PAKEs icon indicating copy to clipboard operation
PAKEs copied to clipboard
verified publisher icon RustCrypto

spake2: password not passed to memory-hard hash function

Open ayyghost opened this issue 5 years ago • 2 comments

Hi,

I noticed that the spake2 crate uses HKDF instead of a memory-hard hash function when converting the password to a scalar: https://github.com/RustCrypto/PAKEs/blob/04ca077f2706fbd4bb5ed903a22bdcd2f20b2b0a/spake2/src/lib.rs#L473

According to the draft specification, as well as this analysis, implementers should use a function like scrypt to slow down brute-force attacks. My guess is that HKDF was used for interoperability with Magic Wormhole's Python implementation, where the one-time nature of passwords means brute force isn't a viable attack. However, this may be a problem for other use cases where a password can be attempted more than once without manual intervention from the other side.

Workarounds include request rate limiting or for callers to send the password through something like scrypt first, using the derived key as input to SPAKE2. However, many users of the library won't know to do this, since the lack of a memory-hard function is not necessarily clear from the documentation.

ayyghost avatar Dec 21 '20 17:12 ayyghost

Semi-related: there's a WIP PR for a password-hash crate here:

https://github.com/RustCrypto/traits/pull/437

That said, for this use case, it may make more sense to define a kdf crate (which I went ahead and snagged) with traits for KDFs, including a marker trait for memory-hard KDFs.

tarcieri avatar Jan 04 '21 17:01 tarcieri

It looks like you have scrypt and Argon2 available here now:

https://github.com/RustCrypto/password-hashes

ayyghost avatar Dec 31 '21 16:12 ayyghost