
Re: Gen-ART LC Review of draft-ietf-sasl-scram-07

2009-10-08 12:02:27
Nicolas Williams wrote:

> On Wed, Sep 23, 2009 at 08:22:25PM -0500, Ben Campbell wrote:
> > -- 2nd paragraph: " ...increase the iteration count over time."
> >
> > Can you elaborate on how this helps, and possibly offer guidance on how
> > implementations should use it?
>
> Good point.  With SCRAM as specified, a server cannot increase the
> iteration count without somehow getting access to the cleartext
> password.  If the server were to store SaltedPassword _and_
> U_iteration_count (from Hi()'s internals), then the server could compute
> a new SaltedPassword and U_iteration_count with a higher iteration
> count.  However, the server isn't intended to store SaltedPassword,
> rather, the server stores StoredKey and ServerKey, and there's a reason
> for this: a server that's never authenticated a given user before cannot
> impersonate that user, but if the server were to store SaltedPassword,
> then the server could impersonate the user.
>
> Thus, to "increase the iteration count over time" requires, effectively,
> changing the user's password.  This is probably worth pointing out.

I tried to clarify that.
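As an added illustration, not part of this thread or of the draft, the SCRAM-SHA-1 derivation from RFC 5802 in Python: the server keeps only StoredKey and ServerKey (one-way images of SaltedPassword), so a record cannot be re-derived at a higher iteration count without the cleartext password, and a client proof built with the old count no longer verifies against the re-keyed record. PASSWORD, SALT and AUTH_MSG are constructed sample values.

```python
import hashlib
import hmac

H = "sha1"  # SCRAM-SHA-1: H() is SHA-1, HMAC() is HMAC-SHA-1 (RFC 5802)
PASSWORD = b"pencil"                  # constructed sample password
SALT = b"constructed-sample-salt"     # constructed; a real server uses random salt
AUTH_MSG = b"n=user,r=cnonce,r=cnonce+snonce,s=salt,i=4096,c=biws,r=cnonce+snonce"


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi(str, salt, i): PBKDF2 with HMAC-SHA-1, dkLen equal to the hash size."""
    return hashlib.pbkdf2_hmac(H, password, salt, iterations, hashlib.sha1().digest_size)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_record(password: bytes, salt: bytes, iterations: int) -> dict:
    """Per-user state a SCRAM server stores. SaltedPassword and ClientKey are
    computed here and then discarded; only StoredKey and ServerKey are kept."""
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", H).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),   # StoredKey = H(ClientKey)
        "server_key": hmac.new(salted, b"Server Key", H).digest(),
    }


def client_proof(password: bytes, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); needs the password."""
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", H).digest()
    stored_key = hashlib.sha1(client_key).digest()
    return xor(client_key, hmac.new(stored_key, auth_message, H).digest())


def server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_sig = hmac.new(record["stored_key"], auth_message, H).digest()
    client_key = xor(proof, client_sig)
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])


def raise_iteration_count(password: bytes, record: dict, new_iterations: int) -> dict:
    """Re-keying: there is no path from StoredKey/ServerKey back into Hi(), so the
    server must start again from the cleartext password, as on a password change."""
    return server_record(password, record["salt"], new_iterations)
```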

Ietf mailing list: https://www.ietf.org/mailman/listinfo/ietf