That sounds like the application param is still used as part of the process though? Would allowing the user to specify the application work in the Solokey case? What is stored in the private keyfile? The documentation says no private key is stored there. So is it just information used to reseed the public/private key? Thanks, Kevin ________________________________________ From: openssh-unix-dev <openssh-unix-dev-bounces+kevin.fox=pnnl.gov at mindrot.org> on behalf of Christian Weisgerber <naddy at mips.inka.de> Sent: Thursday, January 2, 2020 3:42 PM To: openssh-unix-dev at mindrot.org Subject: Re: u2f seed On 2020-01-02, "Fox, Kevin M" <Kevin.Fox at pnnl.gov> wrote:> In the u2f protocol, my understanding is in the normal case, the web browser seeds the keypair process with the hostname of the remote server. In the case of ssh, the hostname is probably not what I would want to do. But the u2f protocol seems to have a way to handle this.There is no guarantee that the U2F token derives the key pair in a deterministic fashion from the challenge/application parameters passed during registration. For instance, if I read the firmware code correctly, the Solokey creates the key material using its built-in random number generator and only uses its master secret and the application parameter to wrap the key for the key handle. -- Christian "naddy" Weisgerber naddy at mips.inka.de _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org https://protect2.fireeye.com/v1/url?k=c4371812-988227ab-c4373207-0cc47adc5fce-56c2948a65834232&q=1&e=0f45e6c0-4544-44ae-af8d-3d64af881ea7&u=https%3A%2F%2Flists.mindrot.org%2Fmailman%2Flistinfo%2Fopenssh-unix-dev
On 2020-01-02, "Fox, Kevin M" <Kevin.Fox at pnnl.gov> wrote:> That sounds like the application param is still used as part of the process though? Would allowing the user to specify the application work in the Solokey case?Let's cut this short without losing ourselves in details: Even if you resend exactly the same U2F registration message, the token may still create a different key pair. Only a very minimal U2F token without an on-board RNG might derive the key pair purely from the parameters in the registration message; I don't know if any such devices exist. This actually made me curious and I checked the simple FIDO1 U2F token I have here (HyperFIDO Titanium): It issues a different key pair each time, even if the registration message is exactly the same. As would the Solokey. Every time you run "ssh-keygen -t ecdsa-sk", the token will give you a different key pair, and this is enforced by the token itself.> What is stored in the private keyfile? The documentation says no private key is stored there. So is it just information used to reseed the public/private key?The OpenSSH private key file stores the U2F key handle. The key handle is an opaque blob which you need to pass back to the token so it can find the private key. -- Christian "naddy" Weisgerber naddy at mips.inka.de
How does a u2f website then authenticate the same user, with the same keyfob, on a different machine? If that actually works, then we should be able to use the same mechanism. Maybe it doesn't, and some people are going to be locked out of their account when their machine fails and they have to go to another one. portability was one of the selling points of u2f though I thought. Maybe I'll try and dig up the u2f spec and see if there is any detail in it. Thanks, Kevin ________________________________________ From: openssh-unix-dev <openssh-unix-dev-bounces+kevin.fox=pnnl.gov at mindrot.org> on behalf of Christian Weisgerber <naddy at mips.inka.de> Sent: Friday, January 3, 2020 5:01 AM To: openssh-unix-dev at mindrot.org Subject: Re: u2f seed On 2020-01-02, "Fox, Kevin M" <Kevin.Fox at pnnl.gov> wrote:> That sounds like the application param is still used as part of the process though? Would allowing the user to specify the application work in the Solokey case?Let's cut this short without losing ourselves in details: Even if you resend exactly the same U2F registration message, the token may still create a different key pair. Only a very minimal U2F token without an on-board RNG might derive the key pair purely from the parameters in the registration message; I don't know if any such devices exist. This actually made me curious and I checked the simple FIDO1 U2F token I have here (HyperFIDO Titanium): It issues a different key pair each time, even if the registration message is exactly the same. As would the Solokey. Every time you run "ssh-keygen -t ecdsa-sk", the token will give you a different key pair, and this is enforced by the token itself.> What is stored in the private keyfile? The documentation says no private key is stored there. So is it just information used to reseed the public/private key?The OpenSSH private key file stores the U2F key handle. The key handle is an opaque blob which you need to pass back to the token so it can find the private key. -- Christian "naddy" Weisgerber naddy at mips.inka.de _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org https://protect2.fireeye.com/v1/url?k=102d876a-4c98b8d3-102dad7f-0cc47adc5fce-f963eec20cc653fd&q=1&e=445ca71b-c946-44b4-a663-d2d3fc1f288f&u=https%3A%2F%2Flists.mindrot.org%2Fmailman%2Flistinfo%2Fopenssh-unix-dev