
Improved Authentication for Email Encryption and Security - binaryanomaly
https://protonmail.com/blog/encrypted_email_authentication/
======
mark_l_watson
"In ProtonMail’s one-password mode, the mailbox password is derived from the
login password via a one-way cryptographic password hash."

I wondered why they didn't do this. As a customer, this is a welcome change.

One thing that is of general concern to me: I tend to use a lot of encrypted
traffic because much of my work is done on SSH shells to servers, and some of
my customers request encrypting work files and use VPNs. With also using
ProtonMail, I would expect to be on a government list of some sort. Given the
general anti-privacy and anti-encryption rhetoric from public government
officials this is a concern.

What our government should do is a moon-shot level of effort to promote strong
encryption and very robust digital infrastructure. While this might
unfortunately make law enforcement's job a little more difficult, the
advantages in fighting computer crime and generally saving businesses,
citizens and the government money would be worth it. I think it would also
increase our level of national security, with all of our systems less
hackable.

~~~
nickpsecurity
"What our government should do is a moon-shot level of effort to promote
strong encryption and very robust digital infrastructure."

They did. It was called the Computer Security Initiative. It was the
culmination of efforts starting with Anderson Report that collectively
invented INFOSEC and deployed high-assurance versions. Early releases were
secure messaging, the BLACKER VPN, MLS endpoints, private databases, and so
on. Industry ignored it in favor of cheapest, fanciest products with features
moving at explosive pace. Congress's (or DOD's) COTS mandate and NSA's MISSI
initiative finished it off by reducing government contracts for high-security
product.

So, it's been done here before. It would work again. Just no will to do it on
top esp with Microsoft and IBM's lobbying. ;) At least the papers on
requirements and methods for achieving that were all published. Some still use
the methods in commercial sector and CompSci. The first, secure systems are
still available commercially on not-so-secure hardware (i.e. Intel). Just
almost no uptake in FOSS for such methods despite a labor advantage.

~~~
shshhdhs
"At least the papers on requirements and methods for achieving that were all
published."

Hi there! I've seen you post on these before; do you have a collection of links
or references to papers an infosec engineer interested in this should read? Ty

~~~
nickpsecurity
Send me an email at address in my profile. I'll send them to you as I dig them
out.

------
smnscu
We had this at Lavaboom (German encrypted email, bankrupt) 2 years ago. Our
designer came up with this idea, I initially wanted to implement the classic 2
password design. The tricky bits are (1) explaining to the users that they
can't reset their password and (2) supporting users who opt for manual key
management (e.g. I own name@mydomain.com and I want to move from Google Apps +
GPGtools to Lavaboom/Protonmail/etc).

[https://github.com/lavab](https://github.com/lavab)

our (brilliant) designer
[http://www.felixvonlooz.com/](http://www.felixvonlooz.com/)

~~~
tux3
>The tricky bits are (1) explaining to the users that they can't reset their
password

So that's interesting, because as I understand it ProtonMail does allow users
to reset their password using a recovery email, although the feature can be
disabled in the settings.

~~~
vabmit
If a user resets their single password or encryption password, they lose
access to their previous e-mail. This is because what essentially happens is
that a new PGP keypair is generated and the Secret Key is encrypted with the
new password. Since we do not have their old, lost, password we cannot access
their secret key to decrypt the e-mails (and subsequently re-encrypt them with
the new Public Key).

------
polack
So how does one migrate from the two password to the one? I like the idea of
protonmail, but since they made it incompatible with normal public key
encrypted mail it's pretty useless for many of us, unfortunately...

~~~
mtgx
PGP is quite difficult to use by most people, and it doesn't even support
forward secrecy, which is a _huge_ weakness. It will never be used by more
than a core group of highly technical users, which is maybe less than 0.01% of the
population.

If we're to push end-to-end encryption to the masses, then we ought to try to
get forward secrecy in it, and it should be quite invisible to the user.

That's not to say that ProtonMail is getting it right, but it's at least one
of the few that are striving to move in that direction.

Relevant post from Moxie from Open Whisper Systems:

[https://moxie.org/blog/gpg-and-me/](https://moxie.org/blog/gpg-and-me/)

~~~
nickik
I would like something better than GPG as well, but at the moment I have a
group of contacts that I would like to write GPG with.

If you have a replacement for GPG and E-Mail please tell me what it is.

~~~
ticoombs
Possibly bitmessage.

But adoption is even worse than pgp

------
esseti
I need a clarification

"In ProtonMail’s one-password mode, the mailbox password is derived from the
login password via a one-way cryptographic password hash. The input to this
hash includes a salt provided by the server on login but not stored in the
client. In this way, compromise of the mailbox password does not automatically
lead to compromise of the login password."

This means, if my password is "123hello" then the mailbox password is
hash(derived("123hello"),secret_salt) where, hash is a hash algorithm (which
one?), the secret_salt is a value stored in the server and never sent to the
client, and the derived("123hello") is a password computed using the SRP
protocol, which should be the session key explained here
[https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...](https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol),
correct? the part of the SRP and on how to generate the password in SRP is a
bit obscure to me, just trying to understand.

------
dom0
Nice to see wider adoption of ZKPP authentication.

------
ComodoHacker
>In ProtonMail’s one-password mode, the mailbox password is derived from the
login password via a one-way cryptographic password hash.

I wonder what the password change procedure will be when you have several
gigabytes of mail in your mailbox? Would you have to download every message,
re-encrypt it in your browser and send back?

~~~
vesinisa
Hopefully the mailbox encryption key is actually static, and they only store
it encrypted with a key derived from your login password. If you use two
different salts the knowledge of the login pw hash does not yield the mailbox
key encryption key.

~~~
vabmit
The mailbox encryption key is static. There is no need to re-encrypt all the
mail when it is changed. Since the PGP Secret Key is only decrypted in the
client browser or app, there is no need to transmit the decryption password to
the server.
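As an added example, not ProtonMail's code, here is the key hierarchy this thread (esseti's question, ComodoHacker's re-encryption worry, and vabmit's two replies) is circling: one login password feeds two independent salted derivations, a login verifier and a mailbox key-encryption-key (KEK); the mailbox key itself is static and the server holds it only wrapped under the KEK; a password change that knows the old password re-wraps that one key and leaves the message ciphertexts alone; a recovery reset that does not know the old password has nothing to unwrap with and must discard it. PBKDF2 as the KDF, the HMAC-based wrap/encrypt construction and the record layout are this example's assumptions, not the real implementation.

```python
import hashlib
import hmac
import os

# Constructed illustration of a one-password key hierarchy. Not ProtonMail's
# code: the KDF, the wrapping construction and the record layout are assumed.
KDF_ITERATIONS = 100_000  # assumed PBKDF2 cost; production would use scrypt/Argon2


def derive(password: bytes, salt: bytes, purpose: bytes) -> bytes:
    """One-way, salted derivation. A distinct salt plus the purpose label keeps
    the login key and the mailbox KEK independent of each other."""
    return hashlib.pbkdf2_hmac("sha256", password, purpose + salt,
                               KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Illustrative authenticated encryption (HMAC keystream + HMAC tag).
    Stands in for AES-GCM / OpenPGP; do not use this construction as-is."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"tag" + nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def register(password: bytes) -> dict:
    """Client-side enrolment. Returns the record the server keeps: two salts,
    a login verifier, the wrapped mailbox key and (later) message ciphertexts.
    Neither the password nor the plaintext mailbox key is in it."""
    login_salt, kek_salt = os.urandom(16), os.urandom(16)
    mailbox_key = os.urandom(32)  # long-lived; in ProtonMail's case this role is played by the PGP secret key
    return {
        "login_salt": login_salt,
        # stands in for the SRP verifier; login proves knowledge of the password, nothing more
        "login_verifier": derive(password, login_salt, b"login"),
        "kek_salt": kek_salt,  # handed to the client at login, not stored there
        "wrapped_key": encrypt(derive(password, kek_salt, b"mailbox"), mailbox_key),
        "messages": [],
    }


def unlock(record: dict, password: bytes) -> bytes:
    """Client: derive the KEK from the server-supplied salt and unwrap the mailbox key."""
    return decrypt(derive(password, record["kek_salt"], b"mailbox"), record["wrapped_key"])


def store_message(record: dict, mailbox_key: bytes, plaintext: bytes) -> None:
    record["messages"].append(encrypt(mailbox_key, plaintext))


def read_messages(record: dict, mailbox_key: bytes) -> list:
    return [decrypt(mailbox_key, blob) for blob in record["messages"]]


def change_password(record: dict, old_password: bytes, new_password: bytes) -> None:
    """The old password unwraps the static mailbox key, which is re-wrapped
    under the new KEK; stored message ciphertexts are not touched."""
    mailbox_key = unlock(record, old_password)  # raises if the old password is wrong
    record["login_salt"], record["kek_salt"] = os.urandom(16), os.urandom(16)
    record["login_verifier"] = derive(new_password, record["login_salt"], b"login")
    record["wrapped_key"] = encrypt(derive(new_password, record["kek_salt"], b"mailbox"), mailbox_key)


def reset_password(record: dict, new_password: bytes) -> bytes:
    """Recovery reset with no old password: nothing can unwrap the old mailbox
    key, so a fresh one is generated and the old ciphertexts become unreadable."""
    new_key = os.urandom(32)
    record["login_salt"], record["kek_salt"] = os.urandom(16), os.urandom(16)
    record["login_verifier"] = derive(new_password, record["login_salt"], b"login")
    record["wrapped_key"] = encrypt(derive(new_password, record["kek_salt"], b"mailbox"), new_key)
    return new_key
```

Two things to notice when running it: after change_password the list of message blobs is byte-for-byte unchanged, which is why changing a password does not mean re-encrypting gigabytes of mail; and because the login verifier and the KEK come from different salts and purpose labels, holding one of them gives no shortcut to the other beyond guessing the password itself.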

------
Wonnk13
how practical is it to drop GMail for these guys? I'm tied fairly heavily to
the Google ecosystem (Chrome, Play, Finance, etc etc). They already have a
mountain of data on me, but I really want to start taking encryption and
privacy more seriously.

~~~
ShinyCyril
I didn't miss anything when I left Gmail, but I imagine it depends a lot on
how you use email. I switched to Fastmail on my own domain and actually prefer
the webmail interface over Gmail.

I mainly use IMAP via Mail.app on my laptop and phone, Pantheon Mail (formerly
Geary) on my desktop. I use PGP wherever I can. I haven't received any spam at
all yet, so I can't comment on how their spam filters compare to Gmail. I
maintain a zero inbox – important stuff gets archived, and everything else is
deleted. This means that I don't miss Gmail's search feature as I hardly keep
any emails. Obviously your mileage may vary here. They also support CalDAV and
CardDAV – so all of my notes, contacts, calendar items etc. are synced across
my devices.

I've moved from Google completely, and for the most part, I don't really miss
them all that much.

- Search -> DuckDuckGo (I do miss Google here – DDG's search results pale in
comparison)

- Gmail -> Fastmail

- Maps -> Citymapper and Apple Maps

- Chrome -> Safari on macOS, Firefox on everything else (my experience with
FF is a bit 'meh' – it was incredibly laggy on my work laptop, but runs great
on my desktop)

~~~
nwuensche
Right now, I also try to keep Google as far away from me as I can.
Unfortunately, I don't own a domain myself. Have you tried out ProtonMail
yourself? If so, do you think that it is a good alternative to a self-hosted
server like Fastmail?

~~~
ShinyCyril
I have not used ProtonMail myself so I can't help you there I'm afraid.

While I use Fastmail with my own domain, it is not self-hosted. My MX records
point to Fastmail's servers.

------
andrewfromx
similar to [https://www.caplinked.com](https://www.caplinked.com) 's
[http://www.attachd.com](http://www.attachd.com)

------
jimktrains2
This all seems to be a web-based application
([https://github.com/ProtonMail/WebClient](https://github.com/ProtonMail/WebClient)).
How are the security issues regarding knowing that you're always running that
code and that the server isn't compromised and sending altered code? The
arguments against server-supplied, js-in-the-browser crypto have been done to
death.

Why is this any different, and why am I wrong to dismiss it out-of-hand as
(in)secure as simply sending unencrypted data to the server? Why isn't this
only an open-source, native app (where I can load a specific, known version
instead of whatever is on the server).

> we choose our own primes rather than those used by TLS

Does TLS specify any primes? You can use your own DH primes, SRP primes, and
your key is your own prime. Those RFCs recommend primes, but allow the server
to use different ones. TLS, SRP, or DH doesn't "use" a single prime, any prime
satisfying the requirements in the RFC is acceptable. I know it's nitpicking but
something about how it was said rubbed me the wrong way.

I would love to know how they communicate between their TLS-SRP layer and
their authentication layer. Most implementations are file-based. Did they
write a plugin for gnutls or openssl? Did they write their own TLS layer?

I would love for TLS-SRP to be more wide-spread, but this is always the
biggest hurdle to adoption in my case.

~~~
ComodoHacker
>Why is this any different

Nobody says it's different

>Why isn't this only an open-source, native app (where I can load a specific,
known version instead of whatever is on the server).

OK, let's suppose you're using a native app. One day vendor issues an update
with some critical vulnerability patched. Unfortunately, another vulnerability
(or even backdoor) sneaks into this update for whatever reasons. How is this
any different?

~~~
jimktrains2
> Nobody says it's different

Then why do all the extra work for no gain in security?

I think the sibling comment addresses your next comment well.

~~~
bartbutler
There's a difference between an active attacker and a passive MITM attacker.
Doing this for the web app in addition to the native apps helps prevent a
passive MITM attack from stealing login credentials.

~~~
jimktrains2
A mitm is an active attacker. If TLS fails, then the mitm could modify the
code sent to the end user.

~~~
bartbutler
That's a limited definition of MITM. That would be an active attack, and yes,
this does nothing for that for the web app--the native apps are a different
story. However, there are plenty of corporate PCs and other machines with root
certs installed in a way that a third party could, and often does, passively
record traffic without modification for analysis later. SRP prevents those
dumps from containing information that can be used to compromise an account.

~~~
jimktrains2
That is exactly what I'm describing though. The corporation could edit the
page to do what they want. To claim otherwise is foolish and really makes me
question proton's understanding of security.
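As an added example, not ProtonMail's code, here is the SRP-6a exchange bartbutler is describing, written so that what crosses the wire (salt, A, B, the client proof M1) is separated from what each side keeps (the password and x on the client, the verifier v on the server, the ephemerals a and b). It assumes a toy 128-bit safe prime generated at import time so the block runs offline, SHA-256 for every hash, and the RFC 5054 form of x; the names enroll, srp_exchange, server_accepts and transcript_bytes are this example's own.

```python
import hashlib
import hmac
import os
import random

# Constructed SRP-6a walk-through, not ProtonMail's code. The group is a toy
# 128-bit safe prime found at import so the block runs offline; a real
# deployment uses a vetted group (e.g. RFC 5054) and a memory-hard password KDF.
_rng = random.SystemRandom()


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; enough to pick a demo group, not for parameter vetting."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(bits: int = 128) -> int:
    """Return N = 2q + 1 with both q and N (probably) prime."""
    while True:
        q = _rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1


N = toy_safe_prime()
g = 2  # for a safe prime, 2 has order q or 2q, so it never collapses the group


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier


def password_x(password: bytes, salt: bytes) -> int:
    # RFC 5054 shape, H(salt | H(password)); a slow KDF belongs here in practice.
    return H(salt, hashlib.sha256(password).digest())


def enroll(password: bytes):
    """Client computes the verifier once; the server stores (salt, v), never the password."""
    salt = os.urandom(16)
    return salt, pow(g, password_x(password, salt), N)


def srp_exchange(client_password: bytes, salt: bytes, v: int):
    """One login. Returns the wire transcript plus each side's session key."""
    a = _rng.randrange(2, N - 1)                # client ephemeral, never sent
    A = pow(g, a, N)                            # client -> server (server must reject A == 0 mod N)
    b = _rng.randrange(2, N - 1)                # server ephemeral, never sent
    B = (k * v + pow(g, b, N)) % N              # server -> client; v is blinded by k*v
    u = H(to_bytes(A), to_bytes(B))             # scrambling parameter, both sides
    x = password_x(client_password, salt)       # client only; the salt came from the server
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # = g^(b(a+ux))
    S_server = pow(A * pow(v, u, N) % N, b, N)                 # = g^(b(a+ux)), needs only v
    K_client = hashlib.sha256(to_bytes(S_client)).digest()
    K_server = hashlib.sha256(to_bytes(S_server)).digest()
    M1 = hashlib.sha256(to_bytes(A) + to_bytes(B) + K_client).digest()  # client -> server proof
    return {"salt": salt, "A": A, "B": B, "M1": M1}, K_client, K_server


def server_accepts(transcript: dict, K_server: bytes) -> bool:
    """Server checks the proof before releasing anything keyed by the session."""
    expected = hashlib.sha256(to_bytes(transcript["A"]) + to_bytes(transcript["B"]) + K_server).digest()
    return hmac.compare_digest(expected, transcript["M1"])


def transcript_bytes(transcript: dict) -> bytes:
    """Everything that crossed the wire: what a passive capture would contain."""
    return transcript["salt"] + to_bytes(transcript["A"]) + to_bytes(transcript["B"]) + transcript["M1"]
```

A passive capture holds only salt, A, B and M1. Checking a candidate password against that dump would require computing S, which needs the ephemeral a or b that never left either side, so the dump cannot be brute-forced offline and contains nothing that replays as a login; that is the property bartbutler is pointing at. It says nothing about an attacker who can alter the JavaScript served to the browser, since such an attacker reads the password before any of the above runs, which is the case jimktrains2 is pointing at.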

------
piotrjurkiewicz
It should be reminded that emails exchanged between Protonmail and any
recipient who uses an ordinary email server are not secure. In order to achieve
security you have to mail with other Protonmail user or use PGP.

~~~
LeoPanthera
They have an option to send a secure email to "normal" email addresses which
works by sending them an https link to click. You must have a pre-arranged
password with the other person for this to work, but it is possible.

