Cryptology ePrint Archive: Report 2017/721

On Making U2F Protocol Leakage-Resilient via Re-keying

Donghoon Chang and Sweta Mishra and Somitra Kumar Sanadhya and Ajit Pratap Singh1

Abstract: The Universal 2nd Factor (U2F) protocol is an open authentication standard to strengthen the two-factor authentication process. It augments the existing password based infrastructure by using a specialized USB, termed as the U2F authenticator, as the 2nd factor. The U2F authenticator is assigned two fixed keys at the time of manufacture, namely the device secret key and the attestation private key. These secret keys are later used by the U2F authenticator during the Registration phase to encrypt and digitally sign data that will help in proper validation of the user and the web server. However, the use of fixed keys for the above processing leaks information through side channel about both the secrets. In this work we show why the U2F protocol is not secure against side channel attacks (SCA). We then present a countermeasure for the SCA based on re-keying technique to prevent the repeated use of the device secret key for encryption and signing. We also recommend a modification in the existing U2F protocol to minimise the effect of signing with the fixed attestation private key. Incorporating our proposed countermeasure and recommended modification, we then present a new variant of the U2F protocol that has improved security guarantees. We also briefly explain how the side channel attacks on the U2F protocol and the corresponding proposed countermeasures are similarly applicable to Universal Authentication Framework (UAF) protocol.

Category / Keywords: Password, Authentication, U2F, UAF, FIDO Alliance, Side-channel attack, Re-keying

Date: received 25 Jul 2017, last revised 8 Aug 2017

Contact author: swetam at iiitd ac in

Available format(s): PDF | BibTeX Citation

Note: There are few editorial changes in the current version of the paper.

Version: 20170808:172548 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]