[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SHA-2 support (was: Permissions, users, startup when install from source)

On Jan 16, 2013, at 1:05 PM, Ori Bani <oribani@gmail.com> wrote:

> On Wed, Jan 16, 2013 at 11:18 AM, Pierangelo Masarati
> <masarati@aero.polimi.it> wrote:
>>> --On Wednesday, January 16, 2013 7:39 AM +0100 Michael Ströder
>>> <michael@stroeder.com> wrote:
>>>> Quanah Gibson-Mount wrote:
>>>>> --On Tuesday, January 15, 2013 2:35 PM -0800 Ori Bani
>>>>> <oribani@gmail.com> wrote:
>>>>>> Why hasn't the sha2 module been migrated out of the
>>>>>> contrib directory
>>>>> The "core" of OpenLDAP tries to be as RFC compliant as possible.  There
>>>>> is no RFC that I'm aware of that adds SHA2 support.
>>>> Sorry, this is an artificial argument which is simply not valid!
>>>> Can you tell me which RFC specifies how to handle LANMAN hashes
>>>> (--enable-lmpasswd)? There are plenty similar examples...
>>> OpenLDAP, like many software projects that have existed for numerous
>>> years,
>>> has grown in its development practices.  Just because something was done
>>> incorrectly in the past is not a reason to continue doing so.  Feel free
>>> to
>>> port lanman hashes to a contrib module.
>> I'm not an expert in security, so this is just my 2c.  In general, as far
>> as I recall, we tend to be pragmatic when appropriate.  So asking a fancy
>> useless feature to become mainstream because other fancy useless features
>> made it long ago is pointless.  But when it comes to security, I think it
>> may be wise to break the rule every now and then.
> I'd add that things like sha2 aren't "fancy" and frivolous at all, but
> commonly recommended.

I think Ando was simply pointing out that the arguing that SHA-2 password schemes should be included because LANMAN hash schemes are currently included is lame.  I have to agree with him there.

> As I mentioned, the more adoption it gets, the
> more the RFC authors will be encouraged to update, but even if not,
> deferring to the (outdated, if it in fact mentions SHA1 and nothing
> better) RFC on an issue like this may not be the best approach.

SHA-2 is not significantly better here!  It's not about bits of hash, it's about compute cost of dictionary and brute force attacks.  SHA-2 is only marginally more expensive than SHA-1 or even MD-5.

Any effort to induce new password hash schemes should make dictionary and brute force attacks many orders of magnitude more expensive, as this is by far the most feasible attack we face.  There are a few other areas of concern... including the continued reliance on human generated passwords, but I digress.

Anyways, the interop argument Michael made is valid.

Also, at times, one just has to hold their nose.  IMO, if you going to do password authentication, you should be using SCRAM-SHA-1-PLUS authentication and using the compatible hashed storage format (SHA-1 based, of course) or, the more practical, clear-text. 

Odd that, SCRAM using SHA-1 not SHA-2.  :-)

-- Kurt