[messaging] Password reset mechanisms with an SRP authentication framework

Trevor Perrin trevp at trevp.net
Tue Apr 22 11:47:14 PDT 2014


On Tue, Apr 22, 2014 at 9:15 AM, Michael Rogers
<michael at briarproject.org> wrote:
>
> Hi Dave,
>
> I've recently been thinking about a similar problem for a P2P
> messaging app I'm working on, where the messages and contact list are
> stored on the user's device, encrypted with a key derived from her
> password. If the user forgets the password, everything's lost.
>
> The approach I'm considering may or may not be suitable for Inky -
> it's based on some assumptions about users being able to meet face to
> face, bringing with them the devices they use for messaging. But if
> that sounds like it might be suitable for some of your users, here's
> the idea:
>
> * Derive a key from the user's password
> * Split the key into n shares using a secret-sharing algorithm, such
> that any k shares are sufficient to reconstruct the key, 2 < k < n
> * Store two shares unencrypted on the user's device
> * Give the other n-2 shares to trusted friends (this can be done
> in-band, and the shares can be stored in the friends' own accounts)
> * The friends don't have enough shares to reconstruct the key even if
> they collude

They do, if n-2 >= k.

But I like the idea of doing backup with a k-of-n quorum of friends
(or more generally - public keys).

I would assume you know your friends' public keys, do a k-of-n share
of a symmetric key used to encrypt the backup data, then encrypt each
share under one of the public keys.  Then store all ciphertext in a
backup file you widely distribute (containing both the encrypted
shares and encrypted backup data).

The nice thing about this is you can use your friends for backup
without ever contacting them, except in the event of recovery.


Trevor
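The k-of-n layout Michael describes and Trevor's collusion point, as an added example that is not code from either poster: a minimal Shamir split over a prime field in Python, with the two device-local shares and the n-2 friend shares modelled as lists. The symmetric key is a constructed random 128-bit value; encrypting each share to a friend's public key, as Trevor proposes, is left out.

```python
import secrets

# Prime field large enough to hold a 128-bit symmetric key as one element.
P = 2**255 - 19  # a known prime; any prime larger than the key space works


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x modulo P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Shamir k-of-n split: random degree-(k-1) polynomial with f(0) = secret."""
    if not 1 <= k <= n or not 0 <= secret < P:
        raise ValueError("need 1 <= k <= n and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P); correct iff len(shares) >= k."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def owner_recovers(k, n):
    """Michael's layout: 2 shares stay on the device, n-2 go to friends.
    The owner plus any k-2 friends recover the (constructed) key."""
    key = secrets.randbits(128)
    shares = split_secret(key, k, n)
    local, friends = shares[:2], shares[2:]
    return recover_secret(local + friends[:k - 2]) == key


def friends_can_collude(k, n):
    """Trevor's correction: the n-2 friend shares alone suffice iff n-2 >= k."""
    key = secrets.randbits(128)
    shares = split_secret(key, k, n)
    return recover_secret(shares[2:]) == key
```

With k=3, n=5 the friends hold three shares and can reconstruct the key without the owner; with k=3, n=4 they hold only two and cannot.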

