Subnostr

What about server authentication via a hash of a salted hash of the password and returns the ncryptsec. The localstorage retains the ncryptsec decryption key which is a salted hash of the password. Ncryptsec is only stored in memory client side. This way the server doesn't know the nsec. The client at rest doesn't know the nsec. If the user forgets their password and they can convince the server of their identity (eg. email 2FA) they can still log in from a device they have previously logged in with to reset the password.

brugeman 1y ago

If ncryptsec isn't stored on the client, how can it be retieved and decrypted without asking for password? Either it can't be retrieved, or it can using stored hash but can't be decrypted, or it can be retrieved and decrypted but then stored hash can be stolen and used to retrieve and decrypt, which is equivalent to just storing the nsec. Am I missing something?

Reply to this note

Please Login to reply.

Discussion

DanConwayDev 1y ago

Your right. The user shouldn't be able to authenticate with the server using a hash of something stored in localstorage.

Therefore the password hash for the server auth key needs to use a different salt.