from -- "share -o
> sec=krb5-aes256-i,..." instead of "share -o sec=krb5i ...", say.
>
> At first glance that's annoying, but on the other hand, it gives the
> administrator (and user) better control over what algorithms are used.
> That may be a good thing.  And we can always have a special alias in the
> UI that refers to the set of mechanisms based on SCRAM/krb5/... but
> without regard to algorithms.

I'm not sure the comparison with Kerberos is fair since Kerberos has
internal encryption strength negotiations.  Anyway, until we know this
algorithm leakage is a disadvantage, let's assume it is an advantage. ;)

>> As for the mechanism to use, I would prefer HMAC-SHA1 or HMAC-SHA256
>> over HMAC-MD5.  I think there are some arguments for moving away from
>> HMAC, and use things like OMAC, but I don't think this mechanism is the
>> best place to experiment with that.
>
> Absolutely.  No more MD5 anywhere.

I tend to agree, but I'm not aware of any scientific papers that
suggest HMAC-MD5 is weak.  There is a recent paper that says, IIRC,
that HMAC is stronger than we thought it was, even when used with a
somewhat weak hash function.

/Simon
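Two of the points above, that the hash function should be named in the mechanism identifier and that replacing Hi() with PBKDF2 costs little, can be shown in working code. The example below is an added illustration and is not code from this thread, from either author, or from any SCRAM implementation. It writes out Hi(str, salt, i) as SCRAM eventually specified it in RFC 5802 Section 2.2 and checks that it equals PBKDF2-HMAC with dkLen set to the hash output length (RFC 5802 itself notes the two are essentially the same function; whether the 2008 draft under discussion defined Hi() identically is not something this example claims). The mechanism-name table, the "no MD5" policy it encodes, and the helper names are this example's own assumptions; the password "pencil", salt and iteration count 4096 are the values from the RFC 5802 example exchange. SASLprep normalisation of the password is left out.

```python
import base64
import hashlib
import hmac

# Hash functions this example is willing to use, keyed by the suffix of the
# SASL mechanism name.  Listing only SHA-1 and SHA-2 variants is this example's
# own policy (the "no more MD5" position taken in the thread); it is not a
# registry defined by any SCRAM specification.
MECHANISM_HASHES = {
    "SHA-1": "sha1",
    "SHA-256": "sha256",
    "SHA-512": "sha512",
}


def mechanism_permitted(mech_name: str) -> bool:
    """True if the mechanism name carries a hash that local policy allows."""
    prefix = "SCRAM-"
    return mech_name.startswith(prefix) and mech_name[len(prefix):] in MECHANISM_HASHES


def hash_for_mechanism(mech_name: str) -> str:
    """Map a name such as 'SCRAM-SHA-256' to the hashlib name 'sha256'."""
    if not mechanism_permitted(mech_name):
        raise ValueError(f"hash not permitted by local policy: {mech_name!r}")
    return MECHANISM_HASHES[mech_name[len("SCRAM-"):]]


def scram_hi(hash_name: str, key: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi(str, salt, i) written out as RFC 5802 Section 2.2 defines it.

    U1 = HMAC(str, salt || INT(1)), Uj = HMAC(str, U(j-1)),
    Hi = U1 XOR U2 XOR ... XOR Ui.
    """
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    u = hmac.new(key, salt + (1).to_bytes(4, "big"), hash_name).digest()
    result = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(key, u, hash_name).digest()
        for idx, byte in enumerate(u):
            result[idx] ^= byte
    return bytes(result)


def pbkdf2_hi(hash_name: str, key: bytes, salt: bytes, iterations: int) -> bytes:
    """The same quantity from the standard library's PBKDF2-HMAC.

    With dkLen equal to the HMAC output length PBKDF2 produces a single block
    T1 = U1 XOR ... XOR Uc, using exactly the U values that Hi() uses.
    """
    dklen = hashlib.new(hash_name).digest_size
    return hashlib.pbkdf2_hmac(hash_name, key, salt, iterations, dklen)


def hi_matches_pbkdf2(hash_name: str, key: bytes, salt: bytes, iterations: int) -> bool:
    """Check that the written-out Hi() and library PBKDF2 agree on these inputs."""
    return hmac.compare_digest(scram_hi(hash_name, key, salt, iterations),
                               pbkdf2_hi(hash_name, key, salt, iterations))


def salted_password(mech_name: str, password: bytes, salt: bytes, iterations: int) -> bytes:
    """SaltedPassword for the hash named in the mechanism, computed via PBKDF2.

    The password is assumed to be already SASLprep-normalised bytes; that
    step of RFC 5802 is omitted here.
    """
    return pbkdf2_hi(hash_for_mechanism(mech_name), password, salt, iterations)


if __name__ == "__main__":
    # Password, salt and iteration count from the RFC 5802 example exchange.
    password = b"pencil"
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    for mech in ("SCRAM-SHA-1", "SCRAM-SHA-256"):
        h = hash_for_mechanism(mech)
        print(mech, "Hi == PBKDF2:", hi_matches_pbkdf2(h, password, salt, 4096),
              salted_password(mech, password, salt, 4096).hex())
    print("SCRAM-MD5 permitted:", mechanism_permitted("SCRAM-MD5"))
```

Because the hash is part of the mechanism name, a server can advertise SCRAM-SHA-1 and SCRAM-SHA-256 side by side and retire one without touching the protocol; and because Hi() and PBKDF2 compute the same bytes, an implementation that already has PBKDF2 gains the SCRAM derivation for free.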