[curves] PAKE use cases & requirements

Damien Miller djm at mindrot.org
Mon Oct 20 18:18:59 PDT 2014

On Mon, 20 Oct 2014, Watson Ladd wrote:

> Based on that it seems that the Secret Millionaire Protocol is a
> possibility, but could load the server more than necessary. SPAKE2 is
> also worthy of consideration.

AFAIK none of these solve:

> > 3. Can work with hashed passwords.
> >
> > I.e. the server stores some H=F(password, salt) but the client gets
> > to use the password directly. Disclosure of H yields no more to the
> > attacker than disclosure of a password file that has been sensibly
> > hashed today (e.g. with bcrypt).
> >
> > The password hash should probably reuse one of the good current
> > ones (bcrypt or scrypt). E.g. by storing something like
> > G^{BCRYPT(pw,salt) mod P}

My somewhat clumsy experimental JPAKE implementation for OpenSSH
didn't either - it used the password hash as the shared secret to be
authenticated against and therefore would allow logins (via JPAKE) to an
attacker with access to the password hashes alone.
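The "works with hashed passwords" requirement quoted above, as an added illustration that is not part of this post and is not the experimental OpenSSH JPAKE code: the first variant authenticates against the stored hash H itself, so a copy of the password file is as good as the password; the second stores V = g^x, with x derived from the password by a slow salted hash, and makes the client prove knowledge of x. A Schnorr proof of knowledge stands in for the PAKE so the property is visible in a few lines; the RFC 3526 2048-bit group, scrypt in place of bcrypt, the function names, and the sample password and salt are all this example's own choices.

```python
# Added illustration (not from the list post or from OpenSSH): a server that
# stores the password hash H and uses it directly as the authentication secret,
# beside one that stores a verifier V = g^x for a password-derived x.
# Schnorr's proof of knowledge of x stands in for the PAKE; it shows the
# property under discussion, not a full key exchange.
import hashlib
import secrets

# 2048-bit MODP group from RFC 3526 (group 14): p is a safe prime and g = 2
# generates the subgroup of prime order q = (p - 1) / 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
Q = (P - 1) // 2
G = 2


def password_hash(password: bytes, salt: bytes) -> bytes:
    """Slow salted hash. scrypt stands in for bcrypt (hashlib has no bcrypt);
    cost parameters are kept small so the example runs quickly."""
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


# --- Variant 1: the stored hash H is itself the secret both sides use -------
def symmetric_enroll(password: bytes, salt: bytes) -> bytes:
    return password_hash(password, salt)          # server stores H verbatim


def symmetric_login(stored_h: bytes, client_secret: bytes) -> bool:
    # Both sides must hold the same H, so whoever holds the stored H can
    # authenticate without ever knowing the password.
    return secrets.compare_digest(stored_h, client_secret)


# --- Variant 2: server stores V = g^x; client must prove knowledge of x -----
def derive_exponent(password: bytes, salt: bytes) -> int:
    # The 256-bit hash output is already below q, so the reduction is a no-op;
    # it is kept so the exponent is always a valid element of Z_q.
    return int.from_bytes(password_hash(password, salt), "big") % Q


def augmented_enroll(password: bytes, salt: bytes) -> int:
    return pow(G, derive_exponent(password, salt), P)   # server stores V, not x


def _challenge(v: int, t: int) -> int:
    # Fiat-Shamir challenge bound to the verifier and the commitment.
    h = hashlib.sha256(v.to_bytes(256, "big") + t.to_bytes(256, "big")).digest()
    return int.from_bytes(h, "big") % Q


def schnorr_prove(x: int, v: int) -> tuple:
    k = secrets.randbelow(Q)          # fresh per-login nonce
    t = pow(G, k, P)                  # commitment
    c = _challenge(v, t)
    s = (k + c * x) % Q               # response; k masks x
    return t, s


def schnorr_verify(v: int, proof: tuple) -> bool:
    t, s = proof
    if not (0 < t < P and 0 <= s < Q):
        return False
    c = _challenge(v, t)
    # g^s == g^k * (g^x)^c holds only if the prover used x = log_g(v)
    return pow(G, s, P) == (t * pow(v, c, P)) % P


def demo(password: bytes = b"correct horse battery staple") -> dict:
    # Constructed sample: a random salt and the password above.
    salt = secrets.token_bytes(16)

    h = symmetric_enroll(password, salt)
    v = augmented_enroll(password, salt)
    x = derive_exponent(password, salt)
    x_wrong = derive_exponent(b"not the password", salt)

    return {
        # variant 1: legitimate client and holder of the stolen H both succeed
        "symmetric_legit": symmetric_login(h, password_hash(password, salt)),
        "symmetric_stolen_hash": symmetric_login(h, h),
        # variant 2: only knowledge of x authenticates
        "augmented_legit": schnorr_verify(v, schnorr_prove(x, v)),
        "augmented_wrong_password": schnorr_verify(v, schnorr_prove(x_wrong, v)),
        # the stored record V, replayed as if it were a proof, is rejected
        "augmented_replay_verifier": schnorr_verify(v, (v, v % Q)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```

A copy of (salt, V) from the second server gives its holder nothing to present at login; what remains is offline guessing of the password through the slow hash, which is the position a bcrypt-hashed password file already leaves them in. That is the distinction the quoted requirement draws, and the one the message above says the experimental OpenSSH implementation did not have, because H itself was the shared secret.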
