[Cryptography] Secure password verifiers (Re: Passwords (Smallest feasible work factor today?))

Nico Williams nico at cryptonector.com
Wed Feb 1 12:12:05 EST 2023


On Wed, Feb 01, 2023 at 10:24:18AM -0600, Jeffrey Goldberg wrote:
> Yup. Typically the scheme is to have your HSM or TPM perform an HMAC
> with a high entropy key that never leaves the module.

Pretty much.  Aside from the fact that dTPMs are slow, this is quite
fast, so the only missing component is a fast remote HSM/TPM.

> Augmented PAKEs are a nice approach. No secrets are transmitted to the
> server. But it requires that clients support them. 

I mentioned that in a follow-on.  I wasn't going to mention it
because there's so much work to do there that it seems unlikely to
happen soon, but then, the sooner we start...

> > We really need to make sure that traditional password verifiers
> > everywhere are replaced with ones based on HSM/TPM/similar.  Then we
> > can still haz passwords, even fairly weak ones.
> 
> I do agree. As you correctly said, the technology and proposals to
> prevent off-line attacks aren’t new. But this needs to be really plug
> and play and cheap for people deploying services. One reason that
> traditional passwords and traditional password verification remains so
> prevalent is because there is a great deal of very easy to deploy
> mechanisms to set up services with those systems.

The business model idea I considered pursuing in 2012 was to sell a
remote HSM service, and also maybe to sell a co-located HSM service,
maybe even the device itself.

The reason I didn't go for it was that in the end it's too easy for
would-be customers to do this themselves (though without a proper HSM,
just well-secured servers) without violating any patents (since only the
business method could have been patented), so they would, and there would
be little revenue to be had.  I imagine that's the reason that no one
else (I think) is offering anything like it.

Nico
-- 
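The keyed-verifier scheme the two messages above describe (an HMAC over the salted password under a key that never leaves the HSM/TPM, in place of a plain stored hash), as an added example that is not part of this thread and is not Jeffrey's or Nico's code. `KeyedMacModule` is a software stand-in for the hardware module, the `key_id` field and the rotate-on-login path are assumptions added here to show how such a table is re-keyed, and the sample password and records are constructed for the example.

```python
"""Added example: a password verifier built on HMAC with a key that never
leaves a key-holding module. Everything here is constructed for the
example; KeyedMacModule is a software stand-in for an HSM/TPM, not a real
one."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class KeyedMacModule:
    """Stand-in for the HSM/TPM: the key is generated inside and the only
    operation exposed is an HMAC over caller-supplied data."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self.__key = secrets.token_bytes(32)  # never returned to callers

    def mac(self, data: bytes) -> bytes:
        return hmac.new(self.__key, data, hashlib.sha256).digest()


@dataclass(frozen=True)
class Verifier:
    """What the database stores: no key material, only salt and MAC tag."""
    key_id: str
    salt: bytes
    tag: bytes


def _message(salt: bytes, password: str) -> bytes:
    # Length-prefix the salt so (salt, password) pairs cannot collide
    # across different salt lengths.
    return len(salt).to_bytes(2, "big") + salt + password.encode("utf-8")


def enroll(module: KeyedMacModule, password: str) -> Verifier:
    salt = secrets.token_bytes(16)
    return Verifier(module.key_id, salt, module.mac(_message(salt, password)))


def verify(modules: dict, rec: Verifier, password: str) -> bool:
    """Check a password against a stored verifier. Without the module that
    holds rec.key_id there is nothing to compare a guess against, which is
    the property that rules out offline guessing on a stolen table."""
    module = modules.get(rec.key_id)
    if module is None:
        return False
    expected = module.mac(_message(rec.salt, password))
    return hmac.compare_digest(expected, rec.tag)


def verify_and_rotate(modules: dict, current: KeyedMacModule,
                      rec: Verifier, password: str):
    """Login path with key rotation (an assumption of this example). A
    keyed verifier can only be moved to a new key while the password is in
    hand, so re-enrolment happens at the next successful login; returns
    (ok, possibly updated record)."""
    if not verify(modules, rec, password):
        return False, rec
    if rec.key_id != current.key_id:
        rec = enroll(current, password)
    return True, rec


def demo() -> dict:
    """Exercise the scheme and return the observations as a dict."""
    k1 = KeyedMacModule("k1")
    modules = {"k1": k1}
    rec = enroll(k1, "hunter2")  # constructed sample password
    results = {
        "correct": verify(modules, rec, "hunter2"),
        "wrong": verify(modules, rec, "hunter3"),
        # A thief holding the table but no module cannot even test a guess.
        "no_module": verify({}, rec, "hunter2"),
    }
    # Rotate to a fresh key; the old module stays online until every
    # record has been re-enrolled at a login.
    k2 = KeyedMacModule("k2")
    modules["k2"] = k2
    ok, rec2 = verify_and_rotate(modules, k2, rec, "hunter2")
    results["rotated"] = ok and rec2.key_id == "k2"
    # A module with a different key rejects even the correct password,
    # so the stored tag is worthless without the exact key that made it.
    results["different_key_rejects"] = not verify({"k1": k2}, rec, "hunter2")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In a real deployment the `mac` call is the one operation that crosses to the HSM or TPM, which is why its latency matters for the login path; the key must be created non-exportable inside the module, and the only thing the database ever holds is the salt, the tag and which key made it.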