[curves] PAKE use cases & requirements
Damien Miller
djm at mindrot.org
Mon Oct 20 18:18:59 PDT 2014
On Mon, 20 Oct 2014, Watson Ladd wrote:
> Based on that it seems that the Secret Millionaire Protocol is a
> possibility, but could load the server more than necessary. SPAKE2 is
> also worthy of consideration.
AFAIK none of these solve:
> > 3. Can work with hashed passwords.
> >
> > I.e. the server stores some H=F(password, salt) but the client gets
> > to use the password directly. Disclosure of H yields no more to the
> > attacker than disclosure of a password file that has been sensibly
> > hashed today (e.g. with bcrypt).
> >
> > The password hash should probably reuse one of the good current
> > ones (bcrypt or scrypt). E.g. by storing something like
> > G^{BCRYPT(pw,salt) mod P}
My somewhat clumsy experimental JPAKE implementation for OpenSSH
didn't either - it used the password hash as the shared secret to be
authenticated against and therefore would allow logins (via JPAKE) to an
attacker with access to the password hashes alone.
-d
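Added example, not code from the Curves thread, from OpenSSH, or from the JPAKE implementation mentioned above. It contrasts the two storage choices under discussion: design 1, where the server stores H = F(pw, salt) and H itself is the shared secret that gets authenticated (the shape the mail attributes to the experimental JPAKE code), and design 2, the quoted requirement, where the server stores V = G^x mod P with x = F(pw, salt) and only a party that knows pw can recover x. Everything concrete here is an assumed stand-in: RFC 3526 group 14 for (G, P), PBKDF2-HMAC-SHA256 for bcrypt/scrypt, an HMAC challenge-response for "prove you hold H", and a Schnorr proof of knowledge of x in place of the PAKE's client-side use of the secret. The credential and salt are constructed.

```python
"""Added example (not from the Curves thread or OpenSSH): hash-as-secret
versus G^hash-as-verifier.  All parameters below are assumed stand-ins."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), a safe prime; G = 2 generates the
# subgroup of prime order Q = (P - 1) / 2.  Stand-in for the thread's (G, P).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2
ITERATIONS = 100_000   # constructed cost parameter for the stand-in KDF


def kdf(password: bytes, salt: bytes) -> bytes:
    """F(pw, salt): PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt here."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=32)


# ---- Design 1: the stored hash H doubles as the shared secret ---------------
def enroll_hash(password: bytes, salt: bytes) -> bytes:
    return kdf(password, salt)


def login_hash_design(client_secret: bytes, stored_h: bytes) -> bool:
    """Challenge-response keyed by H.  Anyone holding H, legitimately or by
    reading the password file, can answer the challenge."""
    challenge = secrets.token_bytes(32)                               # server -> client
    response = hmac.new(client_secret, challenge, "sha256").digest()  # client -> server
    expected = hmac.new(stored_h, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


# ---- Design 2: server stores V = G^x mod P, the client must know x ----------
def password_exponent(password: bytes, salt: bytes) -> int:
    """x = F(pw, salt) mapped into [1, Q-1]; computable only from the password."""
    return int.from_bytes(kdf(password, salt), "big") % (Q - 1) + 1


def enroll_verifier(password: bytes, salt: bytes) -> int:
    return pow(G, password_exponent(password, salt), P)


def login_verifier_design(client_x: int, stored_v: int) -> bool:
    """Schnorr proof of knowledge of x such that V = G^x (stand-in for the
    PAKE step in which the client uses x).  Holding V alone does not help."""
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)                        # client -> server: commitment
    c = secrets.randbelow(1 << 128) + 1     # server -> client: challenge
    s = (r + c * client_x) % Q              # client -> server: response
    return pow(G, s, P) == (t * pow(stored_v, c, P)) % P


def demo() -> dict:
    """Constructed credential; returns the outcomes that matter for item 3."""
    password, salt = b"correct horse battery staple", b"constructed-salt"
    stored_h = enroll_hash(password, salt)
    stored_v = enroll_verifier(password, salt)
    stolen_h, stolen_v = stored_h, stored_v   # attacker has read the password file
    return {
        "hash_design_user": login_hash_design(enroll_hash(password, salt), stored_h),
        "hash_design_thief": login_hash_design(stolen_h, stored_h),              # H is enough
        "verifier_design_user": login_verifier_design(password_exponent(password, salt), stored_v),
        "verifier_design_thief": login_verifier_design(stolen_v % Q, stored_v),  # needs x, not V
        "verifier_design_wrong_pw": login_verifier_design(password_exponent(b"hunter2", salt), stored_v),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} -> {'login OK' if ok else 'rejected'}")
```

Running it shows the thief logging in under design 1 and being rejected under design 2. Two caveats: the Schnorr exchange is a proof of knowledge, not a PAKE, so it only illustrates the storage requirement (item 3) and nothing about the rest of the thread; and V = G^{F(pw,salt)} still admits an offline dictionary attack by anyone who steals it, which is exactly the bar the quoted requirement sets (no worse than a sensibly hashed password file), so the KDF cost still matters.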