-
-
Notifications
You must be signed in to change notification settings - Fork 556
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support DID Auth #24
Comments
This provides crypto_box for authenticated encryption |
|
|
Authenticated Encryption in the Public-Key Setting: Security Notions and Analyses |
Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML |
Step 2, I suspect should also include an auth encrypted challenge This also implies 5 needs to happen before 2 |
@mrinalwadhwa If these "Auth Encrypt" packets are An active attacker who learns either side's secret key can mount a MiTM attack, thus reading and manipulating messages in either direction. A passive attacker who records the transcript and later learns either party's secret key can recover all encrypted messages. If you're maintaining session state, please use a KCI and FS secure key exchange such as Signal's Triple-DH, then use
This yields both stronger security and faster performance as the asymmetric operations are only necessary during the handshake, not any further messages, unless the session lives long enough to consider key rotation. If the underlying transport already provides order, you may use Rogaway's OAE2 CHAIN construction (instead of Even if we ignore Key Compromises, an attacker who sends garbage as their first packet will cause the receiver to perform the expensive asymmetric operations (DH) for each connection an attacker can open. If the responder is under load, consider using HIPv2's puzzles to avoid computation and state based denial of service attacks. I recommend just using HIPv2 as your authentication between hosts. Alternatively take what it has specified to influence your protocol design. I'm planning to implement both HIPv2 and a lightweight UDP alternative with some additional goals; both in Rust. |
@james-darkfox Thank you for that detailed feedback ❤️ The above issue/discussion is somewhat stale. We realized many of these weaknesses some months ago and spent the past few months researching and discussing this protocol design internally. The current draft of the key agreement protocol is roughly C(2e,2s) described here which uses DH with ephemeral keys and gets us Forward Secrecy (but not KCI protection). Signal's X3DH has been part of the on going discussion however we haven't formed an opinion yet on one-time prekeys within the contest of ockam's overall design. We're also leaning on AEAD_AES_128_GCM_SIV as the AEAD construction after we have key agreement. We've been looking into the effort needed to implement it with the various hardware we want to support. Which, at least theoretically, seems feasible. Greatly appreciate your post, I will try to publish our draft design over the next few weeks and would love to get more feedback. |
@mrinalwadhwa Signal's extension to 3DH only weakens the handshake for the convenience of bootstrapping asynchronous messaging; it takes away only one message at the cost of distributing and managing the single use prekeys and a 4th DH call. IMO it is unnecessary. KCI resistance is critical. For a flexible protocol the core handshake should do nothing more than anonymous-DH to establish the session's key and to pass a session-bound token to the application for arbitrary authentication mechanisms of its choice. 3DH is cheap for mutual static-key authentication; (only beaten by schemes designed for stronger adversaries). OPAQUE for password authentication, optionally composed with a secure two-factor authentication protocol. AES-128-GCM-SIV relies only on AES and CLMUL acceleration to be efficient. If you need a fallback for when they are not available; you may want to look into HS1-SIV (chacha20 based SIV), HPolyC (chacha20 + aes-soft + NH/poly1305 hybrid ADU), or a few others. Regarding the DID -> public key lookup and locator meta; I recommend sending the public keys without relying on online access to a third party registry for the lookup. The identity can optionally point to a third party to check for revocation; that third party may be your blockchain or it may be an entity under the user's control. Stronger symmetric credentials may be used with optional identity-bounds for authorization. Google's Macaroons rely only on a keyed-hash function and a single bit per credential a server mints. Macaroons are designed for single entities to mint and verify; while the clients can delegate and provision their authorities without identities and without having to talk to the server. I've noticed you're interested in object capabilities; macaroons are a great way to implement ocaps. I'm happy to help. Ping me when you publish the next draft and I'll take a look. Are you on IRC? |
DID Auth:
https://github.com/WebOfTrustInfo/rwot6-santabarbara/blob/master/final-documents/did-auth.md
https://www.slideshare.net/SSIMeetup/introduction-to-did-auth-with-markus-sabadello
The text was updated successfully, but these errors were encountered: