| Line 131: | Line 131: | ||
The Account Server (or someone who compromises it) can mount a brute-force | The Account Server (or someone who compromises it) can mount a brute-force | ||
attack to deduce the user's password (and thus access the Secure data), using | attack to deduce the user's password (and thus access the Secure data), using | ||
one of: | one of the following as an oracle: | ||
* the SRP verifier (or H(S1) in the non-SRP variant) | * the SRP verifier (or H(S1) in the non-SRP variant) | ||
* a combination of the WSUK and an SDK (or plaintext/ciphertext pair from any web site the user has logged into) | * the HMAC used as an integrity check on the encrypted WSUK | ||
* a combination of the WSUK and an SDK (or a plaintext/ciphertext pair from any web site the user has logged into) | |||
(we might omit the HMAC integrity check on WSUK, to avoid providing this | |||
oracle, in the hopes that SRP verifiers cost too much to create, and getting | |||
a plaintext/ciphertext pair is too hard. If we did this, corrupting in the | |||
account server would not be detected until the user tried to decrypt data and | |||
failed) | |||
The cost of this brute-force attack is equal to the cost of a single guess | The cost of this brute-force attack is equal to the cost of a single guess | ||
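Review bot: the rationale given in the new parenthetical for dropping the HMAC integrity check ("in the hopes that SRP verifiers cost too much to create") only holds if a password guess tested against the HMAC is cheaper than one tested against the SRP verifier, and the hunk does not say how the HMAC key is derived or whether that is the case; please state it, since if the HMAC key went through the same stretching as the verifier the check could stay without adding a cheaper oracle. The trade-off sentence also has a grammatical slip: "corrupting in the account server would not be detected" should read "corruption in the account server would not be detected".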