Submitted by Aurojit Panda (not verified) on 22 April, 2008 - 05:12.
Keys
Hi,
I am curious as to how user passphrases translate to keys. It would seem that at some strange level, anything that you do client side is open to me seeing a transformation, and would be hard to salt and such (more specifically, any private nonce that you do use as a part of this transformation would have to show up in my browser, mostly so I can decrypt all that fine data I encrypted elsewhere). Which leads me to imagine (I admit to being lazy and not looking over your source) that at some level you’re using something very closely derived from the passphrase, and hence something I could calculate given a set of passphrases. This somehow seems to make me feel that you’d have issues with dictionary attacks.
This seems strange, since I imagine the use case for a secure password storage is to allow one to have reasonably secure passwords protected by a more memorable passphrase.
Panda