W3C home > Mailing lists > Public > public-webcrypto@w3.org > March 2014

Re: PBKDF2 questions

From: Mark Watson <watsonm@netflix.com>
Date: Wed, 5 Mar 2014 14:01:33 -0800
Message-ID: <CAEnTvdDn9ZuqYXZu=LZdFvJj9+iq_ygRtkAv-vYFkJB39gEscQ@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Cc: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Wed, Mar 5, 2014 at 1:46 PM, Ryan Sleevi <sleevi@google.com> wrote:

>
>
>
> On Wed, Mar 5, 2014 at 12:43 PM, Mark Watson <watsonm@netflix.com> wrote:
>
>> I have another question about PBKDF2.
>>
>> We have decided that generateKey will explicitly ask the user for a
>> password. The advantage is that the UA can implement a non-spoofable UI and
>> the user will have the advantage that the site will never see the clear
>> password, only the derived key (for this reason, I required that
>> extractable be false when generateKey is called here).
>>
>> There are two issues (neither of which should block last call):
>> - do we need to place any requirements on the deriveKey parameters that
>> the site can use to avoid it being easy to work backwards from derived keys
>> to the password ?
>>
>
> No. The site is choosing it's own security parameters. The UA is making no
> statement about them, merely facilitating the 'hands off approach'
>
>
>> - it seems it is non-trivial for UAs to implement this in such a way that
>> the UX will be one that sites will choose to use. A plain dialog saying "
>> www.blah.com wants you to enter a password" is not very user-friendly.
>> Sites will generally want to provide some prompt explaining what the
>> password is for and also often sites want to place restrictions on password
>> strength (minimum length, contains upper and lower case etc.). If the UA's
>> native dialog doesn't have these properties, sites will likely choose to
>> prompt for the password the old-fashioned way, to the user's detriment. Do
>> we need to consider whether the site should provide prompt text, a strength
>> test callback etc.
>>
>
> No. If a site wants to trade deniability for usability, it can.
>
> The generateKey is not at all about improving security for users, per se.
> Sites can still misbehave. It's a way for sites or applications that want
> to be able to state "I didn't have the key" to be able to state so.
>

In which case, it better be difficult for them to obtain the password. If
a site could trivially obtain the password, it's hard for them to credibly
say "I didn't have the password" - or at least, that promise is no more
reliable than if they did have the password in JS and claimed "I didn't
send the password to the server" - you're just trusting them to be truthful.

We want a site to be able to say "I can prove that I didn't have the
password, because you can see that I used a UA method that the UA
guarantees keeps the password from me.". So, then, the UA better be sure
the site can't get the password by specifying weak parameters (weak hash, 1
iteration, specially chosen salt etc.)

Equally, if we want this function to be attractive to sites, it had better
be capable of offering a good UX or else noone will use it.

...Mark



>
>
>>
>> ...Mark
>>
>>
>>
>>
>> On Wed, Mar 5, 2014 at 11:52 AM, Mark Watson <watsonm@netflix.com> wrote:
>>
>>> Ok, I will specify with HMAC for the moment. SP 800-132 has a normative
>>> minimum output length of 112 bits, which the RFC does not have. Do we want
>>> that ?
>>>
>>> ...Mark
>>>
>>>
>>> On Wed, Mar 5, 2014 at 10:01 AM, Vijay Bharadwaj <
>>> Vijay.Bharadwaj@microsoft.com> wrote:
>>>
>>>>  I doubt anyone uses PBKDF2 with something other than HMAC. In fact SP
>>>> 800-132 explicitly limits it to HMAC. So if you incorporate that limitation
>>>> then maybe SP 800-132 is a better reference.
>>>>
>>>>
>>>>
>>>> *From:* Mark Watson [mailto:watsonm@netflix.com]
>>>> *Sent:* Wednesday, March 5, 2014 9:54 AM
>>>> *To:* public-webcrypto@w3.org
>>>> *Subject:* PBKDF2 questions
>>>>
>>>>
>>>>
>>>> (1) I assume the correct reference is RFC2898
>>>>
>>>> (2) Do we need to support PBKDF2 with pseudo-random functions other
>>>> than HMAC ? Presently the parameters dictionary allows us to specify the
>>>> pseudo-random function, prf, in contrast to HKDF where we are allowed only
>>>> to specify the hash function to be used with HMAC
>>>>
>>>>
>>>>
>>>> Restricting to HMAC is much simpler to specify. If we allow arbitrary
>>>> PRFs, we need to define what properties they must have: support of sign
>>>> operation and import of arbitrary size raw key. These requirements restrict
>>>> us to HMAC anyway (from the existing algorithms).
>>>>
>>>>
>>>>
>>>> Does anyone use PBKDF with a PRF other than HMAC ? What ?
>>>>
>>>>
>>>>
>>>> ...Mark
>>>>
>>>
>>>
>>
>
Received on Wednesday, 5 March 2014 22:02:01 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:21 UTC