Auth for Encrypted Services with Server Side APT

Steve “Sc00bz” Thomas

Who is This Talk For?

Where are the Keys?

• “Brain wallet”• “Key file”• “Key service”

Pre-Authentication

• Run the PW-KDF once

• Generate two keys– Authentication key– Encryption key

• Caveat– PBKDF2

Crypho (Fixed)

• Send 6 digit 2FA

• Receive password encrypted private key

ProtonMail

• Two passwords– Authentication sent to the server as is– Decrypt PGP key

• Most users will use the same password

Mega

• KDF is “Do stupid shit with AES 65536 times”• Auth key is encrypt email 16384 times with

password key

Nigori (Google Sync)

Crypton

PAKE

• Password Authenticated Key Exchange– Diffie-Hellman– Eve and Mallory proof

Client-Server

ClientauthKey || pwKey = PW-KDF(...)sKey = PAKE(authKey)

encMK = decrypt(sKey, packet)MK = decrypt(pwKey, encMK)

Server

sKey = PAKE(serverData)packet = encrypt(sKey, encMK)

authKey Used for authenticationpwKey Decrypts the encrypted master keysKey Session encryption keyencMK The encrypted master keyMK The master key

Server-HSM

Server

encData = DB.find(user)

HSM

encMK, serverData = decrypt(hsmKey, encData)

sKey = PAKE(serverData)

packet = encrypt(sKey, encMK)

hsmKey Encryption key stored on the HSMsKey Session encryption keyencMK The encrypted master key

Server-HSM

Server

encData = DB.find(user)

 

Encrypt packets with sKey2

HSM

encMK, serverData = decrypt(hsmKey, encData)

sKey = PAKE(serverData)

packet = encrypt(sKey, encMK)

sKey2 = KDF(sKey)

hsmKey Encryption key stored on the HSMsKey Session encryption keysKey2 Server-client session keyencMK The encrypted master key

Change Password

fall2014

winter14

spring15

summer15

New User

I Can Has 2FA?

I Can Has 2FA

• Time based• Challenge response• No counters

U2F

• Tracking• Poor multi token

support• 10 second window• User presents

U2F

• BUT it’s the best we got

TeensyGap

TeensyGap-ed Raspberry Pi

Questions?

• Twitter: @Sc00bzT• GitHub: Sc00bz• Site: tobtu.com