[cryptography] Hi all, would like your feedback on something

Ondrej Mikle ondrej.mikle at nic.cz
Fri Dec 18 18:35:40 EST 2015


On 12/18/2015 03:27 PM, Brian Hankey wrote:
> The question we are trying to answer here is how could we all have ultra strong
> passwords i.e. “!3AbDEE9eE45DCea” that are you unique for each and every
> website, email, social media, etc. service that we use but without having to
> trust any third parties to store them for us protected by single password
> (perhaps with 2 factor authentication, hardware key, etc., admittedly), or to

I've been looking into this for a long time and here are two key points:

1) No matter how strong your password is, it will leak if you reuse it, because
attackers hack badly secured sites/databases - this is in no way surprising, but
it's "new" to non-tech-savvy people.

2) U2F, "Universal 2-Factor", is probably the best solution now - very usable,
"kind of" wide-spread (see http://www.dongleauth.info/). Yubikey Neo and Yubikey
4 are the best sample devices that implement this. You plug in the token in USB
slot and touch the button (malware cannot physically touch the button - this is
very important in the design!).

That is your answer - you don't need any third party and challenge-response
makes it resistant to replay attack.

Internally Yubikey uses secp-256-r1 challenge-response. However, U2F can support
all kinds of authenthication, see
https://www.yubico.com/2015/01/fido-u2f-ecosystem-coming-alive/

The only shame is that only recent Chrome/Chromium supports it natively in
browser area. Firefox supports it as an addon
(https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/). There is
an implementation in Firefox Nightly, but it's broken. There's actually noone
assigned to finish U2F support (information from bugzilla).

If there is a substantial flaw in U2F, let's hear it.

/me reminds himself to review the U2F protocol in more thorough detail now :-)

Ondrej


More information about the cryptography mailing list