[messaging] "Short" authentication strings
bascule at gmail.com
Mon Jul 7 22:18:20 PDT 2014
I'm working on a program which authenticates public keys using a symmetric
key derived from a "short authentication string" (five random words). I'm
using scrypt as a KDF in conjunction with a 32-bit random salt (this is
actually the only salt size libsodium's implementation of scrypt will
accept), and encrypting public keys with xsalsa20poly1305 (this will likely
change to chacha20poly1305 soon if you care). The salt is appended to the
ciphertext and both are sent over the wire.
I'm trying to randomly select a passphrase as users are notoriously
terrible at picking passwords. I've settled on this 4096 "most commonly
used" word list for English (so each word is 12-bits of entropy):
For now I've somewhat arbitrarily chosen 5 words as being "secure enough"
for authentication purposes. This gives 60-bits of entropy, which serves as
an input to scrypt.
The short authentication strings I'm generating seem palatable enough to be
easily exchanged in person or over the phone. Here are some samples:
shared metaphor property sigh capture
yeah gravity cycle struggle parental
recipient briefly payment schedule target
stare educator ally peak employ
I've also added a refresh button so if the first try gives people too big a
mouthful, they can refresh until they find a palatable enough phrase.
- Is 60-bits entropy too little, even "stretching" it with scrypt?
- What scrypt parameters are needed to make this actually secure?
Keep in mind here the main goal is authentication, not confidentiality.
Once two users have authenticated each other's keys, it doesn't really
matter that much if someone cracks the password, as it would only reveal
their public keys. Once the public keys have been authenticated, the
construct has more or less done its job.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Messaging