Adding Support for Salted Password Databases to EAP-pwd
draft-harkins-salted-eap-pwd-08

Document history

Date Rev. By Action
2017-04-19
08 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2017-03-31
08 (System) RFC Editor state changed to AUTH48 from EDIT
2017-03-02
08 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2017-03-01
08 (System) IANA Action state changed to Waiting on RFC Editor from Waiting on Authors
2017-02-27
08 (System) IANA Action state changed to Waiting on Authors
2017-02-24
08 (System) RFC Editor state changed to EDIT
2017-02-24
08 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2017-02-24
08 (System) Announcement was received by RFC Editor
2017-02-23
08 Cindy Morgan IESG state changed to Approved-announcement sent from Approved-announcement to be sent::AD Followup
2017-02-23
08 Cindy Morgan IESG has approved the document
2017-02-23
08 Cindy Morgan Closed "Approve" ballot
2017-02-23
08 Cindy Morgan Ballot approval text was generated
2016-11-23
08 (System) Sub state has been changed to AD Followup from Revised ID Needed
2016-11-23
08 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2016-11-23
08 Dan Harkins New version available: draft-harkins-salted-eap-pwd-08.txt
2016-11-23
08 (System) New version approved
2016-11-23
08 (System) Request for posting confirmation emailed to previous authors: "Dan Harkins"
2016-11-23
08 Dan Harkins Uploaded new revision
2016-11-10
07 Tero Kivinen Closed request for Telechat review by SECDIR with state 'No Response'
2016-11-03
07 Cindy Morgan IESG state changed to Approved-announcement to be sent::Revised I-D Needed from IESG Evaluation
2016-11-03
07 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko
2016-11-02
07 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2016-11-02
07 Alia Atlas [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas
2016-11-02
07 Ben Campbell [Ballot comment]
The abbreviated title on the top of pages after the first is "Abbreviated Title " :-)
2016-11-02
07 Ben Campbell [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell
2016-11-02
07 (System) IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed
2016-11-02
07 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2016-11-02
07 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2016-11-02
07 Suresh Krishnan [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan
2016-11-01
07 Terry Manderson [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson
2016-11-01
07 Stephen Farrell
[Ballot comment]

Thanks for the secdir discussion - it was thorough and led
to good changes being made. (It took me longer to read that
thread than the document:-)

I do think that some of the text doesn't flow as well as a
result of all those edits though, maybe a pass to improve
that would be good. (Though it is clear enough now for
implementers I think.)

Figure 1 means that implementing this requires changes to the
innards of your EAP-PWD implementation. It might be nice to a
random implementer (if there are some) to provide that hint
by saying this updates 7664.

I like Mirja's suggestion - that RECOMMENDED is a bit buried
right now. (Even if the main concern here is not new DB
records.) I'd also note that it's possible to switch to a new
alg on a per-record and not per-DB basis, if one's
implementation allows, so you could also encourage that.
(Well, unless EAP-PWD prevents it somehow but I'd be
surprised if it did.)
2016-11-01
07 Stephen Farrell [Ballot Position Update] New position, No Objection, has been recorded for Stephen Farrell
2016-11-01
07 Alexey Melnikov [Ballot Position Update] New position, No Objection, has been recorded for Alexey Melnikov
2016-11-01
07 Alissa Cooper [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper
2016-10-31
07 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2016-10-30
07 Mirja Kühlewind
[Ballot comment]
Maybe put the following warning also more clearly at the beginning of the doc or even in the abstract:
"Plain salting techniques are included for support of existing
  databases. scrypt and PBKDF2 techniques are RECOMMENDED for new
  password database deployments."
2016-10-30
07 Mirja Kühlewind [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind
2016-10-28
07 Kathleen Moriarty Ballot has been issued
2016-10-28
07 Kathleen Moriarty [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty
2016-10-28
07 Kathleen Moriarty Created "Approve" ballot
2016-10-28
07 Kathleen Moriarty Ballot writeup was changed
2016-10-28
07 Kathleen Moriarty IESG state changed to IESG Evaluation from Waiting for AD Go-Ahead
2016-10-27
07 Tero Kivinen Request for Telechat review by SECDIR is assigned to Simon Josefsson
2016-10-27
07 Tero Kivinen Request for Telechat review by SECDIR is assigned to Simon Josefsson
2016-10-25
07 Dale Worley Request for Telechat review by GENART Completed: Ready. Reviewer: Dale Worley.
2016-10-22
07 Kathleen Moriarty Telechat date has been changed to 2016-11-03 from 2016-10-27
2016-10-20
07 Jean Mahoney Request for Telechat review by GENART is assigned to Dale Worley
2016-10-20
07 Jean Mahoney Request for Telechat review by GENART is assigned to Dale Worley
2016-10-19
07 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2016-10-19
07 Dan Harkins New version available: draft-harkins-salted-eap-pwd-07.txt
2016-10-19
07 (System) New version approved
2016-10-19
06 (System) Request for posting confirmation emailed to previous authors: "Dan Harkins"
2016-10-19
06 Dan Harkins Uploaded new revision
2016-10-15
06 Dale Worley Request for Telechat review by GENART Completed: Ready with Nits. Reviewer: Dale Worley.
2016-10-14
06 Tero Kivinen Closed request for Telechat review by SECDIR with state 'Withdrawn'
2016-10-14
06 Tero Kivinen Request for Telechat review by SECDIR is assigned to Rifaat Shekh-Yusef
2016-10-14
06 Tero Kivinen Request for Telechat review by SECDIR is assigned to Rifaat Shekh-Yusef
2016-10-09
06 Kathleen Moriarty Telechat date has been changed to 2016-10-27 from 2016-10-13
2016-10-07
06 Kathleen Moriarty Notification list changed to "Stefan Winter" <stefan.winter@restena.lu>, dharkins@arubanetworks.com from "Stefan Winter" <stefan.winter@restena.lu>
2016-10-06
06 Jean Mahoney Request for Telechat review by GENART is assigned to Dale Worley
2016-10-06
06 Jean Mahoney Request for Telechat review by GENART is assigned to Dale Worley
2016-10-05
06 Gunter Van de Velde Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Mahesh Jethanandani.
2016-09-26
06 Sabrina Tanamal IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK
2016-09-22
06 Tero Kivinen Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Simon Josefsson.
2016-09-22
06 Kathleen Moriarty Ballot writeup was changed
2016-09-22
06 (System) IESG state changed to Waiting for AD Go-Ahead from In Last Call
2016-09-21
06 Kathleen Moriarty Ballot writeup was changed
2016-09-21
06 Kathleen Moriarty Changed consensus to Yes from Unknown
2016-09-21
06 Kathleen Moriarty Placed on agenda for telechat - 2016-10-13
2016-09-20
06 (System) IANA Review state changed to IANA - Not OK from IANA - Review Needed
2016-09-20
06 Sabrina Tanamal
(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-harkins-salted-eap-pwd-06.txt. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there is a single action which IANA must complete.

In the Password Preprocessing Methods subregistry of the EAP-pwd Parameters registry located at:

https://www.iana.org/assignments/eap-pwd-parameters/

Eight new values are to be registered as follows:

Value: [ TBD-at-registration ]
Name: Random salt with SHA-1
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Name: Random salt with SHA-256
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Name: Random salt with SHA-512
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Name: UNIX crypt()
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Name: OpaqueString and a random salt with SHA-1
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Name: OpaqueString and a random salt with SHA-256
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Name: OpaqueString and a random salt with SHA-512
Reference: [ RFC-to-be ]

Value: [ TBD-at-registration ]
Name: OpaqueString and a UNIX crypt()
Reference: [ RFC-to-be ]

As this document requests registrations in an Expert Review or Specification Required (see RFC 5226) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC.

IANA understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. 

Thank you,

Sabrina Tanamal
IANA Specialist
ICANN
2016-09-06
06 Dale Worley Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Dale Worley.
2016-09-01
06 Tero Kivinen Request for Last Call review by SECDIR is assigned to Simon Josefsson
2016-09-01
06 Tero Kivinen Request for Last Call review by SECDIR is assigned to Simon Josefsson
2016-08-31
06 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Mahesh Jethanandani
2016-08-31
06 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Mahesh Jethanandani
2016-08-25
06 Jean Mahoney Request for Last Call review by GENART is assigned to Dale Worley
2016-08-25
06 Jean Mahoney Request for Last Call review by GENART is assigned to Dale Worley
2016-08-25
06 Amy Vezza IANA Review state changed to IANA - Review Needed
2016-08-25
06 Amy Vezza
The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: stefan.winter@restena.lu, Kathleen.Moriarty.ietf@gmail.com, draft-harkins-salted-eap-pwd@ietf.org, "Stefan Winter"
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Adding Support for Salted Password Databases to EAP-pwd) to Informational RFC


The IESG has received a request from an individual submitter to consider
the following document:
- 'Adding Support for Salted Password Databases to EAP-pwd'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2016-09-22. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  EAP-pwd is an EAP method that uses a shared password for
  authentication using a technique that is resistant to dictionary
  attack.  It included support for raw keys and RFC2751-style double
  hashing of a password but did not include support for salted
  passwords.  There are many existing databases of salted passwords and
  it is desirable to allow their use with EAP-pwd.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-harkins-salted-eap-pwd/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-harkins-salted-eap-pwd/ballot/


No IPR declarations have been submitted directly on this I-D.




2016-08-25
06 Amy Vezza IESG state changed to In Last Call from Last Call Requested
2016-08-25
06 Kathleen Moriarty Last call was requested
2016-08-25
06 Kathleen Moriarty Ballot approval text was generated
2016-08-25
06 Kathleen Moriarty Ballot writeup was generated
2016-08-25
06 Kathleen Moriarty IESG state changed to Last Call Requested from Publication Requested
2016-08-25
06 Kathleen Moriarty IESG state changed to Publication Requested from Dead
2016-08-25
06 Kathleen Moriarty Last call announcement was generated
2016-08-25
06 Kathleen Moriarty Last call announcement was generated
2016-08-24
06 Stefan Winter
Document Writeup for draft-harkins-salted-eap-pwd-03
====================================================

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header?

The requested track is Informational. The document is an extension to RFC 5931 (EAP Authentication Using Only a Password) which is also informational. It is the right track because it makes sense to choose the same track for the base specification and the update. That said, it looks a bit odd that RFC 5931 itself was only Informational, but that question is out of scope for the draft currently under consideration.

(2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections:

Technical Summary


  EAP-pwd is an EAP method that uses a shared password for
  authentication using a technique that is resistant to dictionary
  attack.  It included support for raw keys and RFC2751-style double
  hashing of a password but did not include support for salted
  passwords.  There are many existing databases of salted passwords and
  it is desirable to allow their use with EAP-pwd.

Working Group Summary

The base specification RFC 5931 was considered by the EMU working group (but eventually published outside the WG). That working group is meanwhile concluded, and the current draft has no obvious "home" in any working group.

Document Quality

There are implementations of the EAP-pwd base specification for several operating systems (Windows, Linux, Android), originating from one vendor (Aruba Networks / HP Enterprise).
The same vendor (and in fact author of the spec) also has running code for this new draft. This code is unpublished due to the lack of code points. When this draft gets published as RFC with the corresponding IANA actions, it can be expected that the implementation will be out soon after.

Who is the Document Shepherd? Who is the Responsible Area Director?

The Document Shepherd is Stefan Winter.
The responsible Area Director is Kathleen Moriarty (kathleen.moriarty.ietf@gmail.com).

(3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

The shepherd has been following this document for a long while, due to its potential usefulness in enterprise Wi-Fi. As such, the document was constantly reviewed.

In addition to that, the shepherd has read -03 with particular scrutiny. Subsequently, a number of clarification questions were asked and tackled in subsequent versions.

The shepherd now (version -06) believes this document is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

With this being an individual submission, the amount of review is more difficult to gauge than usual. The author presented his draft on several occasions, and got a few comments on it. In particular, it was sent to the emu mailing list which still has many subscribers from the now-concluded emu working group.

All in all, there are no concerns; the document has gotten its fair share of scrutiny.

(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place.

The protocol extensions in this draft definitely warrant a review from the security community. The comments the author got indicate that security people did take a look already. IETF last call and in particular the secdir review should provide for a comforting amount of security review.

(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the interested community has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

The document is needed in order to support more database backends. The fact that it needs to transmit the salt on the wire in the clear is an unfortunate technical necessity; the salt is of not much use without the actual password. Whether or not this represents a problem worth noting in Security Considerations remains questionable. Text about this issue has been added to expose the question during IETF LC.

(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why.

The author has acked that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.

(8) Has an IPR disclosure been filed that references this document? If so, summarize any discussion and conclusion regarding the IPR disclosures.

There is no IPR disclosure on this document.

(9) How solid is the consensus of the interested community behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the interested community as a whole understand and agree with it?

The community of people dealing with new EAP types is comparatively small. There is a significant amount of silence around this document; but this should in the shepherd's opinion not be considered as dissent; it's much rather that the existing EAP types cover a large amount of authentication needs "good enough" and that the new features of EAP-pwd are not urgent enough to get interest from a bigger set of people.

All existing password-based EAP methods either require a PKIX-style server certificate (which the EAP-pwd base specification already fixes) and/or require storage of the user's password in either clear-text or NTHash formats (which the current draft fixes by adding numerous salted storage variants to the mix).

Only this new draft in combination with the base spec allows for user-friendly (no cert messing, no MITM password disclosure risks) and admin-friendly (storage of passwords in a non-weak format) EAP authentication.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.)

No such threat is known.

(11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough.

The version -06 has a minor style deviation as noted by idnits:


  == The 'Updates: ' line in the draft header should list only the _numbers_
    of the RFCs which will be updated by this document (if approved); it
    should not include the word 'RFC' in the list.

This minor issue can surely be fixed later in the publication process.
   
(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

No such formal review is required.

(13) Have all references within this document been identified as either normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion?

All IETF references are issued RFCs. The remaining are a published NIST document (stable) and a Unix man page of a very old part of Unix (crypt()). All of these references can be considered stable.

(15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure.

No downward references.

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the interested community considers it unnecessary.

This document updates RFC 5931, but does not change its status.

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

The document adds new entries to an existing registry. The IANA Considerations section is consistent with the document's main body. The registry in question is "Specification Required", which this draft satisfies.

(18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.

No such checks are necessary.
2016-08-24
06 Dan Harkins New version available: draft-harkins-salted-eap-pwd-06.txt
2016-08-19
05 Dan Harkins New version available: draft-harkins-salted-eap-pwd-05.txt
2016-08-05
04 Dan Harkins New version available: draft-harkins-salted-eap-pwd-04.txt
2016-06-17
03 Kathleen Moriarty Notification list changed to "Stefan Winter" <stefan.winter@restena.lu>
2016-06-17
03 Kathleen Moriarty Document shepherd changed to Stefan Winter
2016-02-19
03 Dan Harkins New version available: draft-harkins-salted-eap-pwd-03.txt
2016-02-14
02 (System) Document has expired
2016-02-14
02 (System) IESG state changed to Dead from AD is watching
2015-11-19
02 Kathleen Moriarty IESG process started in state AD is watching
2015-11-19
02 Kathleen Moriarty Intended Status changed to Informational from None
2015-11-19
02 Kathleen Moriarty Stream changed to IETF from None
2015-11-19
02 Kathleen Moriarty Shepherding AD changed to Kathleen Moriarty
2015-08-13
02 Dan Harkins New version available: draft-harkins-salted-eap-pwd-02.txt
2015-01-08
01 Dan Harkins New version available: draft-harkins-salted-eap-pwd-01.txt
2014-09-30
00 Dan Harkins New version available: draft-harkins-salted-eap-pwd-00.txt