On 4/27/20 2:19 AM, Russ Allbery wrote:
> Thomas Goirand <z...@debian.org> writes:
>
>> Now, if you want something safer, maybe we could implement something
>> that involves crypto a smarter way, like SQRL, so we avoid storing any
>> password in Salsa, even hashed:
>> https://www.grc.com/sqrl/sqrl.htm
>
> I don't know anything about SQRL (and am too lazy to try to digest the
> PDFs on that web site), but I'll assume that this shares with PAKE schemes
> the requirement that the client do crypto. PAKE has always looked like a
> good idea up until one starts trying to tackle the problem of deploying
> clients everywhere you need them, at which point it usually ends up
> looking easier to just use TLS client certificates.
Except that SQRL has no password involved, just crypto. Since you are too
lazy to read on, let me do a tl;dr. Simply put, the client holds a private
key. From that private key, a new one is derived by doing an HMAC of that
key with the domain, meaning a client has a unique public/private keypair
for each site. Then the site only holds the public key, and the client
authenticates using his private key (again, unique to each site) when
presented with a one-time challenge. As a result, the site *never* stores
any secret from the client (again: no passwords involved), only the
identity of the user (i.e. his public key for that site). So there's
nothing to be stolen from the server, which is the very point.

Cheers,

Thomas Goirand (zigo)
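The flow described in the reply above, as an added example written for this thread (it is not code from the thread or from SQRL itself): HMAC-SHA256 of the client's master key with the site's domain is assumed to be the Ed25519 seed, the server keeps only the public key, and a login is a signature over a fresh nonce the server issued. The master key value, the server type and the function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// siteKey derives the per-site keypair from the client's master key. Assumption
// (not from the thread): HMAC-SHA256(master, domain) is the 32-byte Ed25519 seed.
func siteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // SHA-256 output == ed25519.SeedSize
	return priv.Public().(ed25519.PublicKey), priv
}

// server stores only public keys: a dump of this table lets nobody log in.
type server struct {
	domain string
	users  map[string]ed25519.PublicKey // keyed by the raw public key bytes
}

func newServer(domain string) *server {
	return &server{domain: domain, users: map[string]ed25519.PublicKey{}}
}

func (s *server) register(pub ed25519.PublicKey) { s.users[string(pub)] = pub }

// challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (s *server) challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// verify accepts a login only for a registered key and a signature over this exact nonce.
func (s *server) verify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	stored, ok := s.users[string(pub)]
	return ok && ed25519.Verify(stored, nonce, sig)
}

// answer is the client side: derive the key for this domain and sign the nonce.
func answer(master []byte, domain string, nonce []byte) (ed25519.PublicKey, []byte) {
	pub, priv := siteKey(master, domain)
	return pub, ed25519.Sign(priv, nonce)
}
```

Because the per-site key is derived rather than stored, a key that leaks from one site is useless against another, and the server's table contains nothing a thief could replay.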