CipherSeed MAC is keyed directly with low-entropy passphrase #4182

Closed
AaronFeickert opened this issue Jun 11, 2022 · 3 comments
Labels
A-security Area - Security related

Comments

@AaronFeickert
Collaborator

AaronFeickert commented Jun 11, 2022

The MAC used in the CipherSeed construction is keyed (via Blake2b input concatenation) with the user-supplied passphrase, which should be assumed to be of low entropy.

A straightforward improvement is to extend the associated Argon2 output and split it to generate two keys: one for the ChaCha20 encryption, and the other for the MAC. While the MAC is very short (only 5 bytes in the current design), this approach can take some advantage of any key stretching provided by Argon2, in addition to preventing an attacker from performing any kind of precomputation on the MAC prior to deriving the key.

Additionally, the use of Blake2b for this MAC construction should use proper domain separation. Any future hashing API should be strongly considered for this.

@hansieodendaal
Contributor

Wow, the pitfalls...

@jorgeantonio21
Contributor

jorgeantonio21 commented Jul 9, 2022

I tried to tackle this issue; the PR can be found here.

@AaronFeickert
Collaborator Author

AaronFeickert commented Jul 11, 2022

Another recommendation that came up recently in a discussion with @jorgeantonio21 was to use separate hash operations for turning the primary salt into the Argon2 salt and ChaCha20 nonce. This follows the best practice of not reusing key- or nonce-type material across different cryptographic primitives. The primary salt should continue to be used directly when computing the MAC, as there it serves as something akin to authenticated associated data.

stringhandler pushed a commit that referenced this issue Aug 2, 2022
Description
---
The following is an attempt to improve `CipherSeed` mnemonic generation by tackling MAC being keyed directly with a low entropy passphrase. We use proper domain separation to attain this.

Motivation and Context
---
The generation of MAC, within the context of a `CipherSeed` instance, is obtained through keying a (low) entropy passphrase. In order to reduce the chances of success of an attack involving offline key pre-computation, it is desirable to hash the passphrase, before MAC keying, using proper domain separation. The current PR is an attempt in this direction.

How Has This Been Tested?
---
With previous unit tests.
@hansieodendaal hansieodendaal added the A-security Area - Security related label Aug 15, 2022
@hansieodendaal hansieodendaal moved this to Backlog in Tari Esme Testnet Aug 15, 2022
Repository owner moved this from Backlog to Done in Tari Esme Testnet Aug 17, 2022
@jorgeantonio21 jorgeantonio21 self-assigned this Aug 17, 2022