Protect private minisign key with FIDO2 token #100
Comments
Yes! The secret key can be stored and decrypted in any way. This doesn't affect how signatures are computed and verified. I'm not planning to add FIDO2 support to this implementation (and would rather see keychain/touchid support) but feel free to do it! Thank you!
I think there's a misunderstanding here. It is true that minisign would support any kind of storage for the secret key as long you have full control of the data to be signed. But FIDO security keys are hard coded to always prepend a prefix before signing, a prefix that is not under the caller's control and cannot be omitted. See for example the definition of signature inputs in WebAuthn; the So generating or verifying FIDO signatures with minisign would require some small changes to minisign. Signers need to (1) record the authenticator data in the signature format; and (2) indicate that the signature includes this additional data, for example by using a new algorithm identifier. Verifiers need to (3) check for such an indicator; and (4) if present, prepend the authenticator data to the signed data before verifying the signature. With that in mind, would that change the verdict on whether you'd want to support FIDO tokens in minisign? I'd be happy to help implement it if so, or help prototype it to see what it could look like before you make a decision.
I should add that most of the benefit lies in supporting FIDO signatures for verification ((3) and (4) above). If only there is a suitable signature format with wide support in verifiers, the probably few signers that wish to use a FIDO token for signing ((1) and (2)) could use external tools to do so. 🙂
@emlun Thanks for clarifying! As long as it doesn't complicate the spec too much, why not. If you could write a prototype, that would be awesome!
Cool! I'm not sure when I'll get around to it, but I'll add it to my todo list.
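The four steps described in the two comments above, worked through as an added example that is not code from this thread or from minisign. It is written in Go using only the standard library: a fake token that, like a CTAP2 getAssertion, always prepends authenticator data (rpIdHash || flags || signCount) to the caller's 32-byte hash before signing; a signature record with a hypothetical algorithm identifier "Fd" and a container layout assumed for this example (not minisign's real wire format); and a verifier that, on seeing "Fd", prepends the recorded authenticator data to the message prehash before the ordinary Ed25519 check. SHA-256 stands in for the prehash because Go's standard library has no BLAKE2b; the RP id, key id and seed are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// "Ed" is minisign's plain Ed25519 identifier; "Fd" is a hypothetical
// identifier invented here for "Ed25519 over authenticatorData || prehash".
const (
	algEd25519     = "Ed"
	algFIDOEd25519 = "Fd"
	minAuthDataLen = 32 + 1 + 4 // rpIdHash || flags || signCount
)

// fakeToken stands in for a CTAP2 authenticator: it never signs the caller's
// bytes alone but always prepends rpIdHash || flags || signCount first.
type fakeToken struct {
	Pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	rpIDHash  [32]byte
	signCount uint32
}

// newFakeToken derives the key from a caller-supplied seed (constructed input
// in this example) so that runs are reproducible.
func newFakeToken(rpID string, seed [32]byte) *fakeToken {
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey)
	return &fakeToken{Pub: pub, priv: priv, rpIDHash: sha256.Sum256([]byte(rpID))}
}

// Assert mimics getAssertion: the signature covers authData || clientDataHash,
// and the caller gets both back because a verifier needs authData later.
func (t *fakeToken) Assert(clientDataHash [32]byte) (authData, sig []byte) {
	t.signCount++
	authData = append(append([]byte{}, t.rpIDHash[:]...), 0x01) // flags: user present
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], t.signCount)
	authData = append(authData, cnt[:]...)
	signed := append(append([]byte{}, authData...), clientDataHash[:]...)
	return authData, ed25519.Sign(t.priv, signed)
}

// prehash is the 32-byte value handed to the token as clientDataHash. SHA-256
// stands in for the BLAKE2b-256 prehash the prototype uses (not in Go's stdlib).
func prehash(msg []byte) [32]byte { return sha256.Sum256(msg) }

// record is an assumed container, not minisign's real wire format:
// alg(2) || keyID(8) || sig(64) || authData(rest; empty for "Ed").
// Step (1) records authData; step (2) uses alg to flag that it is present.
type record struct {
	Alg      string
	KeyID    [8]byte
	Sig      []byte
	AuthData []byte
}

func (r record) marshal() []byte {
	out := append([]byte(r.Alg), r.KeyID[:]...)
	return append(append(out, r.Sig...), r.AuthData...)
}

func unmarshalRecord(b []byte) (record, error) {
	const fixed = 2 + 8 + ed25519.SignatureSize
	if len(b) < fixed {
		return record{}, errors.New("signature record too short")
	}
	r := record{Alg: string(b[:2]), Sig: b[10:fixed], AuthData: b[fixed:]}
	copy(r.KeyID[:], b[2:10])
	return r, nil
}

func signWithToken(t *fakeToken, keyID [8]byte, msg []byte) []byte {
	authData, sig := t.Assert(prehash(msg))
	return record{Alg: algFIDOEd25519, KeyID: keyID, Sig: sig, AuthData: authData}.marshal()
}

// verify is steps (3) and (4): check the identifier and, for the FIDO variant,
// prepend the recorded authData to the prehash before the ordinary Ed25519
// check. A plain "Ed" record carrying trailing bytes is rejected outright.
func verify(pub ed25519.PublicKey, msg, rec []byte) error {
	r, err := unmarshalRecord(rec)
	if err != nil {
		return err
	}
	h := prehash(msg)
	var signed []byte
	switch {
	case r.Alg == algEd25519 && len(r.AuthData) == 0:
		signed = h[:]
	case r.Alg == algFIDOEd25519 && len(r.AuthData) >= minAuthDataLen:
		signed = append(append([]byte{}, r.AuthData...), h[:]...)
	default:
		return fmt.Errorf("unsupported or malformed record (alg %q, %d trailing bytes)", r.Alg, len(r.AuthData))
	}
	if !ed25519.Verify(pub, signed, r.Sig) {
		return errors.New("signature verification failed")
	}
	return nil
}
```

The verifier deliberately refuses an "Ed" record that carries trailing bytes and an "Fd" record whose authenticator data is shorter than the fixed 37-byte header, so a signature made by a token cannot be relabelled as a plain Ed25519 signature and vice versa; the signed bytes differ, so the relabelled record fails the Ed25519 check either way. Because the token increments signCount, two signatures over the same message are different records that both verify.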
Alright, I have something to share! Please check out the This adds a new
As of right now, this implementation adds a dependency on OpenSSL for the SHA256 hash algorithm. This is for two reasons:
As for the C implementation, I tried to keep it minimally invasive. The implementation approach I ended up with was to over-allocate some of the signature struct buffers and use pointer arithmetic to separate the additional data (when present) from the base struct. I don't have much experience with plain C, so there may very well be some horrible crimes against conventions in there. I'm also aware that there are a few memory leaks that I haven't bothered fixing for now. Of course, all aspects of the implementation prototype are open for discussion, from crypto architecture to code formatting. 😄 Other possibilities not currently implemented:
Anyway, here's how to try it all out if you have a CTAP2 security key available:

```shell
$ git checkout wip/fido
$ pip install fido2 PyNaCl
$ python fido_minisign.py generate
$ echo 'Hello, World!' > msg.txt
$ python fido_minisign.py sign msg.txt
$ (cd build && cmake .. && make)
$ ./build/minisign -V -m msg.txt
```

Note that the What do you think, now that there's something concrete to look into? Is this something you'd like to support?
In SHA256 is also available ( |
Oh! I just looked in the "generic hashing" section of the docs. It seemed weird that the library wouldn't support SHA at all, but it didn't occur to me to look anywhere else. I've updated the prototype implementations and signature format documentation to use Blake2b-256 instead of SHA256 and SHA256(Blake2b-512). I also found now that I can just use
Hi @jedisct1, have you had time to consider this? Would you like me to proceed with developing this proof of concept into a proper pull request? |
Related: w3c/webauthn#2026 |
Hello everyone. @emlun Your work is very interesting. I'm looking forward to being able to make FIDO2 signatures in my app. I hope this can make it into minisign! |
As of v8.2 OpenSSH supports FIDO2 as a second factor to protect the private key. This makes resident keys on a token (yubikey etc.) avoidable. So you can locate the private key on the file system of your computer (as probably most people do anyway). In my opinion it even obsoletes passphrases for the private key, because it is simply not usable without the FIDO2 token.
I wonder if minisign keys could be protected the same way.