[curves] PAKE use cases & requirements

Damien Miller djm at mindrot.org
Mon Oct 20 18:18:59 PDT 2014


On Mon, 20 Oct 2014, Watson Ladd wrote:

> Based on that it seems that the Secret Millionaire Protocol is a
> possibility, but could load the server more than necessary. SPAKE2 is
> also worthy of consideration.

AFAIK none of these solve:

> > 3. Can work with hashed passwords.
> >
> > I.e. the server stores some H=F(password, salt) but the client gets
> > to use the password directly. Disclosure of H yields no more to the
> > attacker than disclosure of a password file that has been sensibly
> > hashed today (e.g. with bcrypt).
> >
> > The password hash should probably reuse one of the good current
> > ones (bcrypt or scrypt). E.g. by storing something like
> > G^{BCRYPT(pw,salt) mod P}

My somewhat clumsy experimental JPAKE implementation for OpenSSH
didn't either - it used the password hash as the shared secret to be
authenticated against and therefore would allow logins (via JPAKE) to an
attacker with access to the password hashes alone.

-d
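An added illustration (not code from this thread, from OpenSSH, or from any protocol named here) of the verifier property that requirement 3 asks for: the server keeps only G^x mod P, with x derived from a slow password hash, and a Schnorr-style proof lets it confirm the client knows x while a copy of the stored value alone does not suffice. It is a plain proof of knowledge, not a PAKE (nothing here protects the exchanged messages against offline guessing); the toy group and the PBKDF2 stand-in for bcrypt/scrypt are assumptions.

```python
import hashlib
import secrets

# Constructed toy group: safe prime P = 2Q + 1 and a generator G of the
# order-Q subgroup (4 = 2^2 has order exactly 509 mod 1019). A deployment
# would use a standard large group; these are tiny only so the example runs fast.
P, Q, G = 1019, 509, 4

def derive_x(password: bytes, salt: bytes) -> int:
    # Slow password hash -> exponent x. PBKDF2 stands in for the bcrypt/scrypt
    # the post suggests (assumption: chosen only because hashlib ships it).
    h = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return int.from_bytes(h, "big") % Q

def make_verifier(password: bytes, salt: bytes = b""):
    # Enrolment: the server stores (salt, v = G^x mod P), never x or the password.
    salt = salt or secrets.token_bytes(16)
    return salt, pow(G, derive_x(password, salt), P)

def client_commit():
    # Client picks a fresh nonce r and sends the commitment t = G^r mod P.
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def client_respond(x: int, r: int, c: int) -> int:
    # Schnorr response s = r + c*x mod Q; producing it requires knowing x.
    return (r + c * x) % Q

def server_verify(v: int, t: int, c: int, s: int) -> bool:
    # Server checks G^s == t * v^c mod P using nothing but the stored verifier.
    return pow(G, s, P) == (t * pow(v, c, P)) % P

def run_login(v: int, x_claimed: int) -> bool:
    # One full exchange. Because G has prime order Q, the check passes iff
    # x_claimed == x mod Q. Someone holding only v (e.g. from a leaked password
    # file) has no x to respond with, unlike a scheme that uses the password
    # hash itself as the shared secret, where the stolen hash is enough.
    r, t = client_commit()
    c = secrets.randbelow(Q - 1) + 1  # server's random challenge
    s = client_respond(x_claimed, r, c)
    return server_verify(v, t, c, s)

if __name__ == "__main__":
    salt, v = make_verifier(b"correct horse")
    x = derive_x(b"correct horse", salt)
    print(run_login(v, x))            # True: client knows the password
    print(run_login(v, (x + 1) % Q))  # False: any other exponent, e.g. a guess
```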

