Today, we are happy to announce the launch of a brand new authentication system for ProtonMail’s secure email service using just a single password.
ProtonMail launched with a two-password system—one to authenticate the user to ProtonMail, and one to decrypt the mail. The security benefit provided by this separation is easy to understand, but it has multiple usability issues.
First, two passwords are more difficult to remember than one, and it contributes to users losing access to their accounts and mail. Second, it tends to confuse password managers, one of the best ways to organize and secure passwords. Third, it makes two-factor authentication (a best-practice method to securing online accounts) a very onerous process, as the user has to enter both passwords and a two-factor code to log in.
At ProtonMail, our mission to is make secure communication easy-to-use and secure. In pursuit of these goals, we are happy to introduce both one-password and two-factor authentication support with ProtonMail 3.6.0. While ProtonMail’s authentication system has been completely redesigned, these changes are transparent to end users, and we will continue to support the legacy two-password mode.
Our basic assumption is that all servers can be compromised, and that sooner or later, ProtonMail will also be compromised. Incidents like the Yahoo breach are not isolated, and will gradually become the norm over the next decade. This is the fundamental philosophy behind our Zero Knowledge Architecture. By utilizing client side end-to-end encryption, we ensure that we do not have the ability to decrypt your emails, and thus, your communications would also be inaccessible to any attacker who does manage to breach our systems. This same philosophy was also applied when we redesigned our authentication system.
How does One-Password Mode work?
In two-password mode, there is a login password and a mailbox password. The login password authenticates the user to ProtonMail and is not stored by the client. The server will occasionally ask the user for the login password to confirm sensitive settings changes, such as password changes. The mailbox password, however is cached on the client, as it is only used to decrypt mail. Simply making the login password the same as the mailbox password is a problem, because then there is no barrier to account takeover for someone with physical possession of your device and some technical know-how.
In ProtonMail’s one-password mode, the mailbox password is derived from the login password via a one-way cryptographic password hash. The input to this hash includes a salt provided by the server on login but not stored in the client. In this way, compromise of the mailbox password does not automatically lead to compromise of the login password.
In this scheme, however, the login password cannot be sent to ProtonMail directly, as it can be used to calculate the mailbox password and thus decrypt mail. To solve this problem, we have re-engineered our entire login process to never send the login password to our server, which has the added benefit of helping protect against MITM (man-in-the-middle) attacks.
Secure Remote Password (SRP) Protocol
The Secure Remote Password (SRP) protocol is widely-tested and widely-deployed password-authenticated key agreement (PAKE) protocol which mutually authenticates both the user and server while never sending any password-equivalent data over the network. Authentication attempts cannot be replayed, and the protocol remains secure even in the presence of active tampering by a third party. More information about SRP can be found here and here.
SRP 6a (the latest revision) has been protecting all ProtonMail logins for more than two months now, and with this improvement, we are now able to safely offer one-password mode to our users with no reduction in our security guarantee. When using SRP, even an attacker who can arbitrarily read, modify, delay, destroy, repeat, or fabricate messages between ProtonMail and a user in an undetectable fashion is limited to checking only a single password guess per login attempt, which is equivalent to just trying to log in directly. Even if ProtonMail is compromised and acts maliciously, password equivalent information is never revealed. Thus, with SRP, ProtonMail’s security is greatly strengthened against MITM attacks (particularly for the native clients).
Technical Implementation Details
This section may be difficult to follow without appropriate mathematical and security background and can be skipped.
The security of SRP, like that of Diffie-Hellman, is based on the difficulty of the discrete logarithm problem. One potential issue with this is heavy precomputation via a number field sieve done for a particular modulus to enable faster breaking of the protocol.
For ProtonMail’s implementation we use multiple moduli, randomly chosen every time a user’s password is changed. This offers a number of advantages, notably the possibility of rotating out old moduli with time and limiting the motivation for precomputation, as any modulus would only apply to a subset of users.
To further protect against precomputation, we choose our own primes rather than those recommended by the TLS specification or otherwise commonly used, as these are large targets and almost certainly have been worked on by the world’s security services. We do this by choosing a random 2048-bit integer, setting the top bit to ensure it is large, and picking the first safe prime greater than or equal which has 2 as a generator of the whole group. By using safe primes, we are not vulnerable to backdoored primes. The native (mobile) clients verify the safety of the primes before use, and we also cryptographically sign the moduli to prevent tampering.
2048-bit moduli are used because that proved to be the upper limit that existing web and mobile clients can handle with acceptable performance. This size should be beyond sufficient from a security perspective for the near- and medium-term future and can be increased by rotating in new moduli.
The most widely-used implementation of SRP is TLS-SRP as described in RFC 5054. Our implementation differs from it in several ways, none of which decrease security. First, SHA-1 is a poor password hash function, and in order to migrate our existing password database, we were locked into using bcrypt for this purpose anyway. We do use semi-random password salts (one random part, one non-random part) but do not use the username as the non-random part to enable login with both email addresses and usernames. With bcrypt, password inputs are truncated after 72 characters. For practical purposes, this has no impact on security. As noted above, we also choose our own moduli, and the entire transaction is embedded inside certificate-based TLS for added security.
There exist other PAKE schemes in addition to SRP. We chose SRP because it has been battle-tested, is well known, has many existing implementations, has thorough documentation about pitfalls to avoid, and no patent issues. A promising alternative scheme in the future may be AugPAKE, which benefits from the existence of a security proof (Edit on April 11th, 2017: this proof may be flawed, so any transition is on-hold indefinitely until the situation is clarified). We should be able to seamlessly switch to AugPAKE in the future if necessary.
One-password mode is the culmination of many months of behind-the-scenes work to make ProtonMail more secure and easy-to-use than ever. While we will always support two-password mode, one-password mode will be the default for the future and we recommend that existing users consider switching for increased ease-of-use. A step-by-step guide for switching can be found here.
At ProtonMail, we appreciate more deeply than most that security is a rapidly moving target. Threats are constantly evolving, and every month, we see more and more complex attacks launched against ProtonMail. Because of this, we invest a considerable amount of resources on research and development to stay ahead of current and future threats. Most of this work happens behind the scenes, and is not as visible as new features or UI improvements, but nevertheless, they are a critical part of creating a solid secure email service.
If you would like to support these efforts, upgrading to a paid ProtonMail account or donating is a great way to do so. On the security side, our work is never done, so in the coming months, we will be releasing additional security features to make ProtonMail even more secure.
The ProtonMail Team
2016-12-04: Some minor corrections and clarifications.
You can get a free secure email account from ProtonMail here.