[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Crypto agility in SCRAM + draft-josefsson-password-auth?

To: Chris Newman <Chris.Newman@xxxxxxx>
Subject: Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
From: Simon Josefsson <simon@xxxxxxxxxxxxx>
Date: Tue, 18 Mar 2008 02:12:48 +0100
Cc: ietf-sasl@xxxxxxx
In-reply-to: <> (Chris Newman's message of "Mon, 17 Mar 2008 17:48:14 -0700")
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <877ig12v5g.fsf@xxxxxxxxxxxxxxxxxxx> <>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Chris Newman <Chris.Newman@xxxxxxx> writes:

> I am not convinced the security value of PBKDF-2 offsets the
> additional complexity it adds.  Remember there is negative security
> benefit if we use PBKDF-2 and the additional complexity pushes the
> mechanism over the edge into the "not worth implementing" category.
> It may be not a lot of complexity, but every bit matters.

Implementing PBKDF-2 is easy:

http://git.sv.gnu.org/gitweb/?p=gnulib.git;a=blob;f=lib/gc-pbkdf2-sha1.c;hb=HEAD

You can find PBKDF-2 implemented in some crypto toolkits.  Using such
toolkits may reduce implementation complexity in some environments.

There are test vectors available for PBKDF-2 and also source code
examples.  Neither is available for the Hi(HMAC()) idea in SCRAM, as far
as I can tell.

> While I would personally be fine with abandoning MD5 in favor of SHA1
> given my code toolkit has both algorithms, I'm concerned about the
> impact. Everyone's code toolkit includes MD5, but use of SHA1 is quite
> rare in applications at the moment.  Switching away from MD5 will
> create a deployment barrier.  Again, it doesn't matter how much more
> secure SHA1 is than MD5 if the SHA1-based mechanism doesn't deploy and
> an MD5-based one might have deployed.  I'd like to hear from other
> SASL implementers before making a firm decision on this one: do you
> have SHA1 in your code toolkit? If not, how hard would it be to add it
> and would that be a deployment barrier?

In my experience, these days SHA-1 is as widely available as MD5.  Any
applications that implement TLS has a SHA-1 implementation somewhere.
Certainly my SASL library has no problem using SHA-1.

/Simon

References:
- Crypto agility in SCRAM + draft-josefsson-password-auth?
  - From: Simon Josefsson
- Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
  - From: Chris Newman

Prev by Date: Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
Next by Date: Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
Previous by thread: Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
Index(es):
- Date
- Thread