3

I'd like to avoid sending user passwords over the wire. Would the following challenge response protocol be secure (served over TLS)? I know this is similar to SRP.

Sign-up

  1. Client takes password and randomly generated salt and inputs them into scrypt.
  2. Client takes scrypt output and uses it to create a signing keypair using nacl.sign.keyPair.fromSeed
  3. Client sends salt and public key for later authentication

Authentication

  1. Client calls challenge endpoint to get salt and challenge token.
  2. Client regenerates keypair using method above.

  3. Client signs challenge token and sends it the verification endpoint.

    • The challenge token would only be used once per attempt
    • A fake salt and token would be returned if the user wasn't found
    • Verification endpoint would be rate limited
B. Alvarez
  • 31
  • 2
  • "A fake salt and token would be returned if the user wasn't found" I'm never a fan of these kind of solutions. User name should probably not be considered secret. It adds a hard to establish amount of security, while it may hamper the user experience. – Maarten Bodewes Jan 31 '19 at 18:44
  • 2
    For practical applications, you probably should prefer OPAQUE (paper) (CFRG draft). – SEJPM Jan 31 '19 at 19:02

0 Answers0