[Cryptography] NIST SP 800-63-3

Jerry Leichter leichter at lrw.com
Mon Aug 14 06:04:52 EDT 2017 

Two comments on this:

> o Limiting the rate and number of failed attempts (100 max) before a successful authentication.
What happens after the 100 failed attempts?  As has been pointed out many times in the past, locking out the account gives an attacker a simple denial of service attack.

I've always liked the VMS approach - dating back to the 1980's:  After some threshold of incorrect attempts within a defined period (say, 5 within 2 minutes) is reached, the account is put into "evasion mode" for a random period of time between (say, 2 to 10 minutes).  In evasion mode, *all* passwords are rejected.  As long as attempts to log in continue, evasion mode is extended.  Once they stop, evasion mode times out and the correct password will work again.  Yes, denial of service is possible - but the attack has to continue indefinitely.

>   “In addition, verifiers SHOULD perform an additional iteration of a key derivation function using a salt value that is secret and known only to the verifier.
This has a downside:  It may make it more difficult to recover from a lost password.

A system I work on stores passwords suitably one-way hashed.  The way the system is structured, there's relatively little reason for the administrator to have to log in - though it does happen now and then.  Our support guys receive a significant number of calls from admins who's forgotten their administrator password.  Assuming they haven't also forgotten the root password on the box :-), we can get them back in operation by inserting a known hashed password/salt value into the password file.  Were we to also encrypt using a secret key, this would be much harder.

Yes, we already have a secret key for other purposes; and, yes, we could presumably write some code to generate a new admin password from it.  FYI, we use the secret key for a related, but different, purpose:  As part of encrypting customer information that we don't want to see in diagnostic uploads.  Our diagnostic procedures never look at the area where the secret is kept, so even though we get encrypted copies of some of their sensitive information, we can't decrypt it.

                                                        -- Jerry

More information about the cryptography mailing list