[Cryptography] Passwords (Smallest feasible work factor today?)

Adam P. Goucher apgoucher at gmx.com
Sun Sep 11 12:26:43 EDT 2022


> If we had an open password manager infrastructure (open standard, everyone
> picks their own service, works with every browser etc) that syncs passwords
> across all the user's devices it would be MUCH easier to persuade people
> to use them.

An alternative approach (that doesn't require explicitly 'syncing' passwords)
is the one used by Pieter Wuille's BIP32 standard:

https://en.bitcoin.it/wiki/BIP_0032

It means that you only need to have a single 'seed' which is used to generate
an unlimited number of ECDSA keypairs, so that the individual passwords don't
need to be explicitly stored anywhere.



> Now imagine that password manager is also a credential manager that can
> either sync private keys for use in SSH/ FIDO2/ TLS Client Auth etc. or
> provision separate keys to each device and credential them.

The Trezor hardware wallet supports the same elliptic curves used by OpenSSH,
so it's already possible to use your Trezor wallet to do SSH authentication:

https://wiki.trezor.io/Apps:SSH_agent

If you lose the hardware wallet, you can reconstruct it from the 12-word
(128 bits of entropy) mnemonic; the keypair is a deterministic function of:

-- the master key;
-- the server and username into which you're SSH-ing.

The way that the master key is derived from the mnemonic involves running
PBKDF2_HMAC_SHA512 with 2048 iterations, so the overall work factor is 2^139.
If you use a BIP39 passphrase (this is the thing that you need to enter each
time, whereas the 128-bit mnemonic is remembered by the device), then you
can multiply the work factor by this: a passphrase with 40 bits of entropy
will boost the work factor to 2^179. (That said, you only get 128 bits of
security against Pollard-rho attacks on the elliptic curve.)



> So now the password manager is also the transition strategy to ubiquitous
> deployment of strong public key authentication.

Exactly! It's a shame that it isn't more widely known that hardware wallets
can be used for non-cryptocurrency-related applications (not that the word
'wallet' particularly helps here!) because they're actually general public
key managers.


Best wishes,


Adam P. Goucher
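
The seed derivation and work-factor count described in the message above, as an added example that is not part of the original post and not Trezor's code. The function names are illustrative, and the sample mnemonic is the public all-zero-entropy BIP39 test phrase, never a secret to reuse.

```python
import hashlib
import hmac
import math
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count fixed by BIP39


def bip39_seed(mnemonic, passphrase=""):
    """64-byte BIP39 seed: PBKDF2-HMAC-SHA512 keyed by the mnemonic."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    # The optional passphrase only enters through the salt.
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def bip32_master(seed):
    """BIP32 master node for secp256k1 as (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def guessing_work_bits(mnemonic_bits, passphrase_bits=0, rounds=PBKDF2_ROUNDS):
    """log2 of the HMAC evaluations needed to exhaust the secrets,
    counted the way the post does: entropy bits plus log2(iterations)."""
    return mnemonic_bits + passphrase_bits + math.log2(rounds)


def effective_bits(work_bits, curve_order_bits=256):
    """Cap at the generic discrete-log (Pollard rho) bound of the curve."""
    return min(work_bits, curve_order_bits / 2)


if __name__ == "__main__":
    # Constructed input: the all-zero-entropy test mnemonic.
    words = " ".join(["abandon"] * 11 + ["about"])
    for phrase in ("", "TREZOR"):
        seed = bip39_seed(words, phrase)
        key, chain = bip32_master(seed)
        print(repr(phrase), seed.hex()[:16], key.hex()[:16], chain.hex()[:16])
    print(guessing_work_bits(128), guessing_work_bits(128, 40))
    print(effective_bits(guessing_work_bits(128, 40)))
```

Changing the passphrase yields an unrelated seed and therefore an unrelated master key, which is why a wrong passphrase silently produces different keys rather than an error.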


