Password and key generation


Adrià Casajús

Oct 6, 2014, 10:46:58 AM10/6/14
to mitr...@googlegroups.com
Hi all,

 I've got a question. When a user registers I guess his key pair is created and ciphered with the password. Is that password sent plaintext to the server along with the key pair? How do you prevent the server from being able to open the keypair with the user password?

Cheers,
 Adri

Evan Jones

Oct 6, 2014, 11:14:48 AM10/6/14
to Adrià Casajús, mitr...@googlegroups.com
The password never leaves the client, so the server has no access to the private key. If you forget your password, we have to delete your account. Additional details here:


Let me know if you have other questions,

Evan



--
You received this message because you are subscribed to the Google Groups "Mitro developers list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mitro-dev+...@googlegroups.com.
To post to this group, send email to mitr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mitro-dev/8c54ba6a-bebc-45cd-a63e-47da76c30a0a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Adrià Casajús

Oct 6, 2014, 11:24:17 AM10/6/14
to mitr...@googlegroups.com, ad...@ecm.ub.edu
How do users authenticate if the password does not leave the client? When a user logs in, he's got no key pair (yet) to sign/request info.

Bri Hatch

Oct 7, 2014, 12:15:15 AM10/7/14
to Adrià Casajús, mitr...@googlegroups.com
On Mon, Oct 6, 2014 at 8:24 AM, Adrià Casajús <ad...@ecm.ub.edu> wrote:
How do users authenticate if the password does not leave the client? When a user logs in, he's got no key pair (yet) to sign/request info.

When you first sign up your browser creates a keypair, where the secret part is encrypted with your password. Both secret (encrypted) and public are uploaded to mitro servers. However if you forget your password, since it never got there, there's no way to recover it and deleting/starting over is the only option.

Which kinda proves that it's proper crypto. ;-)

--
Bri Hatch, Systems and Security Engineer. http://www.ifokr.org/bri/

I have a deep and profound love for this new licensing set
  up. I get all misty even writing about it.
--matt

Adrià Casajús

Oct 7, 2014, 4:54:29 AM10/7/14
to mitr...@googlegroups.com, ad...@ecm.ub.edu
Yes, I got that. My question is:

1.- User registers in Mitro
1.1.- User fills registration form (including email + password)
1.2.- Generates keypair ciphered with the user password
1.3.- Uploads keypair + other stuff to the Mitro server
1.4.- User browser extension has the keypair -> is logged in

2.- User wants to log in to Mitro from another PC (that does NOT have the keypair yet)
2.1.- User fills the login form (including email + password)
2.2.- ¿?¿?

Question 1 -> What does the Mitro extension send to the servers to get the ciphered keypair?
Question 2 -> How does the Mitro server verify that I am indeed me, to grant me access to my keypair, without the password?

Cheers,
 Adri

Evan Jones

Oct 8, 2014, 10:44:38 AM10/8/14
to Adrià Casajús, mitr...@googlegroups.com
1: Mitro sends the public key, plus the private key encrypted using your password.

2a) First login attempt for a new device: we ask you to click a verification link in an email we send you.
2b) After the link is clicked, on the next login attempt, Mitro returns the encrypted private key.
2c) Your browser decrypts the key using your password. If it cannot decrypt it, it says "password incorrect".

Hope that helps,

Evan




Matthew Ford

Oct 9, 2014, 1:57:35 PM10/9/14
to mitr...@googlegroups.com, ad...@ecm.ub.edu
How are the keys stored in the browser, in local storage? Is the private key then stored in decrypted form?

Adrià Casajús

Oct 10, 2014, 4:37:33 AM10/10/14
to mitr...@googlegroups.com, ad...@ecm.ub.edu
Thanks! That made it clear :)

Evan Jones

Oct 10, 2014, 9:33:05 AM10/10/14
to Matthew Ford, mitr...@googlegroups.com, ad...@ecm.ub.edu
The browser only ever stores the key in memory, in a web worker as part of the background page in the extension. If you *don't* check the "keep me logged in" option, then the browser extension re-fetches the encrypted private key from Mitro each time, and decrypts it using your password.

If you check the "keep me logged in" option, then your browser generates a device-specific AES key, and uses that to encrypt the private key in local storage. The device-specific key is stored on Mitro. When you restart your browser, it contacts Mitro with the device ID, and Mitro returns the device-specific key, which can be used to decrypt the key in local storage. If you change your password on any device, Mitro discards all the device-specific keys, so you must log in again on all devices.

Evan

