[zeromq-dev] Certificate formats

T. Linden tlinden at cpan.org
Thu Oct 10 19:23:36 CEST 2013


On Thu, Oct 10, 2013 at 06:06:51PM +0200, Pieter Hintjens wrote:
> > - user enters password
> > - a hash is generated from it (128.000 times recursively)
> What does that do?

It creates a hash from the password and then a hash from that hash,
128.000 times. I admit that this kind of key derivation is simple. But
libsodium doesn't provide one currently. Actually the libsodium
developers discussed about incorporationg the scrypt scheme (it's part
of the star distribution). The idea behind it is to increase the costs
for an attacker to get access to an encrypted key using brute-force. But
it's little effort for the user, since it's being executed only once.

As long scrypt is not part of libsodium, I had to implement my own key
derivation style and this one is a widely used technique.
> I'd thought of doing this asymmetrically for at least the classic
> client-server use case that covers 80% of our use cases:
> * server public key is provided in a truly public fashion (and can be
> verified as such)
> * clients generate their own keys and encrypt them to the server's secret key
> * clients can then send their public keys safely to the server, no-one
> else can decrypt them
> It's vulnerable to an imposter guessing meta-data and creating
> fraudulent keys to imitate a client. However a MIM attack will fail,
> since an imposter cannot create valid HELLO nor WELCOME messages. (I
> think, but a triple check here would be good).

That's right and it would work, but you can't authenticate clients based
on their public key then, can you? If it's the client itself who
provides the public key, then every one can do so. But if only used for
encryption and not authentication this would be sufficient.

best regards,

    PGP Key: https://www.daemon.de/txt/tom-pgp-pubkey.txt
S/Mime Cert: https://www.daemon.de/txt/tom-smime-cert.pem
 Bitmessage: BM-2DAcYUx3xByfwbx2bYYxeXgq3zDscez8wC

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the zeromq-dev mailing list