On Sep 23, 2009, at 12:34 PM, Santosh Chokhani wrote:
Kurt, I am not sure if I fully understand the context, but whoever gave DUA the encrypted password can supply the salt.
When setting a password, yes, the DUA can generate the salt. But how does a DUA authenticating a user come to know what salt to use? Is the user expected to provide the algorithm, salt, and password to the DUA so they can use encrypted credentials choice in binding to the directory?
The salt is not a secret.
Yes, but I see no mechanism for exposing the algorithm and salt to DUAs wishing to authenticate users via the method.
Its sole purpose is to make dictionary attack less effective by forcingthe attack to compute encrypted text for all the salts.
Yes, but that's assuming the attacker needs to brute force attack the encrypted text. With the encrypted credentials choice, the attacker just provides the encrypted text to the DSA. It's become a password equivalent.
Seems this choice makes it easier on the attacker but hard on the legitimate DUA.
-- Kurt
-----Original Message----- From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Kurt Zeilenga Sent: Wednesday, September 23, 2009 3:25 PM To: x500standard@xxxxxxxxxxxxx Subject: [x500standard] Re: New draft on password policy On Sep 23, 2009, at 9:52 AM, Kemp, David P. wrote:The password equivalent applies to the DSA that has storedthe hashedpassword. But a hashed password is not equivalent to aclear passwordif the DSA attempts to use it in a different context (e.g. to impersonate the user on a different DSA). Of course, humans never reuse passwords or use related passwords on more than onesystem, sothis should never be a problem :-).How does a DUA determine which salt to use? -- KurtDave -----Original Message----- From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf OfKurt ZeilengaSent: Wednesday, September 23, 2009 12:41 PM To: x500standard@xxxxxxxxxxxxx Subject: [x500standard] Re: New draft on password policy On Sep 21, 2009, at 9:28 AM, David Chadwick wrote:Hi Howard Here are our responses from today to the issues you raisedbelow. Ifan issue has not been answered, this means we have not had time to address it yet and will do so tomorrow. Any comments youhave on ourdeliberations so far will be appreciated Howard Chu wrote:Erik Andersen wrote:Hi Folks, SC6 has made the latest draft of Password Policyavailable. It maybe downloaded from http://www.x500standard.com/index.php? n=Ig.Extension. SC6 has authorised that we bring this document forward to PDAM status during the September 2009 meeting. Please provide comments in time for that meeting.Based on experience implementing various revisions of the LDAP Password Policy Draft http://tools.ietf.org/draft/draft-behera-ldap-password-policy/ and concerns raised in Kurt's newer draft http://tools.ietf.org/html/draft-zeilenga-ldap-passwords-00 I have several concerns, some related to keeping this X.500 draft cross-compatible with LDAP, and some related to password policy management in general. 1) relying on clients to know that they should be usingan encryptedpassword, and to know which algorithm to use, seemsimpractical inthe real world. IMO whether and how the password isencrypted shouldbe a matter private to the DSA.we still allow this as an option, but we think it is moresecure ifthe directory never knows the user's password so is notable to storeit in audit trails or anywhere.If that's the rationale then shouldn't it apply to all password equivalents. If the protocol allows a DUA knowing only theencryptedpassword to gain access, the encrypted password is a password equivalent. -- Kurt ----- www.x500standard.com: The central source for information onthe X.500Directory Standard. ----- www.x500standard.com: The central source for information on the X. 500 Directory Standard.----- www.x500standard.com: The central source for information on the X.500 Directory Standard.-----www.x500standard.com: The central source for information on the X. 500 Directory Standard.
----- www.x500standard.com: The central source for information on the X.500 Directory Standard.