Re: Automatic FIDO2 key negotiation (request for comments)

On Tue, 2020-07-21 at 14:47 +1000, Damien Miller wrote:
> On Mon, 20 Jul 2020, Jordan J wrote:
[...]
> > Firstly, would the following or some combination thereof be
> > possible or is there an obvious impediment. Secondly, if it proved
> > possible are the maintainers open to a patch providing it?
> > 
> > 1. Update the SSH ecdsa-sk public key type to contain the
> > key_handle and other relevant details (it doesn't contain sensitive
> > information or accessible key material so this is safe to do)
> > 2. Add a method to send a list of understood "*-sk" public keys from
> > authorized_keys to the client
> 
> I'm not keen on making the public keys contain the key handle. IMO
> being able to offer some protection of the key handle on disk by
> setting a password on the key is valuable and we'd lose that if
> everything were public by default.

Your worry is that webauthn isn't true two factor because it's only
based on a thing you possess rather than both a thing you know and a
thing you possess?  I agree, I've always thought the ability to steal
someone's token was a big flaw in the scheme.  However, it is trivially
fixable: if you encrypt the fido key handle with a passphrase before
sending it to the remote then even if I steal your token, I still can't
use it to access your account because when the remote presents the
encrypted key handle I don't know the passphrase to decrypt it.

This double encryption scheme should work for openssh public keys
containing the key handle as well.  The only drawback is that to change
the passphrase you now have to change every public key in every account
you possess.

James

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
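The scheme James sketches above (encrypt the FIDO key handle under a passphrase before it goes into the public key / authorized_keys entry; the client decrypts what the server presents), as an added example that is not code from this thread or from OpenSSH. It assumes Go's standard library only: the PBKDF2 routine is written out for that reason and stands in for the scrypt or Argon2 a real implementation would use, the key handle bytes in any test are constructed, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// pbkdf2SHA256: RFC 8018 PBKDF2-HMAC-SHA256, one 32-byte block; a stdlib-only stand-in for scrypt/Argon2.
func pbkdf2SHA256(pass, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	t := make([]byte, sha256.Size)
	for i := 0; i < iter; i++ {
		u := mac.Sum(nil) // U_1 = PRF(salt||1); afterwards U_i = PRF(U_{i-1})
		for j := range t {
			t[j] ^= u[j]
		}
		mac.Reset()
		mac.Write(u)
	}
	return t
}

// aeadFor derives the AES-256-GCM wrapping key from the passphrase; 100k iterations slow offline guessing.
func aeadFor(passphrase string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, 100000)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)                                            // 16-byte block: cannot fail
	return aead
}
// WrapKeyHandle returns salt||nonce||ciphertext: what would sit in the public key and in authorized_keys.
func WrapKeyHandle(handle []byte, passphrase string) ([]byte, error) {
	hdr := make([]byte, 28) // 16-byte KDF salt, 12-byte GCM nonce; cap == len, so Seal appends to a fresh buffer
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return aeadFor(passphrase, hdr[:16]).Seal(hdr, hdr[16:], handle, nil), nil
}

// UnwrapKeyHandle is the client's step once the server presents the stored entry; a wrong passphrase
// (someone holding only the stolen token) or a tampered blob fails GCM authentication and yields nothing.
func UnwrapKeyHandle(blob []byte, passphrase string) ([]byte, error) {
	if len(blob) < 28+16 { // header plus 16-byte GCM tag; reject before slicing
		return nil, errors.New("encrypted key handle too short")
	}
	return aeadFor(passphrase, blob[:16]).Open(nil, blob[16:28], blob[28:], nil)
}
```

The drawback James notes falls out directly: the salt and passphrase are bound into every wrapped entry, so a passphrase change means re-running WrapKeyHandle and replacing the entry in every authorized_keys that holds it.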


