
Re: Crypto agility in SCRAM + draft-josefsson-password-auth?



Nicolas Williams <Nicolas.Williams@xxxxxxx> writes:

> On Tue, Mar 18, 2008 at 06:38:45PM +0100, Simon Josefsson wrote:
>> One argument in favor of SHA-1 could be that SHA-1's total life-time in
>> service (1995-2010?) appears likely to be longer than what SHA-256's total
>> life-time in service will be (2002-?).  I assume that once the SHA-3
>> competition is finished, SHA-2 will be deprecated.
>> 
>> The total life-time in service corresponds to the amount of security
>> critical purposes the hash is used for.  Which consequently corresponds
>> to the amount of time researchers spend on trying to attack it.  That is
>> the best measure on a cryptographic algorithm's quality that we can use
>> in the IETF, I think.
>
> Whereas I think that consensus is the best "measure of a cryptographic
> algorithm's quality that we can use in the IETF."
>
> Look, if a paper comes out tomorrow that shows a reduction in strength
> of SHA-1 to the point that it's worthless, then all those "years in
> service" will no longer be a useful measure of SHA-1's strength.

Then the researchers aren't "trying to attack it" anymore, they have
succeeded. ;)

> IETF consensus on these issues will have to be informed by cryptographer
> consensus, and by what non-cryptographers can understand the state of
> the art and the trends to be.  That's much too subjective, yes, but
> "years in service" is only deceptively objective.

Sure.

>> I don't think we should specify both, it will cause interop problems.
>
> None that we didn't already know we'd have as a result of having hash
> agility in the first place.

True.  Hm.  Perhaps specifying both actually isn't such a poor idea.

Can we get away with specifying both SCRAM-SHA1 and SCRAM-SHA224 and say
that servers MUST support both and clients MAY support either?

>> I would be fine with HMAC-SHA-256.  It will take at least one year until
>> this RFC is published (if we are optimistic) and then it is even more
>> likely that all relevant platforms will have SHA-256.
>
> I can agree with that.  I don't think Chris will like that answer
> though.

I feel the same, but I wonder what platforms Chris works with where even
SHA-1 could be a problem.  When we get the published specification
deployed, I wouldn't be surprised if SHA-1 wasn't already officially
deprecated.

/Simon
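As an added illustration of the "servers MUST support both, clients MAY support either" proposal above (example code, not from the thread or from any SCRAM draft): a hash-agile SCRAM-style exchange in Python. The key derivation follows the definitions later published in RFC 5802 (Hi = PBKDF2-HMAC, ClientKey/StoredKey/ServerKey, ClientProof = ClientKey XOR ClientSignature); the hyphenated mechanism names, the salt, the iteration count and the AuthMessage are constructed for the example. The point it makes concrete is the interop cost of agility: StoredKey is hash-specific, so a server supporting two hashes must keep one verifier per hash, and a client whose only mechanism the server lacks cannot authenticate at all.

```python
import hashlib
import hmac

# Mechanism name -> hash constructor. SHA-1 and SHA-224 are the two the thread
# proposes; SHA-256 is included as the "later platforms" option. Hyphenated
# spellings are an assumption of this example.
MECHANISMS = {
    "SCRAM-SHA-1": hashlib.sha1,
    "SCRAM-SHA-224": hashlib.sha224,
    "SCRAM-SHA-256": hashlib.sha256,
}

# Constructed sample parameters (not from the thread).
SAMPLE_SALT = b"constructed-salt-value"
SAMPLE_ITERATIONS = 4096
SAMPLE_AUTH_MESSAGE = b"constructed-auth-message"


def hi(hash_name, password, salt, iterations):
    """Hi(str, salt, i) as defined in RFC 5802: PBKDF2 with HMAC, one digest long."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)


def derive_keys(mech, password, salt, iterations):
    """Derive ClientKey, StoredKey and ServerKey under the hash named by `mech`."""
    h = MECHANISMS[mech]
    salted = hi(h().name, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", h).digest()
    return {
        "client_key": client_key,
        "stored_key": h(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", h).digest(),
    }


def provision_user(password, salt, iterations, mechs):
    """Server side: one verifier per supported hash, since StoredKey depends on H.
    Only StoredKey/ServerKey are kept; ClientKey is never stored."""
    verifiers = {}
    for m in mechs:
        keys = derive_keys(m, password, salt, iterations)
        verifiers[m] = {
            "salt": salt,
            "iterations": iterations,
            "stored_key": keys["stored_key"],
            "server_key": keys["server_key"],
        }
    return verifiers


def negotiate(server_mechs, client_prefs):
    """Pick the first client-preferred mechanism the server also offers."""
    for m in client_prefs:
        if m in server_mechs:
            return m
    return None


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def client_proof(mech, password, salt, iterations, auth_message):
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    h = MECHANISMS[mech]
    client_key = derive_keys(mech, password, salt, iterations)["client_key"]
    stored_key = h(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, h).digest()
    return xor_bytes(client_key, client_sig)


def server_verify(verifier, mech, auth_message, proof):
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    h = MECHANISMS[mech]
    stored_key = verifier["stored_key"]
    client_sig = hmac.new(stored_key, auth_message, h).digest()
    client_key = xor_bytes(proof, client_sig)
    return hmac.compare_digest(h(client_key).digest(), stored_key)


def run_exchange(verifiers, client_prefs, password_tried,
                 auth_message=SAMPLE_AUTH_MESSAGE):
    """Full round: negotiate a mechanism, then prove and verify under its hash.
    Returns (chosen mechanism or None, authenticated?)."""
    mech = negotiate(list(verifiers), client_prefs)
    if mech is None:
        return (None, False)  # no common hash: the interop failure the thread worries about
    v = verifiers[mech]
    proof = client_proof(mech, password_tried, v["salt"], v["iterations"], auth_message)
    return (mech, server_verify(v, mech, auth_message, proof))


if __name__ == "__main__":
    both = provision_user("correct horse", SAMPLE_SALT, SAMPLE_ITERATIONS,
                          ["SCRAM-SHA-1", "SCRAM-SHA-224"])
    print(run_exchange(both, ["SCRAM-SHA-224", "SCRAM-SHA-1"], "correct horse"))
    print(run_exchange(both, ["SCRAM-SHA-256"], "correct horse"))
```

Provisioning stores a separate StoredKey/ServerKey pair per hash, so adding a second mandatory hash to the server doubles the stored verifier material and means a password change must re-derive every entry; this is the cost hidden behind "servers MUST support both".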