undefined | Better HN

0 pointsfuoqi5y ago0 comments

>PAKE still require storing verifier on the server, which is basically a password hash.

No, there is an important difference: leaking this verifier does not let an attacker to impersonate user at will. See my other message [0].

Is my understanding correct that you derive two keys from user password, one used for authentication and one for decrypting encrypted content which does not leave the user's computer? In that case, yes, it's somewhat better than the typical scenario, though I personally would still prefer if a proper PAKE was used for authentication. It may not apply to your service, but leaking encrypted data can still result in exposing certain meta-information, which may be important, so it's better to be extra-safe in such matters.

[0]: https://news.ycombinator.com/item?id=26230200

0 comments

dchest5y ago

(Not my service, I'm just a random commenter)

The same happens with PAKE during registration, where the user will need to provide the verifier. Since everything happens over TLS anyway, and hopefully, with pinning (in apps), this is not a huge concern.

I haven't checked Bitwarden, but even though 1Password uses SRP, the initial registration happens in a browser. (PAKE inside a browser with JavaScript is even more useless.) Their protocol though uses a strong key in addition to password, making password bruteforcing from the verifier impossible.

I'm not against PAKE — the biggest benefit is that you don't have to create your own protocol and make mistakes. What I'm saying is that for such use cases its security benefits compared to other protocols are negligible.

fuoqiOP5y ago

>The same happens with PAKE during registration, where the user will need to provide the verifier.

In a typical PAKE, generated challenge depends on random values generated by both server and user, so if at least one of them is not controlled by an attacker, the generated challenge will be different each time. So leaking the verifier or eavesdropping on previous logins does not help an attacker to impersonate user in any way.

dchest5y ago

Right, the verifier can't be used to impersonate the user, but can be used to verify password guesses offline.

CyberRage5y ago

Encryption\Decryption are done locally. the server has no clue what your master-key is, all it knows here's a blob of data you need to store, here's my "ID"(The secondary key generated which is different from the encryption key and also relies on the master-key and other parameters).

When retrieving the vault, the program will generate the secondary key, provides it to the server(You can add 2FA btw), the server sees that indeed it matches one of the ID's and sends you back the encrypted vault. decryption is done locally.

I don't see any issue with this process, maybe you care to point the attack vector\scenario

fuoqiOP5y ago

Leaking the secondary key will allow an attacker to impersonate user at any time and to continuously retrieve the encrypted vault. As I've said, it may not be important for a password storage, but in more sophisticated applications continuous access to an encrypted vault may leak important meta-information (e.g. number of files, their size, time of creation, etc.).

CyberRage5y ago

As I've mentioned, when retrieving the vault other parameters need to match like Account name, Email etc.

You can add 2FA to the authentication process.

All metadata is obviously encrypted, the data is just a single blob. you maybe could try to guess the number of entries based on size but that's too dynamic as well.

These products were attacked before, decrypting the vault wasn't how they were attacked.

It was with bugs\vulnerabilities within the browser extensions that lead to data leaks. something else entirely.

j / k navigate · click thread line to collapse

0 pointsfuoqi5y ago0 comments

>PAKE still require storing verifier on the server, which is basically a password hash.

No, there is an important difference: leaking this verifier does not let an attacker to impersonate user at will. See my other message [0].

[0]: https://news.ycombinator.com/item?id=26230200

0 comments

dchest5y ago

(Not my service, I'm just a random commenter)

fuoqiOP5y ago

>The same happens with PAKE during registration, where the user will need to provide the verifier.

dchest5y ago

Right, the verifier can't be used to impersonate the user, but can be used to verify password guesses offline.

CyberRage5y ago

I don't see any issue with this process, maybe you care to point the attack vector\scenario

fuoqiOP5y ago

CyberRage5y ago

As I've mentioned, when retrieving the vault other parameters need to match like Account name, Email etc.

You can add 2FA to the authentication process.

All metadata is obviously encrypted, the data is just a single blob. you maybe could try to guess the number of entries based on size but that's too dynamic as well.

These products were attacked before, decrypting the vault wasn't how they were attacked.

It was with bugs\vulnerabilities within the browser extensions that lead to data leaks. something else entirely.

j / k navigate · click thread line to collapse