Hello,
The IESG has received a request from an individual submitter to consider
the following document:
- 'Adding Support for Salted Password Databases to EAP-pwd'
<draft-harkins-salted-eap-pwd-06.txt> as Informational RFC
Kathleen Moriarty as the shepherding AD has asked me in my function as
doc shepherd to point the community to one particular statement in
Security Considerations:
There is a paragraph starting with the sentence:
"EAP-pwd sends the salt in the clear."
The basic question behind that whole paragraph is: is this an issue at
all? The salt itself is not very critical information; the (salted)
password itself is never even transmitted over the wire with EAP-pwd.
So, there is a small, but non-zero, amount of meta-information about the
password salting that can be learned by adversaries on the wire.
We've had some discussion about whether it is worth noting this in Sec Con at
all, or whether that's already overkill. The new (and maybe even
unprecedented) aspect here is that salts are usually local pieces of
information inside a password database which never move or get exposed
at all. Here they do, and in cleartext.
So, there is a paragraph in the draft now, but it can go away if it's
superfluous. If you have any substantial comment about this, please let
the list know.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
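The data-flow property the message asks the list to weigh (the salt crosses the wire in cleartext, the salted password never does, and a passive observer therefore learns only salt-related meta-information) is modelled in the added example below. This is editor-supplied illustration code, not part of the draft, the message, or any EAP-pwd implementation. The salting function (PBKDF2-HMAC-SHA256) and the knowledge-proof step (an HMAC over a nonce) are stand-ins chosen only to show which values move between peer and server; they are not the derivation or the password-authenticated key exchange that EAP-pwd actually specifies, and the user name, password and salt values are constructed.

```python
"""Model of 'salt in the clear, salted password never on the wire'.

Added example; the derivations below are stand-ins, not EAP-pwd's own.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample values (not taken from the draft).
USER = "alice"
PASSWORD = b"correct horse battery staple"
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def salted_password(password: bytes, salt: bytes) -> bytes:
    """Stand-in salting function (PBKDF2-HMAC-SHA256, 1000 iterations).

    EAP-pwd's real derivation is not reproduced here; only the fact that
    both sides can compute the same value from (password, salt) matters.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)


# Server-side password database: it holds the salt and the salted
# password for each user, never the plaintext password.
SERVER_DB: Dict[str, Tuple[bytes, bytes]] = {
    USER: (SALT, salted_password(PASSWORD, SALT)),
}


def run_exchange(user: str, peer_password: bytes,
                 db: Dict[str, Tuple[bytes, bytes]],
                 nonce: Optional[bytes] = None) -> Tuple[bool, List[Tuple[str, bytes]]]:
    """Model the exchange and return (authenticated, wire).

    `wire` is the list of (direction, payload) messages a passive observer
    on the link could record.  The server sends the salt in cleartext; the
    peer derives the salted password locally and proves knowledge of it
    with a stand-in HMAC (the real protocol uses a PAKE instead).
    """
    wire: List[Tuple[str, bytes]] = []
    salt, stored = db[user]
    wire.append(("server->peer", salt))            # salt crosses the wire in the clear
    derived = salted_password(peer_password, salt)  # computed locally on the peer, never sent
    nonce = nonce if nonce is not None else os.urandom(16)
    proof = hmac.new(derived, nonce, "sha256").digest()  # stand-in proof of knowledge
    wire.append(("peer->server", nonce + proof))
    expected = hmac.new(stored, nonce, "sha256").digest()
    return hmac.compare_digest(proof, expected), wire


def observer_view(wire: List[Tuple[str, bytes]],
                  secrets: Dict[str, bytes]) -> dict:
    """What an eavesdropper learns from the recorded messages.

    `secrets` maps a label to a value the observer must NOT be able to read
    off the wire; the result reports, per label, whether it appeared.
    """
    blob = b"".join(payload for _, payload in wire)
    salt = wire[0][1]
    return {
        "salt": salt.hex(),          # the salt itself is visible ...
        "salt_len": len(salt),       # ... and so is its length (meta-information)
        "leaked": {name: (value in blob) for name, value in secrets.items()},
    }


if __name__ == "__main__":
    ok, wire = run_exchange(USER, PASSWORD, SERVER_DB)
    print("authenticated:", ok)
    print(observer_view(wire, {"password": PASSWORD,
                               "salted_password": SERVER_DB[USER][1]}))
```

Running it shows the observer's record contains the salt (and thus its length and the fact that salting is in use) while neither the password nor the stored salted password appears in any message; that is the "small, but non-zero" meta-information the Security Considerations paragraph describes.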