> Second, this scheme relies completely on Bob's choice of a good
> passphrase.  It is questionable whether people will choose passphrases
> with enough security to balance the rest of the system using typical
> parameters today, i.e. ~100 bits of security.

the software implementation could handle that, forcing certain length
and characteristics of passphrases (i.e. at least n different digits to
avoid aaaaaaaaaaaaa as a passphrase, simple stuff like that which
doesn't reduce the keyspace too much).
> One problem with doing it this way is that it allows an attacker to verify
> a guess at the message.  Particularly if messages are short this might be
> a vulnerability in some contexts.  As written it will also reveal whether
> two messages are the same, although if you use salt it should fix that.
> 
> If you have any source of randomness at all, it would help to hash it in
> with the message in generating k.  Almost any hardware device will have
> some kind of random source.  Every little bit helps.

it doesn't even have to be random, just guaranteed to be different for
different messages (even if content is identical). something like the
system time would do.
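The two points above (guess verification and the "same message, same k" leak) as an added example that is not part of the thread: k is derived as SHA-256 over an optional per-message value and the message, and the helper names (`derive_k`, `same_k`, `guess_verifiable`) are my own, not from the scheme under discussion.

```python
import hashlib
import os


def derive_k(message: bytes, salt: bytes = b"") -> bytes:
    """Derive the per-message value k as SHA-256(salt || message).

    With an empty salt this is the fully deterministic variant the quoted
    post criticises: k depends on nothing but the message content.
    """
    return hashlib.sha256(salt + message).digest()


def same_k(m1: bytes, m2: bytes, salt1: bytes = b"", salt2: bytes = b"") -> bool:
    """Equality leak: an observer who sees both k values learns whether the
    two messages are identical whenever the salts are empty or reused."""
    return derive_k(m1, salt1) == derive_k(m2, salt2)


def guess_verifiable(observed_k: bytes, guess: bytes, known_salt: bytes = b"") -> bool:
    """Guess verification: if every input to k except the message is known,
    recomputing k over a guessed plaintext confirms or rejects the guess.
    A salt that is merely unique (timestamp, counter) removes the equality
    leak but not this check; blocking it needs a value the verifier cannot
    know, which is why the quoted post asks for real randomness."""
    return derive_k(guess, known_salt) == observed_k


if __name__ == "__main__":
    # Constructed sample message, not taken from the thread.
    msg = b"meet at the usual place"

    # Deterministic variant: identical messages are detectable and a
    # correct guess is confirmable by anyone.
    print("equal messages detectable:", same_k(msg, msg))
    print("guess confirmable:", guess_verifiable(derive_k(msg), msg))

    # Per-message salt: the same message no longer yields the same k.
    s1, s2 = os.urandom(16), os.urandom(16)
    print("detectable with fresh salts:", same_k(msg, msg, s1, s2))
```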