[noise] Wrong arguments for KDF in PSK mode

Trevor Perrin trevp at trevp.net
Thu Apr 21 15:09:31 PDT 2016


On Thu, Apr 21, 2016 at 2:11 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> On Fri, Apr 22, 2016 at 5:25 AM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> I'd also like to consider whether we should be more restrictive in
>> what we allow as PSK inputs, so people don't misuse PSKs with
>> low-entropy data, but I'll bring that up separately.
>
>
> "PSK's should be pseudorandom data with at least 256 bits of entropy.  It is
> not recommended for PSK's to be based on human-typed passwords.  But if they
> are, then the password together with a salt should be preprocessed with a
> KDF function like PBKDF2 or scrypt before using it as a PSK".


I think we should discourage password PSKs even more than that - a
typical user-chosen password plus PBKDF2 or scrypt still has a good
chance of being vulnerable to offline guessing.

So you are better off dealing with passwords as a separate protocol
inside of Noise, or using a PAKE protocol (like SPAKE2, SRP, etc),
which Noise is not.

Trevor


More information about the Noise mailing list