lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 19 Jan 2014 21:21:51 +0000
From: "Poul-Henning Kamp" <phk@....freebsd.dk>
To: discussions@...sword-hashing.net, Larry Bugbee <bugbee@....com>
Subject: Re: [PHC] Native server relief support for password hashing in browsers

In message <3E7F59A0-A69C-45EF-9D39-68622DA14C7D@....com>, Larry Bugbee writes:

>Will the submissions be designed so client-side assistance will be
>practical?

Is client-side assistance without a secure tunnel ever practical ?

I spent a lot of time researching this some years back, and concluded
that it wasn't worth it.

It may be my lack of imagination, but every scheme I came up with,
required strong privacy for the connection, or the NSA[1] would be able
to deduce the password given a small-ish number of session taps.

Without going into too much detail, I don't think the salt should
be revealed to the client and the eavesdroppers, so we cannot involve
the client in anything from the point in the algorithm where the
salt is mixed in.

Any algorithm along the general scheme:

	a = password
	for i in N:
		a = crypto_graphic_hash(a)
	[...]

Would allow some fraction of N to be offloaded to the client, but this
is a lot less useful than you'd think.

If the number of rounds we ask the client to perform is constant,
a trivial replay is possible.

If we ask for a variable number of rounds, you can always use a
recorded session with a lower round-count to replay into a higher
asked-for round-count (hint: OPIE and S/KEY)

To work around that, we could ask the client to throw half the
entropy away:

	a = password
	for i in N:
		a = crypto_graphic_hash(first_half_of(a))
	[...]

If the hash were wide, something like SHA512, that *may* be defensible
behaviour:  Given the lack of entropy in real-world passwords, the
actual loss of entropy is limited, but it makes me feel very, very
uncomfortable doing so.

It should not be overlooked that the client and server do in fact
have a shared secret, even though the server does not keep it around
in readble form.

It would be possible to modify the above algorithm to something
like:

	a = password
	b = make_integer_from(cryptographic_hash(a)):
	for i N + b:
		a = cryptographic_hash(a)
	[...]

And hand the client a random number X, and have it perform a
hardly predictable number of rounds, maybe ((X * b) mod (N + b)) or
similar.

The server would have to store b along with the password for this
to work.  The parameters can probably be tuned so that it only
leaves a real replay opening, if the server happens to ask for the
same X again.

But would it be worth the extra complexity ?

Only if you can *always* mandate client-assist, will there be any
benefit of the "make botnets work for it" type, and I think what
little benefit that might give is better handled by ratelimiting
attempts at the server side.

If you need to enter passwords over a non-private channel, you
want to use *real* one-time-passwords (S/KEY or OPIE) you don't
want some "ersatz" which gives you security "most of the time",
but which fails fatally without any indication, if some bonehead
somewhere f**ks up the implementation.

So my conclusion was that client-assist is not worth it.

I'm willing to be convinced otherwise, but it wont be easy.

Poul-Henning

[1] We now know that's where Eve works.


-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@...eBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Powered by blists - more mailing lists