Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On 3/15/15 12:45 PM, stef wrote:
> > Check the Threat Model link on https://globaleaks.org in the footer to get a better insight.
> i now understand why you did not link this directly: https://docs.google.com/document/d/1niYFyEar1FUmStC03OidYAIfVJf18ErUFwSWCmWBhcA/pub
> seriously on google? your threatmodel seems indeed quite limited. you should be much more open about your limits.

Stef, don't troll! :-)

In most places in the world Whistleblowing is done by sending email over Gmail; that's the reality you have to live with.

To be more realistic, several investigative journalism groups have told us that many sources directly use Facebook, over Facebook Pages, as a preferred way to share confidential information.

When you look at the reality, you need to *fly down from the moon to the earth* and be realistic about what can be done, finding the right tradeoff.

That's what real-world security is: a tradeoff between what can be acceptable to achieve a Safe Enough level compared to the current situation.

If you only think techy and only think radical, then you'll not achieve any security and safety improvement. If you understand the real-life context of use, focusing on bringing the best security that they can effectively leverage for their context of operation, then you're making them safer.

Perfectly safe? No. But it's just hypocrisy to think that technology can give perfect safety, as technology is only part of the picture.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 01:02:14PM +0100, Fabio Pietrosanti (naif) - lists wrote:
> > against state level actors. i mean globaleaks clearly has state-level actors in their threat-model, right?
> No, GlobaLeaks doesn't consider in its threat model an NSA-like actor.

observe, how the question regarding state-level actors is dodged by reducing the set to nsa-like (what does that even mean?) and knowing the dutch, the hungarian and the serbian globaleaks users personally, i can assure you they are operating outside your threat-model, and i'm not sure they are aware of it.

> Check the Threat Model link on https://globaleaks.org in the footer to get a better insight.

i now understand why you did not link this directly: https://docs.google.com/document/d/1niYFyEar1FUmStC03OidYAIfVJf18ErUFwSWCmWBhcA/pub

seriously on google? your threatmodel seems indeed quite limited. you should be much more open about your limits.

your actions and words do not instill trust in your product.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Mar 13, 2015, at 8:43 AM, Solar Designer <so...@openwall.com> wrote:
> On Thu, Mar 12, 2015 at 10:57:47AM -0600, Jeffrey Goldberg wrote:
> > 2. Use SHA-512 in PBKDF2
> > This will make PBKDF2 resistant to GPU based cracking efforts. Note that this is resistance to attacks using current, off-the-shelf, hardware. It is only a short term solution.
> I think this wording is too strong. While I did and I continue to advocate SHA-512 over SHA-256 for this reason (when someone insists on PBKDF2 or the like anyway), the gap with recent attack implementations is narrower than it used to be.

Ah, so the term of this “short term solution” is already expiring.

> For sha512crypt vs. sha256crypt, it's down to ~2x:
> https://hashcat.net/misc/p130_img/changes_v130.png

Interesting. Thank you for that, Solar.

> And scrypt even at fairly low settings is likely somewhat stronger (or rather not-as-weak) against GPU attacks than PBKDF2-HMAC-SHA-512 at comparable low running time. Not at settings as low as Litecoin's 128 KB with r=1, but at settings like 2 MB with r=8, which is affordable in JavaScript.

OK. So I guess we return to the original question: does anyone know of a scrypt implementation in JavaScript?

> BTW, given the wide availability of scrypt altcoin ASICs, some of which can handle higher N (this is known) but likely not higher r (this is a plausible guess, given the incentive model for those ASICs), and given the effect r has on scrypt speeds on GPU, I recommend that the scrypt paper's recommended r=8 (rather than altcoins' typical r=1) be used. That's even when the original reason for using r=8 (reducing the frequency and thus performance impact of TLB misses, and allowing for some prefetching) does not apply, like it mostly does not with JavaScript.

Thanks!

> (Of course, someone may produce more capable scrypt ASICs.)

Indeed. As I said, in this race the attacker has more to gain from Moore’s Law than the defender.

Cheers,
-j
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Fri, Mar 13, 2015 at 12:29:58PM -0600, Jeffrey Goldberg wrote:
> OK. So I guess we return to the original question: does anyone know of a scrypt implementation in JavaScript?

They've already been posted. But unlike Alexander, who was kind enough to repeat himself, I won't give any further encouragement to folly.

Stop. Really: stop. Client-side-in-browser JavaScript crypto does not and cannot provide security. Like building a castle from jello, it is flawed in conception.
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Fri, Mar 13, 2015 at 12:29:58PM -0600, Jeffrey Goldberg wrote:
> OK. So I guess we return to the original question: does anyone know of a scrypt implementation in JavaScript?

I had already posted these links:

https://github.com/dchest/scrypt-async-js
http://dchest.github.io/scrypt-async-js/demo.html

Alexander
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
I agree with Jeffrey's suggestion to implement a server-side KDF as well, with higher settings. Just some minor detail on what (little) can be done on the client side in JavaScript:

On Thu, Mar 12, 2015 at 10:57:47AM -0600, Jeffrey Goldberg wrote:
> 2. Use SHA-512 in PBKDF2
> This will make PBKDF2 resistant to GPU based cracking efforts. Note that this is resistance to attacks using current, off-the-shelf, hardware. It is only a short term solution.

I think this wording is too strong. While I did and I continue to advocate SHA-512 over SHA-256 for this reason (when someone insists on PBKDF2 or the like anyway), the gap with recent attack implementations is narrower than it used to be.

For sha512crypt vs. sha256crypt, it's down to ~2x:
https://hashcat.net/misc/p130_img/changes_v130.png

And scrypt even at fairly low settings is likely somewhat stronger (or rather not-as-weak) against GPU attacks than PBKDF2-HMAC-SHA-512 at comparable low running time. Not at settings as low as Litecoin's 128 KB with r=1, but at settings like 2 MB with r=8, which is affordable in JavaScript.

BTW, given the wide availability of scrypt altcoin ASICs, some of which can handle higher N (this is known) but likely not higher r (this is a plausible guess, given the incentive model for those ASICs), and given the effect r has on scrypt speeds on GPU, I recommend that the scrypt paper's recommended r=8 (rather than altcoins' typical r=1) be used. That's even when the original reason for using r=8 (reducing the frequency and thus performance impact of TLB misses, and allowing for some prefetching) does not apply, like it mostly does not with JavaScript.

(Of course, someone may produce more capable scrypt ASICs.)

Alexander
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
Leaving aside the “Crypto in JS delivered over the web: Don’t do it”, I will offer a couple of suggestions.

> at GlobaLeaks we're undergoing implementation of client-side encryption with server-side storage of PGP Private keys.

I understand why you are looking for ways to make this less scary. As you probably know, this makes your servers a very juicy target.

> Obviously the hashing to be used for storing such PGP private keys has to be strong enough, with a valuable key-stretching approach.

Yes. Though I’m not sure that hashing will be enough.

> We're now considering using Scrypt with some finely tuned parameters, but we have concerns regarding its performance in the browser as a JS implementation.

Yes. That is going to be a problem (I will offer an alternative approach below).

> PBKDF2 is available from WebCrypto API

I don’t know what your time-line is, but I believe that only Chrome Canary actually implements this at the moment.

> and, as far as I read and understand, but I'm not that low-level-crypto expert, is used internally to scrypt.

Although scrypt makes some use of PBKDF2, you won’t be able to simply build scrypt out of PBKDF, nor will you be able to build

> Does anyone know of any scrypt implementation that tries to leverage the WebCrypto API?

Even if you need the whole client-side crypto delivered in the browser, I don’t think that you will find scrypt in JS useful, as the performance means that you will not be able to set parameters in a way that will thwart the kinds of attackers that you can expect.

So I’m going to make multiple proposals that can be adopted independently of each other.

1. Split password hashing between server and client.

Have the client do as many PBKDF2 rounds as you can get away with, and then use the result of that as an input to your use of scrypt server side.

2. Use SHA-512 in PBKDF2

This will make PBKDF2 resistant to GPU based cracking efforts. Note that this is resistance to attacks using current, off-the-shelf, hardware. It is only a short term solution.

3. Use a second factor.

Client side, you can combine the processing of the user’s password with some data from some second factor (stored in a file on a USB device or the like). Of course if they lose that data, they will be locked out forever. This is really the thing that will make it impossible for attackers who get copies of your stored data to be able to decrypt what you have stored.

A couple of notes:

Things like PBKDF2 and scrypt will never protect you from well-resourced attackers. This is because the cost to both the defender and the attacker are of the same order. And so, that gives the advantage to those who can throw more resources at the task. As computing gets cheaper, the advantage shifts towards the attacker. This is unlike what we have with security factors of other sorts of things, where the work needed by the attacker rises exponentially compared to the polynomial cost to the defender.

You are correct to want client-side crypto, but because you are delivering the crypto from the web, you are not providing the benefits of client side crypto. Someone who gains control of the server you deliver the JS from, or gains control in transmission, can deliver a malicious client to the user and capture everything they need. This isn’t about JavaScript, but it is about how easy it is for an attacker (or you) to provide a malicious client to your users.

Cheers,
-j
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 02:20:42PM +, Alfonso De Gregorio wrote:
> Until more browsers start supporting PBKDF2 with HMAC-SHA-256, you might be better off reverting to a JavaScript library, to be plugged into your scrypt implementation. I never took the chance to look at it, but I heard that asmcrypto.js provides the fastest PBKDF2-HMAC-SHA-256 implementation in town [2].

The uses of PBKDF2-HMAC-SHA-256 in scrypt are not performance-critical. When scrypt is invoked with sane settings, most of the processing time is spent in scrypt's SMix, not in PBKDF2.

This might be the most suitable implementation of scrypt in JavaScript:
https://github.com/dchest/scrypt-async-js

Its performance test:
http://dchest.github.io/scrypt-async-js/demo.html

Alexander
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 11:53:35AM +0100, Fabio Pietrosanti (naif) - lists wrote:
> at GlobaLeaks we're undergoing implementation of client-side encryption

Okay. I'm going to elide the fine points of madness here and just refer you to:
http://matasano.com/articles/javascript-cryptography/
[cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
Hi all,

at GlobaLeaks we're undergoing implementation of client-side encryption with server-side storage of PGP Private keys.

Obviously the hashing to be used for storing such PGP private keys has to be strong enough, with a valuable key-stretching approach.

We're now considering using Scrypt with some finely tuned parameters, but we have concerns regarding its performance in the browser as a JS implementation.

PBKDF2 is available from WebCrypto API and, as far as I read and understand, but I'm not that low-level-crypto expert, is used internally to scrypt.

Does anyone know of any scrypt implementation that tries to leverage the WebCrypto API?

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On 3/11/15 1:10 PM, stef wrote:
> > GlobaLeaks is designed to be a Whistleblowing framework that can be used in very different contexts, from WildLife Crime Activism up to Anticorruption in Serbia up to PubLeaks-like Journalism in the Netherlands, keeping the maximum level of security achievable for a specific context of use.
> serbia sounds like a state level actor, and i heard that the publeaks people also get attention from the local services.

The reality is that each scenario has its own peculiarities; really, it would be a very long and complex discussion that requires a few hours to analyze each scenario's details.

PubLeaks in the Netherlands has been deployed with Tails as Leaktops for the journalists for end-point security, with GlobaLeaks being hosted by a well-known third party within the activists community (GreenHost), with servers deployed in a geo-politically smart way, with a service contract done with the PubLeaks Foundation (a legal entity created on purpose) to be resilient against certain kinds of legal threats.

OCCRPLeaks instead requires, in Bosnia and the Balkan area, leveraging plausible deniability by embedding GlobaLeaks within an existing HTTPS site (https://occrp.org), because plausible deniability has been considered, after threat-modelling with the stakeholders, more relevant than just saying "Hey, use Tor to access this .onion site".

In Africa for AfriLeaks we're considering that, in certain countries, it's better to avoid using any Tails or Tor stuff, and better to implement deception strategies.

When you work supporting the many initiatives you'll just realize that, many times, the cryptographic/technical implementation side of a Whistleblowing initiative's security is a minor part and shall be considered in a broader Security threat model.

Given that the picture is complex and variegated enough, we are providing such a differentiated set of security levels, from a technical and procedural point of view.

Consider that in most situations, when you consider significant threats, only opsec procedures and stakeholder organization can provide some degree of protection (or at least detection), with technology playing a little role.

The way you work in a place where the rule of law is effective is very different from working in a place where having an encrypted USB stick with you can lead to torture.

Hope to have provided a broader view on how complex and complicated our threat model can be, so that we must make individual security choices that enable us to provide a graduated/configurable level of security (that could go up, being very strong, or go down, being more flexible).

Btw, that's not the goal of this thread, but I loved to articulate an answer! :)

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 11:53:35AM +0100, Fabio Pietrosanti (naif) - lists wrote:
> at GlobaLeaks we're undergoing implementation of client-side encryption with server-side storage of PGP Private keys.

i didn't get the memo, that js in browsers is now the way to best mitigate against state level actors. i mean globaleaks clearly has state-level actors in their threat-model, right?

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On 3/11/15 12:42 PM, stef wrote:
> On Wed, Mar 11, 2015 at 11:53:35AM +0100, Fabio Pietrosanti (naif) - lists wrote:
> > at GlobaLeaks we're undergoing implementation of client-side encryption with server-side storage of PGP Private keys.
> i didn't get the memo, that js in browsers is now the way to best mitigate against state level actors. i mean globaleaks clearly has state-level actors in their threat-model, right?

No, GlobaLeaks doesn't consider in its threat model an NSA-like actor.

GlobaLeaks is designed to be a Whistleblowing framework that can be used in very different contexts, from WildLife Crime Activism up to Anticorruption in Serbia up to PubLeaks-like Journalism in the Netherlands, keeping the maximum level of security achievable for a specific context of use.

Some deployment scenarios are Safe Enough, some others are Super Paranoid, but we're bound to the reality of real-world uses, which are as differentiated as the risk scenarios are.

Check the Threat Model link on https://globaleaks.org in the footer to get a better insight.

This email thread is specifically addressing the issue of using a strong client-side password hashing method, such as scrypt (or maybe the upcoming winner of https://password-hashing.net/report1.html), in a way that could exploit the WebCrypto API primitives.

Today with WebCrypto API you can only do hashing with PBKDF2 with tons of iterations, but I haven't found/seen a scrypt that leverages WebCrypto API or something similar to enable key-stretching client-side with a decent time-waiting/key-stretching-crypto-improvement ratio.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 01:02:14PM +0100, Fabio Pietrosanti (naif) - lists wrote:
> > against state level actors. i mean globaleaks clearly has state-level actors in their threat-model, right?
> No, GlobaLeaks doesn't consider in its threat model an NSA-like actor.

there's other state level actors.

> GlobaLeaks is designed to be a Whistleblowing framework that can be used in very different contexts, from WildLife Crime Activism up to Anticorruption in Serbia up to PubLeaks-like Journalism in the Netherlands, keeping the maximum level of security achievable for a specific context of use.

serbia sounds like a state level actor, and i heard that the publeaks people also get attention from the local services.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 01:28:27PM +0100, Fabio Pietrosanti (naif) - lists wrote:
> > serbia sounds like a state level actor, and i heard that the publeaks people also get attention from the local services.
> The reality is that each scenario has its own peculiarities; really, it would be a very long and complex discussion that requires a few hours to analyze each scenario's details.

let's stick with the webcrypto aspect, and the fact that both governments control their own CA in the browsers. the dutch CA being even historically shared with some other parties.

> PubLeaks in the Netherlands has been deployed with Tails as Leaktops for the journalists for end-point security, with GlobaLeaks being hosted by a well-known third party within the activists community (GreenHost), with servers deployed in a geo-politically smart way, with a service contract done with the PubLeaks Foundation (a legal entity created on purpose) to be resilient against certain kinds of legal threats.

how does that protect against active covert attacks? luckily parallel constructions will save your conscience from feeling responsible.

> OCCRPLeaks instead requires, in Bosnia and the Balkan area, leveraging plausible deniability by embedding GlobaLeaks within an existing HTTPS site (https://occrp.org), because plausible deniability has been considered, after threat-modelling with the stakeholders, more relevant than just saying "Hey, use Tor to access this .onion site".

how is using stuff over ssl in the country where the adversary controls a local CA plausible deniability?

> When you work supporting the many initiatives you'll just realize that, many times, the cryptographic/technical implementation side of a Whistleblowing initiative's security is a minor part and shall be considered in a broader Security threat model.

absolutely.

> Given that the picture is complex and variegated enough, we are providing such a differentiated set of security levels, from a technical and procedural point of view.

so you allow your clients to shoot themselves in the foot.

> The way you work in a place where the rule of law is effective, it's

that's a quite bold assumption even in europe today :/

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 10:53 AM, Fabio Pietrosanti (naif) - lists <li...@infosecurity.ch> wrote:
> Hi all,
> at GlobaLeaks we're undergoing implementation of client-side encryption with server-side storage of PGP Private keys.
> Obviously the hashing to be used for storing such PGP private keys has to be strong enough, with a valuable key-stretching approach.
> We're now considering using Scrypt with some finely tuned parameters, but we have concerns regarding its performance in the browser as a JS implementation.
> PBKDF2 is available from WebCrypto API and, as far as I read and understand, but I'm not that low-level-crypto expert, is used internally to scrypt.

Sure, scrypt uses PBKDF2 with HMAC-SHA-256 as its PRF of choice in the state expansion and compression steps [1].

> Does anyone know of any scrypt implementation that tries to leverage the WebCrypto API?

AFAICT, there is no such implementation yet. While PBKDF2 is included in the WebCrypto API specifications, to date its support is pretty limited. PBKDF2 works with Chrome Canary (Windows and OSX) and Opera Developer (Windows); it also works with Firefox, but only with SHA-1 --- as such, it is not relevant for scrypt applications.

Until more browsers start supporting PBKDF2 with HMAC-SHA-256, you might be better off reverting to a JavaScript library, to be plugged into your scrypt implementation. I never took the chance to look at it, but I heard that asmcrypto.js provides the fastest PBKDF2-HMAC-SHA-256 implementation in town [2].

Good luck.

[1] http://tools.ietf.org/id/draft-josefsson-scrypt-kdf-02.txt
[2] https://github.com/vibornoff/asmcrypto.js

-- 
Alfonso tweets @secYOUre