Yubico Forum https://forum.yubico.com/ |
|
Blog entry on Yubico U2F implementation https://forum.yubico.com/viewtopic.php?f=33&t=1604 |
Page 1 of 1 |
Author: | brendanhoar [ Fri Nov 14, 2014 10:05 pm ] |
Post subject: | Blog entry on Yubico U2F implementation |
Just saw this post from Dain on Yubico's blog: https://www.yubico.com/2014/11/yubicos-u2f-key-wrapping/ Very very interesting. Seems like a nice alternative to key wrapping...and a useful discussion, but...I think it's still missing important information (and not just because of the "(slightly simplified)" comment). It's not clear to me how the EC public key, which must returned during registration and is used to generate the relying-party challenge during authentication, is generated. Since yubico states that private key is the output of the HMAC-SHA256 function, wouldn't that preclude generating an EC key pair in a standard manner? Hmm. Or is the HMAC-SHA256 output "private key" not the EC private key per se, but instead a portion of the mixed secret input, along with the device key, into a deterministic function (or set of functions) for creating the public/private keypair for this particular relationship? So the key pair is internally generated not only at registration but also (technically) at each authentication? Not a cryptographer, but curious, and maybe the questions can help to improve the clarify of the blog post. Alternately, you get to kick me around for missing something very obvious (most likely). Thanks, Brendan |
Author: | dain [ Sun Nov 16, 2014 12:56 pm ] |
Post subject: | Re: Blog entry on Yubico U2F implementation |
The "standard manner" of generating an EC key pair is by choosing a random integer in the range [1, n-1], where n is the order of the curve (a parameter of the specific curve used, secp256r1 in U2F's case). This random integer becomes the private key, p, and the public key is calculated as p*G, where G is the generator point (another curve parameter). The interesting thing here is that any value can be used as a private key, as long as it is numerically less than n-1. The properties of HMAC-SHA256 make its output suitable for use as a private key with one caveat: If the output hash is greater than n-1 it cannot be used. We solve this by simply starting over and choosing a new nonce if that occurs (it's not very likely to happen). |
Author: | brendanhoar [ Sun Nov 16, 2014 8:48 pm ] |
Post subject: | Re: Blog entry on Yubico U2F implementation |
Thanks Dain, I've been appropriately kicked. |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |