draft-josefsson-password-auth-00.txt
Simon Josefsson
simon at josefsson.org
Thu Mar 29 15:33:33 CEST 2007
Nicolas Williams <Nicolas.Williams at sun.com> writes:
> On Thu, Mar 29, 2007 at 03:03:42PM +0200, Simon Josefsson wrote:
>> My idea is to specify a challenge/response protocol that is (somewhat)
>> agnostic to the framework (GSS-API or SASL) and then specify how that
>> protocol is used in these two frameworks. Since the wire protocol is
>> highly influenced by GSS-API and SASL concepts, the mappings for how
>> to use the protocol in GSS-API or SASL is just one page. The
>
> I guess it can be one page, since for GSS challenge/response password-
> based mechs there won't be many name types available, thus not much
> discussion of naming. Right? Maybe not: presumably acceptor names are
> used to salt the password, in which case any name type goes and the mech
> has to specify the relevant mappings from generic name syntax to
> whatever the mech uses internally. And there's the exported name token
> format to consider also.
I'm not really that familiar with the naming corners of GSS-API... In
any case, how to salt the password is an open question. Perhaps the
exported name format can be used as the salt value with PKCS#5 PBKDF2?
But then you'll need to transfer the PBKDF2 iteration counter, or
(worse) fixate it. The iteration counter question is the main reason
why I haven't used PBKDF2 yet. That, and I'm not sure PBKDF2 in this
protocol actually protects against any valid security threats.
> But in any case, it needn't be much text, and I've volunteered to write
> that text.
Excellent!
/Simon
More information about the Password-auth
mailing list