Hi Dale, On 9/5/16, 6:30 PM, "Dale R. Worley" <worley@xxxxxxxxxxx> wrote: >Document: draft-harkins-salted-eap-pwd-06 >Reviewer: Dale R. Worley >Review Date: 2016-09-05 >IETF LC End Date: 2016-09-22 > >I am the assigned Gen-ART reviewer for this draft. The General Area >Review Team (Gen-ART) reviews all IETF documents being processed >by the IESG for the IETF Chair. Please treat these comments just >like any other last call comments. Thank you for the review! >For more information, please see the FAQ at ><http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > >This draft is basically ready for publication, but has possible nits >that should be considered for fixing before publication. > >Minor issues: > >2.5. Payload Modifications > >The construction of the EAP-pwd-Commit/Request message limits the salt >to 255 octets, or 2040 bits. This probably ought to be mentioned in >section 2.1 where the length of the salt is discussed. > >Is there any reason to be concerned that 2040 bits will be inadequate >in the near-to-medium future? Good point. I will mention salt length limits in 2.1. I do not believe this will provide any issues in the future. >Nits/editorial comments: > >Abstract > > It included support for raw keys and RFC2751-style double > hashing of a password but did not include support for salted > passwords. > >I believe that the reference to RFC 2751 is incorrect. Probably what >is meant is RFC 2759 (see the reference thereto in RFC 5931). In any >case, the referenced RFC should be listed as a reference. Yes, it's RFC 2759. Will fix and add to references. >1.1. Background > > Databases of stored passwords present an attractive target for > attack-- get access to the database, learn the passwords. > >Normally, the spacing before and after "--" is the same. There are >also examples of this in sections 2.1 and 5. Perhaps discuss this >with the RFC Editor concerning the meaning the authors want to >associate with this punctuation. I'll get rid of the space and if the RFC Editor wants to add it back I won't complain. >2.1. Password Pre-Processing > > o TBD8: OpaqueString and a UNIX crypt() ([CRY]) > >Probably change "a UNIX crypt" to "UNIX crypt". Yes. > o TBD5: OpaqueString and a random salt with SHA-1 ([SHS]) > >For TBD5-TBD8, it might be clearer to say "OpaqueString and then ...", >as all of them have a two-phase structure. Yes, that reads better. >2.3. Using UNIX crypt > > Different algorithms are supported with the UNIX crypt() function. > The particular algorithm used is indicated by prepending an encoding > of "setting" to the passed salt. The specific algorithm used is > opaque to EAP-pwd as the entire salt, including the encoded > "setting", is passed as an opaque string for interpretation by > crypt(). > >This seems to be an awkward way to phrase this. From the outside, >there appears to be one crypt() function with two arguments. The >"particular algorithm used" is just crypt() specialized with a fixed >value of one argument. But any two-argument function can be >specialized with a fixed argument, and usually one does not describe >all the resulting functions as a "particular algorithm". > >This text did deceive me upon the first reading. I thought that >different versions of Unix provided different crypt functions and the >salt included a selector value to select the correct version. But >looking at the referenced cypt manual page corrected me. > >Perhaps this section could be left out entirely, as the details aren't >needed in this specification, and the referenced crypt manual page >gives the needed information. I agree this sounds weird at first blush but I think I’m going to keep the text. I want to ensure that implementations pass the salt en masse to crypt() and the encoded setting is not removed. >5. Security Considerations > > there is no dictionary attack needed to recover the plaintext > password. > >This is correct but doesn't emphasize the important point. Perhaps > > since the plaintext password need not be recovered, no dictionary > attack is needed Yes that is better. Thanks. >-- > > While the immediate effect of such a compromise would be the > compromised server, > >I think changing "would be the compromised server" to "would be the >compromise of the server" would make this clearer. That does make it clearer, thanks. >It might be worth noting that any salted password remote authorization >protocol has the same limitation as this draft's method, viz., that >disclosure of the hash of the salted password allows an attacker to >impersonate a client. That is, that this method is not somehow >deficient because it also has that property. I don't think that is true. The client needs to know the password, not the salted hash. >(What makes the Unix salted-password database immune to disclosure is >that the OS controls the preparation of the user-given password; it's >not a remote authorization system and so an attacker must enter the >unsalted password.) Indeed. Thanks for your helpful review. I will be incorporating the agreed-to resolutions in the next version of the draft. best regards, Dan.