[messaging] abusing u2f

elijah elijah at riseup.net
Wed Mar 23 15:48:24 PDT 2016

On 03/23/2016 12:27 PM, Tom Ritter wrote:

>> Obviously, you lose ability to decrypt if you lost your u2f device.
>> Other than this, what problems could there be with this approach?
> It resists *replay* of the token traffic for authentication, but
> observation of the u2f traffic combined with stealing the encrypted
> database is enough to re-enable brute force attacks against the
> passphrase. Right?

Yes, although you could also do this without observing the u2f auth
round trip. You just need the u2f key handle and domain origin (the part
normally stored by the "server") in order to be able to extract the
public key from the u2f device. Presumably, the key handle is just lying
around on disk in plain text, since trying to encrypt the key handle
using the password alone kind of defeats the purpose :)


More information about the Messaging mailing list