From e2031ae53fd91898b5a8715261b5df2b50ec9455 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?= Date: Wed, 28 Oct 2020 17:21:45 +0100 Subject: [PATCH 1/2] XEP-0045: specify use of in subject message --- xep-0045.xml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/xep-0045.xml b/xep-0045.xml index 5506e664..f80f0d45 100644 --- a/xep-0045.xml +++ b/xep-0045.xml @@ -45,6 +45,12 @@ &stpeter; + + 1.34.0 + 2020-10-28 + jsc +

Specify the use of a delay element in the initial subject message.

+
1.33.0 2020-04-15 @@ -1841,7 +1847,7 @@ -

After the room has optionally sent the discussion history to the new occupant, it SHALL send the current room subject. This is a &MESSAGE; stanza from the room JID (or from the occupant JID of the entity that set the subject), with a &SUBJECT; element but no &BODY; element, as shown in the following example.

+

After the room has optionally sent the discussion history to the new occupant, it SHALL send the current room subject. This is a &MESSAGE; stanza from the room JID (or from the occupant JID of the entity that set the subject), with a &SUBJECT; element but no &BODY; element, as shown in the following example. In addition, the subject SHOULD be stamped with &xep0203; information qualified by the 'urn:xmpp:delay' namespace to indicate the time at which the subject was last modified. If the <delay/> element is included, its 'from' attribute MUST be set to the JID of the room itself.

Fire Burn and Cauldron Bubble! + ]]> -

If there is no subject set, the room MUST return an empty &SUBJECT; element.

+

Interoperability Note: The <delay/> element has been specified in version 1.34.0 of this document. Hence, consuming entities need to be able to deal with servers which do not send a <delay/> element. Most notably, this means that the presence of the <delay/> element cannot be used to distinguish a historic vs. a live subject change.

+

If there is no subject set, the room MUST return an empty &SUBJECT; element. The <delay/> SHOULD be included if the subject was actively cleared and MAY be omitted if the room never had a subject set.

Date: Fri, 30 Oct 2020 17:34:00 -0400 Subject: [PATCH 2/2] XEP-0438: update to match draft-ietf-kitten-password-storage-01 Signed-off-by: Sam Whited --- xep-0438.xml | 162 +++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 143 insertions(+), 19 deletions(-) diff --git a/xep-0438.xml b/xep-0438.xml index f3733941..17c95657 100644 --- a/xep-0438.xml +++ b/xep-0438.xml @@ -3,6 +3,7 @@ Open Web Application Security Project (OWASP) The Open Web Application Security Project (OWASP, or OWASP Foundation) is a nonprofit foundation that works to improve the security of software. For further information, see <https://owasp.org/>." > OWASP Password Storage Cheat Sheet OWASP Cheat Sheet Series for password storage <https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html>." > RFC 2195 RFC 2195: IMAP/POP AUTHorize Extension for Simple Challenge/Response <http://tools.ietf.org/html/rfc2195>." > + RFC 5746 RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension <http://tools.ietf.org/html/rfc5746>." > RFC 7677 RFC 7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms <http://tools.ietf.org/html/rfc7677>." > RFC 8018 RFC 8018: PKCS #5: Password-Based Cryptography Specification Version 2.1 <http://tools.ietf.org/html/rfc8018>." > RFC 8265 RFC 8265: Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords <http://tools.ietf.org/html/rfc8265>." > @@ -31,11 +32,17 @@ passwords &sam; + + 0.2.0 + 2020-10-30 + ssw +

Update to match draft-ietf-kitten-password-storage-01.

+
0.1.1 2020-05-05 ssw -

Fix reference to external document

+

Fix reference to external document.

0.1.0 @@ -87,12 +94,30 @@

- Many terms used in this document are defined in &nistsp800-63-3; Appendix - A.1 and in &nistsp800-132; §3.1. + Various security-related terms are to be understood in the sense + defined in &rfc4949; + Some may also be defined in defined in &nistsp800-63-3; Appendix A.1 and in + &nistsp800-132; §3.1. +

+

Throughout this document the term "password" is used to mean any password, passphrase, PIN, or other memorized secret.

+

+ Other common terms used throughout this document include: +

+ +
Mechanism Pinning
+
+ Mechanism pinning A security mechanism which allows SASL clients to + resist downgrade attacks. + Clients that implement mechanism pinning remember the perceived strength + of the SASL mechanism used in a previous successful authentication + attempt and thereafter only authenticate using mechanisms of equal or + higher perceived strength. +
+
Pepper
@@ -101,6 +126,12 @@ They must not be stored alongside the hashed password.
+ +
Salt
+
+ In this document salt is used as defined in &rfc4949;. +
+
@@ -166,6 +197,30 @@
  • PLAIN
  • DIGEST-MD5, CRAM-MD5
  • +

    + The EXTERNAL mechanism defined in &rfc4422; appendix A is placed at + the top of the list. + However, its perceived strength depends on the underlying authentication + protocol. + In this example, we assume that TLS (&rfc8446;) services are being used. +

    +

    + The channel binding ("-PLUS") variants of SCRAM (&rfc5802;) are listed + above their non-channel binding cousins, but may not always be + available depending on the type of channel binding data available to + the SASL negotiator. +

    +

    + The PLAIN mechanism sends the username and password in plain text, + but does allow for the use of a strong key derivation function (KDF) + for the stored version of the password on the server. +

    +

    + Finally, the DIGEST-MD5 and CRAM-MD5 mechanisms are listed last + because they use weak hashes and ciphers and prevent the server from + storing passwords using a KDF. For a list of problems with DIGEST- + MD5 see &rfc6331;. +

    @@ -200,7 +255,7 @@

    Servers MUST always store passwords only after they have been salted and - hashed. + hashed using a strong KDF. If multiple hashes are supported for use with SCRAM, for example SCRAM-SHA-1 and SCRAM-SHA-256, separate salted and hashed passwords SHOULD be calculated and stored for each mechanism so that users can log in with @@ -216,6 +271,25 @@ pepper stored in the application configuration, an environment variable, or some other location other than the datastore containing the salts.

    +

    + The following minimum restrictions MUST be observed when generating salts + and peppers. + More up to date numbers may be found in &owasppasswords; +

    +
    + +
    Minimum Salt Length
    +
    + 16 bytes +
    +
    + +
    Minimum Pepper Length
    +
    + 32 bytes +
    +
    +

    @@ -251,16 +325,16 @@

    -
    Minimum iterations
    +
    Minimum iteration count (c)
    10,000 (100,000 for higher security environments)
    -
    Minimum salt length
    -
    16 bytes
    +
    Hash
    +
    SHA256
    -
    Minimum pepper length
    -
    32 bytes
    +
    Output length (dkLen)
    +
    hLen (length of the chosen hash)

    @@ -270,17 +344,34 @@

    - Clients and servers SHOULD enforce a minimum length of 8 characters for user - passwords. + Before any other password complexity requirements are checked, the + preparation and enforcement steps of the OpaqueString profile of &rfc8265; + SHOULD be applied (for more information see the Internationalization + Considerations section). + Entities SHOULD enforce a minimum length of 8 characters for user passwords. If using a mechanism such as PLAIN where the server performs hashing on the original password, a maximum length between 64 and 128 characters MAY be imposed to prevent denial of service (DoS) attacks. - Passwords SHOULD be required to conform to the Opaque String profile of - &rfc8265;. - No other password restrictions should be applied. + Entities SHOULD NOT apply any other password restrictions. +

    +

    + In addition to these password complexity requirements, servers SHOULD + maintain a password blocklist and reject attempts by a claimant to use + passwords on the blocklist during registration or password reset. + The contents of this blocklist are a matter of server policy. + Some common recommendations include lists of common passwords that are not + otherwise prevented by length requirements, and passwords present in known + breaches.

    +

    + This document contains recommendations that are likely to change over time. + It should be reviewed regularly to ensure that it remains accurate and up to + date. + Many of the recommendations in this document were taken from + &owasppasswords;, &nistsp800-63b;, and &nistsp800-132;. +

    The SCRAM suite of SASL mechanisms are recommended in this document, however, there is currently no way to force a password reset. @@ -288,6 +379,22 @@ that new, untested, SCRAM-based or SCRAM-like mechanisms should be added with caution.

    +

    + The "-PLUS" variants of SCRAM support channel binding to their underlying + security layer, but lack a mechanism for negotiating what type of channel + binding to use. + In &rfc5802; the tls-unique (&rfc5929;) channel + binding mechanism is specified as the default, and it is therefore likely to + be used in most applications that support channel binding. + However, in the absence of the TLS extended master secret fix (&rfc7627;) + and the renegotiation indication TLS extension (&rfc5746;) the tls-unique + and tls-server-endpoint channel binding data can be forged by an attacker + that can MITM the connection. + Before advertising a channel binding SASL mechanism, entities MUST ensure + that both the TLS extended master secret fix and the renegotiation + indication extension are in place and that the connection has not been + renegotiated. +

    This document mentions many hash functions that are already in use in the XMPP ecosystem, or that have been used in the past. @@ -297,11 +404,28 @@ implications, see &xep0414;

    - This document contains recommendations that are likely to change over time. - It should be reviewed yearly to ensure that it remains accurate and up to - date. - Many of the recommendations in this document were taken from the - &owasppasswords;, which can be used as a reference when making updates. + For TLS 1.3 no channel binding types are currently defined. Channel binding + SASL mechanisms MUST NOT be advertised or negotiated over a TLS 1.3 channel + until such types are defined. +

    +
    + +

    + The PRECIS framework (Preparation, Enforcement, and Comparison of + Internationalized Strings) defined in &rfc8264; is used to enforce + internationalization rules on strings and to prevent common application + security issues arrising from allowing the full range of Unicode codepoints + in usernames, passwords, and other identifiers. + The OpaqueString profile of &rfc8265; is used in this document to ensure + that codepoints in passwords are treated carefully and consistently. + This ensures that users typing certain characters on different keyboards + that may provide different versions of the same character will still be able + to log in. + For example, some keyboards may output the full-width version of a character + while other keyboards output the half-width version of the same character. + The Width Mapping rule of the OpaqueString profile addresses this and + ensures that comparison succeeds and the claimant is able to be + authenticated.