How/where are skfsclient keys stored? #101

cyberphone · 2021-04-07T14:13:00Z

I'm able to register and authenticate using the skfsclient.
What I don't get is where the client keys are saved. I have skimmed the source but I just don't get it 😵

arshadnoor · 2021-04-07T17:14:59Z

Since skfsclient is intended only for demonstration or automated testing purposes, it uses a fixed AES key to encrypt the private-key and stores them on the FIDO Server. The FIDO protocol supports an authenticator to send an opaque blob (known as the "keyHandle") that is always returned with the preauthenticate and preauthorize responses. As a result, skfsclient merely uses the fixed AES key to decrypt the keyHandle, reassemble the private-key to digitally sign the challenge. Some physical Security Key manufacturers use a similar design to support an "unlimited" number of registered keys with their authenticators. Of course, they don't use fixed keys, but randomly generate a unique AES key within their device on first use.

…

On 4/7/21 7:13 AM, Anders Rundgren wrote: I'm able to register and authenticate using the skfsclient. What I don't get is where the client keys are saved. I have skimmed the source but I just don't get it 😵 — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#101>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWSVTVS6GCPLYTM2F7NAEDTHRR7ZANCNFSM42Q4AAEQ>.

cyberphone · 2021-04-07T18:00:39Z

Thanx Arshad!
Is this hidden somewhere in the following log output?

demo@fidopayme:/usr/local/strongkey/skfsclient$ java -jar skfsclient.jar A https://fidopayme.com:8181 1 REST HMAC 162a5684336fa6e7 7edd81de1baab6ebcc76ebe3e38f41f4 anders https://strongkey.com:8181 21

Copyright (c) 2001-2021 StrongAuth, Inc. All rights reserved.

REST Authentication test with HMAC
*******************************
preauthjson = 
{"svcinfo":{"did":1,"protocol":"FIDO2_0","authtype":"HMAC"},"payload":{"username":"anders","options":{}}}

Calling preauthenticate @ https://fidopayme.com:8181/skfs/rest/preauthenticate
 Response : {"Response":{"challenge":"tQ7S2aSoRsfTWGAo0sQUaw","allowCredentials":[{"type":"public-key","id":"OZ0VMYnIZ-NEgUbq0HsqaZthgT7eDqV7SedkcoSxX-QAtPQDewMmfLwfPkCBQHPiYs-w45YkkiuKiFl5iUQTEqkN-7kq_ppV3v0aVAw4ADazXSdcB8HGI81oXtYlQeNsgjWjsCysy86GW-jTqmSN0L2rrZBQvbIXntzlVaSJTdI9zaa3EluzAiiHy5l-Cm1eyNx3EjkYPUFDrrP6bTTCJ1X-0Wu5dFR-90RKIY1YS-s","alg":-7}],"rpId":"strongkey.com"}}

Pre-Authentication Complete.

Generating Authentication response...

Simulator Response : 
	id = OZ0VMYnIZ-NEgUbq0HsqaZthgT7eDqV7SedkcoSxX-QAtPQDewMmfLwfPkCBQHPiYs-w45YkkiuKiFl5iUQTEqkN-7kq_ppV3v0aVAw4ADazXSdcB8HGI81oXtYlQeNsgjWjsCysy86GW-jTqmSN0L2rrZBQvbIXntzlVaSJTdI9zaa3EluzAiiHy5l-Cm1eyNx3EjkYPUFDrrP6bTTCJ1X-0Wu5dFR-90RKIY1YS-s
	rawId = OZ0VMYnIZ-NEgUbq0HsqaZthgT7eDqV7SedkcoSxX-QAtPQDewMmfLwfPkCBQHPiYs-w45YkkiuKiFl5iUQTEqkN-7kq_ppV3v0aVAw4ADazXSdcB8HGI81oXtYlQeNsgjWjsCysy86GW-jTqmSN0L2rrZBQvbIXntzlVaSJTdI9zaa3EluzAiiHy5l-Cm1eyNx3EjkYPUFDrrP6bTTCJ1X-0Wu5dFR-90RKIY1YS-s
	response = 	authenticatorData = WnTBrV2dI2nYtpWAzOrzVHMkwfEC46dxHD4U1RP9KKMBAAAAFQ
	signature = MEQCIAXmutcdVFXMhVVKI5UGP2nT6YKz8G7u-aKBcWCCVdAoAiAHcRDB03laJvSADR4zCxh86oALJS3WEmf8Y7TYaWzaDA
	userHandle = 
	clientDataJSON = eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoidFE3UzJhU29Sc2ZUV0dBbzBzUVVhdyIsIm9yaWdpbiI6Imh0dHBzOi8vc3Ryb25na2V5LmNvbTo4MTgxIn0
	type = public-key

Finished Generating Authentication Response.

Authenticating ...
authjson = 
{"svcinfo":{"did":1,"protocol":"FIDO2_0","authtype":"HMAC"},"payload":{"publicKeyCredential":{"id":"OZ0VMYnIZ-NEgUbq0HsqaZthgT7eDqV7SedkcoSxX-QAtPQDewMmfLwfPkCBQHPiYs-w45YkkiuKiFl5iUQTEqkN-7kq_ppV3v0aVAw4ADazXSdcB8HGI81oXtYlQeNsgjWjsCysy86GW-jTqmSN0L2rrZBQvbIXntzlVaSJTdI9zaa3EluzAiiHy5l-Cm1eyNx3EjkYPUFDrrP6bTTCJ1X-0Wu5dFR-90RKIY1YS-s","rawId":"OZ0VMYnIZ-NEgUbq0HsqaZthgT7eDqV7SedkcoSxX-QAtPQDewMmfLwfPkCBQHPiYs-w45YkkiuKiFl5iUQTEqkN-7kq_ppV3v0aVAw4ADazXSdcB8HGI81oXtYlQeNsgjWjsCysy86GW-jTqmSN0L2rrZBQvbIXntzlVaSJTdI9zaa3EluzAiiHy5l-Cm1eyNx3EjkYPUFDrrP6bTTCJ1X-0Wu5dFR-90RKIY1YS-s","response":{"authenticatorData":"WnTBrV2dI2nYtpWAzOrzVHMkwfEC46dxHD4U1RP9KKMBAAAAFQ","signature":"MEQCIAXmutcdVFXMhVVKI5UGP2nT6YKz8G7u-aKBcWCCVdAoAiAHcRDB03laJvSADR4zCxh86oALJS3WEmf8Y7TYaWzaDA","userHandle":"","clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoidFE3UzJhU29Sc2ZUV0dBbzBzUVVhdyIsIm9yaWdpbiI6Imh0dHBzOi8vc3Ryb25na2V5LmNvbTo4MTgxIn0"},"type":"public-key"},"strongkeyMetadata":{"version":"1.0","last_used_location":"Sunnyvale, CA","username":"anders","origin":"https://strongkey.com:8181"}}}

Calling authenticate @ https://fidopayme.com:8181/skfs/rest/authenticate
 Response   : {"Response":"Successfully processed sign response","jwt":"eyJhbGciOiJTSEEyNTZ3aXRoRUNEU0EiLCJ4NWMiOiItLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS1cbk1JSUNmekNDQWVBQ0ZINmx2WjBuZldtK2FSQzJWdFBmbnE0QUxLVEJNQW9HQ0NxR1NNNDlCQU1DTUhJeEN6QUpcbkJnTlZCQVlUQWxWVE1STXdFUVlEVlFRSURBcERZV3hwWm05eWJtbGhNUkl3RUFZRFZRUUhEQWxEZFhCbGNuUnBcbmJtOHhFekFSQmdOVkJBb01DbE4wY205dVowRjFkR2d4RkRBU0JnTlZCQXNNQzBWdVoybHVaV1Z5YVc1bk1ROHdcbkRRWURWUVFEREFaS1YxUWdRMEV3SGhjTk1qRXdOREF6TVRNeU5EUTJXaGNOTWpJd05EQXpNVE15TkRRMldqQ0JcbmlURUxNQWtHQTFVRUJoTUNWVk14RXpBUkJnTlZCQWdNQ2tOaGJHbG1iM0p1YVdFeEVqQVFCZ05WQkFjTUNVTjFcbmNHVnlkR2x1YnpFVE1CRUdBMVVFQ2d3S1UzUnliMjVuUVhWMGFERVVNQklHQTFVRUN3d0xSVzVuYVc1bFpYSnBcbmJtY3hKakFrQmdOVkJBTU1IVXBYVkNCVGFXZHVhVzVuSUVObGNuUnBabWxqWVhSbElERXVNUzR6TUlHYk1CQUdcbkJ5cUdTTTQ5QWdFR0JTdUJCQUFqQTRHR0FBUUFWbWZsUzI5STNveFpQWWVtaHdEQkNzVXdTU0VDUEhnWC9aeU1cbmo2U2l2OFBDSHMvMmVXVWNqR2NkNThrRkEzS05FeVJ3dHVaTzBkWkFSMU1pRlcxVXFSb0FBdHJtK1ZzN0k1REZcbnRiaTVpbmxUNnJJZlFsVnFJc1Ewa09LTGg2UndyMk0yL1BQMWhNbFhmWjNzbHgwNWVZdW5hQUlCVkk1WE01RjFcblFkcGI3RGVhYXVjd0NnWUlLb1pJemowRUF3SURnWXdBTUlHSUFrSUJNWFNmQ0JRREVQV2hKR0hiRkIvSE5YOWRcbmFPUjNsaHpJNWFqWEhSS20zZnRMaHBqbkt6VnZtVVJNa1BKK0YzMXhmTUpoWGxBbjBDaHFBSGRXTFlMTm9Rd0NcblFnRjlCU3Uzd1luUjFXb3I2RnQ2TnVWbUxCblBOSzY2Z2o1QW9MVGFjbW9FNXFXTEMzeHJqNUxBdHVmRlR3cDlcbjFJS3lSeVAzS3VQYTJEWHFtZFpxSlA1TEdnPT1cbi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS1cbiJ9.eyJycGlkIjoic3Ryb25na2V5LmNvbSIsImlhdCI6IldlZCBBcHIgMDcgMTc6NTk6MjUgKzAwMDAgMjAyMSIsImV4cCI6IldlZCBBcHIgMDcgMTg6Mjk6MjUgKzAwMDAgMjAyMSIsImNpcCI6IjE5Mi4xNjguMTk3LjEyOSIsInVuYW1lIjoiYW5kZXJzIiwiYWdlbnQiOiJBcGFjaGUtSHR0cENsaWVudC80LjUuNiAoSmF2YS8xLjguMF8yODIpIn0.MIGIAkIAr63CHIVuFZJmiBOWcRh6-0udygYP8CxA6Y2OBFcVN4kTByxL9Tpf4lP5AthG8olDmnPOaNpLJP0kNxFJ_i5-bIACQgHUVzxl4sV7XFg4s_vTu4yyPYMgSy5exsi6YsWTSLO8NEeqo9BZBuknlpt5Gmywr4DdkQ7iCnv2lbfDX9iwEsg24A"}

Authentication Complete.
*******************************

Done with Authenticate!

cyberphone · 2021-04-07T18:36:18Z

I think I found it!

cyberphone closed this as completed Apr 7, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How/where are skfsclient keys stored? #101

How/where are skfsclient keys stored? #101

cyberphone commented Apr 7, 2021

arshadnoor commented Apr 7, 2021 via email

cyberphone commented Apr 7, 2021

cyberphone commented Apr 7, 2021

How/where are skfsclient keys stored? #101

How/where are skfsclient keys stored? #101

Comments

cyberphone commented Apr 7, 2021

arshadnoor commented Apr 7, 2021 via email

cyberphone commented Apr 7, 2021

cyberphone commented Apr 7, 2021