[Openid-specs-risc] "Compromised credential" event - background information
Stan Bounev
stanb at vericlouds.com
Tue Feb 4 23:12:26 UTC 2020
Hello everyone,
I want to share with you the background information we have so far about this event. See the attached high-level use case. Below I’ve added some points Annabelle raised in the past, plus a sample event code Marius suggested.
Feedback from Annabelle:
· A hash of a partial password is not really useful on its own. There are ways to make it useful, but a lot of them are likely to decrease the overall security of the recipient system in non-obvious ways. The safer ways to use this information aren’t obvious and are harder to implement. We need to be careful that we do not inadvertently promote anti-patterns. I’m not saying that we can’t define this event, but we have to be careful about it and make sure we provide the right guidance.
· Are you thinking at all about “batch” cases, e.g., a big password file gets dumped on pastebin?
· We need to be very careful if we’re going to include credentials or artifacts derived from credentials in events. A plain hash of the password is vulnerable to rainbow tables and cracking rigs. A hash of a PIN is especially vulnerable, given the reduced search space.
On Dec 20, 2019, at 8:13 PM, Marius Scurtescu via Openid-specs-risc <openid-specs-risc at lists.openid.net> wrote:
A new RISC event type came up while looking at clearing house use cases, see meeting notes for December 10.
Event Type URI:
https://schemas.openid.net/secevent/risc/event-type/credential-compromised
Credential Compromised signals that a given credential for the account identified
by the subject was compromised. If the exact same credential is used by the same
account then the Receiver should take action.
Attributes:
- credential-type:
  - password
  - PIN
  - ...
- credential-hash
- hash-method:
  - SHA-256
  - ...
{
  "iss": "https://idp.example.com/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1508184845,
  "aud": "636C69656E745F6964",
  "events": {
    "https://schemas.openid.net/secevent/risc/event-type/credential-compromised": {
      "subject": {
        "subject_type": "iss-sub",
        "iss": "https://idp.example.com/",
        "sub": "7375626A656374"
      },
      "credential-type": "password",
      "credential-hash": "41ef4bb0b23661e66301aac36066912dac037827b4ae63a7b1165a5aa93ed4eb",
      "hash-method": "SHA-256"
    }
  }
}
Keep in mind that an event like this is useful not only for a clearing house use case but for all implicit and pseudo implicit use cases, see sections 3.3, 3.4 and 3.5:
https://tools.ietf.org/html/draft-scurtescu-secevent-risc-use-cases
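As an added illustration, not code from this thread or from the RISC specification, here is how a Receiver could handle the event proposed above in Python: it validates the attributes, stores the received hash against the subject, and compares only at authentication time, when the plaintext is presented anyway, so nothing reversible is stored (the receiver store, function names and the sample payload's hash are constructed for this example).

```python
import hashlib
import hmac
EVENT_TYPE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromised"
HASHES = {"SHA-256": hashlib.sha256}  # hash-method values this receiver accepts

def parse_credential_compromised(payload):
    """Validate the event inside a SET payload whose signature was already checked."""
    ev = payload.get("events", {}).get(EVENT_TYPE)
    if ev is None:
        raise ValueError("no credential-compromised event in SET")
    for key in ("subject", "credential-type", "credential-hash", "hash-method"):
        if key not in ev:
            raise ValueError("missing attribute: " + key)
    if ev["hash-method"] not in HASHES:
        raise ValueError("unsupported hash-method: " + ev["hash-method"])
    digest = bytes.fromhex(ev["credential-hash"])  # rejects malformed hex
    if len(digest) != HASHES[ev["hash-method"]]().digest_size:
        raise ValueError("credential-hash length does not match hash-method")
    return {"iss": ev["subject"]["iss"], "sub": ev["subject"]["sub"],
            "credential_type": ev["credential-type"],
            "hash_method": ev["hash-method"], "credential_hash": digest}

compromised = {}  # receiver-side store (hypothetical): (iss, sub) -> records

def record_compromise(payload):
    rec = parse_credential_compromised(payload)
    compromised.setdefault((rec["iss"], rec["sub"]), []).append(rec)
    return rec

def presented_credential_is_compromised(iss, sub, credential_type, plaintext):
    """Run at authentication time, when the plaintext is in hand anyway, so the
    receiver stores nothing reversible; the comparison is constant-time."""
    for rec in compromised.get((iss, sub), []):
        if rec["credential_type"] != credential_type:
            continue
        h = HASHES[rec["hash_method"]](plaintext.encode("utf-8")).digest()
        if hmac.compare_digest(h, rec["credential_hash"]):
            return True
    return False

# Constructed sample payload shaped like the one in the thread; the hash is the
# SHA-256 of a made-up password so the check can be exercised offline.
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.com/", "aud": "636C69656E745F6964",
    "events": {EVENT_TYPE: {
        "subject": {"subject_type": "iss-sub", "iss": "https://idp.example.com/", "sub": "7375626A656374"},
        "credential-type": "password",
        "credential-hash": hashlib.sha256(b"constructed-leaked-password").hexdigest(),
        "hash-method": "SHA-256"}}}
```

A match means the account is still using the leaked credential, which is exactly the "exact same credential" condition above; the Receiver would then force a reset rather than act on the hash alone.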
Attachment: Compromised Event Use Case.doc (application/msword, 38400 bytes): <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20200204/25df7623/attachment-0001.doc>