erikie wrote:
Tom,
is this really true? Something (whatever it is) must be retained and tied to the key or how else will the key I use for a specific PIN/secret transaction key for some specific website be identified amongst all other U2F keys?
Or (I have not read all U2F documentation so I could have missed the point) are all U2F keys in fact interchangeable (so I could use any key in pace of the one I own) and it just ensures that a secret login token is generated in a secure way?
Where by this key and it's action is somewhat like a TPM module?
In short - if I login & register to an U2F site using one particular U2F key can I then login another time with same with another U2F key with the same PIN/password(phrase)?
Pardon me for posing these questions which may seem obvious to you but I am just trying to understand this device.
Thx in advance for your reply & kind regards, Erik...
is this really true? Something (whatever it is) must be retained and tied to the key or how else will the key I use for a specific PIN/secret transaction key for some specific website be identified amongst all other U2F keys?
Or (I have not read all U2F documentation so I could have missed the point) are all U2F keys in fact interchangeable (so I could use any key in pace of the one I own) and it just ensures that a secret login token is generated in a secure way?
Where by this key and it's action is somewhat like a TPM module?
In short - if I login & register to an U2F site using one particular U2F key can I then login another time with same with another U2F key with the same PIN/password(phrase)?
Pardon me for posing these questions which may seem obvious to you but I am just trying to understand this device.
Thx in advance for your reply & kind regards, Erik...
For all intents and purposes, the only unique identifier for a U2F device is the securely stored internal symmetric key, which cannot be read from outside the device.
Effectively, to identify a particular key, it must be used to attempt to validate a previous registration it was used for [see my layman's description here which should be close to correct: viewtopic.php?f=33&t=1530&p=5956#p5956 ]. If the validation works, then you know that was the key used to generate the public/encrypted-private keys used to register with that origin/site, sent to that origin/site and remote-stored at that origin/site.
Otherwise, there's no way via software to tell one u2f device from another.
In theory, this means that use of the device across multiple unrelated origins/sites should not lead to disclosure concerns. However, I'd like to see a professional cryptographer release a public analysis of the standard and examine some implementations.
B