113
edits
Services/Sync/P2P Key Exchange And Rotation: Difference between revisions
Jump to navigation
Jump to search
Services/Sync/P2P Key Exchange And Rotation (view source)
Revision as of 03:48, 17 January 2016
, 17 January 2016Revised eXfio Peer v2 to reflect candidate B solution
(updated message structures) |
(Revised eXfio Peer v2 to reflect candidate B solution) |
||
| Line 223: | Line 223: | ||
== eXfio Peer v2 == | == eXfio Peer v2 == | ||
Version 2 of the eXfio Peer protocol improves the protection against a man in the middle (MITM) attack, at the expense of a more complex protocol | Version 2 of the eXfio Peer protocol improves the protection against a man in the middle (MITM) attack, at the expense of a more complex protocol requiring two round-trips. Importantly the starting assumption is that an adversary has full access to the storage '''and''' knows the password, i.e. a hostile systems administrator. Fortunately an elegant means to mitigate against this threat is to use a [https://www.silentcircle.com/products-and-solutions/technology/scimp/ SCIMP] style hash commitment, which results in an adversary, Eve, having to select a public key without knowing the public key of either Alice or Bob, giving Eve a single opportunity to guess a 4 character base32 authcode with a probability of 1.05 x 10<sup>-6</sup>. Thus making it very difficult to launch a MITM attack without detection. | ||
<span id="Messaging_Protocol_v2"></span> | <span id="Messaging_Protocol_v2"></span> | ||
===Messaging Protocol=== | ===Messaging Protocol=== | ||
Although version 2 of the eXfio Peer protocol requires two round trips it has been designed such that the user input for out-of-band verification takes place on the registered device, Client B, which can determine if the verification of Client A has been successful without exchanging additional messages between clients. However to detect a MITM adversary impersonating Client B an additional verification check is needed on the new device, Client A. Although this attack would not result in a compromise of the master key it could result in the sharing of confidential data. Thus if a user incorrectly enters the authcode Client A must assume the session is compromised or exchange additional messages between clients to give the user additional opportunities to enter the correct authcode. | |||
'''Protocol Sequence''' | '''Protocol Sequence''' | ||
<ol start="0"> | <ol start="0"> | ||
<li>Each client publishes an identity key ( | <li>Each client publishes an identity key (AIp, BIp)</li> | ||
<li>Client A: Generates a new ephemeral key (AEp) and sends a message to Client B | <li>Client A: Generates a new ephemeral key (AEp) and to initiate a verified session sends a message to Client B including a digest of the key (AEd), thereby committing to a specific ephemeral key without revealing it</li> | ||
<li>Client B: | <li>Client B: Generates a new ephemeral key (BEp) and sends a message to Client A including the key (not a digest). Both parties have now committed to a specific ephemeral key without first knowing the key of the other party</li> | ||
<li>Client A: Sends a message to Client B including the ephemeral key (AEp)</li> | |||
<li>Out-of-Band: Client B can now verify the session by confirming that Client A's ephemeral key (AEp) matches the digest (AEd), provided earlier, and using user input to avoid interception, i.e. out-of-band, that an authcode (VCS) derived from Client A's ephemeral key (AEp) and identity key (AIp) has the same value on Client A and Client B.</li> | |||
<li>Client B: Derives a shared secret (SK) using 3DHE and sends an encrypted message to Client A including the status of the verification, i.e. okay|fail, and a random component of the authcode (VCRui) thus proving the response is from the registered device, i.e. Client B. If verification is successful the message can optionally include additional information such as account keys</li> | |||
</ol> | </ol> | ||
Assuming verification is successful Client A and Client B can now communicate using the shared secret (SK) as a session key. | |||
<pre> | <pre> | ||
Alice (Client A) Eve (MITM) Bob (Client B) | Alice (Client A) Eve (MITM) Bob (Client B) | ||
t0 AIs AIp, BIp BIs | t0 AIs AIp, BIp BIs | ||
t1 AIs AIp, BIp BIs | t1 AIs AIp, BIp BIs | ||
Key AEs AEd | |||
Commit AEp | |||
t2 AIs AIp, BIp BIs | t2 AIs AIp, BIp BIs | ||
AEs | AEs BEp BEs | ||
AEp AEd | |||
t3 AIs AIp, BIp BIs | |||
Key AEs AEp, BEp BEs | |||
Verify | |||
t4 AIs AIp, BIp BIs | |||
(OoB) AEs AEd BEs | |||
AEp BEp | |||
VCS = DIGEST(AIp, AEp) VCSui = <user input> | |||
VCR = RANDOM() VCRui = <user input> | |||
Verified = (VCSui == DIGEST(AIp, AEp) + AEd == DIGEST(AEp)) | |||
t5 AIs AIp, BIp BIs | |||
SK = KDF(3DHE(AIs, AEs, BIp, BEp)) SK = KDF(3DHE(BIs, BEs, AIp, AEp)) | |||
VCR VCRui | |||
VCRui | |||
Verified = (VCRui == VCR) | |||
</pre> | </pre> | ||
'''Client JSON''' | '''Notes:''' | ||
* The authcode (VCS + VCR) is a digest of Client A's identity key and ephemeral key and a random value respectively. This code must be entered on a registered device to verify the user is in possession of the device requesting authorisation. If the authcode displayed by Client A matches the VCS value generated on Client B and if Client A's hash commit matches the digest of Client A's public key then a man-in-the-middle attack impersonating Client A is highly unlikely. Finally if the VCRui value returned to Client A matches the original VCR random value then a man-in-the-middle attack impersonating Client B is highly unlikely. | |||
* To minimise errors during user input the authcode can be represented using a word list, i.e. [https://en.wikipedia.org/wiki/PGP_word_list PGP], [http://world.std.com/~reinhold/diceware.html Diceware], [https://tools.ietf.org/html/rfc1760 S/KEY] or optionally scanned using a QR code. | |||
* By including Client A's identity key in the authcode provides the additional benefit of verifying both keys | |||
'''Client JSON (compatible with v1 protocol)''' | |||
<pre> | <pre> | ||
{ | { | ||
| Line 280: | Line 294: | ||
</pre> | </pre> | ||
'''Message JSON (compatible with v1 protocol)''' | '''Message JSON (compatible with v1 protocol)''' | ||
| Line 496: | Line 332: | ||
name: "name of client", | name: "name of client", | ||
keydigest: "digest of sender's ephemeral key", | keydigest: "digest of sender's ephemeral key", | ||
getkeys: "when true and session verified | getkeys: "when true and session verified account keys will be included in SessionKeyVerifyResponseMessage, optional. See Registration protocol" | ||
} | } | ||
</pre> | </pre> | ||
| Line 514: | Line 350: | ||
{ | { | ||
authcode: "Random component of authcode entered by user, i.e. VCRui" | authcode: "Random component of authcode entered by user, i.e. VCRui" | ||
} | } | ||
</pre> | </pre> | ||
| Line 541: | Line 370: | ||
message: "ephemeral key okay|ephemeral key mismatch", | message: "ephemeral key okay|ephemeral key mismatch", | ||
auth: SessionVerifier (if status okay), | auth: SessionVerifier (if status okay), | ||
payload: | payload: Optional. See Registration protocol, | ||
} | } | ||
</pre> | </pre> | ||
| Line 562: | Line 391: | ||
status: "verified|failed", | status: "verified|failed", | ||
message: "session verification okay|session verification failed", | message: "session verification okay|session verification failed", | ||
} | |||
</pre> | |||
<span id="Registration_Protocol_v2"></span> | |||
===Registration Protocol=== | |||
The objective of the registration protocol is for a user, i.e. Alice, to authorise a new device and transfer to it the master key (sync key) thus allowing it to read and write encrypted data to and from the storage. To maintain the security of the master key the protocol must defend against a man-in-the-middle (MITM) attack from an adversary. Importantly for version 2 of the eXfio Peer protocol the starting assumption is that an adversary has full access to the storage '''and''' knows the password, i.e. a hostile systems administrator. | |||
When a user registers a new device with the Weave Sync server the client first checks if any devices have already been registered. If there are no registered devices it generates a master key (MK) and initialises the storage. If there are existing registered devices it requests authorisation by following the procedure below. A key difference from the messaging protocol is that to improve user experience we want to avoid the user having to wait for messages to be exchanged, thus the out-of-band step is brought forward as early as possible and is able to take place immediately after Client A has sent the SesssionKeyCommitRequestMessage although it cannot be completed until Client B has received the message, hence good connectivity is required on both Client A and Client B, but not necessarily simultaneously. | |||
'''Note:''' When the new device is mobile a QR code could be used for the out-of-band verification, which would remove the need for user input and mitigate against the impersonation of Client A and Client B. | |||
<ol start="0"> | |||
<li>Client A: Authenticate to sync server and create client record with status of 'pending'</li> | |||
<li>Client A: Send SessionKeyCommitRequestMessage to existing device, Client B, including digest of ephemeral key (AEd) and with a getkeys value of 'true'</li> | |||
<li>Out-of-Band: User sights authcode displayed on Client A, generated from identity and key ephemeral key and random value, and enters it on Client B</li> | |||
<li>Client B: Send SessionKeyCommitResponseMessage to new device, Client A, providing an ephemeral key (BEp)</li> | |||
<li>Client A: Send SessionKeyVerifyRequestMessage to Client B including ephemeral key (AEp)</li> | |||
<li>Client B: Send SessionKeyVerifyResponseMessage to Client A encrypted with a session key derived from the shared secret (SK) and including a status indicating if the identity and ephemeral key component (VCS) of authcode have been verified. If verification is successful include the AccountKeys payload, i.e. master key (MK)</li> | |||
</ol> | |||
Finally the user is notified of the registration status and if successful client record is updated with status of 'approved' | |||
<pre> | |||
Alice (Client A) Eve (MITM) Bob (Client B) | |||
t0 AIs AIp, BIp BIs, MK | |||
t1 AIs AIp, BIp BIs, MK | |||
Key AEs AEd | |||
Commit AEp | |||
t2 AIs AIp, BIp BIs, MK | |||
(OoB) AEs AEd BEs | |||
AEp BEp | |||
VCS = DIGEST(AIp, AEp) VCSui = <user input> | |||
VCR = RANDOM() VCRui = <user input> | |||
t3 AIs AIp, BIp BIs, MK | |||
AEs BEp BEs | |||
AEp AEd VCSui | |||
VCS VCRui | |||
t4 AIs AIp, BIp BIs, MK | |||
Key AEs AEp, BEp BEs | |||
Verify VCS VCSui | |||
VCR VCRui | |||
Verified = (VCSui == DIGEST(AIp, AEp) + AEd == DIGEST(AEp)) | |||
t5 AIs, MK AIp, BIp BIs, MK | |||
SK = KDF(3DHE(AIs, AEs, BIp, BEp)) SK = KDF(3DHE(BIs, BEs, AIp, AEp)) | |||
VCR VCRui | |||
VCRui | |||
Verified = (VCRui == VCR) | |||
</pre> | |||
'''Notes:''' | |||
* A QR code including Client A's entire key (AEp) would allow step 2, 3 and 4 to be collapsed into a single step. See [[#Signal (TextSecure) Registration Protocol|Signal (TextSecure) Registration Protocol]] below. | |||
'''AccountKeys JSON''' | |||
<pre> | |||
{ | |||
masterkey: "time used as input in to verification" | |||
} | } | ||
</pre> | </pre> | ||