SPAKE2: Password not passed to memory-hard hash function #39
Comments
|
Semi-related: there's a WIP PR for a That said, for this use case, it may make more sense to define a |
|
It looks like you have scrypt and Argon2 available here now: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
I noticed that the spake2 crate uses HKDF instead of a memory-hard hash function when converting the password to a scalar:
PAKEs/spake2/src/lib.rs
Line 473 in 04ca077
According to the draft specification, as well as this analysis, implementers should use a function like scrypt to slow down brute-force attacks. My guess is that HKDF was used for interoperability with Magic Wormhole's Python implementation, where the one-time nature of passwords means brute force isn't a viable attack. However, this may be a problem for other use cases where a password can be attempted more than once without manual intervention from the other side.
Workarounds include request rate limiting or for callers to send the password through something like scrypt first, using the derived key as input to SPAKE2. However, many users of the library won't know to do this, since the lack of a memory-hard function is not necessarily clear from the documentation.
The text was updated successfully, but these errors were encountered: