One problem which exists in most password encryption schemes is that you either need to transmit passwords in the clear (or using a reversible encryption scheme), or you need to store them in the clear (or using a reversible encryption scheme).
While transmitting the passwords in a reversible encryption scheme protects against third party eavesdroppers, it does not protect against rogue servers.
Traditional Unix passwords are stored using an irreversible encryption scheme, but must be transmitted from client to server in the clear (or using a reversible scheme).
Samba and CHAP passwords are transmitted using an irreversible encryption scheme, but must be stored in the clear, which makes them vulnerable to compromise of the password database.
Now, I've found a method which allows you to have it both ways:
- passwords may be stored with an irreversible scheme.
- transmission is done using a challenge-response system which does not reveal the password or password-equivalent hashes.
The method is a variant of Diffie-Hellman key exchange, relying on the difficulty of calculating a discrete logarithm. Let p be the password, g a generator and Q a large safe prime. g and Q are constants in the algorithm.
- Passwords are stored as g^p mod Q.
- When authenticating a client, the server picks a secret k, known only to itself. It transmits C=g^k to the client as a challenge.
- The client calculates R=C^p, which is equal to g^(pk).
- Upon receipt, the server strips k by raising the client's response to the 1/k-th power: g^p = R^(1/k).
- Finally it compares g^p against the stored hash g^p.
Benefits: The server cannot impersonate the client to another server authenticating against the same password base, because at no time does it know p. Even if the server machine is compromised, passwords are still safe, even if unwitting clients logged in during the compromise.
This post was brought to you by the antisoftpat fairy. If, several years from now, you use this as prior art to bust an obnoxious software patent, please chant three times "de Juncker as ee Kallef, a gehéiert oofesaat!" as a thank you gesture for the fairy ;-)
Note to moderators: hmm, isn't this story about patents?
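The exchange described in the post, as a runnable added example (not code from the original post). The toy modulus Q = 2039 with generator g = 7 and the SHA-256 mapping from password string to exponent p are assumptions of this example; it also makes explicit a detail the post leaves implicit, that "raising to the 1/k-th power" means exponentiating by the inverse of k modulo the group order, so k must be coprime to Q-1.

```python
import hashlib
import secrets
from math import gcd

# Toy parameters, constructed for this demo: Q = 2039 is a safe prime (2*1019 + 1)
# and g = 7 generates all of Z_Q^*. Real deployments need a safe prime of at least
# 2048 bits; these small values only keep the arithmetic readable.
Q = 2039
G = 7
ORDER = Q - 1  # order of the full multiplicative group, which g generates
assert pow(G, 2, Q) != 1 and pow(G, ORDER // 2, Q) != 1, "g is not a generator"


def password_exponent(password: str) -> int:
    """Map the password string to an exponent p in [1, ORDER-1].
    Hashing the string is an assumption of this example; the post treats p as a number."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (ORDER - 1) + 1


def enroll(password: str) -> int:
    """Stored verifier: g^p mod Q, as the post describes. p itself is not stored."""
    return pow(G, password_exponent(password), Q)


def server_challenge() -> tuple[int, int]:
    """Pick the server's secret k and return (k, C = g^k mod Q). The 1/k step
    requires k to be invertible modulo the group order, hence gcd(k, Q-1) == 1."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if gcd(k, ORDER) == 1:
            return k, pow(G, k, Q)


def client_response(challenge: int, password: str) -> int:
    """Client side: R = C^p mod Q = g^(kp) mod Q. p never leaves the client."""
    return pow(challenge, password_exponent(password), Q)


def server_verify(k: int, response: int, stored_verifier: int) -> bool:
    """Server strips k: R^(1/k) = g^p mod Q, then compares with the stored g^p."""
    k_inv = pow(k, -1, ORDER)  # 1/k modulo the group order (Python 3.8+)
    return pow(response, k_inv, Q) == stored_verifier


def authenticate(stored_verifier: int, password_attempt: str) -> bool:
    """One complete exchange between a server holding only g^p and a client."""
    k, challenge = server_challenge()
    response = client_response(challenge, password_attempt)
    return server_verify(k, response, stored_verifier)
```

Equivalently the server can compute (g^p)^k mod Q from the stored verifier and compare it with R directly, which avoids the modular inversion and the coprimality requirement on k.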