[fix] enforce that alpha!=beta in final step of the oprf.\n\nthis would allow an attacker having access to the output of the OPRF to reduce the effort to bruteforce the master password to two hashes, eliminating the scalarmultiplication.

Author: stef

README.md

@@ -119,11 +119,11 @@ Pass the challenge from step 1 on standard input like:
 The response is sent to standard output.
 
 ### step 3 - derive password
-To derive a (currently hex) password, pass the response from step 2 on
-standard input and the filename of the tempfile from step 1 like:
+To derive a (currently hex) password, pass the response from step 2 on standard
+input and the filename of the tempfile and the challenge from step 1 like:
 
 ```
-fname=$(cat b) ./derive $fname <r0 >pwd0
+fname=$(cat b) ./derive $fname c <r0 >pwd0
 ```
 
 The derived password is sent to standard output and currently is a 32

src/bin/derive.c

@@ -23,10 +23,12 @@
 #include <unistd.h>
 #include <stdint.h>
 #include <sodium.h>
+#include <string.h>
 
 int main(int argc, char **argv) {
   (void) argc;
   uint8_t blind[crypto_core_ristretto255_SCALARBYTES],
+    chal[crypto_core_ristretto255_BYTES],
     resp[crypto_core_ristretto255_BYTES];
 
   // read response from stdin
@@ -47,6 +49,23 @@ int main(int argc, char **argv) {
   }
   fclose(f);
 
+  // read original challenge from file passed in argv[2]
+  f = fopen(argv[2], "r");
+  if(f==NULL) {
+    fprintf(stderr,"could not open %s\n", argv[2]);
+    return 1;
+  }
+  if(fread(chal, sizeof chal, 1, f)!=1) {
+    fprintf(stderr, "expected 32B challenge in %s\n", argv[2]);
+    return 1;
+  }
+  fclose(f);
+
+  if(memcmp(chal,resp,sizeof resp)==0) {
+    fprintf(stderr, "challenge and response are equal\n");
+    return 1;
+  }
+
   // invert r = 1/r
   unsigned char ir[crypto_core_ristretto255_SCALARBYTES];
   if (crypto_core_ristretto255_scalar_invert(ir, blind) != 0) {

src/bin/tests/test.sh

@@ -18,7 +18,7 @@ echo "run 1 respond to challenge"
 
 fname=$(cat b)
 echo "run 1 derive password from response"
-{ cat r0; echo -n "shitty master password"; } | ../derive $fname >pwd0
+{ cat r0; echo -n "shitty master password"; } | ../derive $fname c >pwd0
 
 echo "second run"
 echo "run 2 create challenge"
@@ -27,7 +27,7 @@ echo "run 2 respond to challenge"
 ../respond secret <c >r1
 fname=$(cat b)
 echo "run 2 derive password from response"
-{ cat r1; echo -n "shitty master password"; } | ../derive $fname >pwd1
+{ cat r1; echo -n "shitty master password"; } | ../derive $fname c >pwd1
 
 rm c b
 

src/sphinx.c

@@ -22,6 +22,7 @@
 #include <stdint.h>
 #include <sodium.h>
 #include "sphinx.h"
+#include <string.h>
 #ifdef TRACE
 #include "common.h"
 #endif
@@ -105,20 +106,30 @@ int sphinx_respond(const uint8_t chal[crypto_core_ristretto255_BYTES], const uin
  * pwd: (input) the password
  * p_len: (input) the password length
  * bfac: (input) bfac from challenge(), array of crypto_core_ristretto255_SCALARBYTES (32) bytes
+ * chal: (input) the challenge generated in sphinx_challenge, crypto_core_ristretto255_BYTES(32) bytes array
  * resp: (input) the response from respond(), crypto_core_ristretto255_BYTES (32) bytes array
  * salt: (input) salt for the final password hashing, crypto_pwhash_SALTBYTES bytes array
  * rwd: (output) the derived password, crypto_core_ristretto255_BYTES (32) bytes array
  * returns -1 on error, 0 on success
  */
-int sphinx_finish(const uint8_t *pwd, const size_t p_len, const uint8_t bfac[crypto_core_ristretto255_SCALARBYTES], const uint8_t resp[crypto_core_ristretto255_BYTES], const uint8_t salt[crypto_pwhash_SALTBYTES], uint8_t rwd[crypto_core_ristretto255_BYTES]) {
+int sphinx_finish(const uint8_t *pwd, const size_t p_len,
+                  const uint8_t bfac[crypto_core_ristretto255_SCALARBYTES],
+                  const uint8_t chal[crypto_core_ristretto255_BYTES],
+                  const uint8_t resp[crypto_core_ristretto255_BYTES],
+                  const uint8_t salt[crypto_pwhash_SALTBYTES],
+                  uint8_t rwd[crypto_core_ristretto255_BYTES]) {
 #ifdef TRACE
   dump(bfac, crypto_core_ristretto255_SCALARBYTES, "r");
+  dump(chal, crypto_core_ristretto255_BYTES, "alpha");
   dump(resp, crypto_core_ristretto255_BYTES, "beta");
   dump(pwd, p_len, "pwd");
   dump(salt, crypto_pwhash_SALTBYTES, "salt");
 #endif
   // Checks that resp ∈ G^∗ . If not, abort;
   if(crypto_core_ristretto255_is_valid_point(resp)!=1) return -1;
+  if(memcmp(chal,resp,crypto_core_ristretto255_BYTES)==0) {
+    return -1;
+  }
 
   // invert bfac = 1/bfac
   unsigned char ir[crypto_core_ristretto255_SCALARBYTES];

src/sphinx.h

@@ -38,6 +38,7 @@ int sphinx_respond(const uint8_t chal[crypto_core_ristretto255_BYTES],
                    uint8_t resp[crypto_core_ristretto255_BYTES]);
 int sphinx_finish(const uint8_t *pwd, const size_t p_len,
                   const uint8_t bfac[crypto_core_ristretto255_SCALARBYTES],
+                  const uint8_t chal[crypto_core_ristretto255_BYTES],
                   const uint8_t resp[crypto_core_ristretto255_BYTES],
                   const uint8_t salt[crypto_pwhash_SALTBYTES],
                   uint8_t rwd[crypto_core_ristretto255_BYTES]);

src/tests/test.c

@@ -6,7 +6,7 @@
 
 int main(void) {
   const uint8_t pwd[]="shitty password";
-  const uint8_t secret[SPHINX_255_SCALAR_BYTES]={1};
+  const uint8_t secret[SPHINX_255_SCALAR_BYTES]={2};
   const uint8_t salt[crypto_pwhash_SALTBYTES]={1};
   uint8_t bfac[SPHINX_255_SCALAR_BYTES],
     chal[SPHINX_255_SER_BYTES],
@@ -17,7 +17,7 @@ int main(void) {
   if(0!=sphinx_respond(chal, secret, resp)) {
     return 1;
   }
-  if(0!=sphinx_finish(pwd, strlen((char*) pwd), bfac, resp, salt, rwd)) {
+  if(0!=sphinx_finish(pwd, strlen((char*) pwd), bfac, chal, resp, salt, rwd)) {
     return 1;
   }