true2f backdoor resistant authentication tokens
play

True2F: Backdoor-resistant authentication tokens Emma Dauterman , - PowerPoint PPT Presentation

Sep 04, 2023 •127 likes •781 views

True2F: Backdoor-resistant authentication tokens Emma Dauterman , Henry Corrigan-Gibbs, David Mazires, Dan Boneh, Dominic Rizzo Stanford and Google IEEE Security & Privacy 2019 U2F: Effective hardware 2FA 2 U2F: Effective hardware 2FA

  1. True2F: Backdoor-resistant authentication tokens Emma Dauterman , Henry Corrigan-Gibbs, David Mazières, Dan Boneh, Dominic Rizzo Stanford and Google IEEE Security & Privacy 2019

  2. U2F: Effective hardware 2FA 2

  3. U2F: Effective hardware 2FA 3

  4. U2F protocol steps 1. Registration (associating a token with an account) 2. Authentication (logging into an account) 4

  5. U2F Step #1: Registration Associate a token with an account. github.com github.com pk github.com pk github.com github.com 5

  6. U2F Step #2: Authentication Log into an account. github.com , github.com , challenge challenge signature signature github.com 6

  7. U2F defends against phishing and browser compromise Even if malware takes over your browser, it can’t authenticate without the token. github.com , challenge sk github.com github.com 7

  8. … but what about vulnerabilities in the token itself? sk github.com github.com 8

  9. … but what about vulnerabilities in the token itself? 1. Implementation bugs 2. Supply-chain tampering sk github.com github.com 9

  10. Security threat #1: Implementation bugs in token [NSS+17] 10

  11. Security threat #1: Implementation bugs in token [NSS+17] 11

  12. Security threat #1: Implementation bugs in token [NSS+17] 12

  13. Security threat #1: Implementation bugs in token [NSS+17] 13

  14. Security threat #1: Implementation bugs in token [NSS+17] 14

  15. Security threat #2: Supply-chain tampering 15

  16. True2F: U2F protections + faulty-token protection 16

  17. True2F: U2F protections + faulty-token protection U2F protection Browser learns no secrets. 17

  18. True2F: U2F protections + faulty-token protection U2F protection Browser learns no secrets. True2F addition: Faulty-token protection Browser enforces correct behavior 18 to prevent token leaking secrets.

  19. True2F: U2F protections + faulty-token protection Goals: ● Augment U2F to protect against faulty tokens ○ Same protections as U2F even if token is buggy or backdoored ● Backwards-compatible with U2F server ○ Only requires changes to token and browser, not server ● Practical on commodity hardware tokens ○ Evaluated on Google hardware 19

  20. True2F: U2F protections + faulty-token protection Goals: ● Augment U2F to protect against faulty tokens ○ Same protections as U2F even if token is buggy or backdoored ● Backwards-compatible with U2F server ○ Only requires changes to token and browser, not server ● Practical on commodity hardware tokens ○ Evaluated on Google hardware Design principles: ● Both browser and token contribute randomness to the protocol. ● Browser can verify all deterministic token operations. 20

  21. True2F implementation Google production USB token with same hardware specs. ARM SC-300 processor Google development clocked at 24 MHz board running True2F. 21

  22. U2F protocol steps 1. Registration (associating a token with an account) 2. Authentication (logging into an account) 22

  23. True2F protocol steps 0. Initialization (after purchasing a token) [New] 1. Registration (associating a token with an account) [Modified] 2. Authentication (logging into an account) [Modified] 23

  24. True2F protocol steps 0. Initialization (after purchasing a token) [New] ➔ Ensure token master secret incorporates good randomness. 1. Registration (associating a token with an account) [Modified] 2. Authentication (logging into an account) [Modified] Principle: Both browser and token contribute randomness to the protocol. 24

  25. Step #0: Initialization collaborative key generation 25

  26. Step #0: Initialization collaborative key generation msk mpk 26

  27. Initialization: Security properties The token cannot bias mpk. msk mpk [GJKR99], [CMBF13] 27

  28. Initialization: Security properties The token cannot The browser learns bias mpk. nothing about msk. msk mpk [GJKR99], [CMBF13] 28

  29. Initialization properties The token cannot The browser learns bias mpk. nothing about msk. Our protocol reduces the number of group operations by 3x compared to [CMBF13] (see paper). 29

  30. True2F protocol steps 0. Initialization (after purchasing a token) [New] ➔ Ensure token master secret incorporates good randomness. 1. Registration (associating a token with an account) [Modified] 2. Authentication (logging into an account) [Modified] 30

  31. True2F protocol steps 0. Initialization (after purchasing a token) [New] ➔ Ensure token master secret incorporates good randomness. 1. Registration (associating a token with an account) [Modified] ➔ Ensure per-site keys generated correctly. 2. Authentication (logging into an account) [Modified] Principle: Browser can verify all deterministic token operations. 31

  32. Step #1: U2F Registration Associate a token with an account. github.com github.com pk github.com pk github.com github.com 32

  33. Security threat #1: Implementation bugs in token github.com github.com pk github.com pk github.com Generate (sk github.com , github.com pk github.com ) using weak randomness Bad randomness in embedded devices: [EZJ+14], [LHA+14], [NDWH14], [YRS+09] 33

  34. Security threat #2: Supply-chain tampering evil.com evil.com pk evil.com pk evil.com pk evil.com ← f(sk github.com ) evil.com sk github.com ← f -1 (pk evil.com ) 34

  35. Verifiable Identity Families (VIFs) mpk msk Derive server-specific keypairs in a deterministic and verifiable way from a master keypair. 35

  36. Verifiable Identity Families (VIFs) mpk msk Formally, we prove that VIFs are unique , verifiable , unlinkable , and unforgeable . 36

  37. Contribution: Simple (weak) VIF construction mpk msk github.com 37

  38. Contribution: Simple (weak) VIF construction github.com 38

  39. Contribution: Simple (weak) VIF construction github.com 39

  40. Contribution: Simple (weak) VIF construction github.com 40

  41. Contribution: Simple (weak) VIF construction github.com Unique: The token can produce the unique keypair for github.com . 41

  42. Contribution: Simple (weak) VIF construction github.com Verifiable: The token can prove to the browser that pk github.com is really the unique public key for github.com . 42

  43. Contribution: Simple (weak) VIF construction github.com Unforgeable: The browser cannot forge a signature under pk github.com . 43

  44. Contribution: Simple (weak) VIF construction github.com Weak unlinkability: github.com cannot distinguish pk github.com from a random ECDSA public key. 44

  45. Contribution: Simple (weak) VIF construction github.com Full unlinkability: Informally, browser cannot generate public keys without the token (see paper). 45

  46. True2F protocol steps 0. Initialization (after purchasing a token) [New] ➔ Ensure token master secret incorporates good randomness. 1. Registration (associating a token with an account) [Modified] ➔ Ensure per-site keys generated correctly. 2. Authentication (logging into an account) [Modified] 46

  47. True2F protocol steps 0. Initialization (after purchasing a token) [New] ➔ Ensure token master secret incorporates good randomness. 1. Registration (associating a token with an account) [Modified] ➔ Ensure per-site keys generated correctly. 2. Authentication (logging into an account) [Modified] ➔ Ensure authentication leaks no data. Principle: Both browser and token contribute randomness to the protocol. 47

  48. Step #2: U2F Authentication Log into an account. github.com , github.com , challenge challenge signature signature github.com 48

  49. Security threat #1: Implementation bugs in token github.com , github.com , challenge challenge signature signature Choose signing nonce with github.com weak randomness Bad randomness in embedded devices: [EZJ+14], [LHA+14], [NDWH14], [YRS+09] 49

  50. Security threat #2: Supply-chain tampering github.com , github.com , challenge challenge signature signature Hide sk github.com in evil.com signature Subliminal channels: [Sim84], [Des88] Unique signatures: [BLS01] 50

  51. Firewalled ECDSA Signatures Two ideas: 1. The token and browser use collaborative key generation to generate a signing nonce. 2. Because of ECDSA malleability, signatures are re-randomized by the browser. … see paper for details. [AMV15], [MS15], [DMS16] 51

  52. True2F protocol steps 0. Initialization (after purchasing a token) [New] ➔ Ensure token master secret incorporates good randomness. 1. Registration (associating a token with an account) [Modified] ➔ Ensure per-site keys generated correctly. 2. Authentication (logging into an account) [Modified] ➔ Ensure authentication leaks no data. 52

  53. Other contributions (see paper) ● Cryptographic optimizations tailored to token hardware ○ Offload hash-to-point to the browser ○ Cache Verifiable Random Function outputs at the browser ● Flash-optimized data structure for storing U2F authentication counters ○ Provides stronger unlinkability than many existing U2F tokens ○ “Tear-resistant” and respects constraints of token flash 53

  54. Multiple Browsers 1. Token gives mpk to browser (protect against bugs) 2. Sync mpk across browser instances 54

  55. True2F evaluation Google production USB token with same hardware specs. ARM SC-300 processor Google development clocked at 24 MHz board running True2F. 55

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
RSA Authentication Manager 8.2 Over 25,000 customers 50 60 million active tokens in

RSA Authentication Manager 8.2 Over 25,000 customers 50 60 million active tokens in

RSA Authentication Manager 8.2 Over 25,000 customers 50 60 million active tokens in circulation 10 million units shipped per year More than 50% market share RSA Ready Partner Program: 400 Partners with Native SecurID Integration THE

226 views • 20 slides
Tamper-resistant creation of integrity tokens for trustworthy communication in cyber-physical

Tamper-resistant creation of integrity tokens for trustworthy communication in cyber-physical

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Tamper-resistant creation of integrity tokens for trustworthy communication in cyber-physical systems Intermediate talk for the Masters

740 views • 25 slides
Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities

Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities

Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities Zhenfeng Zhang , Yuchen Wang , Kang Yang Institute of Software, Chinese Academy of Sciences; The Joint Academy of Blockchain

869 views • 25 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez,

Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez,

Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez, Lakshmi Kuppusamy, Jothi Rangasamy, Douglas Stebila, Suriadi Suriadi Colin Boyd Information Security Institute Queensland University of Technology

560 views • 32 slides
SRM Space Tokens SRM Space Tokens SRM Space Tokens SRM Space Tokens Scalla/xrootd Andrew

SRM Space Tokens SRM Space Tokens SRM Space Tokens SRM Space Tokens Scalla/xrootd Andrew

SRM Space Tokens SRM Space Tokens SRM Space Tokens SRM Space Tokens Scalla/xrootd Andrew Hanushevsky Stanford Linear Accelerator Center Stanford University Stanford University 27-May-08 http://xrootd slac stanford edu

550 views • 23 slides
Forgery-Resistant Touch-based Authentication on Mobile Devices Neil Zhenqiang Gong, Iowa State

Forgery-Resistant Touch-based Authentication on Mobile Devices Neil Zhenqiang Gong, Iowa State

Forgery-Resistant Touch-based Authentication on Mobile Devices Neil Zhenqiang Gong, Iowa State University Mathias Payer*, Purdue University Reza Moazzezi, UC Berkeley Mario Frank, UC Berkeley * @gannimo, http://hexhive.github.io Mobile

671 views • 26 slides
The Increasing Importance of Proof-of-Possession to the Web W3C Workshop on Authentication,

The Increasing Importance of Proof-of-Possession to the Web W3C Workshop on Authentication,

The Increasing Importance of Proof-of-Possession to the Web W3C Workshop on Authentication, Hardware Tokens and Beyond Michael B. Jones September 10, 2014 Abstract A number of different initiatives and organizations are now defining new

376 views • 8 slides
Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak , Venkatesh Raman, and Stefan Szeider SAT 2013 Backdoor Sets Introduced by Crama et al. 1997 and independently by Williams et al. 2003 in an

768 views • 12 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture Damage 1 Balanced Mix Design: ETG Definition Asphalt mix design using performance tests on appropriately conditioned specimens that address

480 views • 46 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work with Ben Kreuter, Tancrde Lepoint, Mariana Raykova ia.cr/2020/072 1 Definition Anonymous tokens are lightweight, single-use anonymous credentials.

657 views • 61 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov,

Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov,

Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov, Christopher Woods

353 views • 20 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
Corpus of Contemporary Lithuanian Language the Standardised Way Erika RIMKUT, Jolanta

Corpus of Contemporary Lithuanian Language the Standardised Way Erika RIMKUT, Jolanta

Corpus of Contemporary Lithuanian Language the Standardised Way Erika RIMKUT, Jolanta KOVALEVSKAIT, Vida MELNINKAIT, Andrius UTKA, Daiva VITKUT - ADGAUSKIEN Vytautas Magnus University Centre of Computational Linguistics Kaunas,

723 views • 20 slides
Electronic Labeling (ET 15-170) Presentation to the Federal Communications Commission May 2017

Electronic Labeling (ET 15-170) Presentation to the Federal Communications Commission May 2017

Electronic Labeling (ET 15-170) Presentation to the Federal Communications Commission May 2017 1 TIA Supports FCC Efforts TIA recognizes the need for device compliance TIA applauds FCC moves toward modernizing device labeling

199 views • 5 slides
Briefing Agenda Background Information Tactical Spatial Object (TSO) TSO Reference

Briefing Agenda Background Information Tactical Spatial Object (TSO) TSO Reference

Representing Geospatially Enabled C2 Information within the JC3IEDM AFCEA-GMU C4I Center Symposium Critical Issues in C4I 19 20 May 2009 John D. Roberts ACS, Inc. Shrewsbury, NJ, 732-460-9416 x22 jroberts@acsinc-nj.com Briefing Agenda

486 views • 11 slides
DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang Li, Jinghan Wang, and Heng Yin 1 Motivation Binary Code Differential Analysis quantitatively measure the similarity between two given

507 views • 27 slides
A Token-Based MAC For Long-Distance IEEE802.11 Point-To-Point Links Karl Jonas Michael

A Token-Based MAC For Long-Distance IEEE802.11 Point-To-Point Links Karl Jonas Michael

A Token-Based MAC For Long-Distance IEEE802.11 Point-To-Point Links Karl Jonas Michael Rademacher Martin Chauchet karl.jonas@h-brs.de michael.rademacher@h-brs.de martin.chauchet@inf.h-brs.de Hochschule Bonn-Rhein-Sieg Mobilkomtagung, 11-12.

633 views • 15 slides
INF5110 Compiler Construction Scanning Spring 2016 1 / 102 Outline 1. Scanning Intro

INF5110 Compiler Construction Scanning Spring 2016 1 / 102 Outline 1. Scanning Intro

INF5110 Compiler Construction Scanning Spring 2016 1 / 102 Outline 1. Scanning Intro Regular expressions DFA Implementation of DFA NFA From regular expressions to DFAs Thompsons construction Determinization Minimization Scanner

1.52k views • 102 slides
r rst trrs

r rst trrs

r rst trrs r r sttt

779 views • 33 slides

More recommend