[cryptography] replacing passwords with keys is not so hard (Re: PBKDF2 + current GPU or ASIC farms = game over for passwords)

Adam Back adam at cypherspace.org
Tue Oct 1 05:12:54 EDT 2013

On Mon, Sep 30, 2013 at 10:00:12PM -0400, dan at geer.org wrote:
> Dr Adam Back wrote:
> > PBKDF2 + current GPU or ASIC farms = game over for passwords.
> Before discarding passwords as yesterday's fish, glance at this:

Well OK, switching to physical fingerprints (fingerprint reader, iPhone etc.)
is actually a step backwards, or only usable as a second factor.  I imagine
people have seen the gummy bear attacks, and someone already cracked the
iPhone fingerprint reader using a photograph of a print and some
postprocessing, and fingerprints can be stolen.  And Lucky has some gruesome
alternative low-tech version also which doesn't bear thinking about.
Fingerprints are a bad idea for those multiple reasons (stealable,
non-secret (5th amendment argument in the article), have no secure challenge
response possibility, left around via latent prints, lead to gruesome risks
where you'd sooner give up the password if rubberhosed than have...)

The point is rather to switch to keys.  I was resisting referencing it (as
it's impolite to point at your own designs with commercial backing (*)) but I
guess it needs spelling out that yes you can do this, and yes it can be easy
to use and secure.  Check out oneid.com.  The federation server stores
password verifiers - that are not grindable via theft, needing simultaneous
compromise of the account holder's smart phone/laptop (split keys).  The
smartphone/laptop has encrypted keys, with encryption that is also not
offline grindable without simultaneously compromising the server verifier
(more split keys).  Devices have unique keys and so can be offline revoked
if stolen.  Security is end to end between the client and the relying party
(OneID or other party running the federation server can't even tell which
relying parties users are enrolled with nor logging into).  Stolen/broken
devices can be replaced via secure pairing with remaining devices.
Simultaneous theft of all devices is coped with via a recovery code, or
re-enrollment with a new identity (and new relying party account
re-association via the respective relying party enrollment process) if the
user ignores the recovery code setup.

There is still login & transaction security in the system if the PC has
malware, the attacker has root on the federation server, the attacker has
all of your PINs and passwords (that protect device private keys), and the
attacker has remote compromise but not code modification ability on the
relying party, just so long as you have your smartphone, without targeted
malware, in your control.  That could and should be extended with a key
contribution from the smartphone SIM or TPM trusted agent once hardware
catches up.

It's easy to use: just read the transaction confirmation on your smart phone
and click a button, that's the user experience.  Even if the laptop is
compromised by malware targeting your transaction (e.g. say online bitcoin
wallet auth) the worst it can do is block your transaction - presuming you
actually carefully read the transaction before approving on your smartphone.


(*) Historically I designed their crypto protocols as a consultant but I
have no financial stake.  OneID is Khosla Ventures funded; the CEO is Steve
Kirsch, a serial entrepreneur with > $1b of previous company exits to his