
Zero-knowledge attestation - zdw
https://www.imperialviolet.org/2019/01/01/zkattestation.html
======
dane-pgp
"Ultimately, in such a world, sites only operate on a single bit of
information about any registration: was this public-key generated in a
certified device or not? The FIDO Alliance wants to run the certification
process, so then the problem reduces down to providing that bit to the site."

Are we really building a web where a single organisation gets to decide which
devices people can use to access any website securely? I don't know if that's
worse than a web where individual sites can say "Only
Windows/Android/iOS/WeChat users can create accounts here".

Before long, the requirements for a "secure" device will be one which
effectively implements something like DRM (i.e. has secret signing keys
outside of your control), probably requiring biometrics (iris scan or
fingerprint), and possibly phoning home to a government or corporation, to
check for firmware updates or revocation information (i.e. a kill switch, like
in AACS).

~~~
yayana
I think you can swap out FIDO in the role of certification for any other group
willing to run the process of certifying devices, so it is basically just CA
style PKI for client certs again but with an initial attempt at a free CA.

I think FIDO specifications and most organizations feeling pressure to at
least support devices they approve would mostly be good for the user.

The rate at which FIDO will introduce more invasive behavior instead of
user-benefiting behavior, before there is a version too common for most sites
to reject, is going to be related to the level at which proprietary dongles
issued by banks, etc., remain acceptable.

In the FIDO case, the consumer actually is the customer, so negative features
will have to arrive by vendors fighting their own customers' interests, and
pushing institutions to reject their older devices. I think they probably
will, but not at the rate they can fight users when the institution is the
customer.

~~~
dane-pgp
A likely scenario is that, just as with mobile OSes or browsers, there will be
effectively an oligarchy or cartel of approved FIDO device manufacturers, who
will end up setting the rules to make it hard for new manufacturers to join
the trusted set.

This is basically a huge coordination problem, and there are natural barriers
to entry against becoming a globally accepted provider of hardware which
websites are prepared to trust.

History has shown that, as long as a market appears to have two options,
people will be content to choose the lesser of two evils rather than invest
time and effort into changing the system to add more options.

------
repolfx
I have to say, the short description of arithmetic circuits in elliptic curve
finite fields in this blog post is probably one of the clearest and most
concise I've seen. Bravo!

As for the problem of user-agent sniffing, well, it is done for a reason.
Probably there's less of it these days than there used to be as browsers got
better and more standards compliant. I'd be interested to know why Vanguard
restricts to YubiKeys; perhaps someone from the FIDO alliance can find out.

------
crazysim
That big financial site would be Vanguard, which only allows YubiKeys for U2F.
Blogger is/was a Googler right? I heard they use them for their retirement
accounts.

~~~
loeg
Vanguard has recently moved to require[0] some form of 2FA for online account
access, probably in an attempt to either improve security (optimistic) or
shift liability for phishing to consumers (cynical). They do this by
forcing[0] you to sign up for SMS 2FA initially, which as informed readers
should know, is total crap for 2FA and frequently hijacked by bad actors. I'm
not a fan of this policy.

[0]:

> When it comes to account security, everyone has a role to play. So we're now
> requiring you to sign up to receive security codes. These codes provide a
> type of 2-step verification that adds an extra level of security to your
> accounts.

You can avoid signing up for 2FA after login by clicking "Get started," then
"Cancel" without marking that you agree to the terms, and then manually
navigating to your desired URL, e.g.,
[https://personal.vanguard.com/us/myaccounts/balancesholdings](https://personal.vanguard.com/us/myaccounts/balancesholdings).

~~~
c22
As a 2nd or 3rd factor SMS is usually fine. Hijacking a text message is still
an "extra hurdle" that improves security over _just a password_. The problem
comes when a site allows _account resets_ over SMS because then they've just
traded one single factor (a password) for another weaker one (SMS).

~~~
loeg
> As a 2nd or 3rd factor SMS is usually fine. Hijacking a text message is
> still an "extra hurdle" that improves security over just a password

Perhaps, but often 2FA is leaned on to reduce the significance of the primary
factor or shift liability.

> The problem comes when a site allows account resets over SMS because then
> they've just traded one single factor (a password) for another weaker one
> (SMS).

Yeah, exactly — that would be one way some "2FA" systems weaken the primary
factor.

------
ecesena
Direct Anonymous Attestation (DAA) has the extra feature that signature
computation can be split between trusted device and host. How does this
compare?

~~~
agl
There are various groupish signature systems (including DAA and BBS[1]) that
would probably be a better answer here, _if you controlled the signers_. But,
in this context, the devices have shipped and they do P-256 ECDSA. So the
question then becomes, what _can_ we do without being able to change the
signers? Can we plausibly retrofit something onto them?

[1]
[http://crypto.stanford.edu/~dabo/papers/groupsigs.pdf](http://crypto.stanford.edu/~dabo/papers/groupsigs.pdf)

~~~
ecesena
I see, thank you for the clarification. I was just surprised to read it takes
several seconds on a 4GHz CPU. For example, the chip we’re using in Solo is an
STM32 at 80MHz, so it’s prob impractical (but in fairness I don’t have numbers
on DAA either).

------
alexnewman
Why not do this with the TPM?

~~~
ecesena
FIDO attestation is compatible with TPM; it's just not required, so other
device manufacturers can implement it without a TPM.

~~~
alexnewman
What modern machines have no TPM or enclave? I know phones, tablets, laptops
and desktops do. FIDO keys seem weak; I have a basket of them.

