Re: [HACKERS] MD5 authentication needs help -SCRAM
At 2015-03-14 09:44:02 +0200, hlinn...@iki.fi wrote:
> Perhaps it would be time to restart the discussion on standardizing SRP
> as a SASL mechanism in IETF.

I haven't seen much evidence that there's any interest in doing this; in fact, I can't remember the author of the draft you pointed to being very active in the discussions either.

> Assume that the connection is not encrypted, and Eve captures the SCRAM
> handshake between Alice and Bob. Using the captured handshake, she can
> try to guess the password, offline. With a PAKE protocol, she cannot do
> that.

OK. I agree that this is a nice property. SCRAM made the design decision to hinder such attacks by using PBKDF2 rather than a zero-knowledge key exchange mechanism as SRP does. This was partly due to the trend that I mentioned of wanting to require TLS everywhere.

I'm obviously biased in this matter, but I think it's acceptable for the potential attack to be frustrated by the use of PBKDF2 and defeated by the use of TLS (which is already possible with Postgres); and that in the balance, SCRAM is easier to implement securely than SRP.

Of course, if you want to use x as your password everywhere, then SRP is preferable. ;-)

-- Abhijit

P.S. I don't know why the SRP code was removed from LibreSSL; nor am I sure how seriously to take that. It's possible that it's only because it's (still) rather obscure.

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] MD5 authentication needs help -SCRAM
As a followup, I spoke to an IETF friend who's used and implemented both SRP and SCRAM. He agrees that SRP is cryptographically solid, that it's significantly more difficult to implement (and therefore has a bit of a monoculture risk overall, though of course that wouldn't apply to us if we were to write the code from scratch).

Apparently the patent status is still not entirely clear. Two of the patents expired, but there are others that may be relevant. Stanford claims a patent, but apparently grants a free license if you do meet certain conditions. But he doesn't know of anyone having to go to court over the use of SRP.

-- Abhijit
Re: [HACKERS] MD5 authentication needs help -SCRAM
Abhijit Menon-Sen wrote:
> P.S. I don't know why the SRP code was removed from LibreSSL; nor am I
> sure how seriously to take that. It's possible that it's only because
> it's (still) rather obscure.

As I recall, the working principle of the LibreSSL guys is to remove everything that can't be understood quickly, to reduce the code base to the minimum required to support the basic features they want, and still be sure that there are little or no security holes. In a later stage their intention is to re-add interesting features as they have time to audit the code.

--
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training Services
Re: [HACKERS] MD5 authentication needs help -SCRAM
* Abhijit Menon-Sen (a...@2ndquadrant.com) wrote:
> As a followup, I spoke to an IETF friend who's used and implemented
> both SRP and SCRAM. He agrees that SRP is cryptographically solid, that
> it's significantly more difficult to implement (and therefore has a bit
> of a monoculture risk overall, though of course that wouldn't apply to
> us if we were to write the code from scratch).

There is also 'JPAKE':

http://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling

Which had been in OpenSSH and OpenSSL and is still in NSS and Firefox Sync.

Thanks!

Stephen
Re: [HACKERS] MD5 authentication needs help -SCRAM
On 03/09/2015 04:43 PM, Abhijit Menon-Sen wrote:
> At 2015-03-09 13:52:10 +0200, hlinn...@iki.fi wrote:
>> Do you have any insight on why the IETF working group didn't choose a
>> PAKE protocol instead of or in addition to SCRAM, when SCRAM was
>> standardized?
>
> Hi Heikki.
>
> It was a long time ago, but I recall that SRP was patent-encumbered:
>
> https://datatracker.ietf.org/ipr/search/?rfc=2945submit=rfc
>
> The Wikipedia page says the relevant patents expired in 2011 and 2013.
> I haven't followed SRP development since then, maybe it's been revised.
>
> When SCRAM was being discussed, I can't recall any other proposals for
> PAKE protocols. Besides, as you may already know, anyone can submit an
> internet-draft about anything. It needs to gain general support for an
> extended period in order to advance through the standards process.

Ok, makes sense. Perhaps it would be time to restart the discussion on standardizing SRP as a SASL mechanism in IETF. Or we could just implement the draft as it is.

> Could you please explain what exactly you mean about a SCRAM
> eavesdropper gaining some advantage in being able to mount a dictionary
> attack? I didn't follow that part.

Assume that the connection is not encrypted, and Eve captures the SCRAM handshake between Alice and Bob. Using the captured handshake, she can try to guess the password, offline. With a PAKE protocol, she cannot do that.

- Heikki
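The property Heikki describes here, and the PBKDF2 cost Abhijit points to in his reply, as an added example that is not code from this thread or from PostgreSQL: a minimal SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677) using only Python's standard library, with both sides' messages, followed by a check showing that the captured messages alone are enough to decide whether a candidate password is the one the client used. The user name, password, salt and nonces are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed example values (not from the thread, not PostgreSQL code): a weak
# password, a fixed salt and fixed nonces so that the run is deterministic.
USER = "alice"
PASSWORD = "pencil"
SALT = b"constructed-salt"
ITERATIONS = 4096
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_NONCE = "hvYDpWUa2RaTCAfuxFIlj"


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def derive_keys(password: str, salt: bytes, iterations: int):
    """PBKDF2 step of SCRAM (RFC 5802 section 3): (ClientKey, StoredKey, ServerKey)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac_sha256(salted, b"Client Key")
    server_key = hmac_sha256(salted, b"Server Key")
    return client_key, h(client_key), server_key


def server_credentials(password: str, salt: bytes, iterations: int) -> dict:
    """What the server stores when the password is set: never the password itself."""
    _, stored_key, server_key = derive_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def run_handshake(user, password, creds, client_nonce, server_nonce):
    """Runs the four SCRAM-SHA-256 messages. Returns (transcript, server_ok, client_ok)."""
    client_first_bare = f"n={user},r={client_nonce}"
    client_first = "n,," + client_first_bare
    nonce = client_nonce + server_nonce
    server_first = f"r={nonce},s={b64(creds['salt'])},i={creds['iterations']}"
    client_final_bare = f"c={b64(b'n,,')},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode("ascii")

    # Client: the only party holding the password; proves it with ClientKey XOR ClientSignature.
    client_key, stored_key, server_key = derive_keys(password, creds["salt"], creds["iterations"])
    proof = xor(client_key, hmac_sha256(stored_key, auth_message))
    client_final = f"{client_final_bare},p={b64(proof)}"

    # Server: holds only StoredKey; unmasks ClientKey from the proof and hashes it.
    recovered_client_key = xor(proof, hmac_sha256(creds["stored_key"], auth_message))
    server_ok = hmac.compare_digest(h(recovered_client_key), creds["stored_key"])
    server_final = ("v=" + b64(hmac_sha256(creds["server_key"], auth_message))
                    if server_ok else "e=invalid-proof")

    # Client: authenticates the server through ServerSignature.
    expected = "v=" + b64(hmac_sha256(server_key, auth_message))
    client_ok = hmac.compare_digest(server_final, expected)
    return [client_first, server_first, client_final, server_final], server_ok, client_ok


def transcript_confirms(candidate: str, transcript) -> bool:
    """The point under discussion: the captured messages alone decide whether a
    candidate password is the one the client used, at the cost of one PBKDF2
    run (ITERATIONS HMAC calls) per candidate. Nothing from the server's store is needed."""
    client_first, server_first, client_final, _ = transcript
    attrs = dict(kv.split("=", 1) for kv in server_first.split(","))
    salt = base64.b64decode(attrs["s"])
    iterations = int(attrs["i"])
    client_final_bare, proof_b64 = client_final.rsplit(",p=", 1)
    auth_message = f"{client_first[3:]},{server_first},{client_final_bare}".encode("ascii")
    client_key, stored_key, _ = derive_keys(candidate, salt, iterations)
    expected_proof = xor(client_key, hmac_sha256(stored_key, auth_message))
    return hmac.compare_digest(b64(expected_proof), proof_b64)


if __name__ == "__main__":
    creds = server_credentials(PASSWORD, SALT, ITERATIONS)
    transcript, server_ok, client_ok = run_handshake(USER, PASSWORD, creds, CLIENT_NONCE, SERVER_NONCE)
    for line in transcript:
        print(line)
    print("server accepted:", server_ok, "client accepted:", client_ok)
    print("transcript confirms 'pencil':", transcript_confirms("pencil", transcript))
    print("transcript confirms 'pen':", transcript_confirms("pen", transcript))
```

The two mitigations named in the thread map directly onto this code: the iteration count in `server_first` fixes the PBKDF2 cost of every call to `transcript_confirms`, and TLS removes the transcript from an eavesdropper's reach altogether. In a PAKE such as SRP the transcript gives no such test to run, which is the difference Heikki is pointing at.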
Re: [HACKERS] MD5 authentication needs help -SCRAM
Hi Abhijit, I didn't realize you were involved in the IETF process on SCRAM :-).

On 03/09/2015 09:21 AM, Abhijit Menon-Sen wrote:
> At 2015-03-08 12:48:44 -0700, j...@agliodbs.com wrote:
>> Since SCRAM has been brought up a number of times here, I thought I'd
>> loop in the PostgreSQL contributor who is co-author of the SCRAM
>> standard to see if he has anything to say about implementing SCRAM as
>> a built-in auth method for Postgres.
>
> I think it's a good idea.

Having done some googling, SCRAM seems like a good choice to me too. Another one is SRP. The important difference between SRP and SCRAM is that in SRP, an eavesdropper cannot capture information needed to brute-force the password. The class of protocols that have that property are called Password-authenticated key agreement protocols (PAKE) [1]. SRP seems to be the most common one of those, although there are others. On the face of it, it seems like PAKE protocols are superior.

There is an IETF draft for SRP as a SASL authentication mechanism [2], and even some implementations of that (e.g. Cyrus-SASL), but for some reason that draft never became a standard and expired. Do you have any insight on why the IETF working group didn't choose a PAKE protocol instead of or in addition to SCRAM, when SCRAM was standardized?

[1] https://en.wikipedia.org/wiki/Password-authenticated_key_agreement
[2] https://tools.ietf.org/html/draft-burdis-cat-srp-sasl-08

- Heikki
Re: [HACKERS] MD5 authentication needs help -SCRAM
At 2015-03-09 13:52:10 +0200, hlinn...@iki.fi wrote:
> Do you have any insight on why the IETF working group didn't choose a
> PAKE protocol instead of or in addition to SCRAM, when SCRAM was
> standardized?

Hi Heikki.

It was a long time ago, but I recall that SRP was patent-encumbered:

https://datatracker.ietf.org/ipr/search/?rfc=2945submit=rfc

The Wikipedia page says the relevant patents expired in 2011 and 2013. I haven't followed SRP development since then, maybe it's been revised.

When SCRAM was being discussed, I can't recall any other proposals for PAKE protocols. Besides, as you may already know, anyone can submit an internet-draft about anything. It needs to gain general support for an extended period in order to advance through the standards process.

Could you please explain what exactly you mean about a SCRAM eavesdropper gaining some advantage in being able to mount a dictionary attack? I didn't follow that part.

-- Abhijit
Re: [HACKERS] MD5 authentication needs help -SCRAM
At 2015-03-08 12:48:44 -0700, j...@agliodbs.com wrote:
> Since SCRAM has been brought up a number of times here, I thought I'd
> loop in the PostgreSQL contributor who is co-author of the SCRAM
> standard to see if he has anything to say about implementing SCRAM as a
> built-in auth method for Postgres.

I think it's a good idea.

-- Abhijit
Re: [HACKERS] MD5 authentication needs help -SCRAM
All,

Since SCRAM has been brought up a number of times here, I thought I'd loop in the PostgreSQL contributor who is co-author of the SCRAM standard to see if he has anything to say about implementing SCRAM as a built-in auth method for Postgres.

Abhijit?

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com