[Cryptography] Security weakness in iCloud keychain

Jerry Leichter leichter at lrw.com
Fri Jun 1 11:26:16 EDT 2018


Nice description.  Only one - not so much disagreement as shading:

> ... [I]f the attacker steals the [TOTP secret] database, the TOTP is toast yet they still have to brute force my password. If the site can somehow securely store my TOTP secret, this is mitigated, but usually if the password database is exposed to some access vulnerability, the TOTP secret is going to be right next to it.
It would be bad practice to store the two kinds of secrets in the same place.  Checking the time-based password is exactly the kind of thing that should be done in dedicated hardware (something like a key store); or if you want to get close to that, in an isolated machine or VM providing TOTP validation as a service.  This kind of thing is very cheap these days.

There's an additional level that could be implemented (though I don't know of anyone who's done it):  Have the token sign the one-time password.  The token has the signing key; the server has only the verification key.  Now there's no shared secret at the server to be stolen!  (Actually, a better protocol would be to have the client send the signed pair <password, one-time value>.)  The downside of this approach is that the one-time password will necessarily be much longer than is typical - today it's usually 4-6 digits - so this isn't practical when the user is expected to type in the OTP, a common mode of operation for retro-fitted systems.

                                                        -- Jerry
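The two designs sketched in the message above, as an added worked example (not code from the post or from any product it mentions): first, standard RFC 6238 TOTP where the shared secret lives only inside a separate validator and never in the password database; second, the asymmetric variant where the token signs the pair <password, time step> with an Ed25519 key and the server keeps nothing but the public key plus the last step it accepted, so stealing the server's table yields nothing that can produce a valid OTP. The user name "alice", the secret "12345678901234567890" (the RFC 4226/6238 test-vector key), the step numbers and the passwords are constructed sample values; the one-step skew window and the replay check are design choices assumed here, not something the message specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// ---- Variant 1: RFC 6238 TOTP, with the shared secret confined to a separate validator ----

// totpCode computes the 6-digit code for one time step using the HOTP dynamic
// truncation of RFC 4226 (HMAC-SHA1 over the big-endian 8-byte step counter).
func totpCode(secret []byte, step uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
}

// Validator stands in for the isolated TOTP service: it is the only component
// that ever holds shared secrets, so the password database contains none of them.
type Validator struct{ secrets map[string][]byte }

func NewValidator() *Validator { return &Validator{secrets: map[string][]byte{}} }

func (v *Validator) Enroll(user string, secret []byte) { v.secrets[user] = secret }

// Check accepts the code for the given step and one step either side (clock skew).
func (v *Validator) Check(user string, code uint32, step uint64) bool {
	s, ok := v.secrets[user]
	if !ok {
		return false
	}
	for d := int64(-1); d <= 1; d++ {
		if totpCode(s, uint64(int64(step)+d)) == code {
			return true
		}
	}
	return false
}

// ---- Variant 2: the token signs <password, step>; the server holds only a verification key ----

// SignedOTP is what the token emits: the step it signed plus an Ed25519
// signature over (step || password). Binding the password into the signed
// message is the "signed pair" refinement from the message above.
type SignedOTP struct {
	Step uint64
	Sig  []byte
}

func signedMessage(step uint64, password string) []byte {
	m := make([]byte, 8+len(password))
	binary.BigEndian.PutUint64(m, step)
	copy(m[8:], password)
	return m
}

// TokenSign runs on the token, the only holder of the private key.
func TokenSign(priv ed25519.PrivateKey, step uint64, password string) SignedOTP {
	return SignedOTP{Step: step, Sig: ed25519.Sign(priv, signedMessage(step, password))}
}

// PubKeyServer stores a public key per user and the last step it accepted.
// Nothing in this table lets a thief forge a future OTP.
type PubKeyServer struct {
	keys     map[string]ed25519.PublicKey
	lastStep map[string]uint64
}

func NewPubKeyServer() *PubKeyServer {
	return &PubKeyServer{keys: map[string]ed25519.PublicKey{}, lastStep: map[string]uint64{}}
}

func (s *PubKeyServer) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Verify enforces a +/-1 step skew window, rejects replay of any step at or
// below the last accepted one, then checks the signature with the public key.
// The password itself is still checked against its hash as today; here it is
// only bound into the signed message.
func (s *PubKeyServer) Verify(user, password string, otp SignedOTP, now uint64) bool {
	pub, ok := s.keys[user]
	if !ok {
		return false
	}
	if otp.Step+1 < now || otp.Step > now+1 {
		return false // outside the skew window
	}
	if last, seen := s.lastStep[user]; seen && otp.Step <= last {
		return false // replay of an already-used signed OTP
	}
	if !ed25519.Verify(pub, signedMessage(otp.Step, password), otp.Sig) {
		return false
	}
	s.lastStep[user] = otp.Step
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector key (constructed enrollment)
	v := NewValidator()
	v.Enroll("alice", secret)
	fmt.Println("TOTP code for step 1:", totpCode(secret, 1), "accepted:", v.Check("alice", 287082, 1))

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewPubKeyServer()
	srv.Enroll("alice", pub)
	otp := TokenSign(priv, 1000, "correct horse")
	fmt.Println("signed OTP accepted:", srv.Verify("alice", "correct horse", otp, 1000))
	fmt.Println("replay accepted:", srv.Verify("alice", "correct horse", otp, 1000))
}
```

The length problem the message points out is visible here: a 6-digit TOTP fits in a phone screen, while the signed variant carries an 8-byte step and a 64-byte signature, so it only works where the token can transmit the value rather than have a user type it.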
