On 03/23/2016 05:31 PM, Daniel Kahn Gillmor wrote:
> On Wed 2016-03-23 15:05:47 -0400, elijah wrote:
>> Obviously, you lose ability to decrypt if you lost your u2f device.
> hmm, i thought most people today were trying to solve the multi-device
> use case. Here, it sounds like we'd be back to single-device.
...
> Or are you envisioning a way that you could abuse u2f in the
> multi-device case?

It will probably be more clear if I stick to the following definitions:

* u2f dongle -- the u2f thumb drive or bracelet or subdermal implant where the key pairs are generated.
* client device -- the end-user computer such as a laptop or mobile phone.

The specific use case I have in mind is Soledad [1], a client-encrypted db synchronized with the cloud and multiple devices. We use Soledad in combination with SRP server authentication: the username/password combination is used both to unlock local storage and also to authenticate with the server, so the user has a simple experience like logging into a skype client. The desire is to be able to increase the entropy of passwords so that offline cracking of the soledad storage and offline cracking of the service provider's db of SRP verifiers is much more difficult.

I think that it is OK to impose a restriction that the user can only use a single u2f dongle to authenticate with a given service provider when using their different client devices. However, a scheme that abused u2f to use public keys for increased entropy could work with multiple u2f dongles and multiple client devices:

(1) for server auth, the server needs to be able to authenticate with multiple passwords for a given account, one for each registered u2f dongle.

(2) for unlocking local secrets, the code running on the client device would need to do something like this:

    kdf(password, u2f_public_key_1) => storage_secret1, then use this to decrypt actual storage secret.
    kdf(password, u2f_public_key_2) => storage_secret2, then use this to decrypt actual storage secret.

Seems messy, but possible. You would need to manually pair the second u2f dongle with each client device by using the first u2f dongle.
One additional security consideration is that for usability, we would probably want the service provider to store the u2f key handle(s), so that a user can sit down at a new computer with their password knowledge and their previously registered u2f dongle and log in. If anyone with the service provider's db then gets the u2f dongle, we are back to just easy brute force attack against the password.

-elijah

[1] https://leap.se/en/soledad

Messaging mailing list
https://moderncrypto.org/mailman/listinfo/messaging
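The per-dongle unlock scheme from point (2) above, as an added Python example that is not code from the thread or from Soledad: the dongle's public key is treated as an opaque byte string mixed into the KDF, the real storage secret is wrapped once per registered dongle, and pairing a second dongle means unwrapping with the first and re-wrapping for the second. PBKDF2, the XOR-then-HMAC wrapping, and the sample keys are my own choices for illustration; a real deployment would take the public key from the dongle's U2F registration response.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SECRET_LEN = 32  # length of the real storage secret in bytes

@dataclass
class WrappedSecret:
    """One wrapped copy of the storage secret, bound to one u2f dongle."""
    dongle_public_key: bytes
    salt: bytes
    ciphertext: bytes
    tag: bytes

def derive_keys(password: str, dongle_public_key: bytes, salt: bytes):
    """kdf(password, u2f_public_key) -> (encryption key, MAC key). The dongle's
    public key is mixed into the salt, so an offline guess needs both inputs."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt + dongle_public_key, 100_000, dklen=64)
    return km[:32], km[32:]

def wrap_storage_secret(storage_secret: bytes, password: str,
                        dongle_public_key: bytes) -> WrappedSecret:
    """Encrypt the real storage secret under kdf(password, dongle key)."""
    assert len(storage_secret) == SECRET_LEN
    salt = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(password, dongle_public_key, salt)
    # XOR with a fresh 32-byte derived key (used once per entry), then MAC so a
    # wrong password or dongle is rejected instead of decrypting to garbage
    ciphertext = bytes(a ^ b for a, b in zip(storage_secret, enc_key))
    tag = hmac.new(mac_key, salt + dongle_public_key + ciphertext, "sha256").digest()
    return WrappedSecret(dongle_public_key, salt, ciphertext, tag)

def unwrap_storage_secret(wrapped: WrappedSecret, password: str,
                          dongle_public_key: bytes):
    """Return the storage secret, or None if password or dongle do not match."""
    enc_key, mac_key = derive_keys(password, dongle_public_key, wrapped.salt)
    msg = wrapped.salt + dongle_public_key + wrapped.ciphertext
    if not hmac.compare_digest(hmac.new(mac_key, msg, "sha256").digest(), wrapped.tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped.ciphertext, enc_key))

def pair_additional_dongle(existing: WrappedSecret, password: str,
                           old_dongle_pk: bytes, new_dongle_pk: bytes):
    """A second dongle is paired by unlocking with the first and re-wrapping."""
    secret = unwrap_storage_secret(existing, password, old_dongle_pk)
    return None if secret is None else wrap_storage_secret(secret, password, new_dongle_pk)
```

Each client device keeps one WrappedSecret per registered dongle; the last paragraph of the mail still applies, since the wrapped entries plus the dongle's public key reduce the problem to guessing the password.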
