[messaging] abusing u2f

Jeff Burdges burdges at gnunet.org
Thu Mar 24 01:59:44 PDT 2016

On Wed, 2016-03-23 at 12:05 -0700, elijah wrote:
> How might u2f be used for this? To clarify, the problem is this: how
> can we encrypt and decrypt local secrets in such a way that a weak
> password does not allow an attacker with possession of the device to be
> able to easily decrypt the local secrets. Essentially, the same problem
> of full disk encryption.

It's worth mentioning that Argon2 improves the password hashing situation.

Also, there might be tricks for making stronger passwords usable:

At application/device start up, we decrypt a high entropy symmetric key
x using device_key = Argon2[512megs,1min](password[1..k],device_seed)
where password consists of k dictionary words and device_seed is high
entropy.  We immediately create high entropy session_seeds[i] and
reencrypt x separately for each i=1..k, using session_key[i] =

After app/device timeouts, the user enters some password[i] to unlock it,
but need not reenter the whole password[1..k].  In this way, the user's
low entropy passwords password[i] have a mental link with their high
entropy password password[1..k].  There are options for communicating
which password[i] a user should enter each time, but each individual i
may be attempted only a couple times each before all session_seed are
destroyed, and the high entropy password with very slow login must be
entered.  In this way, the user gets like 2k attempts, but an attacker
has only a few against that session.
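The two-tier unlock scheme sketched above, as an added example that is not the author's code: Argon2 is replaced by PBKDF2 from the standard library, x is wrapped with an assumed SHA-256-keystream-plus-HMAC construction, and session_key[i] is assumed to be derived from password[i] and session_seed[i], since that line of the post is cut off.

```python
import hashlib, hmac, secrets
ITER = 100_000  # PBKDF2 stand-in work factor; the post calls for Argon2[512 MB, 1 min]
def kdf(secret: bytes, salt: bytes) -> bytes:
    # Assumed stand-in for Argon2 (memory-hardness lost, structure kept).
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITER, dklen=32)

def wrap(key: bytes, x: bytes) -> bytes:
    # Encrypt-then-MAC of one short secret (assumed construction, not the post's).
    ct = bytes(a ^ b for a, b in zip(x, hashlib.sha256(key + b"enc").digest()))
    return ct + hmac.new(key, ct, "sha256").digest()

def unwrap(key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None  # wrong key or tampered blob
    return bytes(a ^ b for a, b in zip(ct, hashlib.sha256(key + b"enc").digest()))

class Device:
    MAX_TRIES = 2  # attempts per index i before every session_seed is destroyed
    def __init__(self, words, x: bytes):
        self.device_seed = secrets.token_bytes(32)  # high entropy
        self.wrapped_x = wrap(kdf(" ".join(words).encode(), self.device_seed), x)
        self.session = None  # no session_seeds until a full unlock

    def full_unlock(self, words):
        # Slow path: whole password[1..k] plus device_seed recovers x.
        x = unwrap(kdf(" ".join(words).encode(), self.device_seed), self.wrapped_x)
        if x is None:
            return None
        # Fresh session_seed[i] per word; x re-wrapped under each session_key[i].
        self.session = []
        for w in words:
            seed = secrets.token_bytes(32)
            self.session.append({"seed": seed, "tries": 0,
                                 "blob": wrap(kdf(w.encode(), seed), x)})
        return x

    def quick_unlock(self, i: int, word: str):
        # Fast path after a timeout: one password[i] against session_seed[i].
        if self.session is None:
            return None
        slot = self.session[i]
        x = unwrap(kdf(word.encode(), slot["seed"]), slot["blob"])
        if x is None:
            slot["tries"] += 1
            if slot["tries"] >= self.MAX_TRIES:
                self.session = None  # destroy all seeds; full password required
        return x
```

A real deployment would also zeroise the session seeds in memory rather than just dropping the reference, and would tie the attempt counter to the timeout policy rather than a fixed constant.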

We could now incorporate the u2f public key y into either device_seed or
session_seed obviously, but we've gained something here: If we
incorporate y into device_seed, then it only gets used once per session,
which makes sniffing it harder.  If we incorporate y into
session_seed[i], then y could be recreated afresh for each session on
the dongle, which makes sniffing it useful only during that session.  I
suppose you could do both if your u2f system employs deterministic
nonces, allowing you to incorporate only the signature and not y itself.

