Yubico Forum


All times are UTC + 1 hour




Posted: Fri Nov 14, 2014 10:05 pm

Joined: Thu Oct 16, 2014 11:51 pm
Posts: 82
Just saw this post from Dain on Yubico's blog:

https://www.yubico.com/2014/11/yubicos-u2f-key-wrapping/

Very very interesting.

Seems like a nice alternative to key wrapping...and a useful discussion, but...I think it's still missing important information (and not just because of the "(slightly simplified)" comment).

It's not clear to me how the EC public key, which must be returned during registration and is used to generate the relying-party challenge during authentication, is generated. Since Yubico states that the private key is the output of the HMAC-SHA256 function, wouldn't that preclude generating an EC key pair in a standard manner?

Hmm.

Or is the HMAC-SHA256 output "private key" not the EC private key per se, but instead a portion of the mixed secret input, along with the device key, into a deterministic function (or set of functions) for creating the public/private keypair for this particular relationship? So the key pair is internally generated not only at registration but also (technically) at each authentication?

Not a cryptographer, but curious, and maybe the questions can help to improve the clarity of the blog post. Alternately, you get to kick me around for missing something very obvious (most likely).

Thanks,
Brendan


Posted: Sun Nov 16, 2014 12:56 pm
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
The "standard manner" of generating an EC key pair is by choosing a random integer in the range [1, n-1], where n is the order of the curve (a parameter of the specific curve used, secp256r1 in U2F's case). This random integer becomes the private key, p, and the public key is calculated as p*G, where G is the generator point (another curve parameter). The interesting thing here is that any value can be used as a private key, as long as it is numerically less than n-1. The properties of HMAC-SHA256 make its output suitable for use as a private key with one caveat: If the output hash is greater than n-1 it cannot be used. We solve this by simply starting over and choosing a new nonce if that occurs (it's not very likely to happen).


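The derivation described in the reply above, as an added Python example (not Yubico's code and not part of the original thread): the HMAC-SHA256 output is treated as the scalar p, rejected if it falls outside [1, n-1], and the public key is p*G on secp256r1. The function names, the HMAC input layout (app ID followed by nonce) and the 32-byte nonce are assumptions made for illustration.

```python
import hashlib, hmac, os

# NIST P-256 (secp256r1) domain parameters; the curve is y^2 = x^3 - 3x + B mod P
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p2 == -p1 (also covers doubling with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, point):
    """Double-and-add scalar multiplication (illustrative only, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, point)
        point = add(point, point)
        k >>= 1
    return acc

def private_key(device_key, app_id, nonce):
    """HMAC-SHA256 output as a scalar, or None if outside [1, N-1] (input layout assumed)."""
    mac = hmac.new(device_key, app_id + nonce, hashlib.sha256).digest()
    d = int.from_bytes(mac, "big")
    return d if 1 <= d < N else None

def register(device_key, app_id):
    """Try fresh nonces until one yields a valid scalar; return (nonce, public key d*G)."""
    while True:
        nonce = os.urandom(32)
        d = private_key(device_key, app_id, nonce)
        if d is not None:
            return nonce, mul(d, G)
```

Calling `private_key` again with the same device key, app ID and nonce reproduces the same scalar, so the private key never has to be stored. For secp256r1, 2^256 - n is below 2^224, so the retry branch is taken for fewer than one HMAC output in 2^32.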
Posted: Sun Nov 16, 2014 8:48 pm

Joined: Thu Oct 16, 2014 11:51 pm
Posts: 82
Thanks Dain, I've been appropriately kicked. :)

