Re: [HACKERS] SCRAM salt length
On 8/17/17 17:00, Joe Conway wrote: >> Hence my original inquiry: "I suspect that this length was chosen based >> on the example in RFC 5802 (SCRAM-SHA-1) section 5. But the analogous >> example in RFC 7677 (SCRAM-SHA-256) section 3 uses a length of 16. >> Should we use that instead?" > Unless there is some significant downside to using 16 byte salt, that > would be my vote. committed -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] SCRAM salt length
On 08/17/2017 01:50 PM, Peter Eisentraut wrote: > On 8/17/17 12:10, Heikki Linnakangas wrote: >> On 08/17/2017 05:23 PM, Peter Eisentraut wrote: >>> On 8/17/17 09:21, Heikki Linnakangas wrote: The RFC doesn't say anything about salt length, but the one example in it uses a 16 byte string as the salt. That's more or less equal to the current default of 12 raw bytes, after base64-encoding. >>> >>> The example is >>> >>> S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0, >>>s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096 >>> >>> That salt is 24 characters and 16 raw bytes. >> >> Ah, I see, that's from the SCRAM-SHA-256 spec. I was looking at the >> example in the original SCRAM-SHA-1 spec: >> >> S: r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92, >>i=4096 > > Hence my original inquiry: "I suspect that this length was chosen based > on the example in RFC 5802 (SCRAM-SHA-1) section 5. But the analogous > example in RFC 7677 (SCRAM-SHA-256) section 3 uses a length of 16. > Should we use that instead?" Unless there is some significant downside to using 16 byte salt, that would be my vote. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development signature.asc Description: OpenPGP digital signature
Re: [HACKERS] SCRAM salt length
On 8/17/17 12:10, Heikki Linnakangas wrote: > On 08/17/2017 05:23 PM, Peter Eisentraut wrote: >> On 8/17/17 09:21, Heikki Linnakangas wrote: >>> The RFC doesn't say anything about salt >>> length, but the one example in it uses a 16 byte string as the salt. >>> That's more or less equal to the current default of 12 raw bytes, after >>> base64-encoding. >> >> The example is >> >> S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0, >>s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096 >> >> That salt is 24 characters and 16 raw bytes. > > Ah, I see, that's from the SCRAM-SHA-256 spec. I was looking at the > example in the original SCRAM-SHA-1 spec: > > S: r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92, >i=4096 Hence my original inquiry: "I suspect that this length was chosen based on the example in RFC 5802 (SCRAM-SHA-1) section 5. But the analogous example in RFC 7677 (SCRAM-SHA-256) section 3 uses a length of 16. Should we use that instead?" -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] SCRAM salt length
On 08/17/2017 05:23 PM, Peter Eisentraut wrote: On 8/17/17 09:21, Heikki Linnakangas wrote: The RFC doesn't say anything about salt length, but the one example in it uses a 16 byte string as the salt. That's more or less equal to the current default of 12 raw bytes, after base64-encoding. The example is S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0, s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096 That salt is 24 characters and 16 raw bytes. Ah, I see, that's from the SCRAM-SHA-256 spec. I was looking at the example in the original SCRAM-SHA-1 spec: S: r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92, i=4096 - Heikki -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] SCRAM salt length
On Thu, Aug 17, 2017 at 10:21 PM, Heikki Linnakangaswrote: > On 08/17/2017 05:42 AM, Michael Paquier wrote: >> That's now or never. > > Not really. That constant is just the default to use when creating new > password verifiers, but the code can handle any salt length, and different > verifiers can have different lengths. Indeed, fuzzy memory here. I thought that parse_scram_verifier() checked the salt length with the default value, but that's not the case. Perhaps at some point in the development there was a check of this kind.. -- Michael -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] SCRAM salt length
On 8/17/17 09:21, Heikki Linnakangas wrote: > The RFC doesn't say anything about salt > length, but the one example in it uses a 16 byte string as the salt. > That's more or less equal to the current default of 12 raw bytes, after > base64-encoding. The example is S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0, s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096 That salt is 24 characters and 16 raw bytes. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] SCRAM salt length
On Thu, Aug 17, 2017 at 9:21 AM, Heikki Linnakangaswrote: > Different thing. That was the nonce length, now we're talking about salt > length. Actually that commit (0557a5dc2cf845639d384801b6861ebbd35dc7ee) changed both: -#define SCRAM_RAW_NONCE_LEN 10 +#define SCRAM_RAW_NONCE_LEN 18 /* length of salt when generating new verifiers */ -#define SCRAM_DEFAULT_SALT_LEN 10 +#define SCRAM_DEFAULT_SALT_LEN 12 I don't think I understand exactly how they're different; especially, I don't quite understand how the nonce is used. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] SCRAM salt length
On 08/17/2017 04:04 PM, Robert Haas wrote: On Wed, Aug 16, 2017 at 10:42 PM, Michael Paquierwrote: In the initial discussions there was as well a mention about using 16 bytes. https://www.postgresql.org/message-id/507550bd.2030...@vmware.com As we are using SCRAM-SHA-256, let's bump it up and be consistent. That's now or never. This was discussed and changed once before at https://www.postgresql.org/message-id/df8c6e27-4d8e-5281-96e5-131a4e638...@8kdata.com Different thing. That was the nonce length, now we're talking about salt length. I think 2^96 is large enough. The RFC doesn't say anything about salt length, but the one example in it uses a 16 byte string as the salt. That's more or less equal to the current default of 12 raw bytes, after base64-encoding. On 08/17/2017 05:42 AM, Michael Paquier wrote: > That's now or never. Not really. That constant is just the default to use when creating new password verifiers, but the code can handle any salt length, and different verifiers can have different lengths. - Heikki -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] SCRAM salt length
On Wed, Aug 16, 2017 at 10:42 PM, Michael Paquierwrote: > In the initial discussions there was as well a mention about using 16 bytes. > https://www.postgresql.org/message-id/507550bd.2030...@vmware.com > As we are using SCRAM-SHA-256, let's bump it up and be consistent. > That's now or never. This was discussed and changed once before at https://www.postgresql.org/message-id/df8c6e27-4d8e-5281-96e5-131a4e638...@8kdata.com -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] SCRAM salt length
On 16 August 2017 at 14:10, Peter Eisentrautwrote: > The SCRAM salt length is currently set as > > /* length of salt when generating new verifiers */ > #define SCRAM_DEFAULT_SALT_LEN 12 > > without further comment. > > I suspect that this length was chosen based on the example in RFC 5802 > (SCRAM-SHA-1) section 5. But the analogous example in RFC 7677 > (SCRAM-SHA-256) section 3 uses a length of 16. Should we use that instead? 16 preferred, IMHO -- Simon Riggshttp://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] SCRAM salt length
On Thu, Aug 17, 2017 at 12:10 AM, Aleksander Alekseevwrote: >> The SCRAM salt length is currently set as >> >> /* length of salt when generating new verifiers */ >> #define SCRAM_DEFAULT_SALT_LEN 12 >> >> without further comment. >> >> I suspect that this length was chosen based on the example in RFC 5802 >> (SCRAM-SHA-1) section 5. But the analogous example in RFC 7677 >> (SCRAM-SHA-256) section 3 uses a length of 16. Should we use that instead? In the initial discussions there was as well a mention about using 16 bytes. https://www.postgresql.org/message-id/507550bd.2030...@vmware.com As we are using SCRAM-SHA-256, let's bump it up and be consistent. That's now or never. > Maybe this length was chosen just because it becomes a 16-characters > string after base64encode. If I understand correctly RFC 5802 and RFC > 7677 don't say much about the required or recommended length of the > salt. Yep, it doesn't provide any recommendation. > I personally believe that 2^96 of possible salts is consistent with both > RFCs and should be enough in practice. (12 bytes * 8) = 96, so you would favor 12 as length. -- Michael -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] SCRAM salt length
He Peter, > The SCRAM salt length is currently set as > > /* length of salt when generating new verifiers */ > #define SCRAM_DEFAULT_SALT_LEN 12 > > without further comment. > > I suspect that this length was chosen based on the example in RFC 5802 > (SCRAM-SHA-1) section 5. But the analogous example in RFC 7677 > (SCRAM-SHA-256) section 3 uses a length of 16. Should we use that instead? Maybe this length was chosen just because it becomes a 16-characters string after base64encode. If I understand correctly RFC 5802 and RFC 7677 don't say much about the required or recommended length of the salt. I personally believe that 2^96 of possible salts is consistent with both RFCs and should be enough in practice. -- Best regards, Aleksander Alekseev signature.asc Description: PGP signature