
I've heard that hardware keys like Yubikey are phishing resistant. But I do not understand where a phished man-in-the-middle attack, which tries to "forward" the whole communication, fails in that scenario.

I'm imagining the attacker opens a live connection to the target site and forwards every little bit of information to the victim while displaying a fake website. That fake website would somehow need to certify to the victim's browser as the real one by forwarding that communication, too. Eventually the victim is asked to press his hardware key button and the attacker forwards every communication again.

So if you are a skilled hacker who has full control over the internet communication, at which step is the hacker unable to play a transparent man-in-the-middle?

I could imagine the answer is that either the communication must be encrypted up to the victim and the hacker cannot decrypt, or the hacker sets up an unencrypted end, but is unable to re-encrypt it while the user's browser is asking for encryption. But not sure how to make sense of it.

(What are the names of phishing resistant methods of hardware keys? Webauthn, challenge-response, ...?)

I do refer to the U2F mode only and I suggest that the attacker tries to certify as the real domain by "forwarding communication" - if that is possible.

Gere
  • Does this answer your question? [Is a hardware based 2FA more resistant to phishing than SMS or TOTP?](https://security.stackexchange.com/questions/261349/is-a-hardware-based-2fa-more-resistant-to-phishing-than-sms-or-totp). In short: hardware is not in general phishing resistant (i.e. hardware based TOTP or HOTP are not) but authentication bound to the domain is (U2F) - which comes also in the form of hardware tokens. – Steffen Ullrich Feb 19 '23 at 07:54
  • @SteffenUllrich I had read through that answer, but I do not see where it demonstrates the failure of man-in-the-middle attacks. I added the scenario that the attacker "forwards everything" including the domain certification somehow. In my question I do mean U2F only. – Gere Feb 19 '23 at 08:00

1 Answer

> I do refer to the U2F mode only and I suggest that the attacker tries to certify as the real domain by "forwarding communication" - if that is possible.

This is not possible.

U2F is bound to the target domain - see here for details. This means classical phishing with a different (but often similar) domain to trick the victim is not possible. Instead the attacker needs to impersonate the exact target domain, like using DNS spoofing or being in the path of the connection to the target domain. Assuming the attacker manages to do this (which usually isn't the case with phishing) then there are two options: passive forwarding of the (encrypted) traffic to the target domain or active man in the middle (MITM).

If the attacker only forwards the encrypted connection to the original domain, then no harm is done since the attacker can neither sniff nor modify the traffic to the original domain, in order to sniff and/or modify the unprotected communication. This means the phishing attempt could not achieve its goal of stealing credentials or misusing an authenticated session this way.

In order to actually extract the credentials or misuse the already authenticated connection for their own purpose, the attacker needs to MITM the TLS connection to the original domain. This can only be done if the user device or its trusted environment is already compromised by the attacker. A phishing attack cannot assume that this is the case and a phishing attack would not be needed if the attacker can already MITM the traffic.

Steffen Ullrich
  • Could you please describe the rough steps of connection authentication and highlight what is impossible, if the attacker has all technical expertise to forward whatever he wishes in both directions? I assume the user device is not compromised and the attacker can only communicate by network from a remote machine. – Gere Feb 19 '23 at 09:32
  • @Gere: I've extended the answer. I don't describe how U2F works in technical detail though - there are enough resources about this and I link to one. The relevant part here is that U2F is bound to the domain so the attacker needs to impersonate the original domain. – Steffen Ullrich Feb 19 '23 at 09:49
  • I can imagine how U2F is tied to a domain. But how is the step before U2F where a connection to a domain is established protected from a sophisticated MITM attack? Is there a short explanation or a reference you know? And is the connection to the domain safe even if the MITM is between the ISP and the victim's computer and hence in full control of the network traffic (but not the victim's computer)? I assume that encrypted DNS is used. – Gere Feb 19 '23 at 12:12
  • @Gere: *"But how is the step before U2F where a connection to a domain is established protected from a sophisticated MITM attack?"* - this is a completely different question and has nothing to do with phishing. It is instead about the security TLS/HTTPS provides against MITM. There are several questions here about this, like https://security.stackexchange.com/questions/94331/why-doesnt-dns-spoofing-work-against-https-sites – Steffen Ullrich Feb 19 '23 at 12:25
  • "If the attacker only forwards the encrypted connection to the original domain, then no harm is done since the attacker can neither sniff nor modify the traffic to the original domain" There's still a slight risk from side-channel disclosure, and by routing (encrypted) traffic directly through the threat actor you enhance his ability to do side-channel analyses. – Ben Voigt Feb 20 '23 at 16:30
  • @BenVoigt: I don't think that this "slight risk" is relevant in practice. The encrypted traffic needs to be resistant against observation by many untrusted parties anyways, i.e. public WiFi, ISP .. and also government agencies. – Steffen Ullrich Feb 20 '23 at 17:10
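
The domain binding discussed in the answer above, as an added example that is not part of the original posts: a simplified model of a U2F-style token, browser and relying party (no counter or user-presence byte, and not a FIDO library). The class and function names and both origins are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();

// Model token: each key pair is stored with the hash of the origin (appId) it was registered for.
class Token {
  constructor() { this.keys = new Map(); }
  register(appId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    const keyHandle = nodeCrypto.randomBytes(16).toString('hex');
    this.keys.set(keyHandle, { privateKey, appParam: sha256(appId) });
    return { keyHandle, publicKey };
  }
  sign(keyHandle, appId, clientData) {
    const k = this.keys.get(keyHandle);
    if (!k || !k.appParam.equals(sha256(appId))) return null; // key not valid for this origin
    return nodeCrypto.sign('sha256', Buffer.concat([k.appParam, sha256(clientData)]), k.privateKey);
  }
}

// Browser: fills in the origin itself, from the page whose TLS certificate it validated.
function browserSign(token, pageOrigin, keyHandle, challenge) {
  const clientData = JSON.stringify({ challenge, origin: pageOrigin });
  const signature = token.sign(keyHandle, pageOrigin, clientData);
  return signature ? { clientData, signature } : null;
}

// Relying party: checks challenge, origin and the signature that covers both.
function rpVerify(origin, publicKey, challenge, resp) {
  if (!resp) return false;
  const cd = JSON.parse(resp.clientData);
  if (cd.challenge !== challenge || cd.origin !== origin) return false;
  const signed = Buffer.concat([sha256(origin), sha256(resp.clientData)]);
  return nodeCrypto.verify('sha256', signed, publicKey, resp.signature);
}

function runScenarios() {
  const REAL = 'https://login.example.test', FAKE = 'https://login.examp1e.test'; // constructed
  const token = new Token();
  const real = token.register(REAL);
  const challenge = nodeCrypto.randomBytes(16).toString('hex'); // issued by the real site
  const direct = rpVerify(REAL, real.publicKey, challenge, browserSign(token, REAL, real.keyHandle, challenge));
  // Relay: the look-alike page passes the real challenge and key handle to the victim's browser.
  const relayed = rpVerify(REAL, real.publicKey, challenge, browserSign(token, FAKE, real.keyHandle, challenge));
  // Victim also registered the token at the look-alike site; the origin field is rewritten afterwards.
  const fake = token.register(FAKE);
  const r = browserSign(token, FAKE, fake.keyHandle, challenge);
  const forged = { clientData: r.clientData.replace(FAKE, REAL), signature: r.signature };
  return { direct, relayed, forged: rpVerify(REAL, real.publicKey, challenge, forged) };
}
```

Only the direct login verifies. The relayed request is refused by the token because the key handle belongs to a different origin, and the rewritten response fails signature verification at the relying party.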