[messaging] abusing u2f

elijah elijah at riseup.net
Wed Mar 23 18:11:44 PDT 2016


On 03/23/2016 05:31 PM, Daniel Kahn Gillmor wrote:

> On Wed 2016-03-23 15:05:47 -0400, elijah wrote:
>> Obviously, you lose ability to decrypt if you lost your u2f device.

> hmm, i thought most people today were trying to solve the multi-device
> use case.  Here, it sounds like we'd be back to single-device. ...
> Or are you envisioning a way that you could abuse u2f in the
> multi-device case?

It will probably be more clear if I stick to the following definitions:

* u2f dongle -- the u2f thumb drive or bracelet or subdermal implant
where the key pairs are generated.

* client device -- the end-user computer such as a laptop or mobile phone.

The specific use case I have in mind is Soledad [1], a client-encrypted
db synchronized with the cloud and multiple devices. We use Soledad in
combination with SRP server authentication: the username/password
combination is used both to unlock local storage and also to
authenticate with the server, so the user has a simple experience like
logging into skype client.

The desire is to be able to increase the entropy of passwords so that
offline cracking of the soledad storage and offline cracking of the
service provider's db of SRP verifiers is much more difficult.

I think that it is OK to impose a restriction that the user can only use
a single u2f dongle to authenticate with a given service provider when
using their different client devices.

However, a scheme that abused u2f to use public keys for increased
entropy could work with multiple u2f dongles and multiple client devices:

(1) for server auth, the server needs to be able to authenticate with
multiple passwords for a given account, one for each registered u2f dongle.

(2) for unlocking local secrets, the code running on the client device
would need to do something like this:

kdf(password, u2f_public_key_1) => storage_secret1, then use this to
decrypt actual storage secret.

kdf(password, u2f_public_key_2) => storage_secret2, then use this to
decrypt actual storage secret.

Seems messy, but possible. You would need to manually pair the second
u2f dongle with each client device by using the first u2f dongle.

One additional security consideration is that for usability, we would
probably want the service provider to store the u2f key handle(s), so
that a user can sit down at a new computer with their password knowledge
and their previously registered u2f dongle and log in. If anyone with
the service provider's db then gets the u2f dongle, we are back to just
easy brute force attack against the password.

-elijah

[1] https://leap.se/en/soledad
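
Added example, not part of the original message and not Soledad code: a sketch of step (2), where each registered dongle gets its own slot holding the one real storage secret wrapped under kdf(password, u2f_public_key), and a second dongle is paired by unlocking with the first. Assumptions: PBKDF2 stands in for the unspecified kdf, an XOR pad plus HMAC tag stands in for a real AEAD, all function names are hypothetical, the public keys are constructed stand-ins, and how the client obtains a dongle's public key is out of scope.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def derive_kek(password: str, u2f_public_key: bytes, salt: bytes) -> bytes:
    """kdf(password, u2f_public_key): 64 bytes, split into pad and MAC key."""
    pw = password.encode()
    ikm = len(pw).to_bytes(4, "big") + pw + u2f_public_key
    return hashlib.pbkdf2_hmac("sha512", ikm, salt, ITERATIONS, dklen=64)

def wrap(password, u2f_public_key, storage_secret: bytes) -> dict:
    """Create one slot: the 32-byte storage secret wrapped for one dongle."""
    if len(storage_secret) != 32:
        raise ValueError("storage secret must be 32 bytes")
    salt = os.urandom(16)  # fresh per slot, so the pad is never reused
    kek = derive_kek(password, u2f_public_key, salt)
    ct = bytes(a ^ b for a, b in zip(storage_secret, kek[:32]))
    tag = hmac.new(kek[32:], salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(password, u2f_public_key, slot):
    """Return the storage secret, or None if password or dongle is wrong."""
    kek = derive_kek(password, u2f_public_key, slot["salt"])
    expected = hmac.new(kek[32:], slot["salt"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["ct"], kek[:32]))

def unlock(password, u2f_public_key, slots):
    """Try every slot; any registered dongle plus the password succeeds."""
    for slot in slots:
        secret = unwrap(password, u2f_public_key, slot)
        if secret is not None:
            return secret
    return None

def pair_second_dongle(password, first_key, second_key, slots):
    """Pairing needs the first dongle present to recover the secret."""
    secret = unlock(password, first_key, slots)
    if secret is None:
        raise ValueError("first dongle or password did not unlock storage")
    return slots + [wrap(password, second_key, secret)]

# Constructed 65-byte stand-ins for uncompressed P-256 public keys.
DONGLE_1 = b"\x04" + hashlib.sha512(b"constructed dongle 1").digest()
DONGLE_2 = b"\x04" + hashlib.sha512(b"constructed dongle 2").digest()
```

The slot list lives on each client device, which is why the second dongle has to be paired per device.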

