On 2015-04-18 11:59, Thijs Alkemade wrote: > What do you mean with “SASL state”? All of the data the server has after a > SCRAM-SHA-1 exchange is either a) stored on the server, b) session specific. > You can’t derive a key from that which the server could not derive on its own.
During SCRAM, the client sends data that is used to reconstruct the ClientKey value. H(ClientKey) then compared to StoredKey, and the result is the result of the authentication attempt. So the ClientKey could be used to open an encrypted storage backend¹. Either directly or deriving another key from it (like SCRAM does using HMAC in a few places). If you use this ClientKey-based secret to encrypt the private part of an asymetric key, you could use that to unlock MAM storage and use the public key to append to it. ¹ FWIW, I experimented with using a ClientKey-derived secret feed to encfs for storage. Turned out to not be very useful for things other than Private XML Storage, as the server often needs access to most other data even when the user is offline. -- Kim "Zash" Alvefur
signature.asc
Description: OpenPGP digital signature
