From: Wolfgang Ehrhardt on
On Mon, 5 Jul 2010 12:18:20 +0000 (UTC), Kristian Gj�steen
<kristiag+news(a)math.ntnu.no> wrote:
>>If so, is there any way to do it using other/extra primitives?
>
>I can't think of any. It seems impossible.
>
>(Consider the following attack: the user has stored one data file
>generated with his passphrase. I substitute my data file generated with a
>random passphrase. How is the software to decide whether the user enters
>the correct passphrase and the file has been tampered with, or the file
>has not been tampered with and the user enters an incorrect passphrase?)

Do you have any concerns about the following construction?

(masterkey, pw_verifier) = PBKDF(passphrase, salt)

i.e. instead you deriving the key bits only derive say 64 bits more
and use them as a password verifier.

The password verification calculates (masterkey2, pw_verifier2) =
PBKDF(passphrase2, salt), and if pw_verifier != pw_verifier2, the
password is wrong (ignoring the 2^-64 chance of false negatives).

From: Kristian Gj�steen on
Wolfgang Ehrhardt <WE(a)completely.invalid> wrote:
>On Mon, 5 Jul 2010 12:18:20 +0000 (UTC), Kristian Gj�steen
><kristiag+news(a)math.ntnu.no> wrote:
>>>If so, is there any way to do it using other/extra primitives?
>>
>>I can't think of any. It seems impossible.
>
>Do you have any concerns about the following construction?
>
>(masterkey, pw_verifier) = PBKDF(passphrase, salt)
>
>i.e. instead you deriving the key bits only derive say 64 bits more
>and use them as a password verifier.
>
>The password verification calculates (masterkey2, pw_verifier2) =
>PBKDF(passphrase2, salt), and if pw_verifier != pw_verifier2, the
>password is wrong (ignoring the 2^-64 chance of false negatives).

I haven't got a problem with it, but it doesn't solve the problem
as posed.

--
kg
From: TC on
On Jul 6, 3:15 am, Kristian Gjøsteen <kristiag+n...(a)math.ntnu.no>
wrote:
> Wolfgang Ehrhardt <W...(a)completely.invalid> wrote:
> >On Mon, 5 Jul 2010 12:18:20 +0000 (UTC), Kristian Gjøsteen
> ><kristiag+n...(a)math.ntnu.no> wrote:
> >>>If so, is there any way to do it using other/extra primitives?
>
> >>I can't think of any.  It seems impossible.
>
> >Do you have any concerns about the following construction?
>
> >(masterkey, pw_verifier) = PBKDF(passphrase, salt)
>
> >i.e. instead you deriving the key bits only derive say 64 bits more
> >and use them as a password verifier.
>
> >The password verification calculates (masterkey2, pw_verifier2) =
> >PBKDF(passphrase2, salt), and if pw_verifier != pw_verifier2, the
> >password is wrong (ignoring the   2^-64 chance of false negatives).
>
> I haven't got a problem with it, but it doesn't solve the problem
> as posed.


Thanks for everyones' further replies. I need to read them all
carefully, which will take a couple of days. Then I will get back
again.

Cheers,
TC
From: TC on
On Jul 6, 2:36 pm, TC <gg.20.keen4s...(a)spamgourmet.com> wrote:
> On Jul 6, 3:15 am, Kristian Gjøsteen <kristiag+n...(a)math.ntnu.no>
> wrote:
>
>
>
>
>
> > Wolfgang Ehrhardt <W...(a)completely.invalid> wrote:
> > >On Mon, 5 Jul 2010 12:18:20 +0000 (UTC), Kristian Gjøsteen
> > ><kristiag+n...(a)math.ntnu.no> wrote:
> > >>>If so, is there any way to do it using other/extra primitives?
>
> > >>I can't think of any.  It seems impossible.
>
> > >Do you have any concerns about the following construction?
>
> > >(masterkey, pw_verifier) = PBKDF(passphrase, salt)
>
> > >i.e. instead you deriving the key bits only derive say 64 bits more
> > >and use them as a password verifier.
>
> > >The password verification calculates (masterkey2, pw_verifier2) =
> > >PBKDF(passphrase2, salt), and if pw_verifier != pw_verifier2, the
> > >password is wrong (ignoring the   2^-64 chance of false negatives).
>
> > I haven't got a problem with it, but it doesn't solve the problem
> > as posed.
>
> Thanks for everyones' further replies. I need to read them all
> carefully, which will take a couple of days. Then I will get back
> again.
>
> Cheers,
> TC- Hide quoted text -
>
> - Show quoted text -

Hi folks

I'm really surprised to see that there is apparently no way to do what
I want. It seems like such a simple requirement from an end-user
viewpoint!

To restate the requirement: the user enters a passphrase. The
ciphertext does not decrypt to the original plaintext. I want to
unambigously detect whether that was because (1) the user entered the
wrong passphrase, or (2) the ciphertext has been altered (for any
reason - including by a malicious attacker).

Francois Grieu says: "There is no meaningful way to distinguish "wrong
password" from "malicious alteration" without a public key scheme."

I'm no expert, but on reflection, it seems to me that the problem is
this.

There's /no shared secret/ in this system. The only secret is the
passphrase. But if someone enters the passphrase wrongly, then, they
no longer share a secret with the person who encrypted the data. And
"no shared secret" means, "no way to distinguish 'wrong passphrase'
from 'malicious alteration'" - right?

If the users /did/ have a shared secret, /seperate to/ the password,
then I could achieve what I want - /without/ using a public key
scheme. So the problem is not the lack of a public key scheme - it's
the lack of a known shared secret - right?

TIA,
TC
From: Kristian Gj�steen on
TC <gg.20.keen4some(a)spamgourmet.com> wrote:
>So the problem is not the lack of a public key scheme - it's
>the lack of a known shared secret - right?

Well, if you have a shared secret, what do you need the passphrase for?

--
kg