[Resource Topic] 2024/935: MFKDF: Multiple Factors Knocked Down Flat

Welcome to the resource topic for 2024/935

Title: MFKDF: Multiple Factors Knocked Down Flat

Authors: Matteo Scarlata, Matilda Backendal, Miro Haller

Abstract:

Nair and Song (USENIX 2023) introduce the concept of a Multi-Factor Key Derivation Function (MFKDF), along with constructions and a security analysis.
MFKDF integrates dynamic authentication factors, such as HOTP and hardware tokens, into password-based key derivation.
The aim is to improve the security of password-derived keys, which can then be used for encryption or as an alternative to multi-factor authentication.
The authors claim an exponential security improvement compared to traditional password-based key derivation functions (PBKDF).

We show that the MFKDF constructions proposed by Nair and Song fall short of the stated security goals.
Underspecified cryptographic primitives and the lack of integrity of the MFKDF state lead to several attacks, ranging from full key recovery when an HOTP factor is compromised, to bypassing factors entirely or severely reducing their entropy.
We reflect on the different threat models of key-derivation and authentication, and conclude that MFKDF is always weaker than plain PBKDF and multi-factor authentication in each setting.

ePrint: https://eprint.iacr.org/2024/935

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.