type2017a

package
v0.0.0-...-df1f2e6
Warning

This package is not in the latest version of its module.

Published: Feb 15, 2018 License: GPL-3.0 Imports: 11 Imported by: 0

Documentation

Overview

The type 2017a password is calculated like so (pseudo-code):

stretchedmaster = StretchMasterPassword(yourMasterPassword, yourEmailAddress)

sitekey = MakeSiteKey(stretchedmaster, 'example.com', 0)  //revision 0

cardCoordinate1, cardCoordinate2 = MakeSiteCoordinates(sitekey, 2)

eightCharsFromCard = youGoLookup(cardCoordinate1, cardCoordinate2)

finalSeed = StretchSiteCardMix(MixSiteAndCard(sitekey, eightCharsFromCard))

finalPassword = MakeFriendlyPassword12a(finalSeed)

This construction achieves these goals:

  1. If your master password is compromised you're safe because they don't have your card.
  2. If your card is compromised you're safe because they don't know the master password.
  3. Master password is very expensive to brute force (effectively bcrypt 15).
  4. The eight card characters are very expensive to brute force (effectively bcrypt 15).
  5. A verifier hash for the stretched master password can be stored to check for typos.
  6. Uses only 3 cryptographic primitives: SHA-256, HMAC and bcrypt.
  7. Good performance when implemented in JavaScript.
  8. In the future, an embedded device with a secure element could store the stretched master password and the entire card. These secrets would never leave secure memory. The device can compute everything up to StretchSiteCardMix().

The bcrypt algorithm is used as the slow hash for the two key stretching steps. bcrypt was chosen because it has a proven track record. The stretching uses 4 invocations of bcrypt with cost 13. Each invocation runs in a separate thread. Since many modern computers have 4 cores this means we are doing 4X more work in the same amount of time. This yields an effective bcrypt cost of 15 (each increment of cost doubles the calculation time). For perspective, the Ashley Madison leak of 36 million bcrypt 12 hashes has mostly stymied crackers. (https://arstechnica.com/security/2015/08/cracking-all-hacked-ashley-madison-passwords-could-take-a-lifetime/)

Argon2 would have been even better but it requires a lot of 64-bit integer math and thread synchronization, neither of which works well in JavaScript.

Functions

func CreateStretchedMasterVerifier

func CreateStretchedMasterVerifier(stretchedMaster StretchedMaster) (string, error)

func MakeFriendlyPassword12a

func MakeFriendlyPassword12a(seed PasswordSeed) (string, error)

Create a human-readable password from a 32 byte seed. The password should minimize the hassle of typing it. Even if you normally use the calcpass browser plugin, sooner or later you'll find yourself entering a password manually on your smartphone or TV.

We should also minimize chances that an archaic website with stupid password limitations will reject the password.

Passwords from this function will be:

  • 12 characters long.
  • Start with a capital A-Z.
  • Followed by ten lowercase a-z.
  • End with 0-9.

For example: Szbhgdixtgw9

If you are being targeted and your adversary knows that you use calcpass then he must make 36 quadrillion guesses (10^16). This is not viable for an online (over a network) attack.

For comparison, an 8 character password using an alphabet of 72 characters (mixed case and ten specials) has a strength of only 10^14 and is much harder to type.

Because the characters are random, these passwords will likely resist the most common types of offline cracking attempts: dictionary and "hybrid".

These passwords are NOT long enough to withstand a targeted offline cracking attempt. Therefore they should not be used for encryption keys unless a slow KDF function is also used.

Finally, keep in mind that passwords from this function are only as strong as the seed used. For example, if the seed was created as the hash of a 4 digit number that means there are only 10,000 possible seeds. If the attacker knows this then your password is easily guessable!

For some interesting research regarding online vs offline password strength please read:

"An Administrator’s Guide to Internet Password Research" Dinei Florêncio and Cormac Herley, Microsoft Research; Paul C. van Oorschot, Carleton University https://www.usenix.org/conference/lisa14/conference-program/presentation/florencio
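The password shape and guess counts described above, as an added example that is not calcpass's own code: `friendlyFromSeed` is a hypothetical mapping (the seed read as one big integer, then split into mixed-radix digits) and `keyspace` is a hypothetical helper that reproduces the 26^11 x 10 and 72^8 figures.

```go
package main

import (
	"fmt"
	"math/big"
)

const (
	upper  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	lower  = "abcdefghijklmnopqrstuvwxyz"
	digits = "0123456789"
)

// friendlyFromSeed maps a 32-byte seed to the documented shape: one A-Z,
// ten a-z, one 0-9. Assumed mapping, not the package's actual algorithm.
func friendlyFromSeed(seed []byte) (string, error) {
	if len(seed) != 32 {
		return "", fmt.Errorf("seed must be 32 bytes, got %d", len(seed))
	}
	// Read the seed as a 256-bit integer and peel off mixed-radix digits.
	// The keyspace is about 2^55, so the modulo bias is about 2^-201.
	n := new(big.Int).SetBytes(seed)
	rem := new(big.Int)
	pick := func(alphabet string) byte {
		n.DivMod(n, big.NewInt(int64(len(alphabet))), rem)
		return alphabet[rem.Int64()]
	}
	out := []byte{pick(upper)}
	for i := 0; i < 10; i++ {
		out = append(out, pick(lower))
	}
	return string(append(out, pick(digits))), nil
}

// keyspace returns alphabetSize^length * extra: the guesses needed to
// exhaust a password format.
func keyspace(alphabetSize, length, extra uint64) uint64 {
	total := extra
	for i := uint64(0); i < length; i++ {
		total *= alphabetSize
	}
	return total
}

func main() {
	seed := make([]byte, 32) // constructed all-zero sample seed, not a secret
	pw, _ := friendlyFromSeed(seed)
	fmt.Println(pw, keyspace(26, 11, 10), keyspace(72, 8, 1))
}
```
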

func MakeSiteCoordinates

func MakeSiteCoordinates(siteKey SiteKey, count int) ([]card.Coord, error)

func VerifyStretchedMasterPassword

func VerifyStretchedMasterPassword(stretchedMaster StretchedMaster, verifier string) (bool, error)

Verify that the master password was entered correctly.

Types

type PasswordSeed

type PasswordSeed []byte

32 byte hash to be used to generate a human readable password

func StretchSiteCardMix

func StretchSiteCardMix(siteCardMix SiteCardMix) PasswordSeed

If your master password is compromised the adversary still has to use brute force to guess the characters from the card (208 billion possibilities). This step slows such guessing attempts.

type SiteCardMix

type SiteCardMix []byte

32 byte hash of SiteKey and characters from the card

func MixSiteAndCard

func MixSiteAndCard(siteKey SiteKey, charactersFromCard string) (SiteCardMix, error)

Mix SiteKey and card characters using HmacSha256.

type SiteKey

type SiteKey []byte

32 byte hash of website or program name for which you need a password and the revision number mixed with StretchedMaster

func MakeSiteKey

func MakeSiteKey(stretchedMaster StretchedMaster, websiteName string, revision int) (SiteKey, error)
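A sketch of the two HMAC-SHA256 steps documented for MixSiteAndCard and MakeSiteKey, added here as an example and not taken from the package source. The function names, the "sitekey" and "sitecardmix" labels, the length-prefixed input encoding, the site-name normalization and the lowercase a-z card alphabet (inferred from the 208 billion figure, 26^8) are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// be32 encodes n as four big-endian bytes.
func be32(n uint32) []byte {
	return []byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)}
}

// mac256 returns HMAC-SHA256 over length-prefixed parts, so adjacent inputs
// cannot run together ("ab"+"c" vs "a"+"bc"). Assumed encoding.
func mac256(key []byte, parts ...[]byte) []byte {
	mac := hmac.New(sha256.New, key)
	for _, p := range parts {
		mac.Write(be32(uint32(len(p))))
		mac.Write(p)
	}
	return mac.Sum(nil)
}

// exampleSiteKey binds a 32-byte stretched master to one site and revision.
func exampleSiteKey(stretched []byte, site string, revision uint32) ([]byte, error) {
	site = strings.ToLower(strings.TrimSpace(site)) // assumed normalization
	if len(stretched) != 32 || site == "" {
		return nil, errors.New("need a 32-byte stretched master and a site name")
	}
	return mac256(stretched, []byte("sitekey"), []byte(site), be32(revision)), nil
}

// exampleMix keys HMAC with the site key and mixes in the eight card
// characters, so neither secret alone yields the final seed input.
func exampleMix(siteKey []byte, cardChars string) ([]byte, error) {
	if len(cardChars) != 8 || strings.Trim(cardChars, "abcdefghijklmnopqrstuvwxyz") != "" {
		return nil, errors.New("need eight lowercase a-z card characters")
	}
	return mac256(siteKey, []byte("sitecardmix"), []byte(cardChars)), nil
}

func main() {
	key, _ := exampleSiteKey(make([]byte, 32), "example.com", 0) // constructed all-zero master
	mix, err := exampleMix(key, "qwertyui")                      // constructed card characters
	fmt.Printf("%x %v\n", mix, err)
}
```
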

type StretchedMaster

type StretchedMaster []byte

32 byte hash of your master password

func StretchMasterPassword

func StretchMasterPassword(plaintextPassword []byte, userEmail string) (StretchedMaster, error)

Hash the given password using 4 bcrypt threads with cost 13.

userEmail is used to salt the hash. Since email addresses are globally unique this will make precomputation pointless.
