On 23 March 2016 at 14:05, elijah <[email protected]> wrote:
> Although u2f does not seem directly related to messaging, the topic has
> come up before here about how to secure local secrets, such as a user's
> key pair and database of trusted public keys.
>
> How might u2f be used for this? To clarify, the problem is this: how can
> we encrypt and decrypt local secrets in such a way that a weak password
> does not allow an attacker with possession of the device to be able to
> easily decrypt the local secrets. Essentially, the same problem of full
> disk encryption.
>
> (perhaps "weak password" should be replaced with "any human memorable
> password" since specialized hardware has turned what once seemed like
> very good passwords, e.g. correct horse battery staple, into something
> that can be broken very quickly when there is no artificial delay
> between attempts).
>
> The general iOS strategy seems like a good one: mix in some device
> secret with the shitty password to add entropy and achieve a reasonable
> password. Maybe:
>
> kdf(hmac(user_password, device_secret)) => symmetric key for
> encrypting/decrypting the local secrets.
>
> In the past, I was hoping that u2f signatures could be used for
> device_secret, but then Trevor pointed out that NIST P256 signatures
> that u2f uses are nondeterministic.
This should be a per-device situation though. If you could find a device
that uses deterministic nonces (and thus is safer against private key
leakage!)....

> However, you can extract the public key from an ECDSA signature, so you
> can abuse u2f by using the public key as the device_secret:
> https://jbp.io/2015/11/23/abusing-u2f-to-store-keys/
>
> Obviously, you lose the ability to decrypt if you lose your u2f device.
> Other than this, what problems could there be with this approach?

It resists *replay* of the token traffic for authentication, but
observation of the u2f traffic combined with stealing the encrypted
database is enough to re-enable brute force attacks against the
passphrase. Right?

The strategy I want to see someone POC is using secure enclaves for this.
Either SIM cards (specifically a dual-SIM phone combined with SEEK for
Android) or Android's new 'Trusty' API. Write a javacard or whatever
'applet' that lives in the Secure Enclave. It enforces '10 wrong
attempts, and I delete the key'. This mimics iOS's Secure Enclave but now
we have it on a per-app basis.

-tom

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
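Added example, not code from the thread or from the jbp.io post: a toy P-256 in pure Python that signs the way a U2F token does, recovers the public key from that signature, and feeds it into the kdf(hmac(user_password, device_secret)) construction from Elijah's message. It makes Tom's objection concrete: recover_pubkeys needs only the signature, so whoever captured the token traffic holds the same device_secret as the user and is back to guessing the password. Curve constants are the public NIST P-256 parameters; the key 7, the challenge, the salt and the PBKDF2 iteration count are constructed for the example.

```python
import hashlib, hmac, secrets

# NIST P-256 domain parameters (public curve constants, not from the thread).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    # Affine addition; None stands for the point at infinity.
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def ec_mul(k, pt):
    # Double-and-add; not constant-time, for illustration only.
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
def sign(d, msg):
    # ECDSA with a random nonce, as a U2F authentication response is.
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = (hash_int(msg) + r * d) * pow(k, -1, N) % N
        if r and s: return r, s
def recover_pubkeys(msg, r, s):
    # Q = r^-1 (s*R - h*G) for the two curve points R with x == r. Anyone who
    # saw (msg, r, s) on the wire can compute this, so it is not a secret.
    rhs = (r * r * r + A * r + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # P = 3 mod 4, so this is a square root
    if y * y % P != rhs: return []
    neg_hg = ec_mul(N - hash_int(msg), G)
    return [ec_mul(pow(r, -1, N), ec_add(ec_mul(s, (r, ry)), neg_hg))
            for ry in (y, P - y)]
def derive_key(password, device_secret_point):
    # kdf(hmac(user_password, device_secret)); salt and iterations are constructed.
    x, y = device_secret_point
    mixed = hmac.new(password.encode(), x.to_bytes(32, "big") + y.to_bytes(32, "big"),
                     hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", mixed, b"example-salt", 100_000)
```

Because recover_pubkeys returns two candidates, a real implementation would try both derived keys against the encrypted database (or keep a hash of the right one) rather than store the public key itself, which would make it just another local secret.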
