Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
On Mon, Mar 17, 2008 at 05:48:14PM -0700, Chris Newman wrote:
> I am not convinced the security value of PBKDF-2 offsets the additional
> complexity it adds. Remember there is negative security benefit if we use
> PBKDF-2 and the additional complexity pushes the mechanism over the edge
> into the "not worth implementing" category. It may be not a lot of
> complexity, but every bit matters.
It adds very little additional complexity. Give it a second read...
> While I would personally be fine with abandoning MD5 in favor of SHA1 given
> my code toolkit has both algorithms, I'm concerned about the impact.
Consider the possibility of widespread deployment. Then will come the
FIPS certification requests, then we'll hate MD5.
> Everyone's code toolkit includes MD5, but use of SHA1 is quite rare in
I don't believe that people don't have SHA-1. On Linux? On Solaris?
On Windows? On *BSD? And bindings to most popular languages? With
most or all of the top FOSS licenses (GPL, BSD, MPL, ...)? I haven't
looked at all of them, but I'll eat a shoe (OK, maybe I won't eat a
shoe, but I'll buy a round of beers) if any major OS doesn't have it :)
I don't know enough about embedded devices, but I imagine J2ME, for
example, must have SHA-1 support by now.
Incidentally, for a mechanism like SCRAM deploying a new hash implies
re-enrolling all users (alternatively: the enrolment site keeps all
passwords in the clear; ugh). This is one reason why picking a good
hash now matters.
> applications at the moment. Switching away from MD5 will create a
> deployment barrier. Again, it doesn't matter how much more secure SHA1 is
> than MD5 if the SHA1-based mechanism doesn't deploy and an MD5-based one
> might have deployed. I'd like to hear from other SASL implementers before
> making a firm decision on this one: do you have SHA1 in your code toolkit?
> If not, how hard would it be to add it and would that be a deployment
> barrier?
I'd also like to hear about embedded environments...
Nico
--
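The two points Nico makes above, that PBKDF2 adds very little code and that a SCRAM verifier is bound to one hash so a hash change means re-enrolling every user, can both be seen in a few lines. The following is an added example, not code from this thread or from the SCRAM draft under discussion; it uses the verifier construction as later standardized in RFC 5802 (SaltedPassword via PBKDF2, ClientKey, StoredKey, ServerKey), and the password, salt, iteration count and AuthMessage are constructed sample values.

```python
# Added example (not from the thread): SCRAM verifier derivation in the form
# later standardized in RFC 5802, to show that PBKDF2 is a single standard
# library call and that the stored verifier is tied to one hash function.
import hashlib
import hmac


def derive_verifier(password: str, salt: bytes, iterations: int, hash_name: str) -> dict:
    """Server-side enrollment: compute what the server stores for one user.

    SaltedPassword = PBKDF2-HMAC-<hash>(password, salt, iterations)
    ClientKey      = HMAC(SaltedPassword, "Client Key")
    StoredKey      = H(ClientKey)
    ServerKey      = HMAC(SaltedPassword, "Server Key")
    Only StoredKey and ServerKey are kept; the password is never stored.
    """
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    return {"hash": hash_name, "salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def client_proof(password: str, salt: bytes, iterations: int,
                 hash_name: str, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hash_name).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def server_verify(verifier: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.

    The server only ever learns ClientKey here, never SaltedPassword or the
    password itself, so a successful login under the old hash gives it nothing
    from which a verifier under a new hash could be computed.
    """
    h = verifier["hash"]
    client_sig = hmac.new(verifier["stored_key"], auth_message, h).digest()
    if len(proof) != len(client_sig):
        return False
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.new(h, client_key).digest(), verifier["stored_key"])


# Constructed sample values (not from the thread).
PASSWORD = "correct horse battery staple"
SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
ITERATIONS = 4096
AUTH_MESSAGE = b"n=user,r=clientnonce,r=clientnonceservernonce,s=salt,i=4096,c=biws,r=clientnonceservernonce"


def demo() -> dict:
    """Enroll under SHA-1, then show what happens when the hash changes."""
    v_sha1 = derive_verifier(PASSWORD, SALT, ITERATIONS, "sha1")
    v_sha256 = derive_verifier(PASSWORD, SALT, ITERATIONS, "sha256")
    proof_sha1 = client_proof(PASSWORD, SALT, ITERATIONS, "sha1", AUTH_MESSAGE)
    proof_sha256 = client_proof(PASSWORD, SALT, ITERATIONS, "sha256", AUTH_MESSAGE)
    return {
        # Same password and salt, but the stored verifiers share nothing usable.
        "verifiers_differ": v_sha1["stored_key"] != v_sha256["stored_key"],
        "sha1_login_ok": server_verify(v_sha1, AUTH_MESSAGE, proof_sha1),
        # A client that moved to SHA-256 cannot authenticate against the SHA-1
        # verifier; the user has to be re-enrolled (which needs the password).
        "sha256_against_sha1_verifier": server_verify(v_sha1, AUTH_MESSAGE, proof_sha256),
        "sha256_after_reenrollment": server_verify(v_sha256, AUTH_MESSAGE, proof_sha256),
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The whole PBKDF2 step is the one `pbkdf2_hmac` call in `derive_verifier`; everything else is the HMAC and hash plumbing SCRAM needs regardless. The `demo` function makes the re-enrollment point concrete: the SHA-1 and SHA-256 verifiers for the same password and salt are unrelated, a SHA-256 proof is rejected by a server holding the SHA-1 verifier, and producing the SHA-256 verifier required the password again.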