Previously we used a pre-shared, high-entropy, long-term static key for client-server authentication. It is secure, but not convenient for some user use-cases:
Overall security on the client side is concentrated in the passphrase (a high-entropy password), so it is convenient to use it in GoVPN directly, without static on-disk keys. That is why we use password authenticated key agreement.
We use the term "passphrase" instead of "password". Technically there may be no difference between them, but as a rule passphrases are long strings of low-entropy characters. Because the characters are low-entropy, they are memorable; because there are many of them, together they act as a high-entropy source.
Passphrases are entered directly by the human on the client side. The server side stores a previously shared so-called Verifier. The Verifier contains a dictionary-attack-resistant derivative of the password. An attacker can not use it to act as a client.
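The verifier property described above, as an added example that is not GoVPN's own code and does not reproduce GoVPN's handshake: the client stretches the passphrase (salted, iterated PBKDF2-HMAC-SHA256 here as a stand-in; a memory-hard function would be used in practice) into an Ed25519 private key, and the server stores only the matching public key as the verifier. The challenge-response shape, the `Verifier` type and all function names are assumptions made for the illustration; the passphrase, salt and challenge values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Verifier is the only authentication material the server keeps for a peer.
// It holds no passphrase: just the public half of a key pair whose private
// half can only be recomputed by someone who knows the passphrase.
type Verifier struct {
	Salt   []byte
	Iters  int
	PubKey ed25519.PublicKey
}

// stretch turns a passphrase into a 32-byte seed with PBKDF2-HMAC-SHA256
// (a single block, so the output is exactly one SHA-256 digest long).
// The salt defeats precomputed tables; the iteration count makes every
// dictionary guess cost the attacker `iters` HMAC computations.
// Hypothetical stand-in: a memory-hard function belongs here in a real deployment.
func stretch(passphrase, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// clientKey is recomputed from the passphrase each time; nothing is kept on disk.
func clientKey(passphrase string, salt []byte, iters int) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(stretch([]byte(passphrase), salt, iters))
}

// NewVerifierWithSalt builds the verifier the client hands to the server once,
// out of band. Deterministic so that it can be checked in a test.
func NewVerifierWithSalt(passphrase string, salt []byte, iters int) Verifier {
	priv := clientKey(passphrase, salt, iters)
	return Verifier{Salt: salt, Iters: iters, PubKey: priv.Public().(ed25519.PublicKey)}
}

// NewVerifier does the same with a fresh random salt, as it would be used in practice.
func NewVerifier(passphrase string, iters int) (Verifier, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Verifier{}, err
	}
	return NewVerifierWithSalt(passphrase, salt, iters), nil
}

// ClientProve: the client answers a fresh server challenge by signing it with
// the key derived from the passphrase it just asked the human for.
func ClientProve(passphrase string, v Verifier, challenge []byte) []byte {
	return ed25519.Sign(clientKey(passphrase, v.Salt, v.Iters), challenge)
}

// ServerCheck: the server validates the proof using nothing but the verifier.
// The verifier lets its holder verify signatures, not produce them, so a
// leaked verifier does not let anyone act as the client.
func ServerCheck(v Verifier, challenge, proof []byte) bool {
	return ed25519.Verify(v.PubKey, challenge, proof)
}

func main() {
	// Constructed sample values.
	v, err := NewVerifier("correct horse battery staple", 100000)
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	fmt.Println("good passphrase accepted:", ServerCheck(v, challenge, ClientProve("correct horse battery staple", v, challenge)))
	fmt.Println("wrong passphrase accepted:", ServerCheck(v, challenge, ClientProve("correct horse battery stapler", v, challenge)))
}
```

This shows only the verifier property the section describes: what the server stores cannot be turned around to impersonate the client. It is not itself a PAKE, since an eavesdropper who records a challenge and its signature can test passphrase guesses offline against that transcript; a password authenticated key agreement additionally makes the handshake transcript useless for such guessing, which is why GoVPN uses one rather than a plain challenge-response.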