undefined | Better HN

0 pointstialaramex5y ago0 comments

> I never really understood this. Ed25519 keys use SHA-512 and are considered secure. They're still just long secrets, aren't they?

No. I find it easiest to keep this straight in my head with a line from the U2 song "The Fly", "a secret is something you tell one other person". You're thinking of Ed25519 private keys, you mustn't tell those to anybody and they're minted as a pair with a public key you can tell to everybody.

> What's to prevent me from using a similarly long, randomly generated secret as my password

That's a Shared Secret. You tell the password to the remote web site. They have a copy of it, their permanent copy of it is likely hashed, but you send them a new, unhashed version of that same password to the site every single time you log in.

This makes all the difference in the world. Let's see that in action:

Suppose that Edward, who is Evil, has complete insight into everything stored by and every program running at Facebook for an hour. If someone logs into Facebook using a password, obviously Edward learns the password, it was sent to Facebook so they could check it was correct. So Edward can log in as any Facebook user who logged in while Edward's magical insight lasted? Right?

Nope. Facebook has WebAuthn. For WebAuthn users logging in involves public key cryptography. Facebook has a public key for those users but no private key. Edward can see that the users were properly authenticated, but he doesn't get a persistent credential because the persistent credential never left the user's grasp. He cannot log in as those users, only they can do that.

0 comments

10 comments · 2 top-level

KronisLV5y ago· 4 in thread

This makes me wonder about something else: why not just hash the passwords client side and send the hashed value to the server? Better yet, why not make the hashes salted with something like a timestamp (similarly to how TOTP works), so that those hashes couldn't be reused later?

What's inside of the private key is a long secret (albeit not a shared one), a password also feels like it should be a secret that's not shared. So why hasn't the industry made that happen? Why can't we have solutions where one's password does not leave their browser?

shandor5y ago

Everything you described is still a shared secret. Hashing your password client side is just a way to create a random, shared password. Yes, an attacker has a much harder time getting to your password, but they don't need to if it's the hash that's the one the server knows and checks against.

Asymmetric cryptography with its Math Magic IS the solution industry came up with.

KronisLV5y ago

But if the valid hash changes as a function of time (e.g. a time based salt value), does it still matter as much, then? If a stale hash is stolen, then it doesn't allow to log in since it's no longer valid, nor does it allow figuring out the original password.

I find it interesting to reason about all of the interesting ways this could still break, as long as the words of Eoin Woods [1] are followed: "Never invent security tech.", to only reason about these things outside of production environments, and use tested solutions there. In that regard, asymemetric cryptography and the frameworks surrounding it seem to be the one way to go.

Of course, that brings up a further question: why aren't certificates the default way to sign up for sites for end users? Instead of coming up with a password, or using API keys or whatever, why not create a certificate through some sort of a browser/external mechanism instead? It feels like no attempts have been made to make something like that easier, so that it'd replace the concept of passwords.

Thanks for your input, but i guess i shouldn't take up too much of your time.

  [1] https://speakerdeck.com/eoinwoods/secure-by-design-security-design-principles-for-the-working-architect?slide=31 (or in video form: https://www.youtube.com/watch?v=4qN3JBGd1g8 )

1 more reply

tialaramexOP5y ago

shandor explained why the trivial approach you thought of doesn't work.

But you can actually have what you're asking for. It's called an Asymmetric Password Authenticated Key Exchange or aPAKE. The IRTF is in the process of recommending OPAQUE for this purpose: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-opaque...

However, given that we're still putting the finishing touches on the OPAQUE recommendation in 2021 and older attempts at this have needed numerous patches to fix unforeseen problems, it is understandable that Tim's toy hypermedia system (which became the Web) did not implement this feature thirty years ago.

KronisLV5y ago

Thanks for the link, it seems like an interesting approach!

Thorrez5y ago· 4 in thread

Overall I agree, but couldn't Edward steal the users' Facebook cookies regardless of WebAuthn? I think those last until the user clicks logout, so many of them will last forever.

Additionally, Edward can steal the cookies of every user using Facebook for that hour. But he can only steal the passwords of a small fraction of those users, because only a small fraction will start a new session; most users will use existing sessions (because the cookies last forever).

dandarie5y ago

Yes, he can steal the cookies and new passwords, but still won't have access to user accounts and/or passwords for more than an hour.

So, after Edward is discovered, all sessions are remotely logged off and all accounts created during that hour are blocked, asked to confirm their email, phone or even identity, or deleted.

So, after one hour, Edward is left with nothing more than braggable rights. And personal data of billions, but not their passwords.

Thorrez5y ago

Interesting. But this point seems a bit different than the one tialaramex was making.

tialaramex's criticism of passwords was that Edward can use the stolen ones eternally. But if your actions are followed, with Facebook resetting all those users' passwords and forcing them to reconfirm via email or phone, then tialaramex's criticism doesn't really apply anymore. The criticism only applies to users who reused their passwords on other sites, because Edward can still attack those other sites.

1 more reply

tialaramexOP5y ago

Facebook can invalidate all existing cookies, and with them Edward's access based on cookies. This is slightly inconvenient for users (they are logged out and need to log back in) but it locks Edward out except for where users are relying on passwords alone and Edward knows their password.

You as an individual Facebook user can also invalidate sessions you subsequently realise shouldn't exist and thus the associated cookie. Just realised you're still logged into Facebook on your mother-in-law's laptop that you used for a few minutes this afternoon? Go into Facebook privacy & security settings to see that session shown on a list, then click to log it out. If you are just worried that somebody has cloned your current session by learning the cookie value (I don't know what countermeasures, if any, Facebook use) you can log yourself out and get a new one, which of course invalidates any cloned session.

Thorrez5y ago

Invalidating all cookies will only happen if Facebook learns of the attack. Facebook can invalidate all cookies used during the 1 hour period, and they can also invalidate all passwords used during the 1 hour period (a much smaller number) and force people to recover their accounts by other means (recovery email or phone). Yes, it would be quite painful, but it would be possible.

Most users are not motivated or knowledgeable enough to manually invalidate sessions. If a user is motivated to do that, the user could just as easily do a password change.

j / k navigate · click thread line to collapse

0 comments

10 comments · 2 top-level

KronisLV5y ago· 4 in thread

shandor5y ago

Asymmetric cryptography with its Math Magic IS the solution industry came up with.

KronisLV5y ago

Thanks for your input, but i guess i shouldn't take up too much of your time.

  [1] https://speakerdeck.com/eoinwoods/secure-by-design-security-design-principles-for-the-working-architect?slide=31 (or in video form: https://www.youtube.com/watch?v=4qN3JBGd1g8 )

1 more reply

tialaramexOP5y ago

shandor explained why the trivial approach you thought of doesn't work.

KronisLV5y ago

Thanks for the link, it seems like an interesting approach!

Thorrez5y ago· 4 in thread

Overall I agree, but couldn't Edward steal the users' Facebook cookies regardless of WebAuthn? I think those last until the user clicks logout, so many of them will last forever.

dandarie5y ago

Yes, he can steal the cookies and new passwords, but still won't have access to user accounts and/or passwords for more than an hour.

So, after Edward is discovered, all sessions are remotely logged off and all accounts created during that hour are blocked, asked to confirm their email, phone or even identity, or deleted.

So, after one hour, Edward is left with nothing more than braggable rights. And personal data of billions, but not their passwords.

Thorrez5y ago

Interesting. But this point seems a bit different than the one tialaramex was making.

1 more reply

tialaramexOP5y ago

Thorrez5y ago

Most users are not motivated or knowledgeable enough to manually invalidate sessions. If a user is motivated to do that, the user could just as easily do a password change.

j / k navigate · click thread line to collapse