On Making U2F Protocol Leakage-Resilient via Re-keying

The Universal 2nd Factor (U2F) protocol is an open authentication standard to strengthen the two-factor authentication process. It augments the existing password based infrastructure by using a specialized USB, termed as the U2F authenticator, as the 2nd factor. The U2F authenticator is assigned two fixed keys at the time of manufacture, namely the device secret key and the attestation private key. These secret keys are later used by the U2F authenticator during the Registration phase to encrypt and digitally sign data that will help in proper validation of the user and the web server. However, the use of fixed keys for the above processing leaks information through side channel about both the secrets. In this work we show why the U2F protocol is not secure against side channel attacks (SCA). We then present a countermeasure for the SCA based on re-keying technique to prevent the repeated use of the device secret key for encryption and signing. We also recommend a modification in the existing U2F protocol to minimise the effect of signing with the fixed attestation private key. Incorporating our proposed countermeasure and recommended modification, we then present a new variant of the U2F protocol that has improved security guarantees. We also briefly explain how the side channel attacks on the U2F protocol and the corresponding proposed countermeasures are similarly applicable to Universal Authentication Framework (UAF) protocol.

[1]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[2]  Raymond Turner,et al.  Specification , 2011, Minds and Machines.

[3]  Donghoon Chang,et al.  Cryptographic Module Based Approach for Password Hashing Schemes , 2014, PASSWORDS.

[4]  Ken Thompson,et al.  Password security: a case history , 1979, CACM.

[5]  Jean-Jacques Quisquater,et al.  ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards , 2001, E-smart.

[6]  William Stallings,et al.  Cryptography and Network Security: Principles and Practice , 1998 .

[7]  Dakshi Agrawal,et al.  Templates as Master Keys , 2005, CHES.

[8]  Jerome H. Saltzer,et al.  Protection and the control of information sharing in multics , 1974, CACM.

[9]  William Stallings,et al.  Cryptography and network security - principles and practice (3. ed.) , 2014 .

[10]  Mihir Bellare,et al.  Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques , 2000, ASIACRYPT.

[11]  Dan S. Wallach,et al.  Origin-Bound Certificates: A Fresh Approach to Strong Client Authentication for the Web , 2012, USENIX Security Symposium.

[12]  Srdjan Capkun,et al.  On the Effective Prevention of TLS Man-in-the-Middle Attacks in Web Applications , 2014, USENIX Security Symposium.

[13]  Pankaj Rohatgi,et al.  Template Attacks , 2002, CHES.

[14]  David E. Culler,et al.  A practical evaluation of radio signal strength for ranging-based localization , 2007, MOCO.

[15]  Dengguo Feng,et al.  Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing , 2005, IACR Cryptol. ePrint Arch..

[16]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[17]  Dirk Balfanz,et al.  Transport Layer Security (TLS) Channel IDs , 2013 .

[18]  Patrick Schaumont,et al.  State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures , 2010, 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[19]  Mauro Conti,et al.  A Survey of Man In The Middle Attacks , 2016, IEEE Communications Surveys & Tutorials.

[20]  Longbing Cao,et al.  Effective detection of sophisticated online banking fraud on extremely imbalanced data , 2012, World Wide Web.

[21]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.