[Cryptography] What do we mean by ... ???

Natanael natanael.l at gmail.com
Tue Feb 17 16:10:01 EST 2015


On Tue, Feb 17, 2015 at 8:58 PM, John Denker <jsd at av8n.com> wrote:
> On 02/07/2015 05:05 PM, Bill Frantz wrote:
[..]
> 3) There was a tangential mention of baseline prudent
> practices concerning the choice of passwords.  As I
> see it, that's another example of asking the wrong
> questions.  IMHO almost all of what we now do with
> passwords should be protected by some sort of zero-
> knowledge crypto.  This would decrease the attack
> surface by orders of magnitude.  When I do business
> with Achmed's Recycled Body Parts, he should have no
> clue what password I am using, only that it is the
> same password that I used last time.  Obviously if
> Achmed gets hacked, the hackers can impersonate Achmed
> to me ... but they cannot get my password from his
> files, not even if I log into the hacked site.  In
> particular, the hackers cannot impersonate me to other
> sites, not even to Achmed's sister (Kitty's Kosher
> Pork and Porno Emporium).
>
> To say the same thing the other way, if I am running
> a web site, I do *not* want to know anybody's password!
> I don't want their password on my site, even momentarily.
> That's because knowing it would make me a target for
> bad guys who want to steal the password.  Why be
> responsible for protecting something if I don't
> need to?
>
> From the user's point of view, it looks the same,
> only better, so there is no barrier to adoption
> that I can see.  It's better in the sense that
> the user needs to remember only one password,
> with improved security.
>
> This reduces the number of things the user has
> to trust, but of course does not reduce it to
> zero.  The local agent that carries out the
> algorithm can still be subverted, perhaps by
> a keylogger, but that is a much smaller target
> than before.
>
>   By way of contrast, using a unique password
>   per site is more secure than using one password
>   for all, but it is less convenient, and also
>   carries some unnecessary risks, e.g. replay
>   et cetera.
>
> There exist implementations of zero-knowledge
> password systems, e.g.
>   https://bitbucket.org/simon_massey/thinbus-srp-js
> and probably others.   Does anybody here have any
> experience using such things?  Any useful pointers?
> Why are such things not more widely used?  Why are
> they not already fully integrated into servers and
> browsers????

We are getting there!

The FIDO Alliance U2F and UAF standards allow for something very
similar to this.

Here's how U2F dongles work: The dongle has a symmetric key that never
leaves the device. You connect to Achmed's used cars and hit
"register", enter your username and tap the button on the device. The
device generates an ECDSA keypair, encrypts the private key with its
own symmetric key, and uploads the encrypted private key and the
plaintext public key.

Then you come back to log in, enter your username, plug in the
dongle. The server sends the ciphertext associated with your account
to you, and it generates a challenge that is partially derived from
that particular SSL session such that it can NOT be reused outside it.
The receiving browser confirms the challenge references the particular
SSL session it is coming from (blocks replay attacks), and sends the
challenge and private key ciphertext to the device. The device
decrypts the key and signs the challenge, and sends it to the browser,
which sends it to the server.

This setup means that Achmed's sister cannot see that you're reusing
the same dongle for logging in to her site even if she could see his
database. It means that Achmed can't reuse your reply for his server
to get access to accounts that you have on his sister's service. It
means somebody who pretends to be Achmed either won't get a response
at all (wrong or bad certificate) or will get a response they can't
reuse against Achmed's service (because your device did not attempt to
authenticate *to Achmed*, but to a completely different service that
just has a similar name). And it means a MITM cannot tamper with the
authentication; they can only act as a transparent proxy with access
to nothing but ciphertext, or break the connection.

This also practically blocks all phishing that targets account credentials.

Google Chrome is getting this integrated currently, and Microsoft is
part of the standardization process and will support this in Windows
10, and likely IE too. I'm assuming Firefox will follow shortly. Using
NFC-equipped dongles like Yubico has (YubiKey NEO), it could also be
easily used with smartphones.

Use that with a PIN, and put that dongle on your keychain, and you've
got USABLE high security that resists most common attacks for the vast
majority of users.

