On Wed, 2016-03-23 at 12:05 -0700, elijah wrote:
> How might u2f be used for this? To clarify, the problem is this: how
> can we encrypt and decrypt local secrets in such a way that a weak
> password does not allow an attacker with possession of the device to be
> able to easily decrypt the local secrets. Essentially, the same problem
> of full disk encryption.
It's worth mentioning that Argon2 improves the password hashing situation considerably. Also, there might be tricks for making stronger passwords usable:

At application/device start up, we decrypt a high entropy symmetric key x using device_key = Argon2[512megs,1min](password[1..k],device_seed) where password consists of k dictionary words and device_seed is high entropy. We immediately create high entropy session_seeds[i] and re-encrypt x separately for each i=1..k, using session_key[i] = Argon2[1gig,5sec](password[i],session_seed).

After app/device timeouts, the user enters some password[i] to unlock it, but need not reenter the whole password[1..k]. In this way, the user's low entropy passwords password[i] have a mental link with their high entropy password password[1..k].

There are options for communicating which password[i] a user should enter each time, but each individual i may be attempted only a couple times each before all session_seeds are destroyed, and the high entropy password with very slow login must be entered. In this way, the user gets like 2k attempts, but an attacker has only a few against that session.

We could now incorporate the u2f public key y into either device_seed or session_seed obviously, but we've gained something here: If we incorporate y into device_seed, then it only gets used once per session, which makes sniffing it harder. If we incorporate y into session_seed[i], then y could be recreated afresh for each session on the dongle, which makes sniffing it useful only during that session. I suppose you could do both if your u2f system employs deterministic nonces, allowing you to incorporate only the signature and not y itself.

Jeff
Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
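As an added example (not code from Jeff's mail or any project), the slow full-passphrase unlock, the per-word session re-wrapping of x, and the attempt limit that destroys every session seed, in Python. Assumptions: hashlib.scrypt at a small cost stands in for the Argon2 calls, x is wrapped by XOR with the KDF output (acceptable only because each seed is used once), and the Vault class, its attempt counter and the SHA-256 check value are mine.

```python
import hashlib
import secrets

def kdf(password: bytes, salt: bytes) -> bytes:
    # Stand-in for Argon2 (an assumption): stdlib scrypt at a small cost so the example
    # runs quickly; the mail's Argon2[512megs,1min] / Argon2[1gig,5sec] belong here.
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

class Vault:
    def __init__(self, words, max_attempts=2):
        self.max_attempts = max_attempts
        self.device_seed = secrets.token_bytes(16)   # high-entropy seed kept on device
        x = secrets.token_bytes(32)                  # the high-entropy symmetric key x
        self.check = hashlib.sha256(x).digest()      # to recognise a correct unwrap
        # XOR with KDF output is an acceptable wrap only because every seed is used once
        self.wrapped_x = xor(x, kdf(" ".join(words).encode(), self.device_seed))
        self.x = None          # x is held here only while unlocked
        self.session = None    # per word: [session_seed, wrapped x, attempts left]
    def _unwrap(self, wrapped, key):
        x = xor(wrapped, key)
        return x if hashlib.sha256(x).digest() == self.check else None
    def full_unlock(self, words):
        """Slow path: whole password[1..k]; success also builds the session wraps."""
        x = self._unwrap(self.wrapped_x, kdf(" ".join(words).encode(), self.device_seed))
        if x is None:
            return False
        self.x, self.session = x, []
        for w in words:   # fresh session_seed[i] and a separate wrap of x per word
            seed = secrets.token_bytes(16)
            self.session.append([seed, xor(x, kdf(w.encode(), seed)), self.max_attempts])
        return True
    def lock(self):
        self.x = None     # drop x but keep the session wraps for a quick re-unlock
    def session_unlock(self, i, word):
        """Fast path: one word password[i]; too many misses destroy every session seed."""
        if self.session is None:
            return False
        seed, wrapped, _ = self.session[i]
        self.session[i][2] -= 1
        x = self._unwrap(wrapped, kdf(word.encode(), seed))
        if x is not None:
            self.x = x
            return True
        if self.session[i][2] <= 0:
            self.session = None   # only the slow full-passphrase path remains
        return False
```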
