Closed Bug 1036393 Opened 10 years ago Closed 10 years ago

FindMyDevice authentication hardening: Store pre-shared key only in the client

Categories

(Firefox OS Graveyard :: FindMyDevice, defect)

Product:
Firefox OS Graveyard
Component:
FindMyDevice
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1040315

People

(Reporter: freddy, Assigned: jrconlin)

References

Details

(Keywords: sec-want) 

Just a wild idea:
Since FMD is using Hawk, it relies on a pre-shared key that only the server and the client have.
If somebody compromises the server (hopefully rather unlikely), they might compromise the security of all devices using the pre-shared keys in the database.

My suggestion is that the webapp does not store the HAWK key but derives it from information the user gives on login (I think FxA does something similar with the session token). The derived key would only be available when a user is logged in: the webapp relies on a logged-in user to do generate the HAWK-signature for it. (either directly with message passing or by storing the key in memory for a certain while).
To GGP for evaluation.
Assignee: nobody → ggoncalves
Sounds like a cool enhancement, but it looks like it affects the server-side much more than client-side, so I'll assign to JR and we can discuss this after 2.0.
Assignee: ggoncalves → jrconlin
Let's go with bug 1040315
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.