XSF Discussion - 2020-05-11

  1. govanify has left
  2. govanify has joined
  3. pdurbin has left
  4. chyna has joined
  5. mukt2 has left
  6. moparisthebest has joined
  7. Neustradamus_ has left
  8. Neustradamus has left
  9. govanify has left
  10. govanify has joined
  11. govanify has left
  12. govanify has joined
  13. emus has left
  14. stpeter has joined
  15. calvin has left
  16. sonny has left
  17. sonny has joined
  18. sonny has left
  19. sonny has joined
  20. moparisthebest has left
  21. govanify has left
  22. govanify has joined
  23. govanify has left
  24. govanify has joined
  25. stpeter has left
  26. govanify has left
  27. govanify has joined
  28. govanify has left
  29. govanify has joined
  30. arc has left
  31. arc has joined
  32. govanify has left
  33. govanify has joined
  34. govanify has left
  35. govanify has joined
  36. govanify has left
  37. govanify has joined
  38. govanify has left
  39. govanify has joined
  40. paul has left
  41. Neustradamus_ has joined
  42. Neustradamus_ has left
  43. Neustradamus_ has joined
  44. govanify has left
  45. govanify has joined
  46. karoshi has left
  47. Neustradamus_ has left
  48. Neustradamus_ has joined
  49. arc has left
  50. arc has joined
  51. sonny has left
  52. sonny has joined
  53. Maranda has left
  54. pdurbin has joined
  55. Maranda has joined
  56. govanify has left
  57. govanify has joined
  58. pdurbin has left
  59. sonny has left
  60. sonny has joined
  61. govanify has left
  62. govanify has joined
  63. dr.json has joined
  64. APach has left
  65. APach has joined
  66. xsf has left
  67. xsf has joined
  68. sonny has left
  69. sonny has joined
  70. dr.json has left
  71. dr.json has joined
  72. govanify has left
  73. govanify has joined
  74. pdurbin has joined
  75. calvin has joined
  76. dr.json has left
  77. stpeter has joined
  78. govanify has left
  79. govanify has joined
  80. bear has left
  81. govanify has left
  82. govanify has joined
  83. arc has left
  84. arc has joined
  85. Zash has left
  86. calvin has left
  87. calvin has joined
  88. calvin has left
  89. calvin has joined
  90. arc has left
  91. arc has joined
  92. stpeter has left
  93. Zash has joined
  94. dr.json has joined
  95. Neustradamus_ has left
  96. sonny has left
  97. sonny has joined
  98. Neustradamus_ has joined
  99. calvin has left
  100. sonny has left
  101. sonny has joined
  102. dr.json has left
  103. arc has left
  104. arc has joined
  105. arc has left
  106. arc has joined
  107. j.r has left
  108. arc has left
  109. arc has joined
  110. arc has left
  111. arc has joined
  112. arc has left
  113. arc has joined
  114. arc has left
  115. arc has joined
  116. gav has left
  117. j.r has joined
  118. waqas has left
  119. bear has joined
  120. andy has joined
  121. govanify has left
  122. govanify has joined
  123. govanify has left
  124. govanify has joined
  125. govanify has left
  126. govanify has joined
  127. Seve has joined
  128. xsf has left
  129. xsf has joined
  130. arc has left
  131. arc has joined
  132. xsf has left
  133. xsf has joined
  134. andrey.g has joined
  135. DebXWoody has joined
  136. Yagiza has joined
  137. xsf has left
  138. xsf has joined
  139. j.r has left
  140. xsf has left
  141. xsf has joined
  142. govanify has left
  143. govanify has joined
  144. mimi89999 has left
  145. mimi89999 has joined
  146. xsf has left
  147. xsf has joined
  148. j.r has joined
  149. DebXWoody has left
  150. lovetox has joined
  151. mukt2 has joined
  152. Tobias has joined
  153. stpeter has joined
  154. larma has left
  155. lovetox has left
  156. Mikaela has joined
  157. larma has joined
  158. lovetox has joined
  159. lorddavidiii has joined
  160. arc has left
  161. arc has joined
  162. paul has joined
  163. arc has left
  164. arc has joined
  165. stpeter has left
  166. Jeybe has joined
  167. gav has joined
  168. j.r has left
  169. sonny has left
  170. sonny has joined
  171. sonny has left
  172. sonny has joined
  173. LNJ has joined
  174. bear has left
  175. mukt2 has left
  176. j.r has joined
  177. govanify has left
  178. govanify has joined
  179. LNJ has left
  180. LNJ has joined
  181. mukt2 has joined
  182. chyna has left
  183. bear has joined
  184. arc has left
  185. arc has joined
  186. chyna has joined
  187. LNJ has left
  188. lovetox has left
  189. mukt2 has left
  190. arc has left
  191. arc has joined
  192. emus has joined
  193. jonas’ has left
  194. jonas’ has joined
  195. jonas’ has left
  196. jonas’ has joined
  197. Maranda Metronome if the internal hashed auth backend is used just stores sha-1/256/384/512 server keys hash variants in the account credentials datastore whenever a password is generated
  198. DebXWoody has joined
  199. stpeter has joined
  200. mukt2 has joined
  201. arc has left
  202. arc has joined
  203. Maranda So it's more if you see DIGEST-MD5 offered to be a symptom that passwords are stored in plain
  204. sonny has left
  205. sonny has joined
  206. krauq has left
  207. krauq has joined
  208. arc has left
  209. arc has joined
  210. arc has left
  211. arc has joined
  212. stpeter has left
  213. arc has left
  214. arc has joined
  215. arc has left
  216. arc has joined
  217. lovetox has joined
  218. adiaholic_ has left
  219. adiaholic_ has joined
  220. goffi has joined
  221. xecks has joined
  222. mukt2 has left
  223. adiaholic_ has left
  224. adiaholic_ has joined
  225. Jeybe has left
  226. Jeybe has joined
  227. Jeybe has left
  228. Jeybe has joined
  229. sonny has left
  230. sonny has joined
  231. sonny has left
  232. sonny has joined
  233. mukt2 has joined
  234. Daniel has left
  235. Daniel has joined
  236. mukt2 has left
  237. nyco has left
  238. mukt2 has joined
  239. dwd has joined
  240. debacle has joined
  241. dwd Just reading back, I'm not actually sure of the reason I made SASL2 use a distinct stream feature. But as I've previously said, anything that makes SASL2 have a namespace bump to urn:xmpp:sasl:2 is fine by me. :-)
  242. dwd Also: https://tools.ietf.org/html/rfc5802#section-6.1 does indeed say that servers MUST tls-unique, and that clients SHOULD. But all normative requirements can be altered by negotiation, meaning that clients implicitly MAY use anything that the server explicitly says it can support.
  243. debacle has left
  244. sonny has left
  245. sonny has joined
  246. sonny has left
  247. sonny has joined
  248. Neustradamus_ Thanks people to look SCRAM-SHA-256 and TLS Binding for -PLUS SCRAM variants.
  249. dwd larma, Final note - we're stuck with -PLUS because that comes from the SASL layer (or quite possibly the GS2 layer).
  250. nyco has joined
  251. dwd Maranda, DIGEST-MD% doesn't need to store a plaintext password, though it does essentially mandate a plaintext equivalent. CRAM-MD5 has to store plaintext passwords, though, unless you do really shady things with partially computed HMACs.
  252. mukt2 has left
  253. lovetox has left
  254. Neustradamus_ If you search more informations: Do not lost this link: https://github.com/scram-xmpp/info/issues/1
  255. rion has left
  256. karoshi has joined
  257. rion has joined
  258. larma dwd: I don't read the SCRAM RFC as if there was no way to work without -PLUS.
  259. paul has left
  260. mukt2 has joined
  261. Dele Olajide has joined
  262. Neustradamus_ Do not forget the RFC 8600: https://tools.ietf.org/html/rfc8600 which it was published 2019-06-21 (soon one year): "When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".
  263. Neustradamus_ Do not forget the RFC 8600: https://tools.ietf.org/html/rfc8600 which has been published 2019-06-21 (soon one year): "When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".
  264. krauq has left
  265. Guus Is there someone in here with administrative powers on tigase.org ?
  266. Neustradamus_ Guus: tigase@muc.tigase.org
  267. Guus Given that I want to discuss connectivity issues, that's not ideal. 🙂
  268. Neustradamus_ I have informed you some days ago ;)
  269. Neustradamus_ I have invited people here
  270. Dele Olajide has left
  271. Guus Thanks
  272. Dele Olajide has joined
  273. larma Neustradamus_: RFC 8600 is not relevant for most XMPP software (especially anything chat related). It merely "defines how to use XMPP for the exchange of security notifications on a controlled-access network among authorized entities"
  274. stpeter has joined
  275. Neustradamus_ Maybe but SCRAM part is important.
  276. Neustradamus_ And it is logic.
  277. debacle has joined
  278. Andrzej has joined
  279. adiaholic_ has left
  280. adiaholic_ has joined
  281. dwd But it's largely a profile of XMPP for a specific purpose - specifically, it doesn't update RFC 6120.
  282. Neustradamus_ Guus: Andrzej from Tigase here
  283. dwd And if it had tried to, I would have shot that one down.
  284. sonny has left
  285. sonny has joined
  286. sonny has left
  287. sonny has joined
  288. larma It also says servers MUST support at least SCRAM or EXTERNAL. Which obviously should not apply to all XMPP usecases.
  289. krauq has joined
  290. Dele Olajide has left
  291. Dele Olajide has joined
  292. mukt2 has left
  293. emus has left
  294. stpeter has left
  295. mukt2 has joined
  296. emus has joined
  297. debacle has left
  298. Neustradamus_ larma: XMPP server softwares do it: - Prosody IM: https://modules.prosody.im/mod_auth_external.html - Metronome IM: https://github.com/maranda/metronome/blob/master/plugins/mod_auth_external.lua - ejabberd: https://github.com/processone/ejabberd/blob/master/src/ejabberd_auth_external.erl - Mongoose IM: https://github.com/esl/MongooseIM/tree/master/src/auth
  299. larma Neustradamus_: that doesn't make RFC8600 relevant in this context
  300. reedhhw has joined
  301. sonny has left
  302. sonny has joined
  303. sonny has left
  304. sonny has joined
  305. reedhhw has left
  306. larma Nobody is saying implementing SCRAM-SHA-256/-512 is a bad idea. But that doesn't mean it necessarily has the priority you are suggesting everywhere.
  307. reedhhw has joined
  308. larma I bet that if you do a pull request to any software that doesn't implement it yet, it would be accepted. But you can't blame developers for not giving it the priority you'd like.
  309. Steve Kille has left
  310. Neustradamus_ larma: the point is have the good order from best to worst SCRAM and RFC 8600 (stpeter is an author): "When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".
  311. Neustradamus_ It is not SCRAM-SHA-256 = SCRAM-SHA-1 or SCRAM-SHA-1 is preferred to SCRAM-SHA-256...
  312. Neustradamus_ We can understand: SCRAM-SHA-256-PLUS > SCRAM-SHA-256 > SCRAM-SHA-1-PLUS > SCRAM-SHA-1
  313. Steve Kille has joined
  314. Neustradamus_ It is like DIGEST-MD5 > CRAM-MD5
  315. Neustradamus_ Of course if the XMPP server supports, we can see in XMPP clients: - if only SCRAM-SHA-1 it is easy - if only SCRAM-SHA-256 it is easy - if SCRAM-SHA-1-PLUS and SCRAM-SHA-1 // SCRAM-SHA-1-PLUS > SCRAM-SHA-1 - if SCRAM-SHA-256 and SCRAM-SHA-1 // SCRAM-SHA-256 > SCRAM-SHA-1 - if SCRAM-SHA-256-PLUS, SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1 // SCRAM-SHA-256-PLUS > SCRAM-SHA-256 > SCRAM-SHA-1-PLUS > SCRAM-SHA-1 - if SCRAM-SHA-256-PLUS, SCRAM-SHA-1-PLUS // SCRAM-SHA-256-PLUS > SCRAM-SHA-1-PLUS
  316. Neustradamus_ Of course if the XMPP server supports, we can see in XMPP clients: - if only SCRAM-SHA-1 it is easy - if SCRAM-SHA-1-PLUS and SCRAM-SHA-1 // SCRAM-SHA-1-PLUS > SCRAM-SHA-1 - if only SCRAM-SHA-256 it is easy - if SCRAM-SHA-256-PLUS and SCRAM-SHA-256 // SCRAM-SHA-256-PLUS > SCRAM-SHA-256 - if SCRAM-SHA-256 and SCRAM-SHA-1 // SCRAM-SHA-256 > SCRAM-SHA-1 - if SCRAM-SHA-256-PLUS, SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1 // SCRAM-SHA-256-PLUS > SCRAM-SHA-256 > SCRAM-SHA-1-PLUS > SCRAM-SHA-1 - if SCRAM-SHA-256-PLUS, SCRAM-SHA-1-PLUS // SCRAM-SHA-256-PLUS > SCRAM-SHA-1-PLUS
  317. Maranda dwd: I didn't say it does, I said that "in Metronome it does"
  318. dwd Maranda, Ah, gotcha.
  319. debacle has joined
  320. Maranda The only auth backend that does provide DIGEST-MD5 is the internal plain one
  321. paul has joined
  322. adiaholic_ has left
  323. adiaholic_ has joined
  324. lovetox has joined
  325. xsf has left
  326. Neustradamus_ has left
  327. Neustradamus_ has joined
  328. lskdjf has joined
  329. larma Neustradamus_, I think it's clear to everyone that IF both server and client support both SHA-1 and SHA-256, SHA-256 should be preferred. And that IF both server and client support -PLUS, -PLUS should be preferred. You apparently left out the small sidecase where SCRAM-SHA-1-PLUS and SCRAM-SHA-256 are supported, because it's not obvious what is to be preferred then (IMO it's -PLUS).
  330. jonas’ (agreed on -PLUS over SHA2)
  331. larma However the default today is a) servers typically don't offer SHA-256 because the password is hashed with SHA-1 in database, making it impossible to offer SHA-256. There is no proper upgrade path from SHA-1 to SHA-256. b) clients don't offer SHA-256 because servers typically don't and it's not worth the effort to implement it for the very few cases where servers do. Because basically in all cases one can just fallback to PLAIN anyway without significant loss in security (if users follow best practices for passwords)
  332. jonas’ in my arrogant developer opinion, if implementing SHA-256 is hard after you have the SHA-1 variant implemented, you are in dire need of refactoring.
  333. larma jonas’, that is indeed true 😉
  334. larma but it needs to be tested, which is already hard enough given there are so few servers in practice supporting it 😉
  335. jonas’ I’m a believer in test-driven development, and if my SHA-1 implementation passes the test vectors, I’m confident enough that the SHA-256 variant will work flawlessly.
  336. larma IMO there is also a design fail in how we login that I have to present the mechanisms *before* knowing the login name.
  337. larma Was that tackled by sasl2?
  338. jonas’ larma, presenting the mechanisms afterwards would be a security problem
  339. jonas’ you could test user existence then
  340. larma as if that wasn't possible already through various ways...
  341. larma also servers could answer with fake mechanisms if user doesn't exist...
  342. sonny has left
  343. sonny has joined
  344. jonas’ larma, the fake mechanisms would still look different than some user’s real mechanisms
  345. sonny has left
  346. sonny has joined
  347. jonas’ and AFAIK user enumeration is a problem we generally avoid *by default* if possible.
  348. larma server could send the mechanisms that are send to the largest amount of users on the server. Than it's still possible to detect some users, but not all.
  349. jonas’ yeah, and expensive to figure that out.
  350. larma However the advantage is huge as that would allow an upgrade path for the hash algorithm
  351. jonas’ could do that with SASL2 already, though it requires offering *only* the old mechanism until all accounts have been upgraded.
  352. larma even in that case you have to store both password hashes for the time until all accounts upgraded. If it was per user, you could just do it per user. You could even decide server-side based on the clients that connected previously if you want to upgrade a user or not.
  353. jonas’ yes, but that’s not feasible unless you want to allow user enumeration.
  354. jonas’ yes, but that’s not feasible unless you want to allow user probing.
  355. jonas’ which RFC 6120 and RFC 6121 go a long way to avoid.
  356. jonas’ nevermind that vcard-temp and possibly other things allow it if the user explicitly published some data
  357. larma IMO, user enumeration is when I can get a list of users, not when I can try out every possible JID.
  358. jonas’ but the default is that you can’t enumerate accounts.
  359. jonas’ larma, that’s why I /correct’d my message.
  360. larma right.
  361. jonas’ s/enumerate/probe/
  362. larma well there are a ton of XEPs where you can probe users
  363. jonas’ but only after the users did sometihng to allow that
  364. larma not even sure if it's not possible by RFC, but certainly by CS2020
  365. larma PEP for example makes users probe-able
  366. jonas’ I’m aware of that
  367. jonas’ but it shouldn’t be the default.
  368. jonas’ (and it isn’t)
  369. larma that you have PEP?
  370. jonas’ that you have a PEP node which is world-readable
  371. larma you don't need that
  372. jonas’ you don’t?
  373. larma even if it's not readable, you get different errors
  374. jonas’ that’s a bug then
  375. jonas’ either in the standard or in the implementations
  376. larma also pubsub nodes MUST be disco-able
  377. jonas’ I’m fairly certain that you can always return <forbidden/> if you don’t want to let someone read nodes
  378. larma jonas’, you could but it wouldn't be XEP-compliant. Also that doesn't solve the pubsub must be disco-able. If it wasn't you couldn't have world-readable PEP nodes.
  379. jonas’ larma, then the XEP needs to be fixed
  380. jonas’ but I’m sitll fairly certain that you can do that without having to fix the XEP
  381. jonas’ ah, maybe only returning the items you can actually see would suffice already
  382. karoshi has left
  383. jonas’ my point is: those are issues which can and need to be fixed
  384. karoshi has joined
  385. jonas’ that they exist is no reason to open more issues.
  386. larma but if a user doesn't exist it also doesn't have a pep service on it's jid
  387. jonas’ larma, servers could easily pretend that
  388. jonas’ larma, servers could easily pretend that there is an empty pep service.
  389. larma I think it's just plain ignorant to claim that users are not probe-able and thus we should design protocols such that this remains true.
  390. jonas’ that’s a valid opinion. I disagree.
  391. Nekit has left
  392. Nekit has joined
  393. larma Do you think it's likely we'll ever reach the state where user probing is not possible?
  394. jonas’ yes
  395. pdurbin has left
  396. nyco has left
  397. nyco has joined
  398. larma ok, so how would you like to do the upgrade then?
  399. jonas’ as I wrote above
  400. jonas’ you’ll have to wait for all accounts to be upgraded
  401. jonas’ typically that’s done with a deadline after which users have to use a password reset facility to regain access
  402. jonas’ or their account is deleted
  403. Neustradamus_ It is possible to have SCRAM-SHA-256(-PLUS) and SCRAM-SHA-1(-PLUS) enabled on an XMPP server but some users with only SCRAM-SHA-1 passwords (if originally not in PLAIN). If the user change of password, SCRAM-SHA-1 and SCRAM-SHA-256 will be here.
  404. Holger Users love changing passwords for random reasons.
  405. larma Neustradamus_, upgrade only makes sense when we don't support SHA-1 afterwards (or at least that's when it really makes a difference)
  406. Neustradamus_ Currently: Jackal XMPP server, Metronome IM, Mongoose IM master (soon a release), Prosody 0.12-dev, Tigase are already good.
  407. Holger We should just switch *TODAY*.
  408. Zash Flag day?
  409. Holger (kk I'll get coffee and quite trolling.)
  410. Holger quit
  411. Daniel This will instantly make xmpp 256 times more secure
  412. larma Neustradamus_, they all store passwords in both sha1 and sha256? doubt that... They probably support sha1 and sha256 when password is stored in plaintext
  413. Zash I'll get right to work hacking into every existing deployment and invalidating all credentials!
  414. jonas’ Zash, easy!
  415. jonas’ just publish mod_av which claims to enable A/V support immediately
  416. Zash larma, correct in the case of Prosody 0.12. Hashed credentials are stored in one or the other and can't be changed afterwards.
  417. stpeter has joined
  418. larma Zash, which means *proper* setups have no upgrade path to sha-256, which is exactly what I'd like to tackle somehow before we blame everyone for not implementing things that can't be upgraded on anyway
  419. Zash There's no upgrade path anyways
  420. larma There could be, we just don't have one yet.
  421. larma even if the upgrade only happens when you do your next password change, that's an upgrade path
  422. larma or it happens when you next sign in with a device that does PLAIN
  423. larma (which happens as soon as a client only supports PLAIN and SHA-256 and your server is still on SHA-1)
  424. larma however the upgrade path requires a way for the server to signal that they currently don't have the sha256 hash and thus can't use SCRAM-SHA-256
  425. larma and this should be per user.
  426. jonas’ which is indistinguishable from a downgrade attack, by the way.
  427. Zash this
  428. larma a downgrade attack through an authenticated channel?
  429. Zash If I somehow steal your cert+privkey and get your clients to connect to me and I only offer PLAIN, I can steal their passwords.
  430. larma only if they have the passwod in cleartext, which they shouldn't if your server supported scram
  431. larma I was talking about a newly connecting client, and that would be fooled by such attack anyways
  432. jonas’ FTR, we do have: https://tools.ietf.org/html/rfc6120#section-6.5.9
  433. larma also when I can get you to connect to me without -PLUS I can already steal all your messages from MAM which is probably worth way more than the password...
  434. jonas’ given that the initial data in SCRAM is enough to identify the user, servers could reply with mechanism-too-weak on a migrated account
  435. jonas’ not sure what to do with a non-migrated account though
  436. Zash Is there an "upgrade required"?
  437. larma jonas’, but then I can probe users again
  438. jonas’ larma, yes
  439. larma also mechanism-too-weak will probably fail on clients
  440. jonas’ can I swing my "arrogant developer hammer" again? ;)
  441. larma assuming clients exist that only do plain and sha-1 and server supports plain,sha-1 and sha-256 in general, but for a specific account only plain+sha-256 (because account was upgraded), the client should try sha-1 and then would get <mechanism-too-weak/> which shouldn't be interpreted as "try plain instead"
  442. stpeter has left
  443. larma = in this upgrade path a proper client would stop working for no good reason.
  444. mukt2 has left
  445. mukt2 has joined
  446. Neustradamus_ larma: if an XMPP client has only SCRAM-SHA-1 and server has PLAIN and SCRAM-SHA-256, it fails.
  447. Maranda has left
  448. Maranda has joined
  449. Neustradamus_ Note that an XMPP client can have in settings : force PLAIN password, ...
  450. Neustradamus_ Screenshots: - https://i.ibb.co/RzgYTRS/psi-plus-allow-plaintext-authentication.png - https://i.ibb.co/n3vxnyT/psi-plus-encrypt-connection.png
  451. Neustradamus_ Gajim via nbxmpp has SCRAM-SHA-256(-PLUS) and SCRAM-SHA-1(-PLUS) https://dev.gajim.org/gajim/python-nbxmpp/commit/f2a203387891455c052d44f8b1ceae711773cb81
  452. Neustradamus_ lovetox: ^
  453. sonny has left
  454. sonny has joined
  455. sonny has left
  456. sonny has joined
  457. mukt2 has left
  458. larma Neustradamus_, I think you are missing the point here really. There is no client that does not support PLAIN. And it's unlikely there ever will be.
  459. mukt2 has joined
  460. calvin has joined
  461. LNJ has joined
  462. Dele Olajide has left
  463. mukt2 has left
  464. calvin has left
  465. eta has left
  466. eta has joined
  467. mukt2 has joined
  468. Ge0rG has left
  469. Maranda > Neustradamus_, they all store passwords in both sha1 and sha256? doubt that... They probably support sha1 and sha256 when password is stored in plaintext Why not that's what I exactly do
  470. Maranda > Neustradamus_, they all store passwords in both sha1 and sha256? doubt that... They probably support sha1 and sha256 when password is stored in plaintext Why not that's what I exactly do larma
  471. Ge0rG has joined
  472. Neustradamus_ Maranda: How it is done with Metronome and your XMPP server?
  473. Maranda I just said that I generate server keys for each hashing algorythm I support for SCRAM
  474. larma Maranda, but then you don't have the advantage of the more secure hashing algorithm to protect password from cracking (if password database is leaked). Because I can just attack the hash with the lowest security (sha-1)
  475. moparisthebest has joined
  476. larma which kind of is the point of using sha-256 over sha-1
  477. Maranda And then most bussness infrastructures out there do still have the requirement to have at least reversible encrypted passwords, so the whole argument is kind of "a good purpose" one but again all it matters is safety and trust of the who deals with 'em.
  478. Zash Could someone find a cryptomath wizard and ask them to calculate the ratio of securityness between sha-256 and sha-1
  479. Zash ... and then we just increase the minimum iteration count by that ratio!!!
  480. Zash bam, sha1 forever
  481. pdurbin has joined
  482. larma .... that's not how this works...
  483. Maranda larma: i'd ditch all other mechanisms for scram-sha-512-plus already just get all clients to support that and channel binding and we have a deal
  484. larma Maranda, sounds like a great plan, except it doesn't work because legacy clients will always be around.
  485. Maranda larma: oh really? 😘
  486. larma 😉
  487. Zash (and scram-sha-512-plus is undefined and doesn't exist)
  488. larma can we do scram-argon2d-plus please?
  489. Zash sure
  490. larma *Argon2id
  491. Zash I the SCRAM construct doesn't depend that much on PBKDF2
  492. Zash The SCRAM construct doesn't depend that much on PBKDF2
  493. Zash any ƒ(password, salt, iterations) → blob would do in theory
  494. Zash Gets weird if it takes other parameters than those tho
  495. larma well, it already does that
  496. larma SCRAM-SHA-256 has ƒ(password, salt, iterations) = sha2(32, password, salt, iterations)
  497. Zash You mean PBKDF2(hmac-sha-256, ..., output size)
  498. karoshi has left
  499. karoshi has joined
  500. Zash Hi() is a special case of PBKDF2 with some predefined parameters
  501. larma whatever 😉 sha-256 already is sha-2 + 32 byte. So any SCRAM-ARGON-X could do the same
  502. sonny has left
  503. sonny has joined
  504. sonny has left
  505. sonny has joined
  506. larma but probably not gonna happen soonish anyway 🙁
  507. larma probably never
  508. Zash Not with that attitude :P
  509. larma would be too good if we weren't discussing upgrading to something that's already outdated...
  510. Zash SHA-2 isn't outdated?
  511. larma there is SHA-3, so by definition SHA-2 is outdated
  512. Zash SHA-2 isn't broken yet afaik
  513. larma yeah, wasn't saying broken
  514. larma sha-1 also isn't broken for our usage
  515. Zash I thought the point of picking a SHA-3 was to have something in case the very foundational concepts that SHA-2 (and SHA-1) are built on were broken, and that's not happen yet
  516. Zash Yeah, so why the push to SHA-2?
  517. Zash We gain nothing but pain atm
  518. larma It's not me who is pushing 😉
  519. larma I am just pushing for an upgrade path, so we can handle it should it become necessary
  520. larma plan the upgrade now so it can happen in 10 years or so
  521. larma don't do another 12-byte IV 😀
  522. Zash Invent a better SCRAM, one that can tell the client in a secure manner "yo, you gonna need to reset your password for security upgrade reasons"
  523. jonas’ Zash, you can do that with SASL2 after successfully authenticating with SCRAM first
  524. Zash Sure
  525. stpeter has joined
  526. Neustradamus_ SCRAM SHA-3 is planned yes
  527. larma And SCRAM Argon2id?
  528. pdurbin has left
  529. calvin has joined
  530. Zash It's tricky since you don't know at the time when you're offering mechanisms whether the user supports them.
  531. !XSF_Martin has left
  532. !XSF_Martin has joined
  533. jonas’ we’ve been at this point two hours ago
  534. Zash :)
  535. Zash And weeks/months ago.
  536. larma maybe we should have clients propose mechanism to the server not the other way round
  537. Zash I'm just copying from a script actually :P
  538. jonas’ larma, and then what? you can still probe by looking at the mechanisms accepted for $randomUUID vs. $guessedUsername
  539. larma it adds complexity to the attack
  540. jonas’ not much though
  541. Maranda Oh heaven so this is about brute forcing SCRAM?
  542. larma maybe we need a stateful authentication protocol and abandon passwords after first login
  543. jonas’ Maranda, no
  544. jonas’ larma, like the thing dave wrote?
  545. Maranda And/or possibility of
  546. jonas’ also, I’m all for it
  547. jonas’ Maranda, no
  548. Maranda jonas’: better
  549. Jeybe has left
  550. Maranda has a log tail which could have been more interesting in that case 👨‍💻
  551. larma jonas’, not sure about the exact protocol, but yeah something that gives you a per-client token that can be stored by the client and also can be revoked if necessary.
  552. Zash OAuth?
  553. larma Alternatively we could only announce PLAIN in mechanisms, than get told the mechanisms supported by server *after* succesful login and be able to use SCRAM-* on later logins, ignoring that only PLAIN is announced.
  554. Zash What was that combined auth and stream resumption token spec called?
  555. Zash larma, haha
  556. larma Zash, 397?
  557. Zash That's the one
  558. jonas’ https://tools.ietf.org/html/draft-cridland-kitten-clientkey-00 that’s the one I meant
  559. andrey.g has left
  561. Zash Bring back https://xmpp.org/extensions/xep-0078.html !!!!11! /s
  562. larma Zash, IIRC in OAuth the client has to register a-priori with the service to receive the client-key, no?
  563. Zash It Depends!
  564. larma which is also why OAuth for email got no traction. email clients only support Google and Microsoft for OAuth
  565. Zash If you use deprecated parts of OAuth you can get a token using a password.
  566. larma Ah, right. But that's not how it's supposed to be.
  567. larma Because you can't make use of service specific login pages that do 2fa and alike then.
  568. stpeter has left
  569. Zash If you're going to use OAuth "as it's supposed to be" then you can't have nice things, only browser and web services.
  570. larma well non-browser clients can open a web browser to authenticate than callback to the client
  571. larma that's how thunderbird does googlemail
  572. Zash from another part of my script, I say "if I have to open a browser then I hate it"
  573. larma that's ok, you can still do PLAIN
  574. larma with a single-use password you somehow retrieved from your service
  575. larma (probably using a browser)
  576. Dele Olajide has joined
  577. robertooo has left
  578. robertooo has joined
  579. govanify has left
  580. govanify has joined
  581. govanify has left
  582. govanify has joined
  583. adiaholic_ has left
  584. adiaholic_ has joined
  585. andrey.g has joined
  586. waqas has joined
  587. dwd XEP-0397 is CLIENTKEY, but the SASL bits live in the I-D. The other thing you could do is XEP-0257 (or similar).
  588. emus has left
  589. emus has joined
  590. larma dwd, xep-0397 doesn't have the counter part built-in. And it's also not asking for TOTP (which probably shouldn't have been in clientkey anyway)
  591. dwd Oh, wait. Wrong XEP.
  592. larma oh, and xep-0397 also doesn't have expiry
  593. dwd XEP-0399.
  594. larma I kind of wonder why all the TOTP is part of those XEPs
  595. larma seems kind of arbitrary to put it in there, as it could be completely ignored
  596. larma I see it makes things easier if TOTP is required, but it also works and makes sense without TOTP
  597. andy has left
  598. larma but in general, I'd rather see 399 being pushed than SCRAM-SHA-256
  599. dwd For '399? That was the driving factor for Surevine, as it happens.
  600. larma I mean TOTP is obviously non-normative in '399, so I am fine with that, but I'd probably want to get rid of that before moving it to draft.
  601. dwd So we had a requirement from the market for second-factor, based on TOTP. So we had SASL2+TOTP (in Openfire, code public), but it was a browser-based client, so we needed to avoid forcing the user to re-enter TOTP every time they refreshed, hence '399.
  602. larma Also CLIENT-KEY and CLIENT-KEY-PLUS would need to be IANA registered first, right?
  603. dwd The '399 code is also public, but it's an earlier design.
  604. larma dwd, yeah I guessed that TOTP was the driving force here 😉
  605. dwd larma, Sorta. Eventually. But they're in I-D form now.
  606. dwd larma, But I wouldn't remove 2FA entirely from '399 - while CLIENTKEY isn't dependent on it, it feels important that a client shouldn't ordinarily get a TOTP challenge when using CLIENTKEY, since the client installation has become the second factor, sort of.
  607. larma Yes, I am fine with mentioning that, basically the 4th sentence in §2.
  608. larma Also probably the other way round, mention it in 400, no?
  609. larma *mention '399 in '400
  610. karoshi has left
  611. karoshi has joined
  612. Yagiza has left
  613. andy has joined
  614. paul has left
  615. Zash has left
  616. Zash has joined
  617. sonny has left
  618. sonny has joined
  619. sonny has left
  620. sonny has joined
  621. Zash has left
  622. Zash has joined
  623. APach has left
  624. APach has joined
  625. mukt2 has left
  626. gav has left
  627. Mikaela has left
  628. pdurbin has joined
  629. govanify has left
  630. mukt2 has joined
  631. govanify has joined
  632. pdurbin has left
  633. debacle has left
  634. debacle has joined
  635. stpeter has joined
  636. eta has left
  637. eta has joined
  638. andy has left
  639. sonny has left
  640. sonny has joined
  641. sonny has left
  642. sonny has joined
  643. mukt2 has left
  644. mukt2 has joined
  645. andy has joined
  646. Yagiza has joined
  647. Dele Olajide has left
  648. andy has left
  649. arc has left
  650. arc has joined
  651. arc has left
  652. arc has joined
  653. arc has left
  654. arc has joined
  655. andy has joined
  656. Wojtek has joined
  657. Jeybe has joined
  658. mukt2 has left
  659. mukt2 has joined
  660. karoshi has left
  661. karoshi has joined
  662. paul has joined
  663. xsf has joined
  664. werdan has joined
  665. Jeybe has left
  666. Jeybe has joined
  667. sonny has left
  668. sonny has joined
  669. sonny has left
  670. sonny has joined
  671. Wojtek has left
  672. Wojtek has joined
  673. Nekit has left
  674. Nekit has joined
  675. Jeybe has left
  676. Jeybe has joined
  677. Wojtek has left
  678. Wojtek has joined
  679. nyco has left
  680. nyco has joined
  681. arc has left
  682. arc has joined
  683. krauq has left
  684. krauq has joined
  685. Steve Kille has left
  686. Nekit has left
  687. Steve Kille has joined
  688. rion has left
  689. rion has joined
  690. krauq has left
  691. krauq has joined
  692. Nekit has joined
  693. karoshi has left
  694. karoshi has joined
  695. Mikaela has joined
  696. mukt2 has left
  697. debacle has left
  698. mukt2 has joined
  699. adiaholic_ has left
  700. adiaholic_ has joined
  701. Nekit has left
  702. pdurbin has joined
  703. Yagiza has left
  704. pdurbin has left
  705. karoshi has left
  706. karoshi has joined
  707. mukt2 has left
  708. mukt2 has joined
  709. sonny has left
  710. sonny has joined
  711. sonny has left
  712. sonny has joined
  713. mukt2 has left
  714. mukt2 has joined
  715. nyco has left
  716. karoshi has left
  717. karoshi has joined
  718. govanify has left
  719. govanify has joined
  720. sonny has left
  721. sonny has joined
  722. govanify has left
  723. Bezi has joined
  724. govanify has joined
  725. debacle has joined
  726. debacle has left
  727. debacle has joined
  728. nyco has joined
  729. Nekit has joined
  730. Dele Olajide has joined
  731. Dele Olajide has left
  732. adiaholic_ has left
  733. adiaholic_ has joined
  734. govanify has left
  735. govanify has joined
  736. karoshi has left
  737. Seve has left
  738. Vaulor has left
  739. Vaulor has joined
  740. Seve has joined
  741. Andrzej has left
  742. karoshi has joined
  743. eta has left
  744. eta has joined
  745. lorddavidiii has left
  746. nyco has left
  747. xsf has left
  748. xsf has joined
  749. nyco has joined
  750. pdurbin has joined
  751. nyco has left
  752. DebXWoody has left
  753. mukt2 has left
  754. mukt2 has joined
  755. pdurbin has left
  756. arc has left
  757. arc has joined
  758. nyco has joined
  759. adiaholic_ has left
  760. adiaholic_ has joined
  761. mukt2 has left
  762. arc has left
  763. mukt2 has joined
  764. arc has joined
  765. Tobias has left
  766. Mikaela has left
  767. Daniel has left
  768. werdan has left
  769. Daniel has joined
  770. goffi has left
  771. rion has left
  772. goffi has joined
  773. goffi has left
  774. Daniel has left
  775. Daniel has joined
  776. karoshi has left
  777. karoshi has joined
  778. Mikaela has joined
  779. wurstsalat has left
  780. Mikaela has left
  781. Mikaela has joined
  782. paul has left
  783. paul has joined
  784. wurstsalat has joined
  785. mukt2 has left
  786. mukt2 has joined
  787. robertooo has left
  788. robertooo has joined
  789. calvin has left
  790. lorddavidiii has joined
  791. eta has left
  792. eta has joined
  793. Jeybe has left
  794. Jeybe has joined
  795. Daniel has left
  796. arc has left
  797. arc has joined
  798. Daniel has joined
  799. Mikaela has left
  800. arc has left
  801. arc has joined
  802. LNJ has left
  803. lorddavidiii has left
  804. pdurbin has joined
  805. sonny has left
  806. sonny has joined
  807. sonny has left
  808. sonny has joined
  809. Jeybe has left
  810. Jeybe has joined
  811. mimi89999 has left
  812. mimi89999 has joined
  813. moparisthebest has left
  814. moparisthebest has joined
  815. Jeybe has left
  816. pdurbin has left
  817. mukt2 has left
  818. andy has left
  819. mukt2 has joined
  820. Wojtek has left
  821. Wojtek has joined
  822. Wojtek has left
  823. robertooo has left
  824. karoshi has left
  825. karoshi has joined
  826. arc has left
  827. arc has joined
  828. Daniel has left
  829. Nekit has left
  830. Daniel has joined
  831. arc has left
  832. arc has joined
  833. Wojtek has joined
  834. Wojtek has left
  835. debacle has left
  836. sonny has left
  837. sonny has joined
  838. sonny has left
  839. sonny has joined
  840. rion has joined
  841. emus has left
  842. Wojtek has joined
  843. Wojtek has left
  844. Wojtek has joined
  845. Wojtek has left
  846. stpeter has left
  847. lskdjf has left
  848. mukt2 has left
  849. lskdjf has joined
  850. Seve has left
  851. mukt2 has joined
  852. bear has left
  853. Wojtek has joined
  854. mimi89999 has left
  855. mimi89999 has joined
  856. waqas has left
  857. stpeter has joined
  858. mimi89999 has left
  859. mimi89999 has joined
  860. calvin has joined
  861. arc has left
  862. arc has joined