Why Do We Still Pass Our Passwords Over The Network?

Passwords a legacy of login into main frame computers, and when these computers only connected to a local network. It was thus enough to…
Photo by Jason Dent on Unsplash

Why Do We Still Pass Our Passwords Over The Network?

Passwords are a legacy of a log-in into main frame computers, and when these computers only connected to a local network. It was thus enough to use a username and a password in order to stop users logging in as other people.

But now? They are just silly and ever more complicated.

Companies thus open themselves up to dictionary attacks on hashed passwords. So why don’t we just register a secret that can’t be mapped back? Well, we do with hashes, but the hash methods that we use are often super fast, so we can try billions or even trillions of possible passwords every second. To improve we can use slow hashing methods such as BCrypt and PBKDF2, but we can also use the magic of elliptic curve methods.

With this, Bob takes his password (pwd) and makes a hash of it:

h=H(pwd)

He then converts h to a x-point (x), and tries to fit onto an elliptic curve (x,y). If there is no point on the curve, we just keep incrementing x up until he gets a point that is on the curve. This gives him a hashed point (pkx,pky), and where this point can then be registered with Alice as the seed of his password:

P=(pkx,pky)

When Bob wants to login, Alice sends him a random challenge value (r) and asks him to mask his password by sending back:

L=rP (mod p)

This is the point P added to itself r times (P+P+ … +P). Bob passes this back, and Alice performs the operation of:

R=r^{−1}L (mod p)

We thus find the inverse of r mod p, and multiply it with the L point (L+L … +L). The point (R) should then match the password hash value that Bob registered (P).

A sample run is:

Password:            abc
Hash to point:   95017883689903263263412437934895862529149298257614557298284005734876875048308 61433049493608443686329451970034081715042206578701532908334510179548401320619
Random value:    100744741463562276901487354539524967185255486670144893236967491661792699544457
Masked:  66968489052222159410273282624824899566726664000799114608156879464886044766100 95020879848341971820418321248547925592982068187581203731552863736303952405161
Unmasked:    95017883689903263263412437934895862529149298257614557298284005734876875048308 61433049493608443686329451970034081715042206578701532908334510179548401320619

In this case Alice sends the Random value. Bob will then send the Masked value, and Alice will create the Umasked value, and which should be the same as the Hash To point value. Here is the code:

and a demo:

Golang Hash Password to Curve
Bob first takes this password (pwd) and take a hash of it: \(h=H(pwd)\) We then convert \(h\) to a x-point (\(x\)), and…asecuritysite.com

Conclusions

We need to move to a world which preserves our most precious of all secrets.