dicekeys / dicekeys-android

DiceKeys for Android

When generating secrets, allow arbitrary strings in lieu of a sequence number #111

Open merrellb opened 3 years ago

merrellb commented 3 years ago

If I understand the current approach correctly, obtaining (or taking a photo of) the physical DiceKey would give complete access to the master key of any associated password manager. The only additional (trivial) step would be to guess the sequence number (likely 1). While providing robust protection against brute force attack from an outside actor, this seems to provide significantly less protection (vs a memorized password) against an insider threat (perhaps an untrusted roommate) who might stumble across the key.

Instead of (or as an additional option to) using a sequence number, it seems we could use an arbitrary string (i.e. password) as the seed used to generate the secret for a particular domain. This would mean that even if a nefarious roommate were to stumble upon the DiceKey, it would not lead to trivial compromise as they could not generate the master key to any domain without knowledge of the arbitrary string/password used to generate the secret. This password would not be saved in the app and would have to be entered any time the master password were to be regenerated.

A sophisticated and determined insider could, of course, use other means (e.g. keystroke logging) but I think the main insider threat would be a crime of opportunity, from a technologically unsophisticated actor. They might see "DiceKey" on a curious blue box seemingly hidden away, download the app and suddenly find that they have access to my master key and all the passwords in my manager.

I should note this is not related to #104 which is about using a password/PIN to access the app but rather directly incorporating a password into the secret generation process.

UppaJung commented 3 years ago

[I initially put this comment in #104 thinking it was about adding a password to the secret generation process. Moving it here.]

From a technical perspective, this feature is fairly straightforward to implement. From a user experience and design perspective, I have serious concerns that users need to be educated about the risks before using it.

First, if there are opportunities for offline dictionary attacks on a generated password or secret (e.g. if it's generating the private key for a matching public key), the password will need to be quite strong or it will be worthless.

A key goal of DiceKeys is to be a recovery authentication factor that is used rarely, so it can be stored someplace safe and act as a strong authenticator. However, human memory of secrets degrades quickly when users are not regularly entering those passwords or PINs. If the DiceKey is stored someplace safe and rarely used, users are likely to underestimate the chance that they'll forget it. (Also, users often don't anticipate other scenarios that could impact their memory, such as strokes or other trauma.)

merrellb commented 3 years ago

@UppaJung Thanks for the quick reply. I am not a security researcher, so apologies if I am thinking about this wrong.

My concern is that "stored someplace safe" is very dependent on the context. In a drawer in my desk would keep it away from 99.99999% of the people on the planet who could conduct an offline dictionary attack, but wouldn't necessarily keep it away from a nosey roommate who knows how to look up DiceKey on the App Store and suddenly finds that they have my master password and must decide what to do with that knowledge. I think for many users this is a far more likely scenario than a nation state looking to brute force their password (and needing to break into my house to find a DiceKey).

Even a spectacularly weak (but easy to remember) four digit PIN seems like it should prevent an online attack (not going to get 10,000 tries), and I suspect the typical sketchy roommate is unlikely to have the knowledge or motivation to carry out an offline dictionary attack (nor would they have the server side information required). It seems like the option for a PIN/password can only add security although I understand the concern about needing to remember something that is infrequently used. Perhaps a hidden advanced option with suitable caveats about something you will not forget (or hide a copy of the PIN/password far from your DiceKey)?

Transisto commented 3 years ago

I would expect this too, the app is very confusing.

Like you said, something big to have (dicekey) and something small that you can't forget (pass) is still the best combination.

mrclschstr commented 9 months ago

This is exactly the feature I was looking for. Is there a chance that this will be built into the apps?

UppaJung commented 9 months ago

You can do this with the current app. On Android, after loading your DiceKey, go to the secrets tab at the bottom, then "Custom Recipe" submenu, "password", and switch the recipe from "Web Address" to "Purpose". Enter the secret as the purpose and click "done".

The purpose becomes part of the "recipe" for creating that password. Recipes are JSON and start with { and end with }. You'll see the recipe at the top of the screen that shows the password. The app generates the password by hashing your DiceKey with the recipe. So, an attacker can't re-generate the password without guessing the secret that you entered into the purpose field.
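As an added illustration of the recipe-salted derivation described above (this is not code from the DiceKeys project), the following shows a DiceKey hashed together with a canonical JSON recipe so that the purpose field becomes a required input; the KDF, the recipe field names "sequence" and "purpose", and the sample key are assumptions made for the example:

```python
import hashlib
import json

# Constructed sample DiceKey: 25 faces of letter + digit + orientation (t/r/b/l).
# Not a real key; it only lets the example run offline.
SAMPLE_DICEKEY = ("A1tB2rC3bD4lE5tF6rG1bH2lI3tJ4rK5bL6lM1tN2rO3b"
                  "P4lR5tS6rT1bU2lV3tW4rX5bY6lZ1t")
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def canonical_recipe(recipe: dict) -> str:
    # Sorted keys, no whitespace: the same recipe always serialises identically,
    # so formatting differences in the JSON never change the derived secret.
    return json.dumps(recipe, sort_keys=True, separators=(",", ":"))


def derive_password(dicekey: str, recipe: dict, length: int = 20) -> str:
    # Stand-in KDF (PBKDF2-HMAC-SHA256), an assumption for this example and not the
    # KDF the DiceKeys apps use. The DiceKey faces are the key material and the
    # canonical recipe is the salt, so every recipe field, including "purpose",
    # changes the output.
    raw = hashlib.pbkdf2_hmac("sha256", dicekey.encode(),
                              canonical_recipe(recipe).encode(), 100_000, dklen=32)
    # Map the 256-bit output to characters by repeated division; the leftover
    # bias is negligible for 20 characters over a 62-symbol alphabet.
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def compare_recipes() -> dict:
    # Field names "sequence" and "purpose" are assumed for this example.
    # A one-character typo in the purpose yields an unrelated password, which is
    # why the thread worries about hiding the field while typing.
    return {
        "sequence_only": derive_password(SAMPLE_DICEKEY, {"type": "Password", "sequence": 1}),
        "with_purpose": derive_password(SAMPLE_DICEKEY, {"type": "Password", "purpose": "only in my head"}),
        "typo_purpose": derive_password(SAMPLE_DICEKEY, {"type": "Password", "purpose": "only in my hed"}),
    }


if __name__ == "__main__":
    for name, password in compare_recipes().items():
        print(f"{name:14s} {password}")
```

Without the purpose string, anyone holding the physical key can only reproduce the recipes that contain fields they can guess, which is the point raised at the top of the thread.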

mrclschstr commented 9 months ago

Many thanks for the little guide, I seem to have overlooked that.

Small suggestion for improvement: Currently the purpose is displayed when typing and someone could see my password in plain text if they look over my shoulder. Would it be possible to hide the password (i.e. the purpose) while typing?

Edit: My password is also displayed in plain text in the "Internal representation of your recipe" display.

UppaJung commented 9 months ago

Yes. If we wanted to do hiding it would be a new feature. We'd need to message strongly that you DO NOT want to generate a secret without visually verifying that you've typed the password correctly when creating a password to register for a service, creating an encryption key, or doing anything else where there's permanent loss if you typed something wrong.

mrclschstr commented 9 months ago

You're right, good thoughts. How about a simple hide/show toggle for the input like the "tap to show dice" button?