[messaging] abusing u2f

elijah elijah at riseup.net
Wed Mar 23 12:05:47 PDT 2016

Although u2f does not seem directly related to messaging, the topic has
come up before here about how to secure local secrets, such as a user's
key pair and database of trusted public keys.

How might u2f be used for this? To clarify, the problem is this: how can
we encrypt and decrypt local secrets in such a way that a weak password
does not allow an attacker with possession of the device to easily
decrypt the local secrets. Essentially, the same problem as full disk
encryption.

(perhaps "weak password" should be replaced with "any human memorable
password" since specialized hardware has turned what once seemed like
very good passwords, e.g. correct horse battery staple, into something
that can be broken very quickly when there is no artificial delay
between attempts).

The general iOS strategy seems like a good one: mix in some device
secret with the shitty password to add entropy and achieve a reasonable
password. Maybe:

kdf(hmac(user_password, device_secret)) => symmetric key for
encrypting/decrypting the local secrets.

In the past, I was hoping that u2f signatures could be used for
device_secret, but then Trevor pointed out that NIST P256 signatures
that u2f uses are nondeterministic.

However, you can extract the public key from an ECDSA signature, so you
can abuse u2f by using the public key as the device_secret:

Obviously, you lose the ability to decrypt if you lose your u2f device.
Other than this, what problems could there be with this approach?
