Reset lost password

[maxtaco]

So let's say a user forgets their password. Here are the things that are no longer accessible:

• Site login via password hash
• Detkey for web use
• Device keys encrypted via Local Key Security and not stored into the keychain

The biggest problem I foresee if how to handle device keys behind LKS after the password is reset on another device without LKS (like the phone). Those keys are now not accessible. What should happen is:

• the devices that use LKS that don't use keychain storage should be deprovisioned (the server has to know where are when to apply this, which it doesn't now).
• those devices then need to be individually reprovisioned with the password.

In addition to the hairy LKS problem, we of course need to resolve the detkey and password hash problems. That would have to be done by whatever device is resetting the password. BTW, password reset can happen with any provisioned device key. So it is likely to happen on a mobile phone that doesn't have LKS-style key locking.

All of this is a ton of work, it makes the case for keeping secret keys in plaintext. The users who really care will likely have encrypted home directories. Those who don't will be susceptible to their devices being seized and no way to disable file access.

[maxtaco]

Here's a solution that's not too painful.

For every device in the devices table:

• Encrypt the scrypt slice of the passphrase with that device's DH subkey, and push this to the server.

We'll need to do this on PW change, and on device provisioning.

Now, a device with an unlocked DH key can change PWs without knowing the previous PW. All it needs to do is to decrypt the encryption above and XOR into the mask. The previous PW is no longer required.

[maxtaco]

Also see #184, in which a slightly different solution was proposed. The only question is whether or not to rely on KBFS to recover.

[maxtaco]

Let's not rely on KBFS to recover, since that won't be ready until milestone 2.

[maxtaco]

Some related issues:

• keybase/keybase#239 -- Change server to allow passphrase updates
• Generate update_passphrase_hash signatures proofs#20 -- generate proofs for these updates
• keybase/keybase#240 -- Store encrypted passphrase masks on server
• keybase/keybase#242 -- update passphrase XOR masks on passphrase update.
• keybase/keybase#243 -- store update requests in private merkle chain
• keybase/keybase#246 -- be more strict and only allow device updates for the current passphrase

[maxtaco]

Client work needed here:

• Compatibility with keybase/keybase#240 changes in basic keybase/keybase#240 compatibility  #509
• Encrypted client-half uploads in Lost Password: Upload encrypted LKS-client halves with device/update #512
• Change passphrase engine in Build Change Passphrase engine #515

[patrickxb]

The client side of this should be all finished as of a9cc312

[maxtaco]

(Except for new detkey uploads, which is blocked on keybase/keybase#260)

[maxtaco]

Leave keybase/keybase#243 for future work, but close this out.