Displaying 12 results from an estimated 12 matches for "key_handle".
2020 Jul 26
2
Automatic FIDO2 key negotiation (request for comments)
...> Firstly, would the following or some combination thereof be
> > possible or is there an obvious impediment. Secondly, if it proved
> > possible are the maintainers open to a patch providing it?
> >
> > 1. Update the SSH ecdsa-sk public key type to contain the
> > key_handle and other relevant details (it doesn't contain sensitive
> > information or accessible key material so this is safe to do)
> > 2. Add a method to send a list of understood *-sk" publickeys from
> > authorized_keys to the client
>
> I'm not keen on making the pu...
2020 Jul 20
3
Automatic FIDO2 key negotiation (request for comments)
At present, whenever non-resident keys are used, the key_handle required
to use the token must be given by selecting the ssh 'private key' file
generated by ssh-keygen during negotiation.
In the more common webauthn context this key_handle would be stored on
the server and then transmitted to the client during authentication.
The client then checks con...
2019 Dec 07
2
Agent protocol changes related to U2F/FIDO2 keys
...e
ec_point Q
string application
uint64 serial
uint32 type
string key id
string valid principals
uint64 valid after
uint64 valid before
string critical options
string extensions
string reserved
string signature key
string signature
string application
uint8 flags
string key_handle
string reserved
If the intent was to avoid duplicating what was already in the certificate, though, I'm not sure why "application" is sent twice. It seems like that should have been left out along with the curve_id and Q value, appending only the flags, key_handle, and reserved values from the p...
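As an added example (not code from the post or from OpenSSH), the field list quoted above can be turned into an SSH wire-format encoder and strict parser. The snippet is cut off before Q, so the leading fields (key type name, nonce, curve name) are left out; every value below is constructed for illustration, the field names are this example's own, and the point it makes concrete is the one the post raises: "application" is carried twice, once inside the certificate body and once in the appended sk fields, so a parser has two copies it can cross-check.

```python
import struct

# Field layout for the sk-ecdsa certificate blob as listed in the post above.
# The snippet is cut off before Q, so the leading fields (key type name,
# nonce, curve name) are not modelled here. Wire types follow SSH rules:
# "string" and "ec_point" are a big-endian uint32 length followed by that
# many bytes; uint64/uint32/uint8 are big-endian integers.
CERT_SK_FIELDS = (
    ("Q", "string"),
    ("application", "string"),
    ("serial", "uint64"),
    ("type", "uint32"),
    ("key_id", "string"),
    ("valid_principals", "string"),
    ("valid_after", "uint64"),
    ("valid_before", "uint64"),
    ("critical_options", "string"),
    ("extensions", "string"),
    ("reserved", "string"),
    ("signature_key", "string"),
    ("signature", "string"),
    ("application_sk", "string"),   # second copy of application, after the cert
    ("flags", "uint8"),
    ("key_handle", "string"),
    ("reserved_sk", "string"),
)

_INT_FMT = {"uint64": ">Q", "uint32": ">I", "uint8": ">B"}

def encode_field(kind, value):
    """Encode one value in SSH wire format."""
    if kind == "string":
        return struct.pack(">I", len(value)) + value
    return struct.pack(_INT_FMT[kind], value)

def encode_blob(fields, values):
    """Serialise values (dict keyed by field name) in the order fields gives."""
    return b"".join(encode_field(kind, values[name]) for name, kind in fields)

def decode_blob(fields, data):
    """Parse data by fields; reject truncated input and trailing bytes."""
    out, off = {}, 0
    for name, kind in fields:
        if kind == "string":
            if off + 4 > len(data):
                raise ValueError("truncated length prefix in " + name)
            (n,) = struct.unpack_from(">I", data, off)
            off += 4
            if off + n > len(data):
                raise ValueError("truncated string body in " + name)
            out[name] = data[off:off + n]
            off += n
        else:
            fmt = _INT_FMT[kind]
            size = struct.calcsize(fmt)
            if off + size > len(data):
                raise ValueError("truncated " + kind + " in " + name)
            (out[name],) = struct.unpack_from(fmt, data, off)
            off += size
    if off != len(data):
        raise ValueError("%d trailing bytes after last field" % (len(data) - off))
    return out

def application_copies_agree(decoded):
    """Both copies of application must match; a mismatch means the certificate
    body and the appended sk fields describe different keys."""
    return decoded["application"] == decoded["application_sk"]

# Constructed sample values: not a real key, certificate, signature or handle.
SAMPLE_KEY_HANDLE = bytes(range(0x10, 0x50))
SAMPLE_VALUES = {
    "Q": b"\x04" + b"\x11" * 32 + b"\x22" * 32,   # shape of an uncompressed P-256 point
    "application": b"ssh:",
    "serial": 1,
    "type": 1,                                      # 1 = user certificate in OpenSSH certs
    "key_id": b"example-key",
    "valid_principals": encode_field("string", b"alice"),
    "valid_after": 0,
    "valid_before": 0xFFFFFFFFFFFFFFFF,
    "critical_options": b"",
    "extensions": b"",
    "reserved": b"",
    "signature_key": b"ca-public-key-placeholder",
    "signature": b"signature-placeholder",
    "application_sk": b"ssh:",
    "flags": 0x01,                                  # 0x01 = user presence required
    "key_handle": SAMPLE_KEY_HANDLE,
    "reserved_sk": b"",
}

def build_sample_blob():
    return encode_blob(CERT_SK_FIELDS, SAMPLE_VALUES)

if __name__ == "__main__":
    parsed = decode_blob(CERT_SK_FIELDS, build_sample_blob())
    print("key_handle:", parsed["key_handle"].hex())
    print("application copies agree:", application_copies_agree(parsed))
```

The decoder refuses both truncated input and trailing bytes, which is the behaviour you want from anything that consumes agent messages: a blob whose length prefixes do not add up to its size should be rejected rather than silently reinterpreted.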
2014 Jan 10
4
[PATCH] Add a minimal hive with "special" keys and values
...ng(&root_key_name, L"\\Registry\\Machine\\minimal");
+ OBJECT_ATTRIBUTES root_key_obj;
+ InitializeObjectAttributes (&root_key_obj, &root_key_name,
+ OBJ_OPENIF | OBJ_CASE_INSENSITIVE,
+ NULL, NULL);
+ HANDLE minimal_key_handle;
+ rc = ZwCreateKey (&minimal_key_handle, KEY_ALL_ACCESS, &root_key_obj,
+ 0, NULL, REG_OPTION_NON_VOLATILE, NULL);
+ if (!NT_SUCCESS (rc)) {
+ printf("error: CreateKey <HKLM\\minimal>: 0x%08x\n", rc);
+ exit(1);
+ }
+
+ UNICODE_STRING key_name =...
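Review bot: with OBJ_OPENIF in the object attributes, ZwCreateKey silently opens an existing \Registry\Machine\minimal instead of failing, and because the key is created REG_OPTION_NON_VOLATILE it survives reboots, so a leftover key from an earlier run would be reused with whatever subkeys and values it already holds. Either delete the key before creating it, or pass a ULONG for the final Disposition argument (currently NULL) and treat anything other than REG_CREATED_NEW_KEY as an error. A small point in the same hunk: the failure message names the key as HKLM\minimal while the code opens \Registry\Machine\minimal; printing the object name actually used avoids confusion when the call fails.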
2014 Jan 13
0
Re: [PATCH 1/7] Add a minimal hive with "special" keys and values
...gt; + UNICODE_STRING value_name = { val_len, val_len, val };
> + OBJECT_ATTRIBUTES key_obj;
> + InitializeObjectAttributes (&key_obj, &key_name,
> + OBJ_OPENIF | OBJ_CASE_INSENSITIVE,
> + *handle, NULL);
> + HANDLE key_handle;
> + NTSTATUS rc;
> + rc = ZwCreateKey (&key_handle, KEY_ALL_ACCESS, &key_obj,
> + 0, NULL, REG_OPTION_NON_VOLATILE, NULL);
> + if (!NT_SUCCESS (rc)) {
> + wprintf(L"error: CreateKey %s: 0x%08x\n", key, rc);
> + exit(1);
> + }
>...
2014 Jan 10
14
[PATCH 1/7] Add a minimal hive with "special" keys and values
...= { key_len, key_len, key };
+ UNICODE_STRING value_name = { val_len, val_len, val };
+ OBJECT_ATTRIBUTES key_obj;
+ InitializeObjectAttributes (&key_obj, &key_name,
+ OBJ_OPENIF | OBJ_CASE_INSENSITIVE,
+ *handle, NULL);
+ HANDLE key_handle;
+ NTSTATUS rc;
+ rc = ZwCreateKey (&key_handle, KEY_ALL_ACCESS, &key_obj,
+ 0, NULL, REG_OPTION_NON_VOLATILE, NULL);
+ if (!NT_SUCCESS (rc)) {
+ wprintf(L"error: CreateKey %s: 0x%08x\n", key, rc);
+ exit(1);
+ }
+ DWORD value = 0;
+ rc = ZwSetValueK...
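Review bot: the error path, wprintf(L"error: CreateKey %s: 0x%08x\n", key, rc), cannot print the names this patch exists to handle: key is a UTF-16 buffer that may contain embedded nulls, and a %s conversion stops at the first one, so the message silently truncates. The conversion is also toolchain-dependent, since %s inside wprintf means wchar_t* under MSVC but char* under MinGW; %ls is unambiguous, and for a name with embedded nulls printing key_len bytes in hex (or looping over the characters) is the only way to show the whole thing. Related: UNICODE_STRING.Length and MaximumLength are byte counts, so key_len and val_len in { key_len, key_len, key } and { val_len, val_len, val } must be byte lengths rather than character counts; a comment where they are computed would make that explicit for reviewers.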
2014 Jan 14
2
Re: [PATCH 1/7] Add a minimal hive with "special" keys and values
...ue_name = { val_len, val_len, val };
> > + OBJECT_ATTRIBUTES key_obj;
> > + InitializeObjectAttributes (&key_obj, &key_name,
> > + OBJ_OPENIF | OBJ_CASE_INSENSITIVE,
> > + *handle, NULL);
> > + HANDLE key_handle;
> > + NTSTATUS rc;
> > + rc = ZwCreateKey (&key_handle, KEY_ALL_ACCESS, &key_obj,
> > + 0, NULL, REG_OPTION_NON_VOLATILE, NULL);
> > + if (!NT_SUCCESS (rc)) {
> > + wprintf(L"error: CreateKey %s: 0x%08x\n", key, rc);
> >...
2019 Dec 07
2
Another U2F documentation issue
...l message used
> to add PKCS#11 keys to ssh-agent does not include any way to send the
> key handle to the agent as U2F keys require.
However, the extension described there has nothing to do with sending the key handle. In fact, all of the necessary fields (public key, application, flags, and key_handle) are already encoded in the private key blob (and appended to the certificate blob when certificates are being imported). The extension only communicates the path to the middleware library to use, not the additional key information such as the key handle.
If you had ssh-agent pick up the locat...
2019 Dec 03
2
U2F support in OpenSSH HEAD
...ecifically, that doc says:
> In addition to the message to be signed, the U2F signature operation
> requires a few additional parameters:
>
> byte control bits (e.g. "user presence required" flag)
> byte[32] SHA256(message)
> byte[32] SHA256(application)
> byte key_handle length
> byte[] key_handle
This isn't really the format that these parameters are provided during a signing operation, though, at least not to the middleware library documented later in the doc. You may just want to leave this part of the description out, or at least sync it up a bit better w...
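The parameter list quoted in this post is the layout of a raw U2F authentication request (control byte, SHA256 of the message, SHA256 of the application, one-byte key_handle length, key_handle). As an added example, not code from the post, from OpenSSH or from any middleware, the block below builds that request from its inputs, parses it back with strict length checks, and shows why the one-byte length field caps a key handle at 255 bytes. The control-byte constants and their names are taken from the FIDO U2F raw message format specification, not from the page; the sample message, application and key handle are constructed.

```python
import hashlib
import struct

# Control byte values as defined in the FIDO U2F raw message format spec.
# The names are the spec's; the post only says "control bits".
U2F_AUTH_CHECK_ONLY = 0x07
U2F_AUTH_ENFORCE_USER_PRESENCE_AND_SIGN = 0x03
U2F_AUTH_DONT_ENFORCE_USER_PRESENCE_AND_SIGN = 0x08

CHALLENGE_PARAM_LEN = 32      # SHA256(message)
APPLICATION_PARAM_LEN = 32    # SHA256(application)
_HEADER_LEN = 1 + CHALLENGE_PARAM_LEN + APPLICATION_PARAM_LEN + 1

def build_auth_request(control, message, application, key_handle):
    """Lay the parameters out in the order the quoted list gives: control
    byte, SHA256(message), SHA256(application), key_handle length, key_handle."""
    if not 0 <= control <= 0xFF:
        raise ValueError("control byte out of range")
    if len(key_handle) > 0xFF:
        # The length field is a single byte, so longer handles cannot be sent.
        raise ValueError("key_handle longer than 255 bytes cannot be encoded")
    return (struct.pack(">B", control)
            + hashlib.sha256(message).digest()
            + hashlib.sha256(application).digest()
            + struct.pack(">B", len(key_handle))
            + key_handle)

def parse_auth_request(data):
    """Inverse of build_auth_request; rejects short or over-long input."""
    if len(data) < _HEADER_LEN:
        raise ValueError("request shorter than the fixed header")
    control = data[0]
    challenge = data[1:1 + CHALLENGE_PARAM_LEN]
    app_param = data[1 + CHALLENGE_PARAM_LEN:_HEADER_LEN - 1]
    kh_len = data[_HEADER_LEN - 1]
    key_handle = data[_HEADER_LEN:_HEADER_LEN + kh_len]
    if len(key_handle) != kh_len:
        raise ValueError("key_handle truncated")
    if len(data) != _HEADER_LEN + kh_len:
        raise ValueError("trailing bytes after key_handle")
    return {"control": control, "challenge_param": challenge,
            "application_param": app_param, "key_handle": key_handle}

def matches_application(request, application):
    """The token only ever sees SHA256(application); the side that builds the
    request (the SSH client here) checks the hash is for the application it
    expects before trusting a signature over it."""
    return request["application_param"] == hashlib.sha256(application).digest()

# Constructed sample inputs (not real challenge, application or handle data).
SAMPLE_MESSAGE = b"constructed challenge bytes"
SAMPLE_APPLICATION = b"ssh:"
SAMPLE_KEY_HANDLE = bytes(range(64))

def build_sample_request():
    return build_auth_request(U2F_AUTH_ENFORCE_USER_PRESENCE_AND_SIGN,
                              SAMPLE_MESSAGE, SAMPLE_APPLICATION, SAMPLE_KEY_HANDLE)

if __name__ == "__main__":
    req = build_sample_request()
    print("request length:", len(req))
    print("parsed:", {k: (v.hex() if isinstance(v, bytes) else v)
                      for k, v in parse_auth_request(req).items()})
```

Note that neither side ever transmits the application string itself, only its hash, which is why the application (and the key_handle) have to be stored with the key on the client side for a non-resident credential.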
2014 Jan 08
5
hivex: Make node names and value names with embedded null characters accessible
On Windows, there exist at least two APIs for dealing with the
Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works
with null-terminated ASCII or UTF-16 strings. The native API
(ZwCreateKey, etc.), on the other hand works with UTF-16 strings that
are stored as buffers+length and may contain null characters. Malware
authors have been relying on the Win32 API's inability to
2019 Nov 01
10
U2F support in OpenSSH HEAD
Hi,
As of this morning, OpenSSH now has experimental U2F/FIDO support, with
U2F being added as a new key type "sk-ecdsa-sha2-nistp256@openssh.com"
or "ecdsa-sk" for short (the "sk" stands for "security key").
If you're not familiar with U2F, this is an open standard for making
inexpensive hardware security tokens. These are easily the cheapest way
2020 Sep 04
3
Incomplete attestation data for FIDO2 SKs?
I was recently looking at verifying the attestation data
(ssh-sk-attest-v00) for a SK key, but I believe the data saved in this
structure is insufficient for completing verification of the attestation.
While the structure has enough information for U2F devices, FIDO2 devices
sign their attestation over a richer "authData" blob [1] (concatenated with
the challenge hash). The authData blob