I am trying to figure out how to build a secure, playback-proof, web authentication scheme and at the same time be able to use a KEK at the server.
After a lot of reading it seems that a reasonable way to validate the password between the server and client is as follows:
Server:
- I have stored db-hash = hash(password, server-user-salt).
Client:
- Obtain a copy of the server-user-salt
- User enters user-name, password.
- [Edit: Get the nonce from the server] Generate a client-nonce
- Send the server Hash(Hash(password, server-user-salt), client-nonce), client-nonce
The server can then compare the received doubly hashed value with Hash(db-hash, client-nonce).
So far so good - hope I didn't misunderstand that part, I'm not a security expert :-D
Now on the server I also need to be able to decrypt another secret key - using a KEK. My initial thought was simply that if I sent the password to the server, I could run it through PBKDF2() and use that as my KEK.
But given the authentication algorithm above, I shouldn't send the password to the server. I probably can't use a hash() function since what the server needs is a secret (e.g. the password) so that it can generate the KEK. I could generate the KEK on the client, but then I'd send the KEK over the wire which is almost as bad as sending the password.
So to combine the authentication scheme above with a KEK would I need to throw myself into a public/private key exchange to send over the secret / password to the server?
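The challenge-response exchange described in the question, written out as an added example (this is not code from the original post); it uses SHA-256 for the generic Hash() and follows the edit in which the server issues the nonce, so a captured (nonce, response) pair cannot be replayed once the server has consumed that nonce. The `AuthServer` class and the length-prefixed `h()` helper are illustrative choices, not something the post specifies.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def h(*parts: bytes) -> bytes:
    """Hash(a, b, ...) from the post: SHA-256 over the parts.
    Each part is length-prefixed so (ab, c) and (a, bc) hash differently."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()


def enroll(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server-side enrollment: store db_hash = Hash(password, server_user_salt)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, h(password.encode(), salt)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client: Hash(Hash(password, salt), nonce). The password itself never leaves the client."""
    return h(h(password.encode(), salt), nonce)


def server_verify(db_hash: bytes, nonce: bytes, response: bytes) -> bool:
    """Server: recompute Hash(db_hash, nonce) and compare in constant time.
    Only db_hash is needed here, which is why the server cannot recover the password for a KEK."""
    return hmac.compare_digest(h(db_hash, nonce), response)


class AuthServer:
    """Minimal server state: per-user (salt, db_hash) and one outstanding nonce per user."""

    def __init__(self) -> None:
        self.users = {}    # username -> (salt, db_hash)
        self.pending = {}  # username -> nonce issued for the current login attempt

    def register(self, username: str, password: str, salt: Optional[bytes] = None) -> None:
        self.users[username] = enroll(password, salt)

    def begin_login(self, username: str) -> Tuple[bytes, bytes]:
        """Step 1 of the exchange: client obtains the salt and a fresh server nonce."""
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return salt, nonce

    def finish_login(self, username: str, nonce: bytes, response: bytes) -> bool:
        """Step 2: client sends (response, nonce); the nonce is consumed whether or not it verifies,
        so resending the same pair later is rejected."""
        expected = self.pending.pop(username, None)
        if expected is None or not hmac.compare_digest(expected, nonce):
            return False
        _, db_hash = self.users[username]
        return server_verify(db_hash, nonce, response)


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "correct horse")          # constructed sample credentials
    salt, nonce = srv.begin_login("alice")
    resp = client_response("correct horse", salt, nonce)
    print("login:", srv.finish_login("alice", nonce, resp))      # True
    print("replay:", srv.finish_login("alice", nonce, resp))     # False, nonce already consumed
```

Running the script shows a valid login followed by a rejected replay of the identical message. The `server_verify` function also makes the question's second concern concrete: the verifier holds only `db_hash`, so nothing on the server side yields the password or a PBKDF2-derived key from it.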