Re: [webauthn] Recovering from Device Loss (#931)

> Might it make sense, then, to include an EDH key agreement in the import/export exchange, and encrypt `S` with the agreed ephemeral key? It wouldn't prevent a malicious client from active-MitMing the exchange and learning `S` (since we can't reasonably authenticate DH public keys across different authenticator vendors), but at least there would be forward secrecy and `S` wouldn't be in cleartext in client memory if the client is benign.

I am not sure how much benefit there is to protecting `S` in transit. Either the client is not malicious, in which case `S` will not be recorded, or the client is malicious and can intercept (or even replace) the `S` value. However, it might provide some protection against faulty client implementations.
 
> This also has me thinking it might make sense to include the `rpIdHash` in the HKDF `info` parameter (in which case we could probably drop `rpIdHash` from the MAC)?
 
I don't see much difference here, but more key separation is always nice.  

> > Why add `cred_key * G` to `S`? What purpose does it serve over using `cred_key * G` directly?
> 
> If you don't, then `p = credKey` and the main authenticator therefore knows the backup credential private key. With `P = cred_key * G + S`, you need to know `s` to compute `p = cred_key + s`, so only the backup authenticator is able to exercise its backup credentials.

There are two cases to be distinguished here, at the point of backup credential registration: is the main authenticator malicious or not? If the main authenticator is malicious, the RP cannot detect it and consequently the main authenticator can provide a backup key of its own construction (to which it knows the private key). If the main authenticator is not malicious, it will destroy its private key `e`, which means if it is compromised later, it cannot compute `cred_key`. So in the first case, adding `S` cannot be enforced, and in the latter case, adding `S` has no impact.

-- 
GitHub Notification of comment by galadran
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/931#issuecomment-542617838 using your GitHub account

Received on Wednesday, 16 October 2019 09:38:11 UTC
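The construction discussed in the third exchange above, worked through as an added example (not code from this thread or from the webauthn project): the backup authenticator holds `s` with `S = s*G`, the main authenticator derives `cred_key` and publishes `P = cred_key * G + S`, and only the holder of `s` can form the matching private scalar `p = cred_key + s`. Assumed, because the thread does not pin them down: `cred_key` is HKDF-SHA256 over an ECDH between the main authenticator's ephemeral key `e` and `S`, with `rpIdHash` in `info`, and the curve is NIST P-256 implemented inline.

```python
# Added example (not from the thread). Assumed details: cred_key = HKDF-SHA256(ECDH(e, S),
# info=rpIdHash) reduced mod n, on NIST P-256; the thread does not fix these.
import hashlib, hmac, secrets

# NIST P-256 domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
assert (G[1] ** 2 - G[0] ** 3 - A * G[0] - B) % P == 0  # sanity-check the constants

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    for bit in bin(k % N)[2:]:
        acc = add(acc, acc)
        if bit == "1": acc = add(acc, pt)
    return acc

def cred_key_from(shared_point, rp_id_hash):
    """HKDF-SHA256 (empty salt, one output block) over the ECDH x-coordinate, rpIdHash in info."""
    prk = hmac.new(b"\x00" * 32, shared_point[0].to_bytes(32, "big"), hashlib.sha256).digest()
    okm = hmac.new(prk, b"webauthn backup cred_key" + rp_id_hash + b"\x01", hashlib.sha256).digest()
    return int.from_bytes(okm, "big") % N

def main_authenticator_register(S, rp_id_hash):
    """Main authenticator: ephemeral e -> cred_key, publish (E, P = cred_key*G + S), discard e."""
    e = secrets.randbelow(N - 1) + 1
    E = mul(e, G)
    cred_key = cred_key_from(mul(e, S), rp_id_hash)
    return E, add(mul(cred_key, G), S)  # e and cred_key go out of scope: not recoverable later

def backup_authenticator_recover(s, E, rp_id_hash):
    """Backup authenticator: the same cred_key from s and E, then p = cred_key + s (mod n)."""
    cred_key = cred_key_from(mul(s, E), rp_id_hash)
    return (cred_key + s) % N
```

Because `e*S = s*E`, both sides derive the same `cred_key`, and `p*G = (cred_key + s)*G = cred_key*G + S = P`; without `s` the main authenticator only ever holds `cred_key*G`, which is a different point.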