Re: u2f seed

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 2020-01-02, "Fox, Kevin M" <Kevin.Fox@xxxxxxxx> wrote:

> That sounds like the application param is still used as part of the process though? Would allowing the user to specify the application work in the Solokey case?

Let's cut this short without losing ourselves in details: Even if
you resend exactly the same U2F registration message, the token may
still create a different key pair.  Only a very minimal U2F token
without an on-board RNG might derive the key pair purely from the
parameters in the registration message; I don't know if any such
devices exist.

This actually made me curious and I checked the simple FIDO1 U2F
token I have here (HyperFIDO Titanium): It issues a different key
pair each time, even if the registration message is exactly the
same.  As would the Solokey.

Every time you run "ssh-keygen -t ecdsa-sk", the token will give
you a different key pair, and this is enforced by the token itself.

> What is stored in the private keyfile? The documentation says no private key is stored there. So is it just information used to reseed the public/private key?

The OpenSSH private key file stores the U2F key handle.  The key
handle is an opaque blob which you need to pass back to the token
so it can find the private key.

-- 
Christian "naddy" Weisgerber                          naddy@xxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux