Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p3fdb-0003Qh-4E for pgsql-hackers@arkaria.postgresql.org; Fri, 09 Dec 2022 15:50:11 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1p3fdZ-0006zI-Kc for pgsql-hackers@arkaria.postgresql.org; Fri, 09 Dec 2022 15:50:09 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p3fdZ-0006z8-8P for pgsql-hackers@lists.postgresql.org; Fri, 09 Dec 2022 15:50:09 +0000 Received: from meesny.iki.fi ([2001:67c:2b0:1c1::201]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p3fdW-0003YP-0i for pgsql-hackers@lists.postgresql.org; Fri, 09 Dec 2022 15:50:08 +0000 Received: from [192.168.1.113] (dsl-hkibng22-54f8db-125.dhcp.inet.fi [84.248.219.125]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hlinnaka) by meesny.iki.fi (Postfix) with ESMTPSA id 3ACB0201AE; Fri, 9 Dec 2022 17:50:01 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1670601001; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=HecTkNHPXRNejeJrBeXlOkTtTkKIbPA8Do68u/1YHzY=; b=yWDVueKIIBW4brvV56TLs30rNhx+odP85ZuITmd8xJwGGHgIQrpOy7ymOe8xqom0l+IKns up+yXXq9i46l3xnrOTcTyYpxwYwxgfKNCfkQPF+PYdZ7b3nNtt8dkG7ZzYwHilT8AK9z3+ v3F2cIRg9u1I4cW+go51fHLlMrdfaTs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1670601001; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=HecTkNHPXRNejeJrBeXlOkTtTkKIbPA8Do68u/1YHzY=; b=T1MD0NHRITssE5aCqRsY/gce7OHBaXCRuEdLWzwyLIokv28D/plA4CoFSQAGN7wZYlo7eZ oJENjPQxPyiDyKdXxjbVYdnZRQJYS957sYxAUMXe61PlPkwaJzEnIWukBimiATp+gKg/PX aBZiLeYx4+3Ze//nVll0vX7ajngI/ZA= ARC-Seal: i=1; s=meesny; d=iki.fi; t=1670601001; a=rsa-sha256; cv=none; b=QtQuMp8fqB8mOdn/0luCt3NZ7VHA12ax+M1bdvjcKYtpi+3H6eV/XxVqnZZpHDgGa0C5hu hPwEGGBWMglJJAvPZiSwRxZt9IQ2vHDOIi6E6A2pM8Kjfrp1S72nbAedQjVr4j4O8lfJU5 750POOCye4eG527Ag+6I20z7bLle/xE= ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=hlinnaka smtp.mailfrom=hlinnaka@iki.fi Message-ID: <1d669d97-86b3-a5dc-9f02-c368bca911f6@iki.fi> Date: Fri, 9 Dec 2022 17:50:00 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0 Subject: Re: Raising the SCRAM iteration count Content-Language: en-US To: Daniel Gustafsson , PostgreSQL Hackers References: From: Heikki Linnakangas In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 09/12/2022 12:55, Daniel Gustafsson wrote: > In the thread about user space SCRAM functions [0] I mentioned that it might be > wise to consider raising our SCRAM iteration count. The iteration count is an > important defence against brute-force attacks. > > Our current hardcoded value for iteration count is 4096, which is based on a > recommendation from RFC 7677. This is however the lower end of the scale, and > is related to computing power in 2015 generation handheld devices. The > relevant paragraph in section 4 of RFC 7677 [1] reads: > > "As a rule of thumb, the hash iteration-count should be such that a modern > machine will take 0.1 seconds to perform the complete algorithm; however, > this is unlikely to be practical on mobile devices and other relatively low- > performance systems. At the time this was written, the rule of thumb gives > around 15,000 iterations required; however, a hash iteration- count of 4096 > takes around 0.5 seconds on current mobile handsets." > > It goes on to say: > > "..the recommendation of this specification is that the hash iteration- count > SHOULD be at least 4096, but careful consideration ought to be given to > using a significantly higher value, particularly where mobile use is less > important." > > Selecting 4096 was thus a conservative take already in 2015, and is now very > much so. On my 2020-vintage Macbook I need ~200k iterations to consume 0.1 > seconds (in a build with assertions). Calculating tens of thousands of hashes > per second on a consumer laptop at a 4096 iteration count is no stretch. A > brief look shows that MongoDB has a minimum of 5000 with a default of 15000 > [2]; Kafka has a minimum of 4096 [3]. > > Making the iteration count a configurable setting would allow installations to > raise the iteration count to strengthen against brute force attacks, while > still supporting those with lower end clients who prefer the trade-off of > shorter authentication times. > > The attached introduces a scram_iteration_count GUC with a default of 15000 > (still conservative, from RFC7677) and a minimum of 4096. Since the iterations > are stored per secret it can be altered with backwards compatibility. We just had a discussion with a colleague about using a *smaller* iteration count. Why? To make the connection startup faster. We're experimenting with a client that runs in a Cloudflare worker, which is a wasm runtime with very small limits on how much CPU time you're allowed to use (without paying extra). And we know that the password is randomly generated and long enough. If I understand correctly, the point of iterations is to slow down brute-force or dictionary attacks, but if the password is strong enough to begin with, those attacks are not possible regardless of iteration count. So I would actually like to set the minimum iteration count all the way down to 1. - Heikki