[messaging] "Short" authentication strings
steveweis at gmail.com
Tue Jul 8 12:12:47 PDT 2014
To make it a bit more memorable, you can generate random word strings with
some grammatical structure. Here's a quick script to generate output using
different grammar templates:
Here are some sample output lines with > 60 bits of entropy each:
greedily model until overjoyed self till transport
concerning these burst afterwards dress fretful account
into myself texture likely twist spooky nut
innocently jog atop young cry without oranges
deranged apples obnoxiously delegate atop one gold
fatally fold towards wholesale nerve off observation
On Mon, Jul 7, 2014 at 10:18 PM, Tony Arcieri <bascule at gmail.com> wrote:
> I'm working on a program which authenticates public keys using a symmetric
> key derived from a "short authentication string" (five random words). I'm
> using scrypt as a KDF in conjunction with a 32-bit random salt (this is
> actually the only salt size libsodium's implementation of scrypt will
> accept), and encrypting public keys with xsalsa20poly1305 (this will likely
> change to chacha20poly1305 soon if you care). The salt is appended to the
> ciphertext and both are sent over the wire.
> I'm trying to randomly select a passphrase as users are notoriously
> terrible at picking passwords. I've settled on this 4096 "most commonly
> used" word list for English (so each word is 12 bits of entropy):
> For now I've somewhat arbitrarily chosen 5 words as being "secure enough"
> for authentication purposes. This gives 60 bits of entropy, which serves as
> an input to scrypt.
> The short authentication strings I'm generating seem palatable enough to
> be easily exchanged in person or over the phone. Here are some samples:
> shared metaphor property sigh capture
> yeah gravity cycle struggle parental
> recipient briefly payment schedule target
> stare educator ally peak employ
> I've also added a refresh button so if the first try gives people too big
> a mouthful, they can refresh until they find a palatable enough phrase.
> Some questions:
> - Is 60 bits of entropy too little, even "stretching" it with scrypt?
> - What scrypt parameters are needed to make this actually secure?
> Keep in mind here the main goal is authentication, not confidentiality.
> Once two users have authenticated each other's keys, it doesn't really
> matter that much if someone cracks the password, as it would only reveal
> their public keys. Once the public keys have been authenticated, the
> construct has more or less done its job.
> Tony Arcieri
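The entropy accounting behind grammar-templated phrases like the samples above, as an added example that is not part of the thread and is not the script the message refers to. The word lists, templates and function names are constructed for illustration; the generator reports the weakest template's entropy as a lower bound and refuses to emit a phrase when the lists cannot supply the requested number of bits.

```python
import math
import secrets

# Constructed 8-word lists (3 bits per slot); real lists must be far larger.
LEXICON = {
    "adv":  ["greedily", "innocently", "obnoxiously", "fatally", "quietly", "boldly", "likely", "afterwards"],
    "verb": ["model", "burst", "twist", "jog", "delegate", "fold", "dress", "cry"],
    "prep": ["until", "till", "into", "atop", "without", "towards", "off", "concerning"],
    "adj":  ["overjoyed", "fretful", "spooky", "young", "deranged", "wholesale", "gold", "one"],
    "noun": ["transport", "account", "texture", "nut", "oranges", "apples", "nerve", "observation"],
}
# Hypothetical grammar templates modelled on the sample lines in the message.
TEMPLATES = [
    ("adv", "verb", "prep", "adj", "noun", "prep", "noun"),
    ("adj", "noun", "adv", "verb", "prep", "adj", "noun"),
]

def template_bits(template, lexicon=LEXICON):
    """Entropy of one template: each slot adds log2(size of its word list)."""
    return sum(math.log2(len(lexicon[slot])) for slot in template)

def phrase_bits(templates=TEMPLATES, lexicon=LEXICON):
    """Lower bound for the whole generator: the weakest template decides."""
    return min(template_bits(t, lexicon) for t in templates)

def min_list_size(slots, bits):
    """Smallest per-slot list size n with n**slots >= 2**bits (integer math)."""
    n = 1
    while n ** slots < 2 ** bits:
        n += 1
    return n

def generate(min_bits, templates=TEMPLATES, lexicon=LEXICON):
    """Return a phrase, refusing if the lists cannot supply min_bits."""
    have = phrase_bits(templates, lexicon)
    if have < min_bits:
        raise ValueError(f"only {have:.1f} bits available, {min_bits} required")
    template = secrets.choice(templates)  # CSPRNG, not random.choice
    return " ".join(secrets.choice(lexicon[slot]) for slot in template)

if __name__ == "__main__":
    print(generate(21))          # the toy lists give 7 * 3 = 21 bits
    print(min_list_size(5, 60))  # five equal slots, as in the quoted scheme
    print(min_list_size(7, 60))  # seven slots, as in the sample lines
```
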