Replace the current Yubikey PBA implementation with the previous one.
Rationale: * The main reason for choosing to implement the PBA in accordance with the Yubico documentation was to prevent a MITM-USB-attack successfully recovering the new LUKS key. * However, a MITM-USB-attacker can read user id and password when they were entered for PBA, which allows him to recover the new challenge after the PBA is complete, with which he can challenge the Yubikey, decrypt the new AES blob and recover the LUKS key. * Additionally, since the Yubikey shared secret is stored in the same AES blob, after such an attack not only is the LUKS device compromised, the Yubikey is as well, since the shared secret has also been recovered by the attacker. * Furthermore, with this method an attacker could also bruteforce the AES blob, if he has access to the unencrypted device, which would again compromise the Yubikey, should he be successful. * Finally, with this method, once the LUKS key has been recovered once, the encryption is permanently broken, while with the previous system, the LUKS key itself it changed at every successful boot, so recovering it once will not necessarily result in a permanent breakage and will also not compromise the Yubikey itself (since its secret is never stored anywhere but on the Yubikey itself). Summary: The current implementation opens up up vulnerability to brute-forcing the AES blob, while retaining the current MITM-USB attack, additionally making the consequences of this attack permanent and extending it to the Yubikey itself.
This commit is contained in:
parent
e96bc485db
commit
8e74e1fded
|
@ -39,27 +39,11 @@ let
|
||||||
${optionalString (luks.yubikeySupport && (yubikey != null)) ''
|
${optionalString (luks.yubikeySupport && (yubikey != null)) ''
|
||||||
|
|
||||||
rbtohex() {
|
rbtohex() {
|
||||||
od -An -vtx1 | tr -d ' \n'
|
( od -An -vtx1 | tr -d ' \n' )
|
||||||
}
|
}
|
||||||
|
|
||||||
hextorb() {
|
hextorb() {
|
||||||
tr '[:lower:]' '[:upper:]' | sed -e 's|\([0-9A-F]\{2\}\)|\\\\\\x\1|gI' | xargs printf
|
( tr '[:lower:]' '[:upper:]' | sed -e 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI'| xargs printf )
|
||||||
}
|
|
||||||
|
|
||||||
take() {
|
|
||||||
local c="$1"
|
|
||||||
shift
|
|
||||||
head -c $c "$@"
|
|
||||||
}
|
|
||||||
|
|
||||||
drop() {
|
|
||||||
local c="$1"
|
|
||||||
shift
|
|
||||||
if [ -e "$1" ]; then
|
|
||||||
cat "$1" | ( dd of=/dev/null bs="$c" count=1 2>/dev/null ; dd 2>/dev/null )
|
|
||||||
else
|
|
||||||
( dd of=/dev/null bs="$c" count=1 2>/dev/null ; dd 2>/dev/null )
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
open_yubikey() {
|
open_yubikey() {
|
||||||
|
@ -70,83 +54,41 @@ let
|
||||||
local uuid_r
|
local uuid_r
|
||||||
local k_user
|
local k_user
|
||||||
local challenge
|
local challenge
|
||||||
local k_blob
|
local opened
|
||||||
local aes_blob_decrypted
|
|
||||||
local checksum_correct
|
|
||||||
local checksum
|
|
||||||
local uuid_luks
|
|
||||||
local user_record
|
|
||||||
|
|
||||||
uuid_luks="$(cryptsetup luksUUID ${device} | take 36 | tr -d '-')"
|
sleep 1
|
||||||
|
|
||||||
${optionalString (!yubikey.multiUser) ''
|
uuid_r="$(cat ${yubikey.storage.mountPoint}${yubikey.storage.path})"
|
||||||
user_record="$(cat ${yubikey.storage.mountPoint}${yubikey.storage.path})"
|
|
||||||
uuid_r="$(echo -n $user_record | take 32)"
|
|
||||||
''}
|
|
||||||
|
|
||||||
for try in $(seq 3); do
|
for try in $(seq 3); do
|
||||||
|
|
||||||
${optionalString yubikey.multiUser ''
|
|
||||||
local user_id
|
|
||||||
echo -n "Enter user id: "
|
|
||||||
read -s user_id
|
|
||||||
echo
|
|
||||||
''}
|
|
||||||
|
|
||||||
${optionalString yubikey.twoFactor ''
|
${optionalString yubikey.twoFactor ''
|
||||||
echo -n "Enter two-factor passphrase: "
|
echo -n "Enter two-factor passphrase: "
|
||||||
read -s k_user
|
read -s k_user
|
||||||
echo
|
echo
|
||||||
''}
|
''}
|
||||||
|
|
||||||
${optionalString yubikey.multiUser ''
|
challenge="$(echo -n $k_user$uuid_r | openssl-wrap dgst -binary -sha512 | rbtohex)"
|
||||||
local user_id_hash
|
|
||||||
user_id_hash="$(echo -n $user_id | openssl-wrap dgst -binary -sha512 | rbtohex)"
|
|
||||||
|
|
||||||
user_record="$(sed -n -e /^$user_id_hash[^$]*$/p ${yubikey.storage.mountPoint}${yubikey.storage.path} | tr -d '\n')"
|
k_luks="$(ykchalresp -${toString yubikey.slot} -x $challenge 2>/dev/null)"
|
||||||
|
|
||||||
if [ ! -z "$user_record" ]; then
|
echo -n "$k_luks" | hextorb | cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} --key-file=-
|
||||||
user_record="$(echo -n $user_record | drop 128)"
|
|
||||||
uuid_r="$(echo -n $user_record | take 32)"
|
|
||||||
''}
|
|
||||||
|
|
||||||
challenge="$(echo -n $k_user$uuid_r$uuid_luks | openssl-wrap dgst -binary -sha1 | rbtohex)"
|
if [ $? == "0" ]; then
|
||||||
|
opened=true
|
||||||
k_blob="$(ykchalresp -${toString yubikey.slot} -x $challenge 2>/dev/null)"
|
|
||||||
|
|
||||||
aes_blob_decrypted="$(echo -n $user_record | drop 32 | hextorb | openssl-wrap enc -d -aes-256-ctr -K $k_blob -iv $uuid_r | rbtohex)"
|
|
||||||
|
|
||||||
checksum="$(echo -n $aes_blob_decrypted | drop 168)"
|
|
||||||
if [ "$(echo -n $aes_blob_decrypted | hextorb | take 84 | openssl-wrap dgst -binary -sha512 | rbtohex)" == "$checksum" ]; then
|
|
||||||
checksum_correct=1
|
|
||||||
break
|
break
|
||||||
else
|
else
|
||||||
checksum_correct=0
|
opened=false
|
||||||
echo "Authentication failed!"
|
echo "Authentication failed!"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
${optionalString yubikey.multiUser ''
|
|
||||||
else
|
|
||||||
checksum_correct=0
|
|
||||||
echo "Authentication failed!"
|
|
||||||
fi
|
|
||||||
''}
|
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ "$checksum_correct" != "1" ]; then
|
if [ "$opened" == false ]; then
|
||||||
umount ${yubikey.storage.mountPoint}
|
umount ${yubikey.storage.mountPoint}
|
||||||
echo "Maximum authentication errors reached"
|
echo "Maximum authentication errors reached"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local k_yubi
|
|
||||||
k_yubi="$(echo -n $aes_blob_decrypted | take 40)"
|
|
||||||
|
|
||||||
local k_luks
|
|
||||||
k_luks="$(echo -n $aes_blob_decrypted | drop 40 | take 128)"
|
|
||||||
|
|
||||||
echo -n "$k_luks" | hextorb | cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} --key-file=-
|
|
||||||
|
|
||||||
update_failed=false
|
update_failed=false
|
||||||
|
|
||||||
local new_uuid_r
|
local new_uuid_r
|
||||||
|
@ -161,24 +103,32 @@ let
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$update_failed" == false ]; then
|
if [ "$update_failed" == false ]; then
|
||||||
new_uuid_r="$(echo -n $new_uuid_r | take 36 | tr -d '-')"
|
new_uuid_r="$(echo -n $new_uuid_r | head -c 36 | tr -d '-')"
|
||||||
|
|
||||||
local new_challenge
|
local new_challenge
|
||||||
new_challenge="$(echo -n $k_user$new_uuid_r$uuid_luks | openssl-wrap dgst -binary -sha1 | rbtohex)"
|
new_challenge="$(echo -n $k_user$new_uuid_r | openssl-wrap dgst -binary -sha512 | rbtohex)"
|
||||||
|
|
||||||
local new_k_blob
|
local new_k_luks
|
||||||
new_k_blob="$(echo -n $new_challenge | hextorb | openssl-wrap dgst -binary -sha1 -mac HMAC -macopt hexkey:$k_yubi | rbtohex)"
|
new_k_luks="$(ykchalresp -${toString yubikey.slot} -x $new_challenge 2>/dev/null)"
|
||||||
|
|
||||||
local new_aes_blob
|
mkdir -p ${yubikey.ramfsMountPoint}
|
||||||
new_aes_blob=$(echo -n "$k_yubi$k_luks$checksum" | hextorb | openssl-wrap enc -e -aes-256-ctr -K "$new_k_blob" -iv "$new_uuid_r" | rbtohex)
|
# A ramfs is used here to ensure that the file used to update
|
||||||
|
# the key slot with cryptsetup will never get swapped out.
|
||||||
|
# Warning: Do NOT replace with tmpfs!
|
||||||
|
mount -t ramfs none ${yubikey.ramfsMountPoint}
|
||||||
|
|
||||||
${optionalString yubikey.multiUser ''
|
echo -n "$new_k_luks" | hextorb > ${yubikey.ramfsMountPoint}/new_key
|
||||||
sed -i -e "s|^$user_id_hash$user_record|$user_id_hash$new_uuid_r$new_aes_blob|1"
|
echo -n "$k_luks" | cryptsetup luksChangeKey ${device} --key-file=- ${yubikey.ramfsMountPoint}/new_key
|
||||||
''}
|
|
||||||
|
|
||||||
${optionalString (!yubikey.multiUser) ''
|
if [ $? == "0" ]; then
|
||||||
echo -n "$new_uuid_r$new_aes_blob" > ${yubikey.storage.mountPoint}${yubikey.storage.path}
|
echo -n "$new_uuid_r" > ${yubikey.storage.mountPoint}${yubikey.storage.path}
|
||||||
''}
|
else
|
||||||
|
echo "Warning: Could not update LUKS key, current challenge persists!"
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm -f ${yubikey.ramfsMountPoint}/new_key
|
||||||
|
umount ${yubikey.ramfsMountPoint}
|
||||||
|
rm -rf ${yubikey.ramfsMountPoint}
|
||||||
else
|
else
|
||||||
echo "Warning: Could not obtain new UUID, current challenge persists!"
|
echo "Warning: Could not obtain new UUID, current challenge persists!"
|
||||||
fi
|
fi
|
||||||
|
@ -336,21 +286,21 @@ in
|
||||||
description = "Whether to use a passphrase and a Yubikey (true), or only a Yubikey (false)";
|
description = "Whether to use a passphrase and a Yubikey (true), or only a Yubikey (false)";
|
||||||
};
|
};
|
||||||
|
|
||||||
multiUser = mkOption {
|
|
||||||
default = false;
|
|
||||||
type = types.bool;
|
|
||||||
description = "Whether to allow multiple users to authenticate with a Yubikey";
|
|
||||||
};
|
|
||||||
|
|
||||||
slot = mkOption {
|
slot = mkOption {
|
||||||
default = 2;
|
default = 2;
|
||||||
type = types.int;
|
type = types.int;
|
||||||
description = "Which slot on the Yubikey to challenge";
|
description = "Which slot on the Yubikey to challenge";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ramfsMountPoint = mkOption {
|
||||||
|
default = "/crypt-ramfs";
|
||||||
|
type = types.string;
|
||||||
|
description = "Path where the ramfs used to update the LUKS key will be mounted in stage-1";
|
||||||
|
};
|
||||||
|
|
||||||
storage = mkOption {
|
storage = mkOption {
|
||||||
type = types.optionSet;
|
type = types.optionSet;
|
||||||
description = "Options related to the authentication record";
|
description = "Options related to the storing the random UUID";
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
device = mkOption {
|
device = mkOption {
|
||||||
|
@ -358,7 +308,7 @@ in
|
||||||
type = types.path;
|
type = types.path;
|
||||||
description = ''
|
description = ''
|
||||||
An unencrypted device that will temporarily be mounted in stage-1.
|
An unencrypted device that will temporarily be mounted in stage-1.
|
||||||
Must contain the authentication record for this LUKS device.
|
Must contain the current random UUID to create the challenge for this LUKS device.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -378,7 +328,7 @@ in
|
||||||
default = "/crypt-storage/default";
|
default = "/crypt-storage/default";
|
||||||
type = types.string;
|
type = types.string;
|
||||||
description = ''
|
description = ''
|
||||||
Absolute path of the authentication record on the unencrypted device with
|
Absolute path of the random UUID on the unencrypted device with
|
||||||
that device's root directory as "/".
|
that device's root directory as "/".
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in New Issue