Use passkeys PRF extension as improvement/alternative

[yackermann]

Passkeys now support PRF extension which means that if the app is has passkey registered with it (with the user app identity, and not web), then you can use PRF extension by passing Phone+Pin and retrieve a seed for KDF, which then can be used to create encrypted payload, and stored in opaque location, or even offline/backup services.

The passkeys themselves provide pre-authorization, and rate limiting.

We just released a whole whitepaper on it

https://www.daryascam.info/White-Paper-Killing-messenger-phishing-with-passkeys-blackjack-and-hybrid-141cf1aba98e80ea9bcfee7353a22623#15acf1aba98e80c69248c53c89f5d58d

[yackermann]

Step-by-Step Guide for Backup Process

1. Enable Backup in Mobile App
   • Enter backup PIN or Password.
2. Obtain Challenge from Backup Bucket
   • The mobile app communicates with the Messenger Backup Bucket to request a challenge, a random string used to perform challenge response check, and protect against replay attack.
3. Compute Salt in Mobile App
   • Compute recoverySalt using the formula:HMAC(HASH(Normalized phone number), HASH(PIN or Password)).
4. Generate Passkey Assertion
   • The mobile app generates a passkey assertion with the PRF (Pseudorandom Function) extension, and prf.salt1 set to recoverySalt
5. User Consent
   • Prompt: The user provides consent to proceed.
6. Extract PRF Secret and Derive Keys
   • Extract the PRF secret.
   • Derive three 32-byte keys: idk (Identity Key), mack (Message Authentication Code Key), enck (Encryption Key)
7. Serialize App Data
   • Serialise the app identity, including app private key, messages, and optionally files, etc
8. Encrypt and Secure Data
   • Encrypt-then-MAC using enck and mack.
   • Derive the recovery index using the formula:HMAC(idk, HASH(credId)).
9. Sign Encrypted Payload
   • Sign the encrypted payload, and x962 passkey public key with app private key
10. Send Payload to Messenger Backup Bucket
    • The mobile app sends asserti the signed payload to the Messenger Backup Bucket.
11. Validate App and Passkey
    • Validate that the app's public key exists in the Messenger Broker.
    • Validate the AppKey signature.
    • Validate the passkey signature against signed payload.
    • (Optional) Validate device app attestation, to prevent enumeration, and malicious app access.
12. Save Encrypted Blob
    • The Messenger Backup Bucket saves the encrypted blob.
13. Confirm Backup Success
    • The Messenger Backup Bucket sends an "OK" confirmation back to the mobile app.

[yackermann]

And for recovery

Step-by-Step Guide: Recovering Messenger Account with Passkey and PRF

1. Enter Phone Number and PIN/Password
   • The user enters their phone number and PIN or password into the mobile app.
2. Obtain Challenge
   • The mobile app communicates with the Messenger Backup Bucket to obtain a recovery challenge.
3. Compute Salt in Mobile App
   • Compute recoverySalt using the formula:HMAC(HASH(Normalized phone number), HASH(PIN or Password)).
4. Generate Passkey Assertion
   • The mobile app generates a passkey assertion with the PRF (Pseudorandom Function) extension, and prf.salt1 set to recoverySalt
5. User Consent
   • The user provides consent to proceed with the recovery process.
6. Extract PRF Secret and Derive Keys
   • Extract the PRF secret.
   • Derive three 32-byte keys: idk (Identity Key), mack (Message Authentication Code Key), enck (Encryption Key)
7. Derive Recovery Index
   • The mobile app derives the recovery index (rid) using the formula:HMAC(idk, HASH(credId)).
8. Send Recovery Request
   • The mobile app sends the signed payload to the Messenger Backup Bucket at the endpoint /blob/${rid}.
9. Validate Request
   • The Messenger Backup Bucket checks if a blob exists for the provided recovery index.
   • It the validates the passkey signature.
   • If either fails a generic error must be returned to prevent blob enumeration
   • (Optional) Validate device app attestation, to prevent enumeration, and malicious app access.
10. Retrieve Backup Blob
    • If validation succeeds, the Messenger Backup Bucket returns the encrypted blob to the mobile app.
11. Decrypt Backup Blob
    • The mobile app authenticates and decrypts the blob using:
      • mack for message authentication.
      • enck for decryption.
12. Recovery Success
    • The mobile app informs the user that account recovery was successful.