Date: Sat, 18 Jan 2014 15:03:37 -0500
From: Bill Cox <waywardgeek@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Native server relief support for password hashing in browsers
On Sat, Jan 18, 2014 at 2:44 PM, Tony Arcieri <bascule@...il.com> wrote:
> I suggested to Brendan Eich (via Twitter) that browsers directly implement
> server relief for password hashing functions:
>
> https://twitter.com/BrendanEich/status/424282367335731201
>
> I think it'd be pretty cool if that happened!
I agree. One thing I haven't figured out is how to do Blakerypt-style
session key protection with server relief. A Blakerypt session key is
a secret associated with the password which is decrypted with a secret
master key on the server. So long as it remains a secret, off-line
brute-force attacks become impractical. It's an awesome extra level
of protection for servers that implement it. The problem is how can
we keep the session key secret if we broadcast it to clients? I
suspect this is solvable...
Bill