[Cryptography] Follow up on my password replacement idea

Ilya Kasnacheev ilya.kasnacheev at gmail.com
Mon Sep 21 03:28:16 EDT 2015

Hello again. It seems that I failed to bring my idea across.

It's not "just" S/Key, rather it is about hash sequence generation. It
should work as follows:

1) Generate N random secret codes: CG1, CG2...CGN.
2) Calculate root secret: Root = HASH(CG1 + CG2 ... + CGN), where + is
3) For M every devices (PC, mobile, cloud) generate device secret DS1, DS2
... DSM: DSx = HASH(Root + DeviceName)
4) Forget root secret.
5) Distribute secret codes CGx so you need, say, >50% of devices to make
root secret together once again. For example, for three devices, first has
CG1 CG2, second CG2 CG3, third CG1 CG3.
6) You may now create service secrets (for every device X every service):
SDxSy = HASH(DSx + ServiceYName). This does not require Root secret.
7) Compute a sequence of hashes starting from SDxSy and you can use them to
authenticate via S/Key - of course, every service has to keep track of
several hash sequences coming from your different devices on one account,
as e.g. github does with key pairs. Can also make service require more than
one S/Key sequence approval for sensitive operations like money transfer or
account removal.
8) When we need to add device to the loop / remove compromised or scrapped
device / etc - We bring enough devices together to have every CGx ready and
may recompute every S/Key sequence.

What do you think of that? Because current situation with passwords on the
internet is unmanageable and replacement is needed - waterproof enough to
do users more good than harm.

Sorry to bother you again.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150921/82d5f1e0/attachment.html>

More information about the cryptography mailing list