Schneier on Security

Clive Robinson • November 15, 2024 9:22 AM

@ Bruce “Only”

The authors name sounded familiar so I “followed a trail” to,

https://dicekeys.com

Where under “leadership” I found two names well known to me, Joseph Bonneau and you.

I know this is only a “personal blog” not a Journal or other Academic Publication, but over the past decade with increasing “federalism” of “Social Media” and similar people are getting not just “Snarky” but are looking for “authors” to “Declare Interests” in things other than “Papers”.

So you might want to consider “staying ahead of the mob” and putting in a footer to mention close, business, etc associations when they arise.

Clive Robinson • November 17, 2024 6:46 AM

@ Rac, All,

With regards,

“This is the first I’ve heard of criticism of password hashing in general.”

The form of hashing being used is supposadly a “One Way Function”(OWF) andvis a form of encryption. The use of the OWF in theory means that once hashed the only way to find the original “plaintext” is to either intercept it before it’s hashed or by running a form of “Brut Force” or “Dictionary” search to make “Rainbow Tables” and similar,

‘https://en.wikipedia.org/wiki/Rainbow_table

Like all technology this is “agnostic to use”, that is it’s the “observers view point” that decides “good or bad” and for the “directing mind” what they are trying to achieve.

The use of passwords is an “adversarial game” with more than two players, but can be reduced for most arguments to,

1, Owner of system
2, User of system
3, Attacker of System

The aim of the Owner is to protect against both Attackers and Users.

The thing is that the two aims are in many respects “mutually exclusive”.

That is Users find passwords nothing but an inhibitory intrusion into their work flow, something our host @Bruce has talked about in a more general way in the past.

So many users would if they could make their password as simple as possible if they were allowed to do so[1].

However short passwords of low complexity are the first things an Attacker would try[2].

So the issue for the Owner is how to ensure both,

1, Users have long complex passwords.
2, Attackers can not find the password.

Thus the Owner want’s to see the User password in “plaintext” to check it is not short or of low complexity, but also stop the Attacker seeing the “plaintext” even in part[3].

This means that for the Owner they want the Plaintext to get to the system, this makes the password vulnerable in all sorts of ways even with modern encrypted communications[4].

The flip side is that “Owners need” to “Police the User” is in effect a crack an attacker can use to their advantage.

One obvious solution these days of PC’s and Smart Devices is to move the hashing of the plaintext password to before the vulnerable communications. But unless carefully thought out this means the Owner can not “Police Passwords”.

Which is why “premature hashing” is seen by some as a real issue, as they know Users will quickly fall back to the weakest of passwords.

Yes there are ways to mitigate this, but it falls to the issue nobody has really solved,

“How to exchange root of trust secrets securely without doing it in person?”

Which is where the fun really starts.

[1] Many users would like to “just press enter” if they could, or something else that is both very short and easily memorable “to them”. Thus if allowed most user selected passwords would be of at best “minimal value” from the security aspect.

[2] The problem these days is Attackers can fairly easily try passwords of a length and complexity most Users can not remember…

[3] The problem with humans is in general they don’t do Random, or Complex, and they have terrible memories. Thus there is almost always some kind of structure to User selected passwords that an Attacker will exploit. Thus knowing as little as the password length aids the Attacker.

[4] Back when terminal were connected to a system over short lengths of “serial cable” the only comms security available to most was the physical protection of the cable and the signals on it. With the advent of affordable modems and thus “remote working” this was very insecure at best. Even when encryption of the line became possible, users expected “Full Duplex” behaviour which ment each plaintext character got sent individually. Thus no matter how complex the encryption algorithm it was in effect reduced to a “simple substitution cipher”. Thus the encryption algorithm had to be used in some form of wrapper we now call a “mode” that mixed things up. Often but not always this was by “chaining” which is the equivalent of a “poormans stream cipher”. Then there is the problem of “Man In The Middle”(MITM) attacks on the encryption setup that still work very effectively today. So even with the use of much stronger encryption like those used in HTTPS TLS etc these issues still exist.

Clive Robinson • November 18, 2024 1:55 PM

@ Winter, ALL,

With regards,

“The obvious conclusion is that passwords have failed as a secure authentication solution and should be retired.”

From a security and human user management issue, this has been true for this century so far at least. It’s also why I keep saying they should be replaced and have done so for more than the past couple of decades.

The question is,

“Why have we not replaced them yet?”

The answer is multifaceted and changes with time.

Firstly is “storage cost” when passwords first came about hard drive storage was up in the $1/character or greater range. Whilst the per character storage cost has dropped to the point it is very small, there are other costs like access speed and availability and the fact we now store “salts and extended hashes” that take us up to 1KByte per user or even higher with other types of non-flat-file DB etc system.

Whilst perhaps not to much of an issue with SoHo or MeSE organisations, for modern cloud and social media sites that have upwards of tens of millions of users… Worse for them they also tend to store profile information per user and that can be hundreds of thousands of bytes per user. So the cost of Security authentication (AuthN) and authorization (AuthZ) is still quite high for some even now.

Secondly text based pass words/phrases are or should still be “Simple Plain Text”, which is a “lowest common denominator” that should work every where… However as some have found trying to use extended character sets is problematic, especially when “internationalisation” has to be accounted for. In effect it’s one of those “serialisation edge cases” with overtones of “gallons into pint pots” if you try to “get clever” with modern languages and libraries when you’ve not yet learned to “drain the swamp” (we get the same problem with nearly all things involving encryption algorithms).

Thirdly, but if we don’t use “plain ASCII text” pass word/phrases what else are we going to use. Put simply,

“We’ve been seeking but not finding.”

Just about every alternative has issues with issues like standards and protocols giving rise to implementation issues.

Fourthly is the “route of trust” issue. To get a sufficient increase in end to end security to prevent attackers being successful needs a two part system of a “high entropy” “shared secret” and of necessity a “low entropy” “something the user knows” to gate it’s use.

Fifthly is that the shared secret needs to be protected in some way. A software vault is defeated by an attacker getting access to the stored “shared secret” in any one of hundreds of different ways. One of which can be as simple as “key logging” the user input.

Sixthly the use of a hardware token is often security wise less secure than a software vault. They are also expensive, not just for the hardware but all the “user issues” arising.

Which brings us to what has for decades been the killer,

“The cost of user management.”

If you want real security then the cost of this is in many cases quite extraordinary.

In part the drive to “Single Sign On” systems was to cut this cost. But in reality it was not very successful,

“Because users are human and statistically bad news.”

There are other issues I could list, but untill fairly recently passwords were the “most cost effective” at low security.

But some have realised there is a catch in “legislative changes”. The way some “child protection” legislation is written, the service provider carries liability for children getting access to what the legislation says the should not. As with a lot of ICT legislation the scope is not just overly broad but close to impossibly broad for service providers, especially with other “Data Protection Legislation”.

In effect passwords and passphrases are now being legislated against by child protection and other legislation.

Clive Robinson • December 15, 2024 7:44 PM

@ Bogdanovic, All,

“The Idea of “storing the secret key safely somewhere” reminds me a lot of those “key escrow” or “government backdoor” ideas…”

The issue of encryption “keys” is one that makes life interesting and falls into the philosophical group of things where,

“The only three numbers that make sense are Zero, One, and Infinity.”

That is you can have crypto with,

1, Zero Keys (Hash Algorithms).
2, One Key (Symmetric Algorithms).
3, Multiple Keys (Asymmetric, N of M, etc Algorithms).

In some respects “Zero Key” or Hash systems are not just harder to design, they are actually weaker on a “gate count” basis.

Or software for them is more complex, fragile, and less efficient or non optimal.

Thus unless the Hash comes for free –and it never does–, designers have wanted to go with symmetric encryption first or asymmetric encryption second.

The Morris Unix Password system for instance was based around using a modified symmetric encryption algorithm in a “mode” where you did not need a “secret” key.

You can do this because you are not looking for a Hash with all it’s properties but in effect just a limited “One Way Function”(OWF) any crypto function can be bent into with a little bit of hammering.

In fact you can hammer any keyed algorithm out of shape into another algorithm using lesser numbers of keys when you only want a limited OWF functionality for certain uses like the storing of partial or full passwords.