[Bug 2319] [PATCH REVIEW] U2F authentication

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sun Jan 8 23:48:31 AEDT 2017 

https://bugzilla.mindrot.org/show_bug.cgi?id=2319

--- Comment #22 from Simon Josefsson <simon at josefsson.org> ---
> 1) Tt depends on a GPL library which is a licensing conflict we
> don't want.

libu2f-host is LGPLv2+.  

> 2) The spec is insufficient - we need more than "put this blob from
> the library that's specified for Javascript on the wire".

Which spec are you talking about?  U2F itself or the IETF draft?  The
U2F specifications are unfortunately structured in an unusual way
because it is oriented towards web browser based situations.  However
it is possible to abstract out the relevant details for non-browser
scenarios.  I agree and admit that this is not the intended scope, but
I don't think that should limit further considerations.

I am happy to work on clarifying the IETF specification.  While at
Yubico, I tracked U2F specifications closely and have familiarity with
it.

> 3) The spec as it stands has some problems. As someone who knows
> more than U2F that I said (privately):
> 
> > The draft, as I read it, does not do any validation of the 
> > username provided prior to sending a list of key handles for the
> > user. This is somewhat of a security concern, since it reduces the
> > "2F" in universal second factor to a single factor. Personally,
> > I'm willing to overlook that one a little: if we believe attackers
> > can easily get at your passwords, then this loss is a small one.

I don't understand this concern -- yes, you may get access to people's
key handles.  If that leads to security concerns, there is something
really strange going on.  Key handles are intended (cryptographically)
to only be usable by the key holder.  More details please?

> > The other concern I have with their approach is that it doesn't
> > protect the user's privacy. The regular SSH protocol relies 
> > on a leap of faith, in that neither the client nor the server
> > have any way to authenticate one another the first time they're
> > introduced, so one must assume that there's no attacker present
> > at that time. Still, it's customary for an SSH client to generate
> > a new key pair for every server it's introduced to, in order for
> > one server not to be able to correlate one user with another. One
> > SSH server could reveal a user's public key to another, but that
> > wouldn't compromise the user's privacy: the client would not use
> > the key pair for server A with server B.

I'm not sure I agree with this reasoning: as far as I recall, the SSH
protocol does not guarantee protection of user's privacy.  As far as I
am aware, it is not standard procedure for SSH clients to generate a
new key pair for every server.

Maybe the answer to the following question will allow me to understand
the concern better:

In what way does U2F decrease the user's privacy?

> > In U2F, the assumption is that the U2F devices themselves 
> > may be storage-less. As a result, the server sends a "key
> > handle" to remind the U2F device which key pair to use. The
> > application parameter is a means by which the key pair is bound
> > to a particular place. It's the web origin in the case of web
> > authentication flows. The keys are cryptographically bound to the
> > application parameter, such that no server that is associated with
> > a different application parameter can exercise the key. (This
> > protection relies on a trusted piece of software, i.e. the web 
> > browser in the case of the web, to tell the U2F device which 
> > server it is.) In this way, the key handles are safe: even if
> > server A reveals the key handle for Alice to server B, server B
> > can't learn that the key pair is in fact associated with an entity
> > of interest to B, because B can't exercise Alice's key handle for
> > server A.

I agree with this description, FWIW.

> > By using a static application parameter, their protocol leaves
> > users exposed to a new attack.

This would indeed be a flaw in the patch.  I agree!  I believe it was a
known issue, see earlier discussions.

> ... which brings me to 4) I'm not familiar enough with U2F to review
> it. 
> 
> Without a proper specification that has been reviewed by people who
> are properly familiar with U2F and a way to remove the licensing
> conflict, please do not expect any progress here.

Thanks.  Hopefully we can get more eyes on the draft itself and people
can start to test the patch a bit more.

I fully agree that this is not a done deal, however, I believe we are
getting there!

Thanks,
/Simon

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list