On Sat, Feb 28, 2015 at 11:24 PM, Michael Hamburg <[email protected]> wrote:
> Perhaps you should use oblivious function evaluation with a user-specific
> secret at the server. So for example, server has a per-user secret key e,
> and user has a (salted, scrypted) password p. Let h = hash(p) on some
> curve.
>
> client chooses a uniformly random scalar r.
> client -> server: Q = h^r
> server -> client: P = Q^e = h^er
> client computes P^1/r = h^e, and uses the hash of that point as part of the
> secret key derivation.
The server can still attempt offline cracking of the user's password though. So I don't think this is better than just storing a passphrase-encrypted private key on the user's server, and delivering that to the user once they log in with the passphrase (using PAKE or some challenge-response protocol).

So my claims are:

a) If you want passphrase-based mobility between devices, in a protocol where the user has a home server, just storing the passphrase-encrypted private key on the home server is the best approach.

b) It's unclear in what use cases this is a good idea - I think multidevice or new device cases are better handled by device pairing (e.g. short-auth strings between two devices). Maybe passphrase-based mobility is desirable for users who roam between Internet cafes without a flash drive, or for backup purposes, but at best this seems like an optional, opt-in feature for unusual users, not something that should be a default for a widely-used system.

Trevor
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
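The blinded exchange Michael sketches, with Trevor's objection made concrete, as an added example that is not part of the original thread: it stands in the quadratic-residue subgroup of the RFC 3526 2048-bit MODP safe prime rather than on an elliptic curve, uses SHA-256 for the unspecified hash, and the salt and passwords are constructed sample values.

```python
import hashlib
import secrets
# Group: quadratic residues mod the RFC 3526 2048-bit MODP safe prime (group 14).
Q = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
N = (Q - 1) // 2  # prime order of the quadratic-residue subgroup

def hash_to_group(password: bytes, salt: bytes) -> int:
    """h = hash(p): hash the salted password, then square into the order-N subgroup."""
    x = int.from_bytes(hashlib.sha256(salt + password).digest(), "big") + 2
    return pow(x, 2, Q)

def random_scalar() -> int:
    return secrets.randbelow(N - 1) + 1  # uniform in [1, N-1]; used for both e and r

def client_blind(h: int):
    """Client picks r and sends Q = h^r, keeping r for the unblinding step."""
    r = random_scalar()
    return r, pow(h, r, Q)

def server_evaluate(blinded: int, e: int) -> int:
    """Server answers P = Q^e = h^(e*r); it never sees h or the password."""
    return pow(blinded, e, Q)

def client_unblind(p: int, r: int) -> int:
    """Client computes P^(1/r) = h^e via r^-1 mod N (pow(..., -1, N) needs Python 3.8+)."""
    return pow(p, pow(r, -1, N), Q)

def derive_key(point: int) -> bytes:
    return hashlib.sha256(point.to_bytes(256, "big")).digest()  # "hash of that point"

def run_oprf(password: bytes, salt: bytes, e: int) -> bytes:
    """Full exchange: the server only ever handles the blinded value."""
    r, blinded = client_blind(hash_to_group(password, salt))
    return derive_key(client_unblind(server_evaluate(blinded, e), r))

def server_offline_guess(key: bytes, salt: bytes, e: int, candidates):
    """Trevor's point: holding e, the server can compute hash(p')^e for any guess p' offline."""
    for cand in candidates:
        if derive_key(pow(hash_to_group(cand, salt), e, Q)) == key:
            return cand
    return None
```

The last function is what makes the server-side secret e no defence against the server itself: whoever holds e and the derived key (or anything encrypted under it) can test passphrase guesses without the client, which is why the thread argues a passphrase-encrypted private key on the home server is no worse.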
