[messaging] abusing u2f

Joseph Birr-Pixton jpixton at gmail.com
Fri Mar 25 13:42:10 PDT 2016

On 23 March 2016 at 19:27, Tom Ritter <tom at ritter.vg> wrote:
> It resists *replay* of the token traffic for authentication, but
> observation of the u2f traffic combined with stealing the encrypted
> database is enough to re-enable brute force attacks against the
> passphrase. Right?

Yes. So you probably don't want to do this kind of thing over NFC.

> The strategy I want to see someone POC is using secure enclaves for
> this. Either SIM cards (specifically a dual-SIM phone combined with
> SEEK for Android) or Android's new 'Trusty' API.  Write a javacard or
> whatever 'applet' that lives in the Secure Enclave. It enforces '10
> wrong attempts, and I delete the key'.  This mimics iOS's Secure
> Enclave but now we have it on a per-app basis.

We (in the sense of my previous employer) actually did this and demoed
it at Mobile World Congress 2013. This was on Android, using TrustZone
via a third party TEE. Unfortunately as a product feature it never
made it to market.

These days we also have SGX for PCs, which has good support for
monotonic storage that you need to convincingly do "N strikes and
you're out".
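
Added example, not part of the original message and not code from any product mentioned in it: a Python simulation of the "N strikes and you're out" applet, showing why the strike counter has to live in monotonic storage rather than in state that can be saved and restored. MonotonicCounter, GuardedKey and attempts_evaluated are hypothetical names, and the passphrases are constructed samples.

```python
import copy, hashlib, hmac, os

MAX_ATTEMPTS = 10  # "10 wrong attempts, and I delete the key"

class Locked(Exception): pass

class MonotonicCounter:
    """Stand-in (assumption) for hardware monotonic storage: it only counts up."""
    def __init__(self):
        self.value = 0
    def increment(self):
        self.value += 1

class GuardedKey:
    """Hypothetical applet state: the key plus the counter value at the last success."""
    def __init__(self, passphrase, counter):
        self._salt = os.urandom(16)
        self._verifier = self._derive(passphrase)
        self._key = os.urandom(32)
        self._counter = counter
        self._base = counter.value
    def _derive(self, passphrase):  # iteration count kept low for the demo
        return hashlib.pbkdf2_hmac("sha256", passphrase, self._salt, 1000)
    def unlock(self, passphrase):
        if self._key is None or self._counter.value - self._base >= MAX_ATTEMPTS:
            self._key = None  # strikes used up: delete the key
            raise Locked()
        self._counter.increment()  # charge the attempt before checking it
        if hmac.compare_digest(self._derive(passphrase), self._verifier):
            self._base = self._counter.value  # success clears the strike count
            return self._key
        return None

def attempts_evaluated(restore, rounds=3):
    """Wrong guesses evaluated in total when saved applet state is restored each round.
    restore=copy.copy: only the sealed state comes back, the counter is external.
    restore=copy.deepcopy: the counter was stored with the state and comes back too."""
    saved = GuardedKey(b"constructed passphrase", MonotonicCounter())
    evaluated = 0
    for _ in range(rounds):
        applet = restore(saved)
        try:
            for _ in range(MAX_ATTEMPTS + 5):
                applet.unlock(b"wrong guess")
                evaluated += 1
        except Locked:
            pass
    return evaluated

if __name__ == "__main__":
    print(attempts_evaluated(copy.copy), attempts_evaluated(copy.deepcopy))
```

With the counter held outside the restorable state the limit stays at 10 guesses in total; with the counter stored alongside the key it is 10 guesses per restore.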

