[Cryptography] Secure password verifiers (Re: Passwords (Smallest feasible work factor today?))

Nico Williams nico at cryptonector.com
Wed Feb 1 00:53:35 EST 2023


>                     [...].  Imposing trial rate limits at an HSM/TPM is
> hard to do if you want them to be stateless.  TPM 2.0 has a way to lock
> itself out when the failed attempt counter exceeds a threshold, but this
> is TPM-wide not key-/user-specific so it's not really appropriate for
> use as a trial rate limit.

One could probably use a bloom filter in a networked TPM implementation
to make the DA lockout feature roughly per-key object while still
approximating statelessness.  I think that might actually be compliant
with TPM 2.0 specs, though one would have to check carefully, and also
maybe it doesn't matter for this sort of thing anyways.

Ideally we could have HTTP user-agents run PAKEs by proxy to the TPMs
that sites use, then have the outcome of the authentication communicated
to the site.  The site would still be responsible for the user database
that contains the wrapped PAKE verifiers, so the TPMs would still be
stateless.  Then the only time passwords would be in memory on servers
would be during enrollment, and even this could be fixed.  But this
requires standardization (at up to three SDOs: IETF, W3C[?], and even
the TCG because TPM 2.0 does not include a suitable PAKE) and browser
(and other) implementation work, so it would take a long time to get
done.  One can dream.

Nico
-- 
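An added illustration of the bloom-filter idea in the message above (example code written for this page; it is not Nico's code and not taken from any TPM or TCG specification). It models a hypothetical networked TPM that keeps a fixed array of small counters instead of one dictionary-authorization counter per key object: each key name maps to k counter slots, a key's failure estimate is the minimum over its slots, and the key is treated as locked when that estimate reaches a threshold. The key names, the sizes m and k, the threshold of 5 and the decay step are all constructed for the demonstration.

```python
import hashlib
from typing import Dict, List

# Hypothetical key names (TPM object names are really digests; these are placeholders).
KEY_A = b"constructed-key-object-A"
KEY_B = b"constructed-key-object-B"


class CountingBloomLockout:
    """Approximate per-key failed-attempt counters in fixed memory.

    A counting Bloom filter (count-min sketch): m small counters, k slots
    per key.  Estimates can overcount because unrelated keys may share
    slots, but they never undercount, so collisions can lock a key early
    but never unlock it early.  That is the safe direction for a lockout.
    """

    def __init__(self, m: int = 1024, k: int = 4, threshold: int = 5) -> None:
        self.m, self.k, self.threshold = m, k, threshold
        self.counters: List[int] = [0] * m  # one-byte counters, saturating at 255

    def _slots(self, key_name: bytes) -> List[int]:
        # k domain-separated SHA-256 hashes give k slot indices for the key.
        return [
            int.from_bytes(hashlib.sha256(bytes([i]) + key_name).digest()[:8], "big") % self.m
            for i in range(self.k)
        ]

    def estimate(self, key_name: bytes) -> int:
        """Upper bound on the number of outstanding failures for this key."""
        return min(self.counters[s] for s in self._slots(key_name))

    def is_locked(self, key_name: bytes) -> bool:
        return self.estimate(key_name) >= self.threshold

    def record_failure(self, key_name: bytes) -> None:
        for s in self._slots(key_name):
            if self.counters[s] < 255:
                self.counters[s] += 1

    def record_success(self, key_name: bytes) -> None:
        # Decrement instead of zeroing: a reset would also erase the failures
        # of any other key that happens to share one of these slots.
        for s in self._slots(key_name):
            if self.counters[s] > 0:
                self.counters[s] -= 1

    def decay(self) -> None:
        # Periodic healing, analogous to a DA recovery interval: every counter
        # steps down by one, so old failures age out for all keys at once.
        self.counters = [c - 1 if c > 0 else 0 for c in self.counters]


def demo() -> Dict[str, object]:
    """Five failures on KEY_A lock it; KEY_B, with its own slots, stays usable."""
    lock = CountingBloomLockout()
    for _ in range(5):
        lock.record_failure(KEY_A)
    locked_a = lock.is_locked(KEY_A)          # True: each of A's slots was bumped 5 times
    locked_b_during = lock.is_locked(KEY_B)   # False unless all of B's slots collide with A's
    lock.record_success(KEY_A)                # one good authentication lowers the estimate
    after_success = lock.estimate(KEY_A)      # 4 when A's slots are distinct
    lock.decay()
    after_decay = lock.estimate(KEY_A)        # 3 after one healing step
    return {
        "locked_a": locked_a,
        "locked_b_during": locked_b_during,
        "a_after_success": after_success,
        "a_after_decay": after_decay,
        "memory_bytes": len(lock.counters),   # fixed, independent of key count
    }


if __name__ == "__main__":
    print(demo())
```

The state is a constant m bytes regardless of how many key objects exist, which is what makes the idea compatible with a TPM that does not keep per-key records. The price is the one-sided error: with small m or many active keys, an attacker hammering one key can push a victim's unrelated key into lockout through shared slots, so m and k have to be sized against the expected number of live keys, and the decay step bounds how long such collateral lockouts last.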