W3C home > Mailing lists > Public > public-webcrypto@w3.org > March 2014

Re: PBKDF2 questions

From: Ryan Sleevi <sleevi@google.com>
Date: Wed, 5 Mar 2014 13:46:35 -0800
Message-ID: <CACvaWvZAHCTdGo8eowYYSnqP9bF=S9gjjJi03js3yv0Qh4XjSw@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>
Cc: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Wed, Mar 5, 2014 at 12:43 PM, Mark Watson <watsonm@netflix.com> wrote:

> I have another question about PBKDF2.
>
> We have decided that generateKey will explicitly ask the user for a
> password. The advantage is that the UA can implement a non-spoofable UI and
> the user will have the advantage that the site will never see the clear
> password, only the derived key (for this reason, I required that
> extractable be false when generateKey is called here).
>
> There are two issues (neither of which should block last call):
> - do we need to place any requirements on the deriveKey parameters that
> the site can use to avoid it being easy to work backwards from derived keys
> to the password ?
>

No. The site is choosing it's own security parameters. The UA is making no
statement about them, merely facilitating the 'hands off approach'


> - it seems it is non-trivial for UAs to implement this in such a way that
> the UX will be one that sites will choose to use. A plain dialog saying "
> www.blah.com wants you to enter a password" is not very user-friendly.
> Sites will generally want to provide some prompt explaining what the
> password is for and also often sites want to place restrictions on password
> strength (minimum length, contains upper and lower case etc.). If the UA's
> native dialog doesn't have these properties, sites will likely choose to
> prompt for the password the old-fashioned way, to the user's detriment. Do
> we need to consider whether the site should provide prompt text, a strength
> test callback etc.
>

No. If a site wants to trade deniability for usability, it can.

The generateKey is not at all about improving security for users, per se.
Sites can still misbehave. It's a way for sites or applications that want
to be able to state "I didn't have the key" to be able to state so.


>
> ...Mark
>
>
>
>
> On Wed, Mar 5, 2014 at 11:52 AM, Mark Watson <watsonm@netflix.com> wrote:
>
>> Ok, I will specify with HMAC for the moment. SP 800-132 has a normative
>> minimum output length of 112 bits, which the RFC does not have. Do we want
>> that ?
>>
>> ...Mark
>>
>>
>> On Wed, Mar 5, 2014 at 10:01 AM, Vijay Bharadwaj <
>> Vijay.Bharadwaj@microsoft.com> wrote:
>>
>>>  I doubt anyone uses PBKDF2 with something other than HMAC. In fact SP
>>> 800-132 explicitly limits it to HMAC. So if you incorporate that limitation
>>> then maybe SP 800-132 is a better reference.
>>>
>>>
>>>
>>> *From:* Mark Watson [mailto:watsonm@netflix.com]
>>> *Sent:* Wednesday, March 5, 2014 9:54 AM
>>> *To:* public-webcrypto@w3.org
>>> *Subject:* PBKDF2 questions
>>>
>>>
>>>
>>> (1) I assume the correct reference is RFC2898
>>>
>>> (2) Do we need to support PBKDF2 with pseudo-random functions other than
>>> HMAC ? Presently the parameters dictionary allows us to specify the
>>> pseudo-random function, prf, in contrast to HKDF where we are allowed only
>>> to specify the hash function to be used with HMAC
>>>
>>>
>>>
>>> Restricting to HMAC is much simpler to specify. If we allow arbitrary
>>> PRFs, we need to define what properties they must have: support of sign
>>> operation and import of arbitrary size raw key. These requirements restrict
>>> us to HMAC anyway (from the existing algorithms).
>>>
>>>
>>>
>>> Does anyone use PBKDF with a PRF other than HMAC ? What ?
>>>
>>>
>>>
>>> ...Mark
>>>
>>
>>
>
Received on Wednesday, 5 March 2014 21:47:03 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:21 UTC