
Testing FIDO U2F security keys - stargrave
https://www.imperialviolet.org/2017/10/08/securitykeytest.html
======
tptacek
You'd assume that a device as sensitive as a hardware security key would get
extensive testing from the vendor, from 3rd parties contracted to the vendor,
and from random unauthorized 3rd parties testing out of personal or public
interest.

But in fact there are almost certainly commercial hardware security keys that
receive _no testing at all_ at the level AGL is working at --- which, while
impressive and super interesting, isn't as low-level as serious third party
specialized crypto validation goes.

My takeaway from this is: buy the most popular U2F key (which happens to be
Yubico's). This isn't a place where you want to shop around for interesting
alternative brands.

Nobody pays me to say this and I have no relationship with Yubico of any sort.

~~~
csomar
Wouldn't that make Bitcoin Hardware wallets the most secure then? They don't
have the same software support and documentation as Yubico but they are
targeted heavily by hackers.

The two popular options are: Trezor and Ledger. Both support FIDO U2F and
have a large user base.

~~~
TorKlingberg
Does the FIDO U2F feature on them get targeted by hackers?

~~~
csomar
My understanding is that it depends on the secure components that secure the
private key and sign the messages. So hacking FIDO means hacking the crypto
private key or the wallet.

------
jlgaddis
Related (but slightly OT) question: has anyone run into any issues when using
either 1) a single Yubikey for both U2F and SSH authentication or 2) multiple
Yubikeys simultaneously on the same machine (i.e., one for U2F, one for SSH)?

For SSH authentication, I use Yubikeys (and only Yubikeys) everywhere: my
workstation at home (I WFH 99% of the time), my primary laptop, and a "backup"
laptop. Each of these machines has its own "dedicated" Yubikey that I use to
authenticate to remote SSH servers (a "Nano" that is left plugged in 24/7). I
also use these (with challenge/response) to unlock encrypted LUKS volumes
(containing ZFS pools) at boot, FWIW.

I would like to begin using U2F (AFAICT, U2F support should be coming to
Firefox soon, if it hasn't already; running FF57 Developer Edition here),
preferably with these same Yubikeys I am already using for SSH. If there are
any issues, however, I'm fine with using a separate Yubikey just for the U2F
side of things (I have a few U2F-only Yubikeys lying around as well).

Basically, I want it to be as easy/convenient as possible and, before I begin
to attempt this, I'm just curious if anyone else is already doing this and, if
so, what their experiences were and any issues they may have encountered. In
theory, it should all just work but, in reality, well, who knows. TIA!

~~~
posixplz
U2F should work with your Yubikeys, irrespective of your slot 1/2
configurations. U2F does not depend on slot provisioning. Unlike your slot/gpg
keys, U2F authenticators are unique to each individual hardware component and
cannot be replicated between Yubikeys.

~~~
jlgaddis
I thought as much. I'm mostly curious about any possible "inter-op" issues
with GnuPG and U2F functionality (for example, I have heard reports that
gpg-agent would "reset" after a U2F auth and so would require a PIN on next use
regardless of any timeouts; that's not a problem for me, just something I'd
like to be aware of beforehand). Thanks!

~~~
subway
Be prepared to pull and replace the Yubikey when switching between applets. I
currently use a key configured with U2F, gpg (and ssh via gpg-agent), and oath
totp. Usually it switches between applets seamlessly, requiring pin entry for
gpg any time I switch back to gpg.

Occasionally whichever applet I'm attempting to use will appear unavailable,
requiring the token be pulled and reseated.

~~~
jlgaddis
Yeah, I've heard similar reports before and that's exactly the kind of thing I
was wanting to hear about because, e.g., the Nano can be a PITA to remove
sometimes -- especially on my workstation, where it is plugged into one of the
USB ports on the "back" of a Das Keyboard. I don't mind punching in my PIN all
the time (I already use short timeouts anyways), but removing and reinserting
the Nano several times a day is inconvenient and will get annoying real quick.

Thanks.

~~~
pfg
I used to run into this regularly as well, usually with gpg-agent refusing to
work. I recently switched to a 4C Nano, which made it quite cumbersome to pull
the key, so I looked into it and found out that reloading gpg-agent does the
trick as well. I use this alias to do that quickly:

    alias gpgpls='gpg-connect-agent reloadagent /bye'

I haven't needed to pull the key since. I'm on macOS and use gpg-agent, U2F
and yubioath-desktop.

~~~
jlgaddis
Oh, excellent, that's great to know. I run Arch Linux on these particular
machines but, in this case, it probably doesn't matter. Thank you.

------
dpeckett
A while back I looked into building my own hardware two factor key. I wanted
to experiment with the technology. I've since backed off the idea due to
several serious challenges with designing secure hardware for this purpose.

* By necessity there's a pretty large attack surface, you've likely got a vendor specific Bluetooth stack and coprocessor. The same goes for wired solutions with hardware USB peripherals (though at least significantly less complex). Being sure the hardware peripheral doesn't have any major memory safety issues is a complete bear to test, and that's not even touching on sidechannel analysis.

* Running public key crypto on a microcontroller (excluding specific hardware crypto support) is a little more novel than a desktop machine, the leading libraries are nowhere near as extensively battle tested. And there are architectural concerns about sidechannel attacks and often the lack of any memory protection units (bigger chips solve these issues, but power budget concerns are tricky).

* And given all software has bugs, how do you update the firmware? Signed firmware patches as part of driver update? Who's to say somebody hasn't already owned your bootloader.

I think the solution to all this, is to abandon the idea of additional
hardware, what if your smartphone could act as a two factor hardware token
over Bluetooth? The big problem is pairing really, and how to make this an
easy process for users, I never figured that out. On the other hand I did come
up with a scheme that would allow USB-based hardware tokens to work without
additional drivers / software and on all current major operating systems and
browsers. I really ought to work on it, but as above I don't trust embedded
hardware (embedded hardware is such an antithesis to, move fast and break
things).

~~~
bri3d
How'd your scheme work? I suspect HN wants to know ;) A lot of hardware just
acts as HID keyboard, but that only works one direction unless you use a side
channel like visual (QR code like TOTP and/or camera like the Bloomberg unit).

I think the Bloomberg auth units are some of the most advanced examples of
this - they're protected against almost any imaginable physical attack, too
(freezing memory state, power sidechannels, xray/delidding to dump mask ROM,
etc.) But they have a lot of money to spend on it...

~~~
dpeckett
Broadly based on abusing USB ethernet and browser origin policies. Relies on
the fact browsers are used to treating the network layer as a hostile
environment.

------
Legogris
I'd be very interested to see the author review how the cryptocurrency
hardware wallets Ledger[0] and Trezor[1] compare - they also have U2F
functionality. I use my hardware wallet for U2F and I am guessing they are
becoming more widely used for consumer users.

[0]: [https://www.ledgerwallet.com/](https://www.ledgerwallet.com/)

[1]: [https://trezor.io/](https://trezor.io/)

~~~
cyphar
EEVblog did a video about the Trezor[1].

[1]: [https://youtube.com/watch?v=BzxGoJdd8a4](https://youtube.com/watch?v=BzxGoJdd8a4)

------
wakkaflokka
I'd really like to buy a U2F token, but need to find one that lets me use it
mobile (Android) as well as on desktop.

I know that Yubico offers an NFC-enabled one, but it doesn't support 4096-bit
keys if I understand correctly.

~~~
te0006
The Fidesmo dual-interface smartcard might fit the bill:
[http://shop.fidesmo.com/product/fidesmo-card-dual-interface](http://shop.fidesmo.com/product/fidesmo-card-dual-interface)
You would need to buy and install the U2F applet ("card app") onto it. There are
other applets available for PGP and for Bitcoin wallets, which can co-exist on
the same card AFAIR. Not sure about supported key lengths. I'm not affiliated
with Fidesmo or the applet vendors.

Any opinions on this product from the HN crowd? E.g., what do you think about
the security implications of their user-installable applet model?

------
hasa
FIDO U2F is just enterprise stuff. My mom will never own one to log in to
Facebook. So the market is very difficult for newcomers. That's why we see
lots of low quality products which come and go.

~~~
r3bl
But she will enter the info from the SMS that Facebook sends to her?

I mean, comparing U2F keys with the alternative 2FA methods (like SMS and
Google Authenticator), it sure seems simpler to just tap the USB key instead
of taking out your phone, unlocking it, seeing the message, and writing the
code from the message.

They're convenient as hell.

~~~
hasa
You're right. 2FA is convenient as hell until biometric authentication will do
it with user's consent (just tap something). Yubico is quite near this
target, but fragile USB dongle hanging from the side of your laptop isn't
still optimal. FIDO is doing great work trying to bring secure authentication
on the market, but the risk is that it'll be another complex OpenID which is
killed by the giants (Google, M$ etc).

~~~
r3bl
> but fragile usb dongle hanging from the side of your laptop isn't still
> optimal.

And that's why we have Yubikey Nano versions. And as for them being fragile, I
really don't experience that. Mine has been sitting on my keychain for
about a year and a half and it seems rock-solid. Even though it has been
through rains and thrown around countless times, it still works like it did on
day one. Even though it's plastic, it is pretty durable from my
perspective.

------
_Codemonkeyism
Slightly OT, what do people use for U2F, Google Mail and Firefox?

~~~
EwanToo
Yubico do a short (but I think that's realistic) list of sites that
specifically support u2f

[https://www.yubico.com/solutions/#FIDO-U2F](https://www.yubico.com/solutions/#FIDO-U2F)

~~~
_Codemonkeyism
Thanks I have a Yubico key and use it with Gmail on Chrome, to better phrase
my question: How do I use it with FF? (my main browser).

~~~
danieldk
On Firefox Nightly, it works without extensions, but you have to set
_security.webauth.u2f_ to true in _about:config_.

It only worked with some sites that I tried, for others you probably have to
fake the user agent.

~~~
daenney
Yeah... The Google Cloud Console and Google Accounts do that for one. I can't
set up or use my U2F key in anything but Chrome. Hangouts similarly barfs when
you're using Firefox because they believe the WebRTC support is missing
(instead of checking). Works fine with GitHub though :).

------
jnwatson
I cannot fathom that folks still can't parse DER correctly. It really isn't
complicated.

