W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2010

[whatwg] meta="encrypt" tag is needed

From: Mikko Rantalainen <mikko.rantalainen@peda.net>
Date: Tue, 11 May 2010 17:00:02 +0300
Message-ID: <4BE962E2.90103@peda.net>
Juuso Hukkanen wrote:
> Mikko Rantalainen wrote:
>> Are you trying to suggest an user agent implementation of something
>> similar to this: http://angel.net/~nic/passwdlet.html ?
> Thanks Mikko for linking to those passsalt generator tools.

In truth, I was asking to figure out if that's what you're aiming for.
If I've understood correctly, this is the feature that you think should
be implemented.

I'm afraid that such system would not be safe and would not give all the
protection you're looking for.

Basically if you have a function

f(x) = sha256(domain + userpassword)

in reality you just have a SHA256 of userpassword with a custom IV
(initialization vector). A more secure hashing method would be along the
lines

f2(x) = sha256(sha256(userpassword) + domain)

where the output of sha256 is hex in ascii and "+" is string
concatenating operator. This would effectively prevent use of rainbow
tables contrary to f(x) above.

However, it wouldn't still be safe to use the same password for multiple
sites because the attack could be implemented offline against the salted
hash. If one has possession of database of salted hashes, figuring out a
single password is roughly equivalent processing to figuring out
(almost) all of the passwords. The complexity of processing is only
dependent on the length and complexity of user's password (and if it's
something in a dictionary, it's way too simple here).

Notice that the salting method described and implemented in URL above is
safe only if it's not too widely used, or if the master password is
complex enough for offline brute force attack. As such, it's not
suitable for common implementation in user agents. Notice that it does
not matter if the hash algorithm is md5 or sha1 or whatever. The problem
is that the user's master password is the only secret and that's almost
always too weak secret for brute force offline attack.

> PASSSALT:
> ^^^^^^^^^^
> Attributes:
> <meta encrypt <=> Identification tag for html 5.01 content for 5.01
> conforming UAs

If something like this will be ever implemented, it should definitely be
a form input specific attribute, not a single meta element for the whole
page.


> passsalt="no|domainname"
> ^^^^^^^^^^^^^^^^^^^^^^^
> 1) no <=> UAs should send passwords unsalted (e.g. for the sake of
> compatibility)
> 
> 2) yes <=> (default value, 5.01 conforming UAs will salt passwords using
> domain name)
> 
> 3) domainname <=> domain(+TLD), if site wants hashes salted using it's
> current or some another domain name

How about just a simple extension to input type=password field instead?
Let's add a new attribute 'salt' with the following definition:

If 'salt' is defined for input element of type 'password', it will be
used as a string "domain" in the f2() function above. The output of that
function will be transferred as form data instead of real password.

This has all the security of your proposed scheme (because there's no
safety against MitM attack, there's no point to try to include any
external information into the hash -- including the domain name). The
server may use domain name as the salt or any random string it prefers.
If server uses the same salt every time, it does not ever need to know
the actual password. On the other hand, using the same salt makes the
database more vulnerable to offline attack if the database is ever leaked.

However, the server must be coded to accept BOTH salted password and
plain text password to support existing user agents.

It could be specified that entire ascii/UTF-8 (identical) hex encoded
sha256 output must be used as the form value. The length of inputted
password would then be a pretty good indicator of salted and hashed
password.


> Why passsalt in html5.xx specification
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 1) multi-use of same passwords is a growing security problem. A
> successfull stealing single sites unencrypted real person names +
> passwords can lead to thousands of ID theft cases.

It is not safe to use the same password on multiple sites, hashed or
not. The only safe method is to use random password for every site and
use (real, not obfuscated) encrypted local storage for real passwords.

I do understand that the secure scheme is hard to implement if you're
using multiple devices to access the service. In addition, it's not
usable or safe on untrusted devices (but neither is any other scheme).

Allowing a scheme suggested here would allow something slightly better
than the current situation but it should be said plain and clear in the
spec that this is not a replacement for real security.

> 2) Voluntary salting of passwords has failed even on reputable sites.

The server must have knowledge of real password to use powerful salt
(that is, the salt is not shared)

> 3) Forcing the passwords salted is one solution. But the UA needs to
> know if it should send password salted or unsalted. Situation where one
> UA would send salted password and another unsalted is unacceptable

Why do you think so? If the server knows only salted version and gets
unsalted version, it will be able to check that the password is the
correct one. It's only a issue for the user of such user agent (the user
agent just transferred the password in plain text).

>> You referred to "alypaa.com" case in your original post. Could you
>> explain why do you think this would prevent from similar information
>> leak in the future?
> 
> 1) Site had stored the it's email addresses and passwords in unsalted
> format.
> And as often is the case, same password had been multi-used on many sites.
> If the alypaa.com had only gotten salted passwords from UA, it could not
> have
> leaked out the passwords to peoples email, blog and facebook accounts.

The alypaa.com would have still leaked a database of hashed passwords.
If every password uses the same salt, it does not make offline attack
much harder if attacker accepts any broken password from database (as
opposed to some specific password).

-- 
Mikko

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100511/313591e9/attachment.pgp>
Received on Tuesday, 11 May 2010 07:00:02 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:23 UTC