[noise] Could we use Noise as a PAKE?

Loup Vaillant David loup at loup-vaillant.fr
Sat Jul 13 15:21:31 PDT 2019


My question is simple: could we use Noise as a Password Authenticated
Key Exchange?

For instance, we could use the NN pattern and the password as a
prelude. Or a hash of the password. Or a slow, memory intensive, salted
hash of the password (The client would set the salt and send it over
the network just before the first message).

I mean, I've heard of PAKE several times, but it only occurred to me
now that it might be that simple. Is it that simple?


PS: If we can use Noise, we could imagine an even simpler protocol:

    - Client & server generate ephemeral key pairs.
    - Client generates salt.
    - Client hashes password with salt (possibly with a slow hash).
    - Client sends ephemeral and salt.
    - Server hashes password with salt (gets the same result).
    - Server sends ephemeral.
    - Client and server exchange the keys
    - Client and server HMAC the shared secret, using the hashed
      password as a key. The resulting hash is the session key.
    - Optional: Client and server send empty messages to each other to
      make sure they have the same session key.

    Leveraging Noise could take even less effort, so…

More information about the Noise mailing list