
Auth for Encrypted Services with Server-Side APT

BSides Las Vegas · 2015 · 21:10 · 9 views · Published 2016-12
About this talk
Thomas explores authentication mechanisms for encrypted services, comparing brain wallets, key files, and server-side key storage. He details password key derivation functions, SRP-based authentication, and HSM-backed schemes to prevent man-in-the-middle attacks, then examines practical implementations in services like Mega and ProtonMail, including mitigations for U2F tracking and the design of TeensyGap for air-gapped cryptographic operations.
PW - Auth for Encrypted Services with Server Side APT - Steve “Sc00bz” Thomas Passwords BSidesLV 2015 - Tuscany Hotel - August 05, 2015
Transcript [en]

I'll improve his audio three times in a single... sounds good to me, that's pretty awesome, let me... can actually do that. And if you want to discuss... if you don't want to discuss crypto, talk to Steve, if you want everybody to, you know, completely crackers... oh man. So take it away.

Thank you. So when I was over at the speaker room I was working away and then my name was called and I was like, what? So I had no time to, like, mentally prepare, so I'm still on edge a little. So, auth for encrypted services with server-side APT: you're authenticating into a server that is already owned. So who is this talk for? This is for people that are actually making encrypted services that would want to implement this, and for users to know that there is something that's really good out there.

So there's three places where you can put the keys. There's brain wallet, where your public key is generated... your private key is generated from a password KDF, and the public key is given out, so anyone can start trying to guess what your password was. Key file: it's like PGP, you have a file on your computer that has your private key that you decrypt with a password. Then key service, that's where some company has a server where they store... so a user generates a cryptographic key, then encrypts it with their password, and then that's stored somehow on the server. So that's what I'm actually going to be talking most about, because the first one, that's less secure because everyone can crack it; the second one, it's harder for users because they have to deal with, like, moving the key everywhere; but then the third one, the key's always there, you just log in.

So before we even get on to PAKE: you want to run the KDF, the password KDF, once, then generate two keys, the authentication key and the encryption key. Caveat: PBKDF2, each block is done independently, so it's actually bad for doing something like this, because someone could just spend half the time and just generate one of the keys or something like that. So you would either have to, like... I use HKDF afterwards, or something. Sure, yeah.

So I'm going to go quickly over these, but these were just some of the things that I found. So Crypho, they had... basically to get the password-encrypted private key all you needed was a six digit code, but it was like a TOTP. That's real, yeah, so that's now fixed; there was no rate limiting or anything. So then there's ProtonMail, they're like, oh, we'll have an authentication password and a decryption password, but I'm pretty sure most users are going to use the same password, then the first one's just [unclear], like logging into the page. Mega does some crazy stuff with AES a bunch of times, then to authenticate they do a bunch of extra steps, so if you were to actually get the data that's on Mega's servers you have to do a lot less computation. And since it's not salted for the first part, everyone with the same password has the same key, pretty sure, I forgot, I'm pretty sure, but you'd have to check each one, like decrypting, to make sure it actually worked or not.

Next, [unclear], I think, so they use PBKDF2 up to four different times with varying... oh, you can't read that at all now that it's 800 by 600, anyways. So the first one is done on static data, so then you generate, like, a MAC key, which if you're actually attacking, if you actually had the data from there, you just do the static one first, that generates the salt, and then always use that again, and then just generate the MAC key by doing a thousand and four iterations. [Unclear], whatever they're called, they use PBKDF2 up to three times with a minimum PBKDF2 round count, which is 1000, then there's SRP, they use scrypt, so then they hash that for the actual key, but if you're going to attack this you're just going to attack the thousand-round PBKDF2.

So since we're talking about SRP: PAKE, it's a password-authenticated key exchange, so basically Diffie-Hellman but there's a key, mixed password, key, whatever, mixed in that makes it so that anyone in between the two ends that are trying to connect, you can't, like, man in the middle or modify or, like, get any information from that; you can't crack the password from any of the information going back and forth. So the way you would use it is you would generate the two keys, the authentication key and the encryption key, then you would use that to do the PAKE connection, then over that channel the server would send you the encrypted master key, the password-encrypted master key, then you just decrypt that and then you'd have your master key.

Can we make this better? Yes we can. So if you had an HSM and you have the server hold an encrypted blob of all the information that was necessary from before, the HSM is the only one that has the decryption key for that, so when a client comes in you do a database lookup, send that over to the HSM, the HSM decrypts it, then is able to do the PAKE connection, then over that channel you send over the password-encrypted master key, so nothing in between the HSM and the client can man in the middle this, and no one can get any information about the password or anything like that.

Can we make this any better? Yes we can: generate two session keys and give the second one back to the server, so now the server can actually have its own protected channel that it can talk to the client over. So now, granted, the talk's about advanced persistent threats on the server; this wouldn't help with that because the endpoint is the server now, but anything from the server to the client can't be man-in-the-middled.

So changing passwords, this is actually extremely easy; it's the same exact thing as before except, instead of receiving the password-encrypted master key, you send that information along with the PAKE information so that the server can actually authenticate with you, then it creates that data, sends it to the server to be stored in the database.

Nope. Well, yes, the master key is, though. Well, yes, the master key's still the same; you can do, like, if you wanted to, you could do basically like revoking keys and generating everything new and pulling down all your data, re-encrypting it and putting it back. But yeah.

So new users: there's no password that the server already knows, so the HSM can't do the PAKE connection, so the HSM would need a public/private key pair, with the public key baked into the client software, and so it would just request an ephemeral key, get that, then do an ephemeral Diffie-Hellman thing and then send over the information to be encrypted. I'm talking in circles, I see blank faces. So the information from before, when you change your passwords, that information would be sent over the ephemeral Diffie-Hellman key exchange. Yeah, can I has... I can has? Thank you, thank you, I messed up twice. The answer is yes.

So the nice thing about this is, if you add the two-factor authentication information into the encrypted blob that is stored in the database and have the HSM do the authentication for the second factor, you eliminate online password guessing, but you can't do any counters, because that requires the HSM to change, you know, re-encrypt the blob, send it to the server, and the server would just say whoops, it's the same one, and just keep on replaying the same counter for the user.

And then, yeah, so there's U2F, that's Universal Second Factor. There are some problems with it. There's tracking, which is the combination of the attestation key (attestation, attestation, I asked someone, they were like, I don't know either, so, attestation) and the counter that's in the protocol. When you combine both of those you can narrow down to a smaller percentage; it gets you down to a smaller group of what you think could be who they are, across sites. But there's ways to mitigate that with multiple counters and buckets and stuff, but from the spec that's optional, so you don't know what you're buying.

But then there's poor multi-token support, which is, so when you press the button the server doesn't know... well, when you're trying to authenticate, the server doesn't know which dongle it is, so it just sends the first key over and you press the button and then it'll fail, it will send the second one, the third one, the fourth, and keep on going down the line. This is why there's a 10-second window, but that's also a problem because if you press the button, anyone else... if your computer's owned, yes I know, but if your computer's owned, if you press that button it literally can log you into anything it wants in that ten-second window. It's better to have that button be just one, and, you know, I didn't get in, I might be owned, or I got in, I'm good. Then there, that's basically user presence versus user authorizing, but it's not really authorizing because someone could steal the button press. So the way to fix multi-token support is just use the username during registration, send it over to the U2F token, but that would require a protocol change in them; you just do an HKDF on that and a secret key, whatever. So, but it's the best we got, it's actually really good. There's one really cool thing it can do: you can sign the actual SSL key so that you know you're not being MITMed, so for Superfish that would have been detected really fast if U2F was used everywhere.

So TeensyGap, this is the thing I came up with last year. It was... so I was watching Hak5 and they were doing an air-gap PGP and they were trying to use the camera to do QR code transfers and stuff, and I was like, so what this is is two Teensys that are soldered together; they talk to each other, basically it shows up as, like, a serial port on either end, and basically the TeensyGap enforces the protocol, so hopefully it... well, if, let's say your laptop is owned, or partially, I guess you can... if your laptop, so your air-gap laptop or whatever, [unclear]. How, basically, you would get email in, and then when you want to send an email it just turns the light on, and when you press the button then it would allow one email to be sent, and then you could add, like, an LCD screen with, like, the hash of the message that was going to be sent, so that you can verify that, you know, although your computer's owned, when you actually do the hash on your computer it shows up as the same.

But if you were to use this with a Raspberry Pi, so you have a Raspberry Pi as the HSM and then it's connected to a server through that, well now the button's not really useful. Then what you can do is, this is, like, the ghetto way of getting an HSM, because there's not one that actually does the PAKE connection and everything I've been talking about, but if you do this then hopefully the operating system isn't backdoored, but if it is, it might... the only communication it has to the outside world is through a serial port, with, like, they wouldn't know how to talk to the TeensyGap, but it might be able to find out. So it's not really, like, this isn't a secure solution obviously, but it's nearish. Um, wait, one...

Questions? Yeah. Oh, well sure. I mean, what I see is that I really need to dedicate, you know, myself more fully to my drinking. Yeah. Odd... I was told to add photos, so, I see, what you know, that is because... no man. So how did... some little something, there's one with us we want to submit for... a few gentlemen just do this back in the summer 2012, I have Steve at the university and also doing at all, we have a German folk that's a lot of [unclear], and he introduced the concept of using kitties in the presentation for a specific purpose, if you have one more internet for its life, but basically described, [unclear], so that important is that another twenty, come, I'll try to upload, dude, that's stupid. I had kittens then, I... then yeah, I had kittens, but then I was like, this is funny, yeah, this is hilarious. Okay, um, okay.

What if you... into all of us... oh no, I actually have a content-full question. Um, given that you're doing PAKE stuff on your HSM, how much is that putting more of a burden, compute power requirements, on an HSM than is typical of the kinds of devices that are available now?

Um, I don't need them... oh yeah, so there's the Yubico... oh, that's what I found anyway, so yeah, there's the Yubico HSM that just does symmetric key stuff, so it's super fast in comparison. For this you need to do three elliptic curve multiplications and two additions, so it's faster than RSA, I think.

So I'm... work... I just had one comment. Um, we implemented, we designed a very similar scheme for Firefox Accounts, the first time around, about... second time around, about two years ago. The thing that caused us to abandon it was that needing to do the stretching on the client side before you put it into the PAKE derivation was kind of unpredictable, like, you know, we had very, very slow cheap phones doing it, powerful desktop machines, and we couldn't get a consistent enough experience with that on that side. And then they also... recognizing there were some other problems to it, where we weren't really getting as much security out of it as we wanted relative to the complexity and the kind of burden we're putting on the client side, which is why we then backed away from that stuff. So it's really cool and I totally support what you're doing, but there's some practical stuff that causes problems when we tried to pursue it.

More questions? Yeah, I think I had a related question, which was, for PAKEs the server has to store some verification info, right? Yeah, it's been encrypted by the HSM, and then it's handed over to the HSM, decrypted, it's contained in there, and then it does the connection. Okay, that's all questions? Okay, well, thank you Steve. [Applause]
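The PBKDF2 caveat from the talk, shown as an added example (not the speaker's code): asking PBKDF2 for two blocks and splitting them lets an offline guess stop after the first block and still recover the authentication key, whereas one PBKDF2 block followed by HKDF ties both keys to the full stretching work. The password, salt, round count and HKDF info labels are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample inputs for the demonstration; a real service uses a random
# per-user salt and a much higher round count.
PASSWORD = b"correct horse battery staple"
SALT = b"constructed-per-user-salt"
ROUNDS = 20_000


def naive_two_keys(password: bytes, salt: bytes, rounds: int) -> tuple[bytes, bytes]:
    """The caveat: ask PBKDF2 for 64 bytes and split them into
    auth key || enc key. Each 32-byte block is computed independently."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen=64)
    return out[:32], out[32:]


def first_block_only(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Only block 1 is needed to obtain the auth key, so each offline guess
    costs half the work the service spent deriving both keys."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen=32)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 HKDF-Extract with HMAC-SHA256.
    return hmac.new(salt, ikm, "sha256").digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i).
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), "sha256").digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(password: bytes, salt: bytes, rounds: int) -> tuple[bytes, bytes]:
    """Run the password KDF once for a single block, then let HKDF split it.
    Both keys now depend on the whole PBKDF2 output, so there is no shortcut."""
    stretched = hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen=32)
    prk = hkdf_extract(salt, stretched)
    auth_key = hkdf_expand(prk, b"authentication key", 32)  # used for the PAKE
    enc_key = hkdf_expand(prk, b"encryption key", 32)       # unwraps the master key
    return auth_key, enc_key
```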