[messaging] Passphrase-based key mobility (was: Peerio)

Michael Hamburg mike at shiftleft.org
Sun Mar 1 10:01:34 PST 2015

> On Mar 1, 2015, at 8:50 AM, Trevor Perrin <trevp at trevp.net> wrote:
> On Sat, Feb 28, 2015 at 11:24 PM, Michael Hamburg <mike at shiftleft.org> wrote:
>> Perhaps you should use oblivious function evaluation with a user-specific
>> secret at the server.  So for example, server has a per-user secret key e,
>> and user has a (salted, scrypted) password p.  Let h = hash(p) on some
>> curve.
>> client chooses a uniformly random scalar r.
>> client -> server: Q = h^r
>> server -> client: P = Q^e = h^er
>> client computes P^1/r = h^e, and uses the hash of that point as part of the
>> secret key derivation.
> The server can still attempt offline cracking of the user's password
> though.  So I don't think this is better than just storing a
> passphrase-encrypted private key on the user's server, and delivering
> that to the user once they log in with the passphrase (using PAKE or
> some challenge-response protocol).

Yeah, you’re right.  I was thinking that this might have some better property somehow, but actually it’s exactly the same.  I was thinking that it would be harder for the server to check its guesses, but it can just go and derive the public key to check.  Maybe with multiple servers (roughly as Jeff suggested) it adds something, but not terribly much.

> So my claims are:
> a) If you want passphrase-based mobility between devices, in a
> protocol where the user has a home server, just storing the
> passphrase-encrypted private key on the home server is the best
> approach.
> b) It's unclear in what use cases this is a good idea - I think
> multidevice or new device cases are better handled by device pairing
> (e.g. short-auth strings between two devices).  Maybe passphrase-based
> mobility is desirable for users who roam between Internet cafes
> without a flash drive, or for backup purposes, but at best this seems
> like an optional, opt-in feature for unusual users, not something that
> should be a default for a widely-used system.

> Trevor

I agree.  Unless we can find a new piece of magic, this sort of mobility probably comes at too high a cost.

— Mike
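An added example, not code from the thread: the blinded exchange Mike sketches above, instantiated on secp256k1 in Python, together with the check Trevor describes (the holder of e testing a password guess without the client). The curve, the scrypt parameters and SHA-256 as the final key derivation are assumptions of this demo.

```python
import hashlib
import secrets
P = 2**256 - 2**32 - 977  # secp256k1 field prime (constructed demo, not constant-time)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order, cofactor 1

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication: pt^k in the thread's notation
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def hash_to_curve(msg):  # try-and-increment: hash until x^3 + 7 is a square mod P
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # candidate square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

def password_point(password, salt):  # h = hash(p) for the salted, scrypted password
    return hash_to_curve(hashlib.scrypt(password, salt=salt, n=2**12, r=8, p=1))
def key_from_point(pt):  # hash of the final point feeds the key derivation
    return hashlib.sha256(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")).digest()
def run_exchange(password, salt, e):  # e is the server's per-user secret scalar
    h = password_point(password, salt)
    r = secrets.randbelow(N - 1) + 1                  # client's uniformly random blinding scalar
    Q = ec_mul(r, h)                                  # client -> server: Q = h^r
    Pt = ec_mul(e, Q)                                 # server -> client: P = Q^e = h^(er)
    return key_from_point(ec_mul(pow(r, -1, N), Pt))  # client: P^(1/r) = h^e

def server_offline_check(e, guess, salt, derived_key):
    # Trevor's objection: whoever holds e can test a password guess with no client involved.
    return key_from_point(ec_mul(e, password_point(guess, salt))) == derived_key
```

Two runs with different blinding scalars r yield the same key, and the server-side check accepts exactly the password that produced it.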
