Should Weak Keys Be Rejected Server-Side?
Background
The proposed authentication mechanism uses the Ed25519 signing protocol. In this protocol, there is a type of forgery called "weak key forgery". In this attack, a special public key A and a signature σ can be generated such that, for any message m, there is a high probability that σ is a valid signature for m with respect to A [1].
If a "weak key" were used for authentication, then many login signatures would be identical, and if an attacker managed to get access to that signature, they could attempt to use it to log in as the account being attacked.
Proposal
The Rust library ed25519-dalek, version 2.0.0-rc.2, provides the is_weak method on VerifyingKey, which we could use to check that any new public key is not a "weak key" before it is set, returning an error if the provided public key is a "weak key".
Pros
Prevents use of insecure "weak keys" as public login keys
Cons
Would require more error handling client-side
Alternative
We could strongly recommend not using weak keys and possibly checking for them after generation; however, the chance of randomly generating a "weak key" is very low.
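As an added illustration, not code from this proposal or from ed25519-dalek: a dependency-free Python reference of the property that is_weak reports (the key decodes to a small-order point, so multiplying it by the cofactor 8 yields the identity), wrapped in a hypothetical check_login_key gate of the kind the proposal describes for new public keys. The function names, the "invalid"/"weak"/"ok" labels and the sample key are assumptions; the curve constants are the standard Ed25519 parameters.

```python
# Added reference check, not ed25519-dalek code: it decides whether an
# Ed25519 public key is a small-order ("weak") point, the property that
# VerifyingKey::is_weak reports. Pure Python, no dependencies.
P = 2**255 - 19                            # field prime
D = (-121665 * pow(121666, P - 2, P)) % P   # curve constant d = -121665/121666
SQRT_M1 = pow(2, (P - 1) // 4, P)           # sqrt(-1) mod P
# Constructed sample: the identity encoding (0x01 then zeros) is the simplest weak key.
WEAK_SAMPLE = bytes([1]) + bytes(31)

def decompress(key: bytes):
    """Decode a 32-byte compressed point to affine (x, y); None if invalid."""
    if len(key) != 32:
        return None
    y = int.from_bytes(key, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= P:
        return None                         # non-canonical y coordinate
    u, v = (y * y - 1) % P, (D * y * y + 1) % P   # x^2 = u / v
    x2 = u * pow(v, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)            # candidate root (P = 5 mod 8)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        return None                         # y is not on the curve
    if x == 0 and sign:
        return None                         # RFC 8032: x = 0 with sign bit set
    if (x & 1) != sign:
        x = P - x
    return (x, y)

def add(pt1, pt2):
    """Complete twisted-Edwards addition (curve parameter a = -1); doubles when pt1 == pt2."""
    x1, y1 = pt1
    x2, y2 = pt2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P
    return (x3, y3)

def is_weak(point) -> bool:
    """Small order <=> cofactor * point == identity; 8 * A is three doublings."""
    for _ in range(3):
        point = add(point, point)
    return point == (0, 1)

def check_login_key(key: bytes) -> str:
    """Hypothetical server-side gate for a new login key: 'invalid', 'weak' or 'ok'."""
    point = decompress(key)
    if point is None:
        return "invalid"
    return "weak" if is_weak(point) else "ok"
```

check_login_key(WEAK_SAMPLE) returns "weak", as do the encodings of y = -1 and y = 0 (the order-2 and order-4 points), while the Ed25519 base point encoding (0x58 followed by 31 bytes of 0x66) returns "ok".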
[1] Weak key forgery and verify_strict(), https://github.com/dalek-cryptography/ed25519-dalek/blob/80aac08c1ca4a4a14912707650413b59c989e79a/README.md#weak-key-forgery-and-verify_strict