1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
|
Internet Engineering Task Force (IETF) D. Harkins
Request for Comments: 8146 HP Enterprise
Updates: 5931 April 2017
Category: Informational
ISSN: 2070-1721
Adding Support for Salted Password Databases to EAP-pwd
Abstract
EAP-pwd is an Extensible Authentication Protocol (EAP) method that
utilizes a shared password for authentication using a technique that
is resistant to dictionary attacks. It includes support for raw keys
and double hashing of a password in the style of Microsoft Challenge
Handshake Authentication Protocol version 2 (MSCHAPv2), but it does
not include support for salted passwords. There are many existing
databases of salted passwords, and it is desirable to allow their use
with EAP-pwd.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8146.
Harkins Informational [Page 1]
^L
RFC 8146 NaCled EAP-pwd April 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
1.1. Background .................................................3
1.2. Keyword Definition .........................................3
2. Salted Passwords in EAP-pwd .....................................3
2.1. Password Preprocessing .....................................3
2.2. The Salting of a Password ..................................5
2.3. Using UNIX crypt ...........................................5
2.4. Using scrypt ...............................................6
2.5. Using PBKDF2 ...............................................6
2.6. Protocol Modifications .....................................7
2.7. Payload Modifications ......................................8
3. IANA Considerations .............................................8
4. Security Considerations .........................................9
5. References ......................................................9
5.1. Normative References .......................................9
5.2. Informative References ....................................10
Acknowledgements ..................................................11
Author's Address ..................................................11
Harkins Informational [Page 2]
^L
RFC 8146 NaCled EAP-pwd April 2017
1. Introduction
1.1. Background
Databases of stored passwords present an attractive target for attack
-- get access to the database, learn the passwords. To confound such
attacks, a random "salt" was hashed with the password and the
resulting digest stored, along with the salt, instead of the raw
password. This has the effect of randomizing the password; even if
two, distinct users have chosen the same password, the stored, and
salted, password will be different. It also requires an adversary
who has compromised the security of the stored database to launch a
dictionary attack per entry to recover passwords.
Dictionary attacks, especially using custom hardware, represent real-
world attacks and merely salting a password is insufficient to
protect a password database. To address these attacks, a sequential
memory hard function, such as described in [RFC7914], is used.
While salting a password database is not sufficient to deal with many
real-world attacks, the historic popularity of password salting means
there are a large number of such databases deployed, and EAP-pwd
needs to be able to support them. In addition, EAP-pwd needs to be
able to support databases using more modern sequential memory hard
functions for protection.
EAP-pwd imposes an additional security requirement on a database of
salted passwords that otherwise would not exist, see Section 4.
1.2. Keyword Definition
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Salted Passwords in EAP-pwd
2.1. Password Preprocessing
EAP-pwd is based on the "dragonfly" Password-Authenticated Key
Exchange (PAKE) -- see [RFC7664]. This is a balanced PAKE and
requires that each party to the protocol obtain an identical
representation of a processed password (see Section 4). Therefore,
salting of a password is treated as an additional password
preprocessing technique of EAP-pwd. The salt and digest to use are
conveyed to the peer by the server, and the password is processed
prior to fixing the password element (see Section 2.8.3 of
[RFC5931]).
Harkins Informational [Page 3]
^L
RFC 8146 NaCled EAP-pwd April 2017
This memo defines eight (8) new password preprocessing techniques for
EAP-pwd:
o 0x03: a random salt with SHA-1
o 0x04: a random salt with SHA-256
o 0x05: a random salt with SHA-512
o 0x06: UNIX crypt()
o 0x07: scrypt
o 0x08: PBKDF2 with SHA-256
o 0x09: PBKDF2 with SHA-512
o 0x0A: SASLprep then a random salt with SHA-1
o 0x0B: SASLprep then a random salt with SHA-256
o 0x0C: SASLprep then a random salt with SHA-512
o 0x0D: SASLprep then UNIX crypt()
o 0x0E: OpaqueString then scrypt
o 0x0F: OpaqueString then PBKDF2 with SHA-256
o 0x10: OpaqueString then PBKDF2 with SHA-512
When passing salt, the size of the salt SHOULD be at least as long as
the message digest of the hash algorithm used. There is no guarantee
that deployed salted databases have followed this rule, and in the
interest of interoperability, an EAP peer SHOULD NOT abort an EAP-pwd
exchange if the length of the salt conveyed during the exchange is
less than the message digest of the indicated hash algorithm.
UNIX crypt() ([CRY]), scrypt ([RFC7914]), and PBKDF2 ([RFC8018])
impose additional formatting requirements on the passed salt. See
below.
Plain salting techniques using [SHS] are included for support of
existing databases. scrypt and PBKDF2 techniques are RECOMMENDED for
new password database deployments.
SASLprep has been deprecated, but databases treated with SASLprep
exist; it is necessary to provide code points for them. When using
Harkins Informational [Page 4]
^L
RFC 8146 NaCled EAP-pwd April 2017
SASLprep, a password SHALL be considered a "stored string" per
[RFC3454]; therefore, unassigned code points are prohibited. The
output of SASLprep SHALL be the binary representation of the
processed UTF-8 character string. Prohibited output and unassigned
code points encountered in SASLprep preprocessing SHALL cause a
failure of preprocessing, and the output SHALL NOT be used with EAP-
pwd.
When performing one of the preprocessing techniques (0x0E-0x10), the
password SHALL be a UTF-8 string and SHALL be preprocessed by
applying the Preparation and Enforcement steps of the OpaqueString
profile in [RFC7613] to the password. The output of OpaqueString,
also a UTF-8 string, becomes the EAP-pwd password and SHALL be hashed
with the indicated algorithm.
There is a large number of deployed password databases that use
salting and hashing in the style of [RFC7616], but these deployments
require a nonce contribution by the client (as well as the server),
and EAP-pwd does not have the capability to provide that information.
2.2. The Salting of a Password
For both parties to derive the same salted password, there needs to
be a canonical method of salting a password. When using EAP-pwd, a
password SHALL be salted by hashing the password followed by the salt
using the designated hash function:
salted-password = Hash(password | salt)
The server stores the salted-password, and the salt, in its database
and the client derives the salted password on the fly.
2.3. Using UNIX crypt
Different algorithms are supported with the UNIX crypt() function.
The particular algorithm used is indicated by prepending an encoding
of "setting" to the passed salt. The specific algorithm used is
opaque to EAP-pwd as the entire salt, including the encoded
"setting", is passed as an opaque string for interpretation by
crypt(). The salted password used for EAP-pwd SHALL be the output of
crypt():
salted-password = crypt(password, salt)
The server stores the salted-password, and the encoded algorithm plus
salt, in its database and the client derives the salted-password on-
the-fly.
Harkins Informational [Page 5]
^L
RFC 8146 NaCled EAP-pwd April 2017
If the server indicates a crypt() algorithm that is unsupported by
the client, the exchange fails and the client MUST terminate the
connection.
2.4. Using scrypt
The scrypt function takes several parameters:
o N, the cost parameter
o r, the block size
o p, the parallelization parameter
o dkLen, the length of the output
These parameters are encoded into the "salt" field of the modified
EAP-pwd message. Parameters r and dkLen SHALL be 16-bit integers in
network order. The other parameters SHALL each be 32-bit integers in
network order. The "salt" field that gets transmitted in EAP-pwd
SHALL therefore be:
N || r || p || dkLen || salt
where || represents concatenation.
The value of N represents the exponent taken to the power of two in
order to determine the CPU/Memory cost of scrypt -- i.e., the value
is 2^N. Per [RFC7914], the resulting CPU/Memory cost value SHALL be
less than 2^(128 * r / 8), and the value p SHALL be less than or
equal to ((2^32 - 1) * 32) / (128 * r).
Note: EAP-pwd uses the salted password directly as the authentication
credential and will hash it with a counter in order to obtain a
secret element in a finite field. Therefore, it makes little sense
to use dkLen greater than the length of the digest produced by the
underlying hash function, but the capability is provided to do so
anyway.
2.5. Using PBKDF2
The PBKDF2 function requires two parameters:
o c, the iteration count
o dkLen, the length of the output
Harkins Informational [Page 6]
^L
RFC 8146 NaCled EAP-pwd April 2017
These parameters are encoded into the "salt" field of the modified
EAP-pwd message. The parameters SHALL be 16-bit integers in network
order. The "salt" field that gets transmitted in EAP-pwd SHALL
therefore be:
c || dkLen || salt
where || represents concatenation.
Note: EAP-pwd uses the salted password directly as the authentication
credential and will hash it with a counter in order to obtain a
secret element in a finite field. Therefore, it makes little sense
to use a dkLen greater than the length of the digest produced by the
underlying hash function, but the capability is provided to do so
anyway.
2.6. Protocol Modifications
Like all EAP methods, EAP-pwd is server initiated, and the initial
identity supplied by the client is not useful for authentication
purposes. Because of this, the server is required to indicate its
intentions, including the password preprocessing it wishes to use,
before it knows the true identity of the client. This prevents the
server from supporting multiple salt digests simultaneously in a
single password database. To support multiple salt digests
simultaneously, it is necessary to maintain multiple password
databases and use the routable portion of the client identity to
select one when initiating EAP-pwd.
The server uses the EAP-pwd-ID/Request to indicate the password
preprocessing technique. The client indicates its acceptance of the
password preprocessing technique and identifies itself in the EAP-
pwd-ID/Response. If the client does not accept any of the offered
preprocessing techniques, it SHALL terminate the exchange. Upon
receipt of the EAP-pwd-ID/Response, the server knows the identity of
the client and can look up the client's salted password and the salt
from the database. The server adds the length of the salt and the
salt itself to the EAP-pwd-Commit/Request message (see Section 2.7).
The server can fix the password element (Section 2.8.3 of [RFC5931])
as soon as the salted password has been looked up in the database.
The client, though, is required to wait until receipt of the server's
EAP-pwd-Commit/Request before it begins fixing the password element.
Harkins Informational [Page 7]
^L
RFC 8146 NaCled EAP-pwd April 2017
2.7. Payload Modifications
When a salted password preprocessing technique is agreed upon during
the EAP-pwd-ID exchange, the EAP-pwd-Commit payload is modified to
include the salt and salt length (see Figure 1). The server passes
the salt and salt length in the EAP-pwd-Commit/Request; the client's
EAP-pwd-Commit/Response is unchanged, and it MUST NOT echo the salt
length and salt in its EAP-pwd-Commit/Response.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Salt-len | |
+-+-+-+-+-+-+-+-+ ~
~ Salt +-+-+-+-+-+-+-+-+-+
| | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
| |
~ Element ~
| |
~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
| |
~ Scalar +-+-+-+-+-+-+-+-+
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Salted EAP-pwd-Commit/Request
The "salt-len" SHALL be non-zero, and it indicates the length, in
octets, of the salt that follows. The "Salt" SHALL be a binary
string. The "Element" and "Scalar" are encoded according to
Section 3.3 of [RFC5931].
Note: when a non-salted password preprocessing method is used, for
example, any of the methods from [RFC5931], the EAP-pwd-Commit
payload MUST NOT be modified to include the salt and salt length.
3. IANA Considerations
IANA has allocated fourteen (14) values from the "password
preprocessing method registry" established by [RFC5931].
Harkins Informational [Page 8]
^L
RFC 8146 NaCled EAP-pwd April 2017
4. Security Considerations
EAP-pwd requires each side to produce an identical representation of
the (processed) password before the password element can be fixed.
This symmetry undercuts one of the benefits to salting a password
database because the salted password from a compromised database can
be used directly to impersonate the EAP-pwd client -- since the
plaintext password need not be recovered, no dictionary attack is
needed. While the immediate effect of such a compromise would be
compromise of the server, the per-user salt would still prevent the
adversary from recovering the password, barring a successful
dictionary attack, to use for other purposes.
Salted password databases used with EAP-pwd MUST be afforded the same
level of protection as databases of plaintext passwords.
Hashing a password with a salt increases the work factor for an
attacker to obtain the cleartext password, but dedicated hardware
makes this increased work factor increasingly negligible in real-
world scenarios. Cleartext password databases SHOULD be protected
with a scheme that uses a sequential memory hard function such as
[RFC7914].
EAP-pwd sends the salt in the clear. If EAP-pwd is not tunneled in
another, encrypting, EAP method, an adversary that can observe
traffic from server to authenticator or from authenticator to client
would learn the salt used for a particular user. While knowledge of
a salt by an adversary may be of a somewhat dubious nature (pre-image
resistance of the hash function used will protect the client's
password and, as noted above, the database of salted passwords must
still be protected from disclosure), it does represent potential
additional meta-data in the hands of a untrusted third party.
5. References
5.1. Normative References
[CRY] Linux Programmer's Manual, "CRYPT(3)", August 2015,
<http://man7.org/linux/man-pages/man3/crypt.3.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
Harkins Informational [Page 9]
^L
RFC 8146 NaCled EAP-pwd April 2017
[RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
Internationalized Strings ("stringprep")", RFC 3454,
DOI 10.17487/RFC3454, December 2002,
<http://www.rfc-editor.org/info/rfc3454>.
[RFC5931] Harkins, D. and G. Zorn, "Extensible Authentication
Protocol (EAP) Authentication Using Only a Password",
RFC 5931, DOI 10.17487/RFC5931, August 2010,
<http://www.rfc-editor.org/info/rfc5931>.
[RFC7613] Saint-Andre, P. and A. Melnikov, "Preparation,
Enforcement, and Comparison of Internationalized Strings
Representing Usernames and Passwords", RFC 7613,
DOI 10.17487/RFC7613, August 2015,
<http://www.rfc-editor.org/info/rfc7613>.
[RFC7914] Percival, C. and S. Josefsson, "The scrypt Password-Based
Key Derivation Function", RFC 7914, DOI 10.17487/RFC7914,
August 2016, <http://www.rfc-editor.org/info/rfc7914>.
[RFC8018] Moriarty, K., Ed., Kaliski, B., and A. Rusch, "PKCS #5:
Password-Based Cryptography Specification Version 2.1",
RFC 8018, DOI 10.17487/RFC8018, January 2017,
<http://www.rfc-editor.org/info/rfc8018>.
[SHS] National Institute of Standards and Technology, "Secure
Hash Standard (SHS)", FIPS PUB 180-4,
DOI 10.6028/NIST.FIPS.180-4, August 2015,
<http://csrc.nist.gov/publications/fips/fips180-4/
fips-180-4.pdf>.
5.2. Informative References
[RFC7616] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP
Digest Access Authentication", RFC 7616,
DOI 10.17487/RFC7616, September 2015,
<http://www.rfc-editor.org/info/rfc7616>.
[RFC7664] Harkins, D., Ed., "Dragonfly Key Exchange", RFC 7664,
DOI 10.17487/RFC7664, November 2015,
<http://www.rfc-editor.org/info/rfc7664>.
Harkins Informational [Page 10]
^L
RFC 8146 NaCled EAP-pwd April 2017
Acknowledgements
Thanks to Stefan Winter and the eduroam project for its continued
interest in using EAP-pwd. Thanks to Simon Josefsson for his advice
on support for scrypt and PBKDF2.
Author's Address
Dan Harkins
HP Enterprise
3333 Scott Boulevard
Santa Clara, CA 95054
United States of America
Email: dharkins@arubanetworks.com
Harkins Informational [Page 11]
^L
|