3
0
Fork 0
forked from mirrors/nixpkgs

Update to the Yubikey PBA

Security-relevant changes:
 * No (salted) passphrase hash send to the yubikey, only hash of the salt (as it was in the original implementation).
 * Derive $k_luks with PBKDF2 from the yubikey $response (as the PBKDF2 salt) and the passphrase $k_user
   (as the PBKDF2 password), so that if two-factor authentication is enabled
   (a) a USB-MITM attack on the yubikey itself is not enough to break the system
   (b) the potentially low-entropy $k_user is better protected against brute-force attacks
 * Instead of using uuidgen, gather the salt (previously random uuid / uuid_r) directly from /dev/random.
 * Length of the new salt in byte added as the parameter "saltLength", defaults to 16 byte.
   Note: Length of the challenge is 64 byte, so saltLength > 64 may have no benefit over saltLengh = 64.
 * Length of $k_luks derived with PBKDF2 in byte added as the parameter "keyLength", defaults to 64 byte.
   Example: For a luks device with a 512-bit key, keyLength should be 64.
 * Increase of the PBKDF2 iteration count per successful authentication added as the
   parameter "iterationStep", defaults to 0.

Other changes:
 * Add optional grace period before trying to find the yubikey, defaults to 2 seconds.

Full overview of the yubikey authentication process:

  (1) Read $salt and $iterations from unencrypted device (UD).
  (2) Calculate the $challenge from the $salt with a hash function.
      Chosen instantiation: SHA-512($salt).
  (3) Challenge the yubikey with the $challenge and receive the $response.
  (4) Repeat three times:
    (a) Prompt for the passphrase $k_user.
    (b) Derive the key $k_luks for the luks device with a key derivation function from $k_user and $response.
        Chosen instantiation: PBKDF2(HMAC-SHA-512, $k_user, $response, $iterations, keyLength).
    (c) Try to open the luks device with $k_luks and escape loop (4) only on success.
  (5) Proceed only if luks device was opened successfully, fail otherwise.

  (6) Gather $new_salt from a cryptographically secure pseudorandom number generator
      Chosen instantiation: /dev/random
  (7) Calculate the $new_challenge from the $new_salt with the same hash function as (2).
  (8) Challenge the yubikey with the $new_challenge and receive the $new_response.
  (9) Derive the new key $new_k_luks for the luks device in the same manner as in (4) (b),
      but with more iterations as given by iterationStep.
 (10) Try to change the luks device's key $k_luks to $new_k_luks.
 (11) If (10) was successful, write the $new_salt and the $new_iterations to the UD.
      Note: $new_iterations = $iterations + iterationStep

Known (software) attack vectors:

 * A MITM attack on the keyboard can recover $k_user. This, combined with a USB-MITM
   attack on the yubikey for the $response (1) or the $new_response (2) will result in
   (1) $k_luks being recovered,
   (2) $new_k_luks being recovered.
 * Any attacker with access to the RAM state of stage-1 at mid- or post-authentication
   can recover $k_user, $k_luks, and  $new_k_luks
 * If an attacker has recovered $response or $new_response, he can perform a brute-force
   attack on $k_user with it without the Yubikey needing to be present (using cryptsetup's
   "luksOpen --verify-passphrase" oracle. He could even make a copy of the luks device's
   luks header and run the brute-force attack without further access to the system.
 * A USB-MITM attack on the yubikey will allow an attacker to attempt to brute-force
   the yubikey's internal key ("shared secret") without it needing to be present anymore.

Credits:

 * Florian Klien,
   for the original concept and the reference implementation over at
   https://github.com/flowolf/initramfs_ykfde
 * Anthony Thysse,
   for the reference implementation of accessing OpenSSL's PBKDF2 over at
   http://www.ict.griffith.edu.au/anthony/software/pbkdf2.c
This commit is contained in:
Moritz Maxeiner 2014-02-05 17:10:59 +01:00
parent 8e74e1fded
commit 09f9af17b4
2 changed files with 137 additions and 54 deletions

View file

@ -43,22 +43,33 @@ let
}
hextorb() {
( tr '[:lower:]' '[:upper:]' | sed -e 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI'| xargs printf )
( tr '[:lower:]' '[:upper:]' | sed -e 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf )
}
open_yubikey() {
# Make all of these local to this function
# to prevent their values being leaked
local salt
local iterations
local k_user
local challenge
local response
local k_luks
local opened
local new_salt
local new_iterations
local new_challenge
local new_response
local new_k_luks
mkdir -p ${yubikey.storage.mountPoint}
mount -t ${yubikey.storage.fsType} ${toString yubikey.storage.device} ${yubikey.storage.mountPoint}
local uuid_r
local k_user
local challenge
local opened
sleep 1
uuid_r="$(cat ${yubikey.storage.mountPoint}${yubikey.storage.path})"
salt="$(cat ${yubikey.storage.mountPoint}${yubikey.storage.path} | sed -n 1p | tr -d '\n')"
iterations="$(cat ${yubikey.storage.mountPoint}${yubikey.storage.path} | sed -n 2p | tr -d '\n')"
challenge="$(echo -n $salt | openssl-wrap dgst -binary -sha512 | rbtohex)"
response="$(ykchalresp -${toString yubikey.slot} -x $challenge 2>/dev/null)"
for try in $(seq 3); do
@ -68,9 +79,11 @@ let
echo
''}
challenge="$(echo -n $k_user$uuid_r | openssl-wrap dgst -binary -sha512 | rbtohex)"
k_luks="$(ykchalresp -${toString yubikey.slot} -x $challenge 2>/dev/null)"
if [ ! -z "$k_user" ]; then
k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString yubikey.keyLength} $iterations $response | rbtohex)"
else
k_luks="$(echo | pbkdf2-sha512 ${toString yubikey.keyLength} $iterations $response | rbtohex)"
fi
echo -n "$k_luks" | hextorb | cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} --key-file=-
@ -89,53 +102,60 @@ let
exit 1
fi
update_failed=false
echo -n "Gathering entropy for new salt (please enter random keys to generate entropy if this blocks for long)..."
for i in $(seq ${toString yubikey.saltLength}); do
byte="$(dd if=/dev/random bs=1 count=1 2>/dev/null | rbtohex)";
new_salt="$new_salt$byte";
echo -n .
done;
echo "ok"
local new_uuid_r
new_uuid_r="$(uuidgen)"
if [ $? != "0" ]; then
for try in $(seq 10); do
sleep 1
new_uuid_r="$(uuidgen)"
if [ $? == "0" ]; then break; fi
if [ $try -eq 10 ]; then update_failed=true; fi
done
fi
new_iterations="$iterations"
${optionalString (yubikey.iterationStep > 0) ''
new_iterations="$(($new_iterations + ${toString yubikey.iterationStep}))"
''}
if [ "$update_failed" == false ]; then
new_uuid_r="$(echo -n $new_uuid_r | head -c 36 | tr -d '-')"
new_challenge="$(echo -n $new_salt | openssl-wrap dgst -binary -sha512 | rbtohex)"
local new_challenge
new_challenge="$(echo -n $k_user$new_uuid_r | openssl-wrap dgst -binary -sha512 | rbtohex)"
new_response="$(ykchalresp -${toString yubikey.slot} -x $new_challenge 2>/dev/null)"
local new_k_luks
new_k_luks="$(ykchalresp -${toString yubikey.slot} -x $new_challenge 2>/dev/null)"
mkdir -p ${yubikey.ramfsMountPoint}
# A ramfs is used here to ensure that the file used to update
# the key slot with cryptsetup will never get swapped out.
# Warning: Do NOT replace with tmpfs!
mount -t ramfs none ${yubikey.ramfsMountPoint}
echo -n "$new_k_luks" | hextorb > ${yubikey.ramfsMountPoint}/new_key
echo -n "$k_luks" | cryptsetup luksChangeKey ${device} --key-file=- ${yubikey.ramfsMountPoint}/new_key
if [ $? == "0" ]; then
echo -n "$new_uuid_r" > ${yubikey.storage.mountPoint}${yubikey.storage.path}
else
echo "Warning: Could not update LUKS key, current challenge persists!"
fi
rm -f ${yubikey.ramfsMountPoint}/new_key
umount ${yubikey.ramfsMountPoint}
rm -rf ${yubikey.ramfsMountPoint}
if [ ! -z "$k_user" ]; then
new_k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString yubikey.keyLength} $new_iterations $new_response | rbtohex)"
else
echo "Warning: Could not obtain new UUID, current challenge persists!"
new_k_luks="$(echo | pbkdf2-sha512 ${toString yubikey.keyLength} $new_iterations $new_response | rbtohex)"
fi
mkdir -p ${yubikey.ramfsMountPoint}
# A ramfs is used here to ensure that the file used to update
# the key slot with cryptsetup will never get swapped out.
# Warning: Do NOT replace with tmpfs!
mount -t ramfs none ${yubikey.ramfsMountPoint}
echo -n "$new_k_luks" | hextorb > ${yubikey.ramfsMountPoint}/new_key
echo -n "$k_luks" | hextorb | cryptsetup luksChangeKey ${device} --key-file=- ${yubikey.ramfsMountPoint}/new_key
if [ $? == "0" ]; then
echo -ne "$new_salt\n$new_iterations" > ${yubikey.storage.mountPoint}${yubikey.storage.path}
else
echo "Warning: Could not update LUKS key, current challenge persists!"
fi
rm -f ${yubikey.ramfsMountPoint}/new_key
umount ${yubikey.ramfsMountPoint}
rm -rf ${yubikey.ramfsMountPoint}
umount ${yubikey.storage.mountPoint}
}
${optionalString (yubikey.gracePeriod > 0) ''
echo -n "Waiting ${toString yubikey.gracePeriod} seconds as grace..."
for i in $(seq ${toString yubikey.gracePeriod}); do
sleep 1
echo -n .
done
echo "ok"
''}
yubikey_missing=true
ykinfo -v 1>/dev/null 2>&1
if [ $? != "0" ]; then
@ -292,6 +312,30 @@ in
description = "Which slot on the Yubikey to challenge";
};
saltLength = mkOption {
default = 16;
type = types.int;
description = "Length of the new salt in byte (64 is the effective maximum)";
};
keyLength = mkOption {
default = 64;
type = types.int;
description = "Length of the LUKS slot key derived with PBKDF2 in byte";
};
iterationStep = mkOption {
default = 0;
type = types.int;
description = "How much the iteration count for PBKDF2 is increased at each successful authentication";
};
gracePeriod = mkOption {
default = 2;
type = types.int;
description = "Time in seconds to wait before attempting to find the Yubikey";
};
ramfsMountPoint = mkOption {
default = "/crypt-ramfs";
type = types.string;
@ -300,7 +344,7 @@ in
storage = mkOption {
type = types.optionSet;
description = "Options related to the storing the random UUID";
description = "Options related to the storing the salt";
options = {
device = mkOption {
@ -308,7 +352,7 @@ in
type = types.path;
description = ''
An unencrypted device that will temporarily be mounted in stage-1.
Must contain the current random UUID to create the challenge for this LUKS device.
Must contain the current salt to create the challenge for this LUKS device.
'';
};
@ -328,7 +372,7 @@ in
default = "/crypt-storage/default";
type = types.string;
description = ''
Absolute path of the random UUID on the unencrypted device with
Absolute path of the salt on the unencrypted device with
that device's root directory as "/".
'';
};
@ -370,11 +414,13 @@ in
cp -pdv ${pkgs.popt}/lib/libpopt*.so.* $out/lib
${optionalString luks.yubikeySupport ''
cp -pdv ${pkgs.utillinux}/bin/uuidgen $out/bin
cp -pdv ${pkgs.ykpers}/bin/ykchalresp $out/bin
cp -pdv ${pkgs.ykpers}/bin/ykinfo $out/bin
cp -pdv ${pkgs.openssl}/bin/openssl $out/bin
cc -O3 -I${pkgs.openssl}/include -L${pkgs.openssl}/lib ${./pbkdf2-sha512.c} -o $out/bin/pbkdf2-sha512 -lcrypto
strip -s $out/bin/pbkdf2-sha512
cp -pdv ${pkgs.libusb1}/lib/libusb*.so.* $out/lib
cp -pdv ${pkgs.ykpers}/lib/libykpers*.so.* $out/lib
cp -pdv ${pkgs.libyubikey}/lib/libyubikey*.so.* $out/lib
@ -394,7 +440,6 @@ EOF
boot.initrd.extraUtilsCommandsTest = ''
$out/bin/cryptsetup --version
${optionalString luks.yubikeySupport ''
$out/bin/uuidgen --version
$out/bin/ykchalresp -V
$out/bin/ykinfo -V
cat > $out/bin/openssl-wrap <<EOF

View file

@ -0,0 +1,38 @@
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <openssl/evp.h>
void hextorb(uint8_t* hex, uint8_t* rb)
{
while(sscanf(hex, "%2x", rb) == 1)
{
hex += 2;
rb += 1;
}
*rb = '\0';
}
int main(int argc, char** argv)
{
uint8_t k_user[2048];
uint8_t salt[2048];
uint8_t key[4096];
uint32_t key_length = atoi(argv[1]);
uint32_t iteration_count = atoi(argv[2]);
hextorb(argv[3], salt);
uint32_t salt_length = strlen(argv[3]) / 2;
fgets(k_user, 2048, stdin);
uint32_t k_user_length = strlen(k_user);
if(k_user[k_user_length - 1] == '\n') {
k_user[k_user_length - 1] = '\0';
}
PKCS5_PBKDF2_HMAC(k_user, k_user_length, salt, salt_length, iteration_count, EVP_sha512(), key_length, key);
fwrite(key, 1, key_length, stdout);
return 0;
}