[messaging] Passphrase-based key mobility (was: Peerio)

Nadim Kobeissi nadim at nadim.computer
Sun Mar 1 10:21:52 PST 2015

On Sun, Mar 1, 2015 at 5:50 PM, Trevor Perrin <trevp at trevp.net> wrote:

> On Sat, Feb 28, 2015 at 11:24 PM, Michael Hamburg <mike at shiftleft.org> wrote:
> > Perhaps you should use oblivious function evaluation with a user-specific
> > secret at the server.  So for example, server has a per-user secret key e,
> > and user has a (salted, scrypted) password p.  Let h = hash(p) on some
> > curve.
> >
> > client chooses a uniformly random scalar r.
> > client -> server: Q = h^r
> > server -> client: P = Q^e = h^er
> > client computes P^1/r = h^e, and uses the hash of that point as part of the
> > secret key derivation.
> The server can still attempt offline cracking of the user's password
> though.  So I don't think this is better than just storing a
> passphrase-encrypted private key on the user's server, and delivering
> that to the user once they log in with the passphrase (using PAKE or
> some challenge-response protocol).
> So my claims are:
>  a) If you want passphrase-based mobility between devices, in a
> protocol where the user has a home server, just storing the
> passphrase-encrypted private key on the home server is the best
> approach.

Yup, I've already said this isn't a bad idea, and I think by this point it
seems to be the most reasonable way to move forward. This is the best time
to tighten the threat model/security guarantees.

>  b) It's unclear in what use cases this is a good idea - I think
> multidevice or new device cases are better handled by device pairing
> (e.g. short-auth strings between two devices).  Maybe passphrase-based
> mobility is desirable for users who roam between Internet cafes
> without a flash drive, or for backup purposes, but at best this seems
> like an optional, opt-in feature for unusual users, not something that
> should be a default for a widely-used system.

This becomes a substantially more subjective discussion on
user-friendliness, subjective to the degree where I'm not sure it can lead
to a fruitful discussion here. Based on my experience making software, I
strongly believe that relying on a passphrase model will allow people
portability that's meaningful enough to stand on its own. I think there's
something to be said for the fact that you can lose all your devices (which
in the majority of cases is just one device) and still be able to access
your data.

If the tradeoff is a simple improvement like the one Trevor is suggesting,
then that's something we can do and push to spec in a week. It'll certainly
be worth it.

> Trevor
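The blinded exchange Mike sketches above, written out as an added example (my code, not Mike's, Trevor's or Peerio's): it is instantiated in a prime-order subgroup of Z_p* rather than on a curve so that his multiplicative notation h^r, Q^e, P^(1/r) carries over unchanged. The 64-bit safe prime, the server secret e and the password are constructed toy values, and the salting/scrypt step he mentions is omitted.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):  # Miller-Rabin; fine for a demo-sized modulus
    if n < 4:
        return n in (2, 3)
    s = ((n - 1) & -(n - 1)).bit_length() - 1   # n - 1 = 2^s * d with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits=64):
    """Constructed toy group: p = 2q + 1 with q prime, so Z_p* has a subgroup of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

def hash_to_group(password, p):
    """h = hash(password), squared so it lies in the order-q subgroup (salt/scrypt omitted)."""
    for ctr in range(256):
        digest = hashlib.sha256(password + bytes([ctr])).digest()
        h = pow(int.from_bytes(digest, "big") % p, 2, p)
        if h > 1:                                    # skip the degenerate elements 0 and 1
            return h
    raise ValueError("no usable group element")

def client_blind(password, p, q):
    r = secrets.randbelow(q - 1) + 1                 # uniformly random scalar, kept by the client
    return r, pow(hash_to_group(password, p), r, p)  # client -> server: Q = h^r

def server_evaluate(Q, e, p):
    return pow(Q, e, p)                              # server -> client: P = Q^e = h^(er)

def client_unblind(P, r, p, q):
    K = pow(P, pow(r, -1, q), p)                     # P^(1/r) = h^e, since h has order q
    return hashlib.sha256(K.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def derive_key(password, e, p, q):
    """One full run of the exchange; the result feeds the secret key derivation."""
    r, Q = client_blind(password, p, q)
    return client_unblind(server_evaluate(Q, e, p), r, p, q)
```

Q is uniform in the subgroup, so the server learns nothing about h from the exchange itself; as Trevor notes, though, a server holding e can still evaluate h^e for candidate passwords on its own, which is why this is no stronger against the home server than storing a passphrase-encrypted key there.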