-
Notifications
You must be signed in to change notification settings - Fork 289
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is there a way to store a key/secret in the dongle? #401
Comments
Hi! Happy to hear you want to use OpenSK as a research platform! There are no commands / primitives outside of the regular FIDO commands. During authentication, the only returned strings are inside the User Entity (see specification, under response structure). If you want to use that, make sure to
But, since you said "secret" string, that depends on how secret you want it to be. It is stored on hardware, so you can unplug OpenSK to carry it around, but user name and user display name are not considered secrets. Nothing stops you from encrypting that string, of course. And then the username is some unreadable or encoded bytestring. One thing you might want to look into is the HMAC-secret extension. It allows you to do some symmetric crypto on device, maybe that is what you are looking for? To give you a better answer, I'd have to understand your requirements better. |
Hi! Thanks for the quick reply. Research context: Currently no major web services provide passwordless authentication. For a user study, we are trying to imitate the passwordless authentication behavior for a couple of popular websites. For that we want to store the user's website password in the security key and retrieve it later when user plugs in the security key and taps it. We are using a chrome extension to handle the UI at the browser end. I was playing with As far as I understand HMAC-secret extension, only allows you to generate a new secret key. You cannot store a pre-determined password, right? In case we do not find something that I can directly use, I am planning to introduce a new command in the firmware to store the passwords. |
The term Your understanding of HMAC-secret is correct. I thought it might be interesting if you want to encrypt the passwords that you store in the User Entity info. You definitely lose the guarantees that security keys usually offer. Plaintext on OpenSK is like a plaintext password manager that is somewhat easier to steal. To write your own command, you have 2 choices:
You'd also have to dig into our persistent storage code to actually store the new string. The credential storage data structure is here. |
Thinking about extensions, maybe credBlob solves your problem? The specification requires RPs to use One implicit restriction is that this passwords need to be encoded with 32 Byte, but you can change that constant here.` |
thanks, @kaczmarczyck, all the suggestions are very helpful. Requiring PINS at the user end for our purpose is fine, even preferable. |
Please leave it open! result = authenticator.send_cbor(
COMMAND_BYTE,
data=cbor_data,
) |
The example is taken from our configure script. |
@kaczmarczyck I have been looking into I am getting Registration response
Registration Request:
Authentication response:
Authentication Request:
|
Are these logs WebAuthn or CTAP? My understanding is that you have three components:
Your logs are the communication between Client and RP? Which of them are OpenSK related? |
These logs are at the client's end. Requests are sent to the authenticator and responses are received by the client from the authenticator (but are processed by the client to send to RP). |
I think platform/browser will only send necessary data back to RP, as this case only user.id. https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#:~:text=it%20will%20only%20return%20%22id%22%20back%20to%20the%20%5Bwebauthn%5D%20layer%20and%20discard%20other%20user%20details. |
I believe that OpenSK initially did send a display name, if you set one. You'd have to grab it from its response before Chrome filters it. I don't think OpenSK can fix this or the fact that browsers don't implement Concerning your question about user ID vs display name, they are not really different from OpenSK's perspective. The former is a byte string, the latter a text string. But @nuno0529 mentioned a difference in the client, and I think that RPs choose the user ID, whereas the user name and display name have more freedom for choice. |
Thanks for your answers. That makes a lot of sense. I'll use the To register I am sending the following request from chrome console. I include the
clientExtensionsResults value from the authenticator:
I tried to verify that if OpenSK supports credBlob, by using authenticatorGetInfo. "Authenticator reflects amount of byte storage it supports as maxCredBlobLength parameter in authenticatorGetInfo". But I don't see it in the response from the authenticator. ./info /dev/hidraw3
|
I failed to mention that
The board name changed, too, i.e.
You might have to erase the persistent storage due to a backwards incompatilbe change. Also be aware that |
I am trying to reflash the dongle using |
I'm currently of reworking the documentation! Until that lands, let me try to help. You do need to reset some things, depending on how far you are jumping in history. To be safe, you reset both repo and storage. Be careful, the reset scripts deletes all uncommited changes! ./reset.sh
./setup.sh
./deploy.py ... --erase_storage
./tools/configure.py \
--certificate=crypto_data/opensk_cert.pem \
--private-key=crypto_data/opensk.key I don't think this explains your error message though. Your device is not even detected. I had to press the tiny reset button that is hard to see and operate, located next to the actual user button. Usually, the idea is to the the device into DFU mode. My dongle indicates it is ready to be flashed with a slow red blink. |
To be more precise with the deploy instructions: First ./deploy.py --board="nrf52840_dongle_dfu" --programmer=nordicdfu --erase_storage
./deploy.py --board="nrf52840_dongle_dfu" --programmer=nordicdfu --opensk |
Thanks, @kaczmarczyck. That worked. I still cannot retrieve the credBlob during authentication, but I found that it's an issue with Chrome browser implementation. I am following up with them on this. |
Awesome! If you don't mind, I'd appreciate a quick update on a later stage of your project. Some FIDO 2.1 features are currently still not used much, and any real world feedback is useful. |
Sure! We decided to use OpenSK for our research going forward. we would be happy to give the feedbacks we have. |
Is there an API in the
OpenSK
that I can use to store a secret string mapped to a username and retrieve it later on?If not, can I exploit the FIDO register call to store a secret string mapped to a username? Is there any field in the FIDO2 protocol that is stored on the authenticator and is returned during authentication? I need it for the research prototype, so any hack/ideas would help.
The text was updated successfully, but these errors were encountered: