> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of Robert Hajime Lanning
>
> So, unless you are trying to get CBCrypt implemented in the web browser
> itself, you really have no choice but to use JavaScript in a browser
> security context. And it better be damn fast at key creation.
Everything you said was correct up to here. JavaScript is intended as the fall-back, to provide compatibility for browsers that don't have CBCrypt integrated, but the primary usage behavior needs to be integrated into the browser just as HTTPS is.

Also, there's a funny thing about being "damn fast at key creation." For one, generating an Elliptic Curve key is as fast as generating a few random bytes from the PRNG. (About 130 bytes; it's effectively 5-10 iterations of a hash function, effectively instantaneous.) But RSA key generation can be kind of slow. So here's the funny part... You have a rate limiting function, whose sole purpose in life is to be slow, and you feed it into the key generator, which might coincidentally be slow (if it's an RSA key). The parameters of the rate limiting function get chosen to produce a total of 100ms-200ms including key generation time.

> If you implement CBCrypt server side, then you are passing the user's
> password into the server's memory in plain text.

That would be incorrect usage, you are right.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
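The construction the reply describes (a deliberately slow rate-limiting function whose output seeds key generation, with the slow function's cost tuned so that KDF plus keygen lands in a fixed time budget) can be shown end to end in a few dozen lines. The block below is an added illustration and is not CBCrypt's code or its actual construction: it assumes PBKDF2-HMAC-SHA512 from the Python standard library as the rate-limiting function, NIST P-256 as the curve, and a plain double-and-add scalar multiplication that is written for readability, not constant time. The `derive_keypair` and `calibrate_iterations` names are this example's own. Because the whole derivation runs on the client, only the resulting public key needs to travel to a server; the password never has to leave the function that consumes it, which is the point the quoted objection was getting at.

```python
"""Client-side deterministic P-256 keypair from a password, with a slow KDF in front.

Added example, not CBCrypt's own code. PBKDF2-HMAC-SHA512 stands in for the
"rate limiting function"; its iteration count is calibrated so that KDF plus
key generation hits a wall-clock target on the machine it runs on.
"""
import hashlib
import time

# NIST P-256 domain parameters (public constants).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
G = (GX, GY)


def _add(p1, p2):
    """Affine point addition on P-256; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, point):
    """Right-to-left double-and-add scalar multiplication (demo only, not constant-time)."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def on_curve(point):
    """True if the affine point satisfies y^2 = x^3 + Ax + B (mod P)."""
    x, y = point
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def derive_keypair(password: str, salt: bytes, iterations: int):
    """password -> slow KDF -> private scalar d in [1, N-1] -> public point d*G.

    The 512-bit KDF output is reduced mod (N-1); the bias from that reduction
    is negligible because the output is twice the size of N.
    """
    seed = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    d = int.from_bytes(seed, "big") % (N - 1) + 1
    return d, _mul(d, G)


def calibrate_iterations(target_ms: float, salt: bytes, probe: int = 20_000) -> int:
    """Choose a PBKDF2 iteration count so KDF + EC keygen lands near target_ms here.

    Keygen cost is measured separately and subtracted from the budget, which is
    the "tune the slow function around the key generator" idea from the thread.
    """
    t0 = time.perf_counter()
    _mul(N // 2, G)  # representative scalar multiplication
    keygen_ms = (time.perf_counter() - t0) * 1000

    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"calibration", salt, probe, dklen=64)
    kdf_ms = (time.perf_counter() - t0) * 1000

    budget_ms = max(target_ms - keygen_ms, 0.0)
    return max(1000, int(probe * budget_ms / kdf_ms))


if __name__ == "__main__":
    salt = b"constructed-per-site-salt"  # constructed sample value
    iters = calibrate_iterations(150.0, salt)
    d, pub = derive_keypair("correct horse battery staple", salt, iters)
    print("iterations:", iters)
    print("private scalar bits:", d.bit_length(), "public on curve:", on_curve(pub))
```

In a real deployment the salt would be tied to the site and user so that the same password yields different keypairs per site, and the curve arithmetic would come from an audited library rather than the teaching implementation above.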