Image for post
Image for post
Photo by Jason Dent on Unsplash

Why Do We Still Pass Our Passwords Over The Network?

Passwords are a legacy of a log-in into main frame computers, and when these computers only connected to a local network. It was thus enough to use a username and a password in order to stop users logging in as other people.

But now? They are just silly and ever more complicated.

Companies thus open themselves up to dictionary attacks on hashed passwords. So why don’t we just register a secret that can’t be mapped back? Well, we do with hashes, but the hash methods that we use are often super fast, so we can try billions or even trillions of possible passwords every second. To improve we can use slow hashing methods such as BCrypt and PBKDF2, but we can also use the magic of elliptic curve methods.

With this, Bob takes his password (pwd) and makes a hash of it:

h=H(pwd)

He then converts h to a x-point (x), and tries to fit onto an elliptic curve (x,y). If there is no point on the curve, we just keep incrementing x up until he gets a point that is on the curve. This gives him a hashed point (pkx,pky), and where this point can then be registered with Alice as the seed of his password:

P=(pkx,pky)

When Bob wants to login, Alice sends him a random challenge value (r) and asks him to mask his password by sending back:

L=rP (mod p)

This is the point P added to itself r times (P+P+ … +P). Bob passes this back, and Alice performs the operation of:

R=r^{−1}L (mod p)

We thus find the inverse of r mod p, and multiply it with the L point (L+L … +L). The point (R) should then match the password hash value that Bob registered (P).

A sample run is:

In this case Alice sends the Random value. Bob will then send the Masked value, and Alice will create the Umasked value, and which should be the same as the Hash To point value. Here is the code:

and a demo:

We need to move to a world which preserves our most precious of all secrets.

Written by

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store