2 Become One, 1 Becomes Two: Attacking and Protecting 2FA Tokens
TalBeery1
29 slides
Jul 17, 2024
About This Presentation
Compromised credentials have been APT groups’ favorite tool for accessing, propagating and maintaining access to their victims’ networks. To mitigate this risk, defenders deploy second factor authentication (2FA) tokens. Since APTs are persistent, they must regain their access to these networks by attacking 2FA tokens.
Once a 2FA token’s secret is revealed, two become one and attackers win.
Slide Content
2 Become 1, 1 Becomes 2: Attacking and protecting 2-factor auth (2FA). PasswordCon 2020
👋 Hi, I’m Tal Be’ery
- Co-Founder, Security Research @ ZenGo
- 20 years of cyber security experience
- Former EIR Innov8 VC, VP Research Aorato (acquired by Microsoft)
- @talbeerysec
👋 Hi, I’m Alex Manuskin
- Security and Blockchain Research @ ZenGo
Easy and Secure crypto experience: all from your mobile device
- Founded in 2017
- VC backed since 2018
- 20 employees
- We’re hiring!
Agenda
- 2FA, U2F + WebAuthn: motivation, how it works
- Hardware solutions ≠ silver bullet: confidentiality, availability, UX issues
- How are 2FA and crypto wallets related? Spoiler: they are virtually the SAME!!
- Distributed U2F: Threshold Signatures (TSS) applied to U2F: theory, code (open source on GitHub), demo
- Next steps
- Q&A
U2F motivation: password-related security issues
- Passwords are one of the key factors in breaches (Verizon DBIR 2020)
- Humans are not so good with secrets
  - Generation: guessable passwords, password reuse
  - Protecting them: phishing
2FA: Replacing humans with machines
- Machines are better than humans with secrets
  - Generation: a random key for each site; no more weak passwords or password reuse
  - Protection: machines are not confused by visually similar phishing sites
  - Machines can do crypto and use other crypto standards (TLS Channel ID) to prevent MITM attacks
- Some added benefits:
  - By using public key cryptography, the website does not need to know users’ secrets
  - Private keys can be stored on separate hardware to reduce malware-based theft
- However, machines require standards!
Source: cleverism.com
2FA standardization: U2F + WebAuthn
- Web Authentication (WebAuthn): standardizes an interface for authenticating users to web apps using public-key cryptography (Wikipedia)
- Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) (Wikipedia)
- Supported by 2FA vendors, browsers and web apps
Source: yubico.com
U2F + WebAuthn: More technically
- User generates a key pair (private, public) with a U2F device
- User registers the public key with the service
- On authentication, the service sends a challenge and the user signs it with their U2F device
[Diagram: U2F device, Browser, Website; the challenge flows from the website to the device, the signature flows back, and the website authenticates the user]
2FA solution requirements
- Generate a key pair (private, public)
- Sign a message with the private key
- Understand the protocol to generate messages / validate messages to be signed
- Keep the private key secure, as it enables full control
  - If attackers obtain the key, they have the same capabilities as the original owner, same as with a password: 2 (factors) effectively become 1
U2F: Hardware is not a perfect solution
- Security
  - Confidentiality: Hardware > Software, but hardware can be attacked too (physical attacks, vulnerabilities)
  - Availability: Software > Hardware. Backing up keys in software is easy, but what happens when you lose your HW token?
- UX: Software > Hardware
  - People don’t want another thing in their pocket
  - How do you share an account with multiple people?
- Cost: Hardware costs much more than the “0 cost” of a password or software
Cryptocurrency wallet solution requirements
- Generate a key pair (private, public)
- Sign a message with the private key
- Understand the protocol to generate messages / validate messages to be signed
- Keep the private key secure, as it enables full control
Source: twitter.com/balajis/
ZenGo makes crypto zen. Buy, store, trade, and earn crypto in a tap.
Threshold Signatures (TSS): 1 becomes 2
- The private key becomes distributed: no longer a Single Point of Failure
- Distributed protocols: back-and-forth message exchange between parties
  - Key generation: each party creates a “share” (which is not “half of the key”)
  - Signing: using the shares, the parties sign together
- The signature looks the same!
- When 1 (private key) becomes 2 (shares):
  - Harder for attackers to steal: they need to compromise both parties
  - Easier to back up: each share is meaningless by itself
ZenGo: Easy + Secure
- The first “keyless” wallet: no more (single) private key
- Security
  - Confidentiality: 2-Party (2-P) Threshold Signatures between the ZenGo server and the ZenGo app on the user’s device; each share is stored in a secure manner
  - Availability: cloud-based backup for each share
- UX: mobile app, already in the pockets of customers; no additional cost
U2F + TSS
U2F flow
[Diagram: USB key, Browser, Website; the challenge goes from the website to the USB key, the signature returns to the website, then auth]
Use Two-Party MPC
[Diagram: ZenGo App, Browser, Website, ZenGo Server; the challenge goes from the website to the ZenGo app, the app and the ZenGo server run signature generation (Sig Gen) together, the signature returns to the website, then auth]
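The two flows above (a single U2F device signing the website's challenge, and the ZenGo app and server signing it jointly from key shares) as an added example that is not from the slides or from ZenGo's Gotham code. It uses a toy Schnorr signature over a small prime-order subgroup of Z_p* (assumed toy parameters P, Q, G: not a real curve, not secure) so that the website's verify() can be seen accepting both kinds of signature without telling them apart.

```python
# Added example (not from the slides or ZenGo's code): toy Schnorr signatures
# over a small prime-order subgroup of Z_p* (assumed toy parameters, NOT a
# real curve and NOT secure) for a website's U2F-style challenge, signed by
# one key holder or jointly by two parties holding additive key shares.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4  # toy group: P = 2*Q + 1, G has prime order Q


def challenge_hash(r: int, pub: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || pub || msg) mod Q."""
    h = hashlib.sha256(f"{r}|{pub}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q


def keygen() -> tuple[int, int]:
    """Single key holder (the U2F device): private x, public G^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, pub: int, msg: bytes) -> tuple[int, int]:
    """Plain single-party Schnorr signature (R, s) over the challenge."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + challenge_hash(r, pub, msg) * x) % Q


def verify(pub: int, msg: bytes, sig: tuple[int, int]) -> bool:
    """The website's check, G^s == R * pub^e; it never learns about shares."""
    r, s = sig
    return pow(G, s, P) == (r * pow(pub, challenge_hash(r, pub, msg), P)) % P


def tss_keygen() -> tuple[int, int, int]:
    """App and server each pick a share; nobody ever holds x = x1 + x2."""
    x1, x2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    pub = (pow(G, x1, P) * pow(G, x2, P)) % P  # G^(x1 + x2), registered with the site
    return x1, x2, pub


def tss_sign(x1: int, x2: int, pub: int, msg: bytes) -> tuple[int, int]:
    """Two-party signing: each side contributes a nonce share and a partial s.
    Real protocols first commit to each R_i; that round is omitted here."""
    k1, k2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    r = (pow(G, k1, P) * pow(G, k2, P)) % P  # R = R1 * R2, known to both sides
    e = challenge_hash(r, pub, msg)
    s1 = (k1 + e * x1) % Q  # app's partial signature
    s2 = (k2 + e * x2) % Q  # server's partial signature
    return r, (s1 + s2) % Q  # same shape as sign(): indistinguishable to the site
```

The partial values s1 and s2 are the only things the two sides exchange, so compromising one of them yields neither the full key nor a usable signature on its own.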
ZenGo open source TSS stack: Gotham-City
- Key generation
- Signing
- Supported curves: ECDSA, EdDSA, P256
By Oded Leiba (@oleiba) from ZenGo
Gotham-City operation
[Diagram: the server share and the client share take part in both key generation and signing]
Supported blockchains
- Bitcoin
- Ethereum (+ERC20)
- Tezos
- Binance
- Terra
- More...
Easy integration recipe
- Start with a monolith implementation
- Identify key generation
- Identify signing
- Replace those calls with calls to Gotham
Threshold-Rust-U2F
- Based on the open source solution rust-u2f
- Implemented in Rust
- Works on Linux + USB; tested on Fedora 31
- Integrated with our stack: Gotham client/server + P256 curve
- Take it for a spin: https://github.com/ZenGo-X/thresh-rust-u2f
Demo: Coinbase
- Replace the mobile authenticator with 2-Party U2F
- Log in with 2-Party U2F
- Persistent login between sessions
Next steps
- Browser integration: Bluetooth support was removed, to be added in 2021
- Can always fall back to an extension, à la Krypton
Takeaways
- U2F is great for the security of authentication
- Hardware solutions are not perfect
- Crypto wallets have the same issues
- Using Threshold Signatures (further reading) we can get the best of both worlds!
twitter.com/zengo | medium.com/zengo | github.com/zengo-x | [email protected]