From: "A.J. Kehoe IV (Nanoman)" <nanoman@nanoman.ca>
To: Garance A Drosehn
Cc: FreeBSD-security@FreeBSD.org
Date: Mon, 8 Jul 2013 02:22:57 -0400
Subject: Re: Better Password Hashes
Message-ID: <20130708062257.GD21309@nanocomputer.nanoman.ca>
In-Reply-To: <51D9CAE8.1080902@FreeBSD.org>
References: <20130707173622.GA21102@nanocomputer.nanoman.ca> <51D9CAE8.1080902@FreeBSD.org>
List: freebsd-security@freebsd.org (Security issues [members-only posting])

Garance A Drosehn wrote:
>On 7/7/13 1:36 PM, A.J. Kehoe IV (Nanoman) wrote:
>> I commissioned Derek to come up with a solution by either updating
>> Steven's patch or by devising a new method. To paraphrase Derek's comments:
>>
>> -----BEGIN PARAPHRASIS-----
>> I did some research into what other *BSDs are doing. OpenBSD and NetBSD
>> use the algorithm name, a comma, and then the number of rounds:
>>
>> http://www.openbsd.org/cgi-bin/man.cgi?query=login.conf&sektion=5
>>
>> localcipher=blowfish,6
>>
>> http://netbsd.gw.com/cgi-bin/man-cgi?passwd.conf+5+NetBSD-current
>>
>> localcipher=blowfish,6
>>
>> To me, this isn't a good way to do it because we'd need special
>> rules to parse this extra field out of the previously unstructured
>> data. This parsing would be algorithm dependent.
>
>To comment only on this point, I do not think it is a significant
>issue. If OpenBSD and NetBSD are already doing this, then whatever
>parsing issues are already being addressed by users on those OS's.
>
>I think there is a significant advantage in using something that
>they are already using. Now, if they say "Wow, was this a bad
>idea!", then obviously I wouldn't want to add it. But if their
>security is better with this feature, and if *they* don't have
>major regrets with using it, then I think we should consider it.

I don't think the method used by OpenBSD and NetBSD is a bad idea, but there are a couple reasons why I prefer Derek's method:

1. Convention. OpenBSD and NetBSD call it "blowfish", whereas FreeBSD calls it "blf", and others call it "bcrypt". Modular Crypt Format, on the other hand, is pretty consistent across various operating systems, languages, et cetera.

2. Implementation. Derek's method would be a relatively minimal change, whereas the other method would be a more invasive change with more things that could go wrong.

>I'd certainly want to consider other ideas too. But I don't think
>we should cross this idea off the list just because it would be
>too much extra effort *if* we were the only OS which used it. I
>run both FreeBSD and OpenBSD systems, and for people like me it
>will be more effort if different BSD's use incompatible methods
>to achieve better password security. You won't be saving me any
>effort, you'll only be adding to the effort I already have.
>
>[admittedly that isn't much effort. :) ]

Maybe our OpenBSD and NetBSD colleagues will prefer Derek's idea too? As Derek has demonstrated, it's fairly simple to implement while maintaining compatibility with the existing method.

-- 
A.J. Kehoe IV (Nanoman)     | /"\ ASCII Ribbon Campaign
Nanoman's Company           | \ / - No HTML/RTF in E-mail
E-mail: nanoman@nanoman.ca  |  X  - No proprietary attachments
WWW: http://www.nanoman.ca/ | / \ - Respect for open standards
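The two configuration conventions compared in this message, as an added example that is not code from the thread or from either patch: a parser for the OpenBSD/NetBSD "name,rounds" value and one for a Modular Crypt Format prefix, plus the bcrypt cost-range check a login.conf reader should apply either way. The "$id$cost$" shape of the MCF setting and the rule that only blowfish takes a rounds suffix are assumptions made for illustration, not something the message states.

```c
#include <stdlib.h>
#include <string.h>
/* Parsed setting: algorithm name (or MCF id); cost is the bcrypt log2 cost, -1 if absent. */
struct hashcfg { char algo[16]; int cost; };
/* bcrypt only accepts a log2 cost of 4..31; reject anything else. */
int bcrypt_cost_ok(int cost) { return cost >= 4 && cost <= 31; }
/* Store the name [s,e) in out->algo and, if c != NULL, the decimal cost [c,ce). */
static int fill(const char *s, const char *e, const char *c, const char *ce,
                struct hashcfg *out)
{
    char *end;
    size_t n = (size_t)(e - s);
    if (n == 0 || n >= sizeof out->algo)
        return -1;                      /* empty or over-long name */
    memcpy(out->algo, s, n);
    out->algo[n] = '\0';
    out->cost = -1;
    if (c == NULL)
        return 0;
    out->cost = (int)strtol(c, &end, 10);
    return (end == c || end != ce || out->cost < 0) ? -1 : 0;
}
/* OpenBSD/NetBSD form "<name>[,<rounds>]", e.g. "blowfish,6". Only blowfish may
 * take ",rounds" here: an assumed rule standing in for the per-algorithm parsing. */
int parse_comma_form(const char *s, struct hashcfg *out)
{
    const char *comma = strchr(s, ',');
    if (comma != NULL && strncmp(s, "blowfish,", 9) != 0)
        return -1;
    return fill(s, comma ? comma : s + strlen(s),
                comma ? comma + 1 : NULL, s + strlen(s), out);
}

/* MCF prefix "$<id>$<cost>$", e.g. "$2b$06$" (assumed shape; the message does
 * not spell it out). Every id shares the layout, so no per-algorithm rule. */
int parse_mcf_prefix(const char *s, struct hashcfg *out)
{
    const char *sep, *end;
    if (s[0] != '$' || (sep = strchr(s + 1, '$')) == NULL ||
        (end = strchr(sep + 1, '$')) == NULL || end[1] != '\0')
        return -1;                      /* must be exactly "$id$cost$" */
    return fill(s + 1, sep, end == sep + 1 ? NULL : sep + 1, end, out);
}
/* Parsed cost of a setting, or -2 if the parser rejects it. */
int cost_of(int (*parse)(const char *, struct hashcfg *), const char *s)
{
    struct hashcfg h;
    return parse(s, &h) == 0 ? h.cost : -2;
}
```

Note that both parsers accept "blowfish,99" and "$2b$99$" as well-formed; the cost range is a separate check, which is why bcrypt_cost_ok() is applied after parsing.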