Yubico Forum

rnewson: You're right. For some reason I thought you were referring to the timestamp and nonce that is generated by the client as part of the validation protocol.

It has been reviewed by an independent security firm.

are there any resources available of this?

Have recently also bought a Yubikey NEO and while pondering on the U2F feature, the "hardcoded" device key became also one of my primary interest.
To me, this comes down to "Yubikey and other U2F vendors" becoming a "token CA" and as customer you buy a hardware token including a per-generated private key. To me, if I would start to support U2F on our websites for auth, that would fundamentally imply to require to trust "all those CA's" in the first place.

To summary, and please feel free to correct my understanding:

- access/altering device key is prohibited to assure uniqueness of each U2F "key" and used private key are "impossible" to retrieve (no cloning).
- attestation certificate signs they "on-chip" pub key (during manufacturing) so U2F aware websites can verify the "U2F" being genuine.
- U2F "token certificate authorities" such as Yubico guarantee for their U2F devices.

Considering that Yubico is a company under US law, I do trust it as much I trust e.g. "Symantec SSL".

Here are some resources that should answer your questions:

viewtopic.php?p=6561#p6561
https://developers.yubico.com/U2F/Proto ... ation.html
https://developers.yubico.com/U2F/Proto ... rview.html

Regarding the security audit, please contact Sales.

Somehow I missed this part:



I agree with your point, no matter how 'R' is calculated.

But your comment reminded me about a question I had about the ECDSA implementation that is being used for the U2F app... Is 'R' for the ECDSA signature operation mandated to be determined deterministically (via hashing the private key along with the data being signed) or is it generated using the on-board RNG?