[messaging] "Short" authentication strings

Michael Rogers michael at briarproject.org
Sun Jul 27 04:32:19 PDT 2014


Hi Tony,

I finally got a chance to watch your SOUPS video, and I wanted to ask
why you've chosen to stretch a low-entropy string rather than doing
things ZRTP-style: commit to ephemeral public keys, exchange ephemeral
public keys, derive short authentication string from the shared
secret. Is there something about the broadcast channel you're using
that would make that approach unsuitable?


On 08/07/14 06:18, Tony Arcieri wrote:
> I'm working on a program which authenticates public keys using a
> symmetric key derived from a "short authentication string" (five
> random words). I'm using scrypt as a KDF in conjunction with a
> 32-bit random salt (this is actually the only salt size libsodium's
> implementation of scrypt will accept), and encrypting public keys
> with xsalsa20poly1305 (this will likely change to chacha20poly1305
> soon if you care). The salt is appended to the ciphertext and both
> are sent over the wire.
>
> I'm trying to randomly select a passphrase as users are
> notoriously terrible at picking passwords. I've settled on this
> 4096 "most commonly used" word list for English (so each word is
> 12 bits of entropy):
>
> https://raw.githubusercontent.com/cryptosphere/confusion/master/wordlists/en.txt
>
> For now I've somewhat arbitrarily chosen 5 words as being "secure
> enough" for authentication purposes. This gives 60 bits of
> entropy, which serves as an input to scrypt.
>
> The short authentication strings I'm generating seem palatable
> enough to be easily exchanged in person or over the phone. Here are
> some samples:
>
> shared metaphor property sigh capture
> yeah gravity cycle struggle parental
> recipient briefly payment schedule target
> stare educator ally peak employ
>
> I've also added a refresh button so if the first try gives people
> too big a mouthful, they can refresh until they find a palatable
> enough phrase.
>
> Some questions:
>
> - Is 60 bits of entropy too little, even "stretching" it with scrypt?
> - What scrypt parameters are needed to make this actually secure?
>
> Keep in mind here the main goal is authentication, not
> confidentiality. Once two users have authenticated each other's
> keys, it doesn't really matter that much if someone cracks the
> password, as it would only reveal their public keys. Once the
> public keys have been authenticated, the construct has more or less
> done its job.
>
> --
> Tony Arcieri
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
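The ZRTP-style flow Michael describes (commit to an ephemeral public key, exchange the keys, derive the short string from the shared secret) is shown below as an added example; it is not code from this thread or from either author's projects. The security-relevant difference from the scrypt construction in Tony's message: a passphrase that encrypts the public keys can be attacked offline by anyone who recorded the ciphertext, so its 60 bits must be stretched, whereas a SAS derived after a committed Diffie-Hellman exchange is checked once, out of band, and an active attacker gets a single guess at it, which is why ZRTP settles for 20 bits. Assumed here, and not in the original: Diffie-Hellman over the RFC 3526 group 14 modulus as the key agreement, SHA-256 for the commitment and SAS, a 20-bit SAS rendered as four base32 characters, and constructed placeholder identity keys that the SAS binds via a transcript. Only the Python standard library is used.

```python
"""Commit-then-reveal short authentication string (SAS), ZRTP-style.

Added example, not code from this thread or either author's projects.
Assumed (not in the original): DH over the RFC 3526 group 14 modulus
stands in for the ephemeral key agreement, SHA-256 derives commitment
and SAS, and the SAS is 20 bits shown as 4 base32 characters as in
ZRTP. The long-term public keys being authenticated go into the SAS
as a transcript so that the SAS binds them too.
"""
import base64
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = (P.bit_length() + 7) // 8  # 256

# Constructed placeholder identity keys: the values a real run would
# authenticate. Any bytes work; they only feed the transcript.
ALICE_ID = b"alice-identity-pk:" + bytes(range(32))
BOB_ID = b"bob-identity-pk:" + bytes(range(32, 64))

def group_sanity_check():
    """A mistyped modulus fails this: 2048 bits and 2^(P-1) = 1 (mod P)."""
    return P.bit_length() == 2048 and pow(2, P - 1, P) == 1

def _enc(x):
    return x.to_bytes(NBYTES, "big")  # fixed width, so hashes are unambiguous

def keygen():
    priv = 2 + secrets.randbelow(P - 3)  # uniform in [2, P-2]
    return priv, pow(G, priv, P)

def valid_public(y):
    return 2 <= y <= P - 2  # 0, 1 and P-1 would force a trivial secret

def commit(pub_i):
    """Step 1. The initiator publishes H(A) before it learns B, so nobody
    can grind an ephemeral key toward a chosen SAS after seeing the other
    side's value; that is what lets a 20-bit SAS be enough."""
    return hashlib.sha256(b"zrtp-commit" + _enc(pub_i)).digest()

def responder_check(commitment, pub_i):
    """Step 4. The responder accepts only an A that matches the commitment."""
    if not valid_public(pub_i) or not hmac.compare_digest(commit(pub_i), commitment):
        raise ValueError("commitment mismatch: abort the session")

def derive_sas(priv, pub_i, pub_r, id_i, id_r, initiator, nbits=20):
    """SAS = leading nbits of H(s || A || B || ids), base32-encoded.
    Both parties call this with the same (A, B, id_i, id_r) ordering."""
    shared = pow(pub_r if initiator else pub_i, priv, P)
    h = hashlib.sha256(b"zrtp-sas" + _enc(shared) + _enc(pub_i) + _enc(pub_r)
                       + id_i + id_r).digest()
    return base64.b32encode(h).decode()[: -(-nbits // 5)]

def honest_run(id_a=ALICE_ID, id_b=BOB_ID):
    """Alice initiates, Bob responds; both end with the same 4-char SAS."""
    a, A = keygen()
    c = commit(A)                     # 1. Alice -> Bob : H(A)
    b, B = keygen()                   # 2. Bob -> Alice : B (only after H(A) arrived)
    if not valid_public(B):
        raise ValueError("degenerate responder value")
    responder_check(c, A)             # 3. Alice -> Bob : A ; 4. Bob verifies H(A)
    return (derive_sas(a, A, B, id_a, id_b, True),
            derive_sas(b, A, B, id_a, id_b, False))

def mitm_run(id_a=ALICE_ID, id_b=BOB_ID):
    """Mallory completes one handshake with each victim. No check fails,
    but the two SASes agree only with probability 2^-20, so the spoken
    comparison catches her. Without the commitment she could collect A and
    B first and grind her own ephemeral values until the SASes matched."""
    a, A = keygen(); _, M1 = keygen()       # Alice <-> Mallory (as responder)
    _, M2 = keygen(); b, B = keygen()       # Mallory (as initiator) <-> Bob
    responder_check(commit(A), A)           # Mallory verifies Alice's commitment
    responder_check(commit(M2), M2)         # Bob verifies Mallory's commitment
    return (derive_sas(a, A, M1, id_a, id_b, True),
            derive_sas(b, M2, B, id_a, id_b, False))

def late_substitution_rejected():
    """An attacker who forwards Alice's H(A) untouched and then swaps her
    own value in at step 3 is stopped by the commitment check."""
    _, A = keygen()
    c = commit(A)
    _, M = keygen()
    try:
        responder_check(c, M)
    except ValueError:
        return True
    return False
```

Run `honest_run()` to see the two matching strings the users would read to each other; `mitm_run()` returns two strings that differ with overwhelming probability. The word-list rendering from Tony's message could replace the base32 step by indexing the hash's leading bits into the list, without changing the protocol.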

