[messaging] Passphrase-based key mobility (was: Peerio)

Trevor Perrin trevp at trevp.net
Sun Mar 1 08:50:54 PST 2015

On Sat, Feb 28, 2015 at 11:24 PM, Michael Hamburg <mike at shiftleft.org> wrote:
> Perhaps you should use oblivious function evaluation with a user-specific
> secret at the server.  So for example, server has a per-user secret key e,
> and user has a (salted, scrypted) password p.  Let h = hash(p) on some
> curve.
> client chooses a uniformly random scalar r.
> client -> server: Q = h^r
> server -> client: P = Q^e = h^er
> client computers P^1/r = h^e, and uses the hash of that point as part of the
> secret key derivation.

The server can still attempt offline cracking of the user's password
though.  So I don't think this is better than just storing a
passphrase-encrypted private key on the user's server, and delivering
that to the user once they log in with the passphrase (using PAKE or
some challenge-response protocol).

So my claims are:
 a) If you want passphrase-based mobility between devices, in a
protocol where the user has a home server, just storing the
passphrase-encrypted private key on the home server is the best

 b) It's unclear in what use cases this is a good idea - I think
multidevice or new device cases are better handled by device pairing
(e.g. short-auth strings between two devices).  Maybe passphrase-based
mobility is desirable for users who roam between Internet cafes
without a flash drive, or for backup purposes, but at best this seems
like an optional, opt-in feature for unusual users, not something that
should be a default for a widely-used system.


More information about the Messaging mailing list