[Cryptography] Low-tech password safe was: Passwords (Smallest feasible work factor today?

Ralf Senderek crypto at senderek.ie
Mon Oct 3 12:11:17 EDT 2022



On Mon, 3 Oct 2022, Natanael wrote:

> Den fre 16 sep. 2022 kl 21:42 skrev Ralf Senderek <crypto at senderek.ie>:
[...]
>
>       It might as well mean that we need to add an external device to the
>       mix to ensure that manual actions on such a device is necessary to
>       enable the use of stored passwords. So I'd like to ask people on
>       the list who might have experience of using external security devices
>       (like for example the yubikey, or similar) to share their experience
>       in order to integrate this into the best electronic password safe
>       solution.
> 
[...]

> Some banks have also started switching to security tokens with a built in 
> camera for when you want to log in without
> a smartphone app;
> 
> https://www.swedbank.se/privat/digitala-tjanster/sakerhetsdosor.html
> 
> The top device scans a Qr code and shows you what you're approving. The message is encrypted so the browser don't
> know what it says, and the device has to generate an appropriate one-time response code for you to enter.

The problem I have with such one-time response codes is that in order to create
such one-time responses an AES session key must be stored both on the
user's device and on the provider's server. Instead, I am looking for a
solution where secrets only reside on the user's device, preferably
not accessible by the malware running in the user's ID on the main
machine.

I have been experimenting lately with RSA private keys generated on a
Yubikey, which will never leave the Yubikey. But so far I am unable to
encrypt a password with "openssl rsautl" and decrypting it on the Yubikey.
If anyone out there has a solution for that I'd be all ears to hear it.

     --ralf


More information about the cryptography mailing list