June 11, 2018 / Jim Fenton

The need for provenance with BYO authenticators

The alternative to BYO authenticators

There is a strong desire to allow users of two-factor authentication to “bring your own” (BYO) physical authenticator (often referred to as a “token”). This relieves the user from keeping (and keeping track of) separate physical authenticators for each service, and spreads the cost of authenticators among multiple services. It also simplifies the process of enrolling a new user in an account when a physical authenticator does not need to be conveyed (e.g., mail, in person) to that user. Bringing your own authenticator, however, adds a new element of uncertainty.

The impact of an account breach is not limited to the user: the service, and often other users, are often also impacted. The service, at a minimum, has to bear the cost of incident response, even if that only involves aid to the user. Account breaches may affect other users on the service or impact the service itself (consider industrial control systems and critical infrastructure here). It isn’t just the user that has a stake in the security of authentication.

When authenticators, particularly hardware-based physical authenticators, are issued by the service itself, the service knows all about their strength. For example, if the user is issued a one-time password (OTP) device, the service knows that the authenticator secret is embedded in hardware, what the characteristics of that hardware are, and can assess the strength of authentication accordingly.

If the user brings their own authenticator, how can the service make that determination? For many authenticator types, particularly where the strength is determined by the authenticator’s hardware characteristics, more information is needed. For example, it is generally not possible to distinguish an authentication made using a cryptographic device (e.g., smart card) from one made using a software-based cryptographic certificate. The protocols for those two authenticators can be identical.

Fortunately, some authenticators are beginning to provide assertions of their provenance along with the authentication transaction. Most notably, FIDO authenticators supply signed assertions about the type of authenticator used, assuming of course that the authenticator maintains its integrity. In practice, this information is most valuable for high assurance authenticators, and these are the ones that protect their integrity the best.

For other BYO authenticators, it’s probably safest to assume the worst: that a relatively weak authenticator is being used. For client certificate-based authentication, assume that the certificate is held in software and is not protected by a passphrase. For one-time passwords, assume that a software implementation is being used in the absence of reliable information to the contrary.

It took me a while to appreciate the value of provenance assertions; at first, I had viewed them as a DRM-like feature to allow only licensed authenticators to be used. But they have real value in establishing the strength of the authentication transaction.

Image “RSA Tokens” by Flickr user Edwin Sarmiento used under Creative Commons BY-SA 2.0 license.


March 8, 2018 / Jim Fenton

Passwords: what minimum length?

Recently there has been a fair amount of discussion about what the minimum acceptable length of passwords should be. NIST SP 800-63B sets a minimum of 8 characters. Some people think the minimum should be considerably more than that, perhaps 16 characters. The following is some rationale for why 8 is a reasonable minimum.

A 2014 research paper[1] was a significant factor in informing this guideline. As discussed in Section 3.2, guessing attacks on passwords can be categorized into online and offline attacks. Online attacks are limited by available bandwidth, response time of the verifier, and hopefully by active throttling of the number of guesses allowed (as specified in SP 800-63B section 5.2.2). Offline attacks, where the attacker has been able to obtain a password database (hopefully salted and iteratively hashed), can make many more guesses, with guessing rates in excess of 1 billion guesses per second depending on the attacker’s hardware capabilities. There isn’t anything in between: either the attacker has a password database to use and mounts an offline attack, or they don’t and mount an online attack.

As a result, there is a significant range in password lengths, shown in Figure 2 of the paper (reproduced above), where passwords are long enough to be resistant to online guessing attacks, but are not long enough to be resistant to offline attacks. Within this range, increasing the minimum password length adds to the burden on users, but does not significantly increase security. While SP 800-63B does not attempt to estimate entropy (or the estimated number of guesses required) for a given password length, the current guideline of 8 characters exceeds the length needed to protect against online attacks, particularly since the paper doesn’t assume intentional rate limiting by the verifier. However, a considerably longer minimum password length, probably at least 16 characters, would be needed to protect against offline attacks, and that would increase with computing speed.

Users do predictable things when subjected to onerous authentication requirements, such as the common behavior to append an exclamation point to their password when required to use a special character. Rather than impose an onerous length requirement (which might cause them, for example, to just use their shorter password twice), the decision was made to set the minimum password length to be resistant to online but not offline attacks. Instead, the burden was placed on the verifier: SP 800-63 section calls for verifiers to store memorized secrets in a form that is resistant to offline attacks, including use of a salted key derivation function and also suggests an additional keyed hash with a secret key that is stored separately.

SP 800-63-3, which contains guidelines on selection of the Authenticator Assurance Level (AAL), calls for two-factor authentication in a number of situations where it has not typically been used. In particular, Executive Order 13681 requires federal agencies to use two-factor authentication whenever a user’s personal data is being released. This is largely in recognition of the limited security that passwords can provide due to not only the guessing attacks discussed above but also other threats such as key loggers. Given the modest security that can be achieved, increasing the minimum password length would be an inconvenient and incomplete solution to authentication security.

Note: While I am a co-author of NIST SP 800-63-3 and SP 800-63B, I am an independent consultant and the above discussion is my opinion only and does not necessarily represent the position of the National Institute of Standards and Technology.

Illustration above is from reference [1].

[1] Florêncio, Dinei, Cormac Herley, and Paul C. van Oorschot. “An Administrator’s Guide to Internet Password Research.” Usenix LISA, November 2014.

December 5, 2017 / Jim Fenton

Protecting passwords against cracking with rehash

One of the problems with the way that passwords are usually verified is that all of the information needed to do the verification is in one place. The password table contains everything that is needed (salt + hash) to verify a password. So if that table is compromised, and that seems to happen a lot, most users are vulnerable because hash cracking technology is, sooner or later, going to crack the vast majority of those passwords by dictionary attack and brute force. Efforts to defeat this have mostly centered around making it harder for the crackers by using iterated memory- and time-intensive algorithms to do the hashing.

Another (an additional) approach is to also hash using a secret value that is stored securely. This is recommended in NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, in the last paragraph of Section This keyed (or “secret salt”) hashing step can be isolated from everything else and treated as a black box that accepts password hashes and outputs a rehashed value. The premise is that it’s easier to protect a secret in a black box than it is to protect a database of hashes and salt values that is used directly by the verifying application.

With the additional use of a secret-keyed hash with a sufficiently complex key, it is impractical to dictionary attack a database of hashed secrets unless the key is known.

Hashing passwords with individual random salt values is still essential. Without that step, it might be possible for an attacker to create fake accounts with known passwords, then compromise the password file and see if any of those hash values appear elsewhere in the database. I am also a believer in defense-in-depth, so I also recommend continued use of iterated hashing so that security is no weaker than the current situation if the key is somehow obtained by an attacker.

Some people have commented that this requires the use of a hardware security module (HSM). While HSMs are the ideal black boxes and provide excellent protection for the key, they can be expensive to obtain and deploy, especially in cloud environments. As an alternative, I have written a sample application, rehash, that implements a very simple web API to accept a hashed password, hash it with a private key, and return the result. The rehash application should run on a machine separate from that doing the password verification, and separate from anything else that could compromise the secret key. The rehashed password would be stored in the password verification table and, when a password is entered, the iterated hashed password is rehashed and that value checked against the table.
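The flow described above (salted iterated hash on the verifier, keyed rehash in a separate black box, only the rehashed value stored), as an added example that is not the rehash application itself: PBKDF2-HMAC-SHA256 stands in for the verifier’s iterated hash, the `RehashService` class stands in for the separate machine and its web API, and the key, salt and iteration count are constructed values for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Work factor for the verifier's iterated hash (constructed for the example).
ITERATIONS = 100_000


def iterated_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Step 1 (verifier side): per-user random salt plus iterated hashing.

    Kept even with the keyed step, so security is no weaker than today
    if the rehash key is somehow obtained by an attacker.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class RehashService:
    """Step 2: the 'black box' holding the secret key.

    In the architecture above this is a small web API on a separate machine;
    here it is a class so the example runs offline. The key never leaves it
    and is never stored alongside the password table.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key

    def rehash(self, hashed_password: bytes) -> bytes:
        # Keyed hash ("secret salt") over the already-iterated hash.
        return hmac.new(self._key, hashed_password, hashlib.sha256).digest()


@dataclass
class PasswordRecord:
    """What the verifier stores: salt, work factor and the *rehashed* value.
    The iterated hash itself is never written to the table."""
    salt: bytes
    iterations: int
    rehashed: bytes


def enroll(password: str, service: RehashService,
           salt: Optional[bytes] = None) -> PasswordRecord:
    salt = salt if salt is not None else os.urandom(16)
    h = iterated_hash(password, salt, ITERATIONS)
    return PasswordRecord(salt=salt, iterations=ITERATIONS, rehashed=service.rehash(h))


def verify(password: str, record: PasswordRecord, service: RehashService) -> bool:
    h = iterated_hash(password, record.salt, record.iterations)
    # Constant-time comparison of the rehashed candidate against the table.
    return hmac.compare_digest(service.rehash(h), record.rehashed)


def offline_guess_matches(guess: str, record: PasswordRecord) -> bool:
    """What an attacker holding only the stolen table can do: hash a guess
    with the stored salt and compare. Without the key this never matches,
    even for the correct password, so no guess can be confirmed."""
    candidate = iterated_hash(guess, record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.rehashed)


if __name__ == "__main__":
    svc = RehashService(os.urandom(32))  # constructed key for the demo
    rec = enroll("correct horse battery staple", svc)
    print(verify("correct horse battery staple", rec, svc))          # True
    print(verify("Tr0ub4dor&3", rec, svc))                           # False
    print(offline_guess_matches("correct horse battery staple", rec))  # False
```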

I have huge respect for the people in the password cracking community that I have met. They have done groundbreaking work in understanding user behavior and using that to optimize the search for passwords in their cracking process. But it is time that we implement something that makes this sort of cracking entirely impractical, rather than just ratcheting up the work factor for them.

I welcome any comments on the rehash application, either through comments here or (perhaps better) by opening an issue on GitHub.

September 23, 2017 / Jim Fenton

Colorado Road Trip Day 16: Homeward

Saturday, September 3, 2017
Trip Odometer: 3376

We were able to start the day in Visalia with a short walk to a nearby Starbucks for breakfast before getting back on the road. We checked in with Kenna’s folks in Stockton, which isn’t far out of our way, and decided to visit (and eat lunch there) on the way home. It was a record hot day, so we weren’t anxious to get to home too early since our house isn’t air conditioned.

Fortunately the house, having been closed up during our trip, wasn’t too warm when we returned. We quickly unloaded the car and took off the car-top carrier, and drove our other car to grab some pizza. We are thankful for a safe and enjoyable trip.

Ending Trip Odometer: 3641

This article is the last in a series about our recent road trip to Colorado and back. To see the introductory article in the series, click here.

September 22, 2017 / Jim Fenton

Colorado Road Trip Day 15: Neon

Friday, September 1, 2017
Trip Odometer: 2993

We rose and checked out of our hotel somewhat early this morning because we had a reservation at the Neon Museum, a collection of lighted signs of Las Vegas’s past. The museum, located just north of downtown Las Vegas, provides guided tours of their collection during the morning and evening (mid-day being too hot). Our 9 am tour was led by a UNLV history major who was definitely into the history and stories behind the signs, which added a lot to our appreciation of the collection.

As in Silicon Valley, “history” in Las Vegas does not necessarily mean “old” in the usual sense. We were amused that some of the signs in the collection had been put up in the 1990s and were already obsolete — all happening since we were married in 1991.


Solar Collectors on I-15

Leaving Las Vegas, we drove down I-15 to Barstow, stopping for lunch in Baker. We then turned west to Bakersfield. I had always been curious about signs for California City along that route, and it wasn’t very far out of our way, so we drove through there (partly because there was allegedly an ice cream shop there). California City is a planned city in the desert north of Edwards AFB; it wasn’t very successful although it seems to have some new development due to employees at Edwards. It has that “planned community” look, similar to communities like Sun City, Arizona, but generally looking less prosperous. We found the promised ice cream shop, but it appeared to be out of business.

From Bakersfield, we continued north on Highway 99 to Visalia, our planned stop for the night. We had considered trying to visit Sequoia National Park on the way home (which prompted this choice) but unusually warm temperatures, along with the start of the Labor Day weekend, convinced us that we should visit another time. Nevertheless, Visalia was a surprisingly nice small city in California’s Central Valley. There were many good restaurants in the downtown, as well as theaters, concert venues, and stores. We counted about six bridal shops. We don’t have any idea why there are so many; maybe Visalia is the wedding dress capital of the Central Valley.

This article is part of a series about our recent road trip to Colorado and back. To see the introductory article in the series, click here.

September 21, 2017 / Jim Fenton

Colorado Road Trip Day 14: Meteor Crater

Thursday, August 31, 2017
Trip Odometer: 2653

We decided to take a short walk for breakfast. The Yelp app said there was a good breakfast place just a few blocks away. Along the way, I took a picture of an empty corner, somewhat as a gag: “Standin’ on a corner in Winslow, Arizona…”. But when we came to the next corner, there were statues standin’ in front of a large mural celebrating exactly that song lyric. Apparently I had just picked the wrong corner.

A short drive from Winslow was the Meteor Crater, which Kenna had previously seen but I had not. The admission fee gave us access to not just the crater but to a well-maintained museum dealing with a number of related topics, such as comets, asteroids, and the extinction of the dinosaurs. While the admission fee ($14 each or $12 for seniors) was not insignificant, it was a good value in terms of the work that had gone into presenting the information to us. The view of the crater was impressive as well.

Continuing past Prescott, we stopped in Williams, Arizona for lunch. Williams is the southern terminus of the Grand Canyon Railway, which we have twice previously taken. Williams seems to be thriving from the presence of the railway.

We proceeded to Las Vegas through a couple of rain showers. We decided to take the route on the western side of the Colorado River, through Laughlin. Our room for the night was at the Platinum Hotel, a non-smoking and casino-free hotel on Flamingo that I had stayed at on previous trips for BSides Las Vegas and DEFCON. For a relatively modest price, we had a large suite with a full kitchen.

We took a walk around the nearby portions of The Strip before stopping for a small dinner at Jimmy Buffett’s Margaritaville restaurant. The restaurant earns its name; our margaritas were tasty but strong.

This article is part of a series about our recent road trip to Colorado and back. To see the introductory article in the series, click here.

September 20, 2017 / Jim Fenton

Colorado Road Trip Day 13: Petrified Forest

Wednesday, August 30, 2017
Trip Odometer: 2411

I woke in the middle of the night to a dazzling display of stars. The previous evening’s clouds had left, and the moon had set, so I got to see the stars as they were visible to most people prior to the invention of the light bulb.

We all rose just before sunrise to see the sun again reflect off the poles. It wasn’t quite as picturesque as the previous evening because the clouds were gone, but very nice nonetheless. After breakfast, we took a walk around the perimeter of the lightning field; judging from the path in the field, this seems to be a popular activity for visitors. There was surprising variation in the plant life in some areas, including a section of flowers that reminded us of the flower field in The Wizard of Oz. I brought my GPS on the hike, and recorded the locations of each of the poles we walked along to compare against Google Earth after the trip.

About 11 am, Kim returned to retrieve us and we left the solitude of the Lightning Field. We returned to Quemado, where Dave’s Tesla had been charging — slowly — while we were at the Field. Being about lunchtime, Kenna and I opted to drive back to Pie Town for lunch with the rest of the group, where Dave was able to get some more charge on the car at the RV park.


Petrified Logs

After lunch, we said our good-byes and headed west, back through Quemado and into Arizona. We drove next to Petrified Forest National Park, which neither of us had visited before. The Petrified Forest is, of course, nothing like a forest — it’s basically desert with calcified tree trunks scattered around. The trunks are colorful, due to impurities such as iron and manganese that are part of the millions of years of calcification. The geology of the Petrified Forest was also interesting in other ways. The hills had very distinct and colorful layers of soil that were deposited as the area migrated from close to the equator to its current position. There is obviously quite a story that a geologist could tell about this.

Proceeding out the north exit from the park, we were now on Interstate 40, the old Route 66. It was quite a change in culture from the rural roads we had been traveling the past couple of days. I-40 had extensive truck traffic, but the BNSF railway that paralleled it was also very active, with long trains hauling shipping containers in both directions. We were thankful for the trains, realizing that all of those containers could be on I-40 with us.

We had considered pressing onward to Flagstaff, but decided to stop at Winslow, partly due to a recommendation we received from David and Kelly to stay at La Posada, one of the classic “Harvey House” hotels there. The hotel had been extensively restored; our room had elegant wood floors and area rugs, leather furniture, and a small reading library of its own. We decided to eat dinner at the Turquoise Room, the hotel’s similarly classic restaurant. Kenna and I had a somewhat dressy dinner there (at least by road trip standards), and it was excellent.

This article is part of a series about our recent road trip to Colorado and back. To see the introductory article in the series, click here.

September 19, 2017 / Jim Fenton

Colorado Road Trip Day 12: Lightning Field

Tuesday, August 29, 2017
Trip Odometer: 2162

We all rose early to make our way to The Lightning Field, an art installation in a remote location near Quemado, a small village in western New Mexico. Jan had made very hard-to-get reservations as a birthday gift for Dave, and invited their friends David and Kelly as well as us to join them.

Dave, Jan, David, and Kelly took Jan’s Tesla X for the trip, which required planning because of the distance involved and the lack of charging facilities in rural New Mexico. Dave had arranged for the use of a hook-up at an RV park in Pie Town, New Mexico, about 20 miles from Quemado. We charged the car while eating lunch at The Gatherin’ Place, one of three pie shops in this village of about 60 people.

While we were there, the owners of The Gatherin’ Place chatted with us at length about the history of the town, what it’s like there in the winter, where the students go to school, the local economy, etc. This is a really remote place — the nearest law enforcement is nearly an hour away, and we were told that residents of that county are required to carry guns.

After lunch, we retrieved Dave’s car and drove the last 20 miles to Quemado, the headquarters for The Lightning Field. We parked our cars and were met by Kim, our host, who drove us to the site, about 45 minutes over mostly dirt roads. The Lightning Field site includes a log cabin which sleeps six people, and includes a kitchen, electric power, and running water from a well. The Lightning Field itself is an array of 400 stainless steel poles with pointed tips laid out over a 1 km by 1 mile area. In a lightning storm, the poles act as lightning rods, which is one of the attractions of the Field.

After introducing us to the cabin and its facilities, Kim left us, to return tomorrow morning to retrieve us. We settled in and moved to the back porch, with a hopeful eye toward the storm clouds in the sky. We got a few light showers and heard a bit of thunder, but also had time to examine a couple of the poles and for some of us to take a more extended hike.

As sunset approached, the sun fell below the clouds and reflected off the poles, making them much more visible than earlier. This was followed by a beautiful and peaceful sunset, although no lightning on the field this evening. We enjoyed dinner provided by the Lightning Field people as well as excellent wine brought by Dave and Jan.

Per the request of the artist and the Dia Art Foundation, which operates the Lightning Field, I have no pictures of the Lightning Field or the cabin.

This article is part of a series about our recent road trip to Colorado and back. To see the introductory article in the series, click here.

September 18, 2017 / Jim Fenton

Colorado Road Trip Day 11: Santa Fe

Monday, August 28, 2017
Trip Odometer: 1831

After breakfast, we continued south on Interstate 25 through varied terrain as we entered New Mexico. Due to mountains, I-25 follows a somewhat roundabout route to Santa Fe, approaching it from the southeast rather than directly from the north. This made the drive somewhat longer than the direct distance would suggest.


Santa Fe Hills

Our destination for the day is the home of our friends Dave and Jan, who live in a beautiful home in the hills north of Santa Fe. We arrived mid-afternoon and went for an early dinner at Tesuque Village Market, a favorite of ours from previous visits. Jan and Kenna then went to a quilting meeting, while Dave and I discussed improvements to the WiFi system at their home.

This article is part of a series about our recent road trip to Colorado and back. To see the introductory article in the series, click here.

September 17, 2017 / Jim Fenton

Colorado Road Trip Day 10: Resumption

Sunday, August 27, 2017
Trip Odometer: 1679

Our flight back to Colorado was at 10:50 am, so we were able to leave home at a “civilized” hour, which was good because we got to bed rather late after last night’s concert and last-minute repacking.

We had one significant additional item, Celeste’s guitar, which wouldn’t really fit into the car on the trip to Colorado. Thankfully, there was open space in the overhead bin near our seat just big enough for the guitar. The flight left on time, and we retrieved our car and drove back to Boulder to drop off the guitar and a couple of other items. We got a chance to see Celeste’s room and apartment in its unpacked and decorated condition; looks like it will be comfortable and work well as a study venue.


KC-97 refueling area

After a little while chatting, we dropped Celeste off at a school event about 5:30 and drove to Colorado Springs, our planned stop for the night. The hotel we had booked was a little out of town, near the airport, and it didn’t look like there was much around. The hotel clerk told us of a restaurant, The Airplane, a short drive away that sounded unusual. Indeed it was: we ate inside a restored KC-97 tanker dating from the 1950s. The theme of the restaurant was entirely aviation: the waitstaff referred to themselves as “flight attendants” and we were thanked for “flying with them” as we left.

This article is part of a series about our recent road trip to Colorado and back. To see the introductory article in the series, click here.