Re: Yubikey announces v4 with PKCS#11 smart card features

I like the concept of origin bound certificates – has any browser vendor shown interest in implementing?

It would be perfectly possible to implement such a scheme using JavaScript, Cookies and Whitebox crypto as part of any website (in fact Irdeto’s cloaked.js ‘secure cookie’ approach is similar in concept except we have to spend a lot of effort making it hard to move them between devices). I’d be very interested to see if browser vendors want to make that easy.


Ben Gidley
Director Technology
t:  +44 7850 773096
Irdeto
Please visit: www.irdeto.com

From: Tony Arcieri <bascule@gmail.com>
Date: Tuesday, 24 November 2015 at 22:16
To: Erik Anderson <eanders@pobox.com>
Cc: Web Payments IG <public-webpayments-ig@w3.org>
Subject: Re: Yubikey announces v4 with PKCS#11 smart card features
Resent-From: <public-webpayments-ig@w3.org>
Resent-Date: Tuesday, 24 November 2015 at 22:16

On Tue, Nov 24, 2015 at 1:19 PM, Erik Anderson <eanders@pobox.com> wrote:
Speaking as someone who works in the "financial industry" who also attended the W3C's WebCrypto Next Steps workshop, PKCS#11 has a design which is hostile to usage in browsers, particularly around providing a meaningful user experience and easy-to-understand interaction flows for user consent.

Yubikey only exposes the PKCS#11 to the soft card module/PIV Applet, not to the browser JavaScript.

However, U2F's origin-bound certificates are exposed to the browser, because they are designed for use in a browser, and can be used to sign documents, credentials, or what have you with JavaScript (with cryptography performed on a hardware token and authenticated by whatever UI the hardware device provides).

Public/Private keys isn't the right answer. You might want to take a look at

1) 2013 President Obama tells the world the US Government must stop sabotaging public cryptography. NSA has been sabotaging the general public cryptography for decades.
  page 22 of https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf

2) August 2015 - NSA tells the world don't trust the security Bitcoin was built on. ECC (Elliptic Curve Cryptography) is very susceptible to quantum computing attacks.
  - https://www.nsa.gov/ia/programs/suiteb_cryptography/

  - ECC vulnerabilities https://eprint.iacr.org/2015/1018.pdf (Pay particular interest to this one)

We need to move away from using public/private keys as the form of identity. It's definitely not a credential that's bound to the individual.

Your argument is "public key cryptography doesn't work"?

#2 in particular is complete FUD. The NSA's actual recommendations were to move away from a 128-bit security level and had nothing specific to say about ECC that they didn't say about symmetric ciphers and hash functions. Koblitz published a paper around the same time talking about attacks on "verifiably random" elliptic curves such as the NIST curves and Brainpool, however he specifically calls out the process used for next generation elliptic curves by the IRTF's CFRG as being a way to solve attacks on weak curves (by explicitly selecting strong curves). Matt Green also had a blog post speculating the NSA may have broken ECDLP somehow, but it's little more than a guess on his part.

Don't get me wrong, I love using symmetric cryptography as much as possible, but for problems like TLS token/channel binding public key cryptography is the only solution, because that's what TLS uses to authenticate principals in a key exchange.

In the meantime, until someone builds a large quantum computer or makes some mathematical breakthrough, algorithms like RSA (using proper public exponents, padding, etc) and ECC (using modern elliptic curves like the CFRG curves) are fine and the only option for authenticating peers with TLS.

The past problems with public key cryptography have been with things like cross-origin certificates and the <keygen> tag. These things were ill-specified and not well designed for the browser ecosystem, and therefore did not work well in a browser environment (just like PKCS#11). These problems are remedied by the origin-bound certificates supported by token binding as described on http://www.browserauth.net/.


--
Tony Arcieri

Received on Wednesday, 25 November 2015 22:23:25 UTC