[messaging] abusing u2f

Tom Ritter tom at ritter.vg
Wed Mar 23 12:27:06 PDT 2016 

On 23 March 2016 at 14:05, elijah <elijah at riseup.net> wrote:
> Although u2f does not seem directly related to messaging, the topic has
> come up before here about how to secure local secrets, such as a user's
> key pair and database of trusted public keys.
>
> How might u2f be used for this? To clarify, the problem is this: how can
> we encrypt and decrypt local secrets in such a way that a weak password
> does not allow an attacker with possession of the device to be able to
> easily decrypt the local secrets. Essentially, the same problem of full
> disk encryption.
>
> (perhaps "weak password" should be replaced with "any human memorable
> password" since specialized hardware has turned what once seemed like
> very good passwords, e.g. correct horse battery staple, into something
> that can be broken very quickly when there is no artificial delay
> between attempts).
>
> The general iOS strategy seems like a good one: mix in some device
> secret with the shitty password to add entropy and achieve a reasonable
> password. Maybe:
>
> kdf(hmac(user_password, device_secret)) => symmetric key for
> encrypting/decrypting the local secrets.
>
> In the past, I was hoping that u2f signatures could be used for
> device_secret, but then Trevor pointed out that NIST P256 signatures
> that u2f uses are nondeterministic.

This should be a per-device situation though. If you could find a
device that uses deterministic nonces (and thus is safer to private
key leakage!)....


> However, you can extract the public key from a ECDSA signature, so you
> can abuse u2f by using the public key as the device_secret:
> https://jbp.io/2015/11/23/abusing-u2f-to-store-keys/
>
> Obviously, you lose ability to decrypt if you lost your u2f device.
> Other than this, what problems could there be with this approach?

It resists *replay* of the token traffic for authentication, but
observation of the u2f traffic combined with stealing the encrypted
database is enough to re-enable brute force attacks against the
passphrase. Right?




The strategy I want to see someone POC is using secure enclaves for
this.  Either SIM cards (specifically a dual-SIM phone combined with
SEEK for Android) or Android's new 'Trusty' API.  Write a javacard or
whatever 'applet' that lives in the Secure Enclave. It enforces '10
wrong attempts, and I delete the key'.  This mimics iOS's Secure
Enclave but now we have it on a per-app basis.

-tom

More information about the Messaging mailing list