Re: [Cryptography] Zero Knowledge: Have I Been Pwned?
- From: John Denker via cryptography <cryptography AT metzdowd.com>
- Subject: Re: [Cryptography] Zero Knowledge: Have I Been Pwned?
- Date: Mon, 11 Sep 2017 03:48:27 -0700
- List-archive: <http://www.metzdowd.com/pipermail/cryptography/>
- Reply-to: John Denker <jsd AT av8n.com>
- Sender: "cryptography" <cryptography-bounces+ben=bentasker.co.uk AT metzdowd.com>
- To: cryptography AT metzdowd.com
On 09/10/2017 11:25 AM, Henry Baker wrote:
Thanks for calling attention to that.
> What would be a good protocol for the HIBP site itself, and a good protocol for anyone who wants to query it?
> * All I learn from my query is whether or not the password is in the database -- i.e., exactly 1 bit.
> * All the HIBP database learns is that there *has* been a query, but can't determine what the query was, or whether it was successful.
> * The total number of bits transmitted in both directions should be a number of orders of magnitude less than 5.3GB.
That's a fascinating question. I reckon Bill Frantz gave the right
answer: Download a Bloom index rather than the whole corpus. Also,
have one or more trusted third parties sign off that (a) the corpus
was constructed in a reasonable way, and (b) the Bloom index was
As a tangentially-related issue: to avoid /future/ compromises, we
should insist my password never be sent from my machine to anywhere
else. Instead, as the Subject: line suggests, use a zero-knowledge
proof that I know the password (i.e. that I am using the /same/
password as the one previously set up and validated).
The password issue is as much a user-interface problem as anything
else. Passwords do not scale well when the user interacts with N
servers. This can be alleviated by using a password manager, but
from the user's point of view a password manager is indistinguishable
from a zero-knowledge proof manager.
There is a range of possibilities:
*) Entirely avoid all forms of online activity that require passwords.
*) Use one password for everything.
*) Try to remember N different passwords.
*) Use a password manager.
*) Use zero-knowledge proofs.
Of these, only the first and last offer reasonable security
without being Pareto-inferior to other items on the list. In
other words, if you are going to authenticate at all, there
is AFAICT no excuse for not using zero-knowledge methods.
On 09/10/2017 04:06 PM, Barney Wolff wrote:
>> I don't understand your concern with typing the SHA1 hash. If you
>> get a hit you are going to change the password and never use it
>> again. If you don't get a hit what can an attacker do with the hash?
Well, here are some scenarios of concern. These are off-the-cuff
thoughts; I'm sure a determined adversary could come up with even
a) the bad guys own (or pwn) troyhunt.com
or cloudflare (where troyhunt.com is hosted);
b) collect all the queries (sha1 and otherwise); and
c) test them against some corpus with more than 306 million entries.
If your password is in the big corpus but not the small one, you
get back a negative result, and you cannot detect any wrongdoing,
but the bad guys now have your IP address to go along with your
password, so you are now much more vulnerable than before.
2) Suppose you get back a positive result. You are now in a race against
the owner (or pwner) of the testing site, to see whether you can change
the password faster than they can exploit it.
The bad guys can give themselves a head start by delaying the positive
3) The bad guys can return a false negative result. This could in
principle be detected by comparing online to offline results, but
I doubt anybody has checked for this. And the bad guys could do
this selectively, making it even harder to check for.
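The "download a Bloom index rather than the whole corpus" suggestion above, worked through as an added example that is not part of the thread or of the HIBP service. The server builds a Bloom index over the uppercase SHA-1 hex of each breached password (the form HIBP publishes); the client downloads the index and answers the membership question locally, so no hash, query or IP/password pairing ever reaches the site, which also removes the false-negative and delayed-positive scenarios from the server's hands. The corpus, the probe strings and the 0.1% target false-positive rate are constructed for the demo; the sizing formulas and the double-hashing scheme are the standard Bloom-filter constructions.

```python
"""Local Bloom-index lookup for breached-password hashes (added example)."""
import hashlib
import math


class BloomIndex:
    """Bit array plus k derived positions: false positives possible,
    false negatives impossible, so a 'not listed' answer is authoritative."""

    def __init__(self, expected_items: int, fp_rate: float):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hashes
        self.m = math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        # Kirsch-Mitzenmacher double hashing: k indexes from one SHA-256 digest
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride, never 0
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def size_bytes(self) -> int:
        return len(self.bits)


def sha1_hex(password: str) -> bytes:
    # HIBP publishes uppercase SHA-1 hex of each password; index that exact form
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper().encode("ascii")


def build_index(breached_passwords, fp_rate=0.001) -> BloomIndex:
    """Server side: the artifact the client downloads instead of the corpus
    (in a deployment this is what the trusted third parties would sign)."""
    index = BloomIndex(len(breached_passwords), fp_rate)
    for pw in breached_passwords:
        index.add(sha1_hex(pw))
    return index


def password_is_listed(index: BloomIndex, password: str) -> bool:
    """Client side: hash locally, check locally; nothing is transmitted."""
    return sha1_hex(password) in index


def measure_false_positive_rate(index: BloomIndex, probes: int) -> float:
    """Probe with constructed passwords known to be absent from the corpus."""
    hits = sum(password_is_listed(index, f"never-breached-probe-{i}") for i in range(probes))
    return hits / probes


# Constructed corpus standing in for a real breach list (not real breach data)
BREACHED = ["password", "123456", "letmein", "qwerty"] + [f"leaked-pw-{i}" for i in range(996)]
INDEX = build_index(BREACHED)
CORPUS_BYTES = sum(len(sha1_hex(pw)) for pw in BREACHED)  # size of the raw hash list


if __name__ == "__main__":
    print("m bits:", INDEX.m, "k hashes:", INDEX.k)
    print("index bytes:", INDEX.size_bytes(), "vs raw hash list bytes:", CORPUS_BYTES)
    print("'password' listed:", password_is_listed(INDEX, "password"))
    print("measured false-positive rate:", measure_false_positive_rate(INDEX, 20000))
```

At a 0.1% false-positive target the index costs about 14.4 bits per entry, roughly 1.8 KB for the 1000-entry demo corpus against 40 KB of raw hashes; the same ratio applied to a corpus of hundreds of millions of hashes is what turns a multi-gigabyte download into a few hundred megabytes. A false positive only means the user is told to change a password that happened not to be breached; a false negative cannot occur, which is the property that matters for this use.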
The cryptography mailing list
cryptography AT metzdowd.com