True2F: Backdoor-resistant authentication tokens

2019-07-09 401 Words S& p2019 System secruity

Brief

  • author: Emma Dauterman, Henry Corrigan-Gibbs, David Mazières, Dan Boneh, Dominic Rizzo
  • From: Stanford and Google

Introduction

双因子认证是目前对抗弱密码等恶意攻击的有效手段。其中一种是使用 U2F 硬件认证。但是使用硬件也可能给系统带来新的安全隐患(后门等)。

由于 U2F 在分发过程中需要在服务器中记录 seed,一旦攻击装获取seed就可以恢复公私钥,进而破坏系统安全性。

使用主秘钥和会话秘钥分离也可能发生cache和 swap 攻击等。

U2F 认证过程

U2F 双因子认证设计三个对象:U2F 硬件、浏览器和可靠服务器。

协议要求

  1. 防止恶意的token
  2. 防止 compromised browser
  3. Protect against token fingerprinting.
  4. 对服务器端透明
  5. 不改变硬件条件

密码学技术

1. 数字签名

  • Sig.KeyGen() → (sk, pk). Output a secret signing key sk and a public verification key pk.
  • Sig.Sign(sk, m) → σ. Output a signature σ on the message m ∈ M using the secret key sk.
  • Sig.Verify(pk, m, σ) → {0, 1}. Output “1” iff σ is a valid signature on message m under public key pk.

2. Verifiable random function (VRF)

  • VRF.KeyGen() → (skVRF, pkVRF). Output a secret key and a public key.
  • VRF.Eval(skVRF, id) → (y, π). Take as input the secret key skVRF, and an input id ∈ I, and output a value y ∈ Z∗q along with a proof π.
  • VRF.Verify(pkVRF, id, y, π) → {0, 1}. Take as input the public ∗ keypkVRF,apurportedinput-outputpair(id,y)∈I×Zq,and a proof π. Return “1” iff π is a valid proof that (id, y) is an input-output pair.

3. New tool: Verifiable identity families (VIFs)

作者在 VRF 的基础上加以修改,成为 VIFs

  • VIF.KeyGen()→(msk,mpk).Outputamastersecretkeymsk and a master public key mpk.
  • VIF.Eval(msk, id) → (skid, pkid, π). Given an identity string id ∈ I, output the keypair (skid, pkid) corresponding to that identity, as well as a proof π that pkid is well formed. The keypair (skid, pkid) must be a valid keypair for the signature scheme Σ.
  • VIF.Verify(mpk, id, pkid, π) → {0, 1}. Verify that pkid is the public key for identity id ∈ I corresponding to master public key mpk using the proof π. Return “1” iff the proof is valid.

实现:

/images/sp20191.png

4. New tool: Fast collaborative key generation

需要为VIFs 生成秘钥对。需要保证正确性、无偏和零知识。

  1. The browser commits to a random value v ∈ Zq . That is, the browser samples v ←R Zq and r ←R Zq and sends c ← H(v, r) to the token.
  2. Thetokensamplesv′ ←R Zq andsendsV′ ←gv′ ∈Gtothe browser.
  3. The browser opens its commitment to v by sending (v, r ) to the token. The browser outputs X ← V ′ · gv ∈ G as the public key.
  4. The token checks that H(v, r) = c. If so, the token accepts and outputs x ← v + v′ ∈ Zq. Otherwise, the token outputs “⊥.” Completeness follows immediately.

5. New tool: Firewalled ECDSA signatures

/images/sp20192.png

6. 计数算法

需要一个对小容量硬件友好的计数算法。值得注意的是需要对于flash做优化。

协议实现

/images/sp20193.png