Project Description

FIDO2 is set of specifications for multi-factor authentication. It is based on asymmetric cryptography with secrets stored in a HW token. The token must support the protocol to be usable. I own Nitrokey Start which is fundamentally similar but it speaks a different protocol (of GPG smart cards). I'm curious whether the device can serve as FIDO2 token too.

Goal for this Hackweek

There will be likely lots of impedance to match. Ideally, the secrets should never live out of the GPG smart card, however, I'm not sure if the signing protocols are compatible. (To study this is also a goal.) An alternative would be to use an established password manager (e.g. pass) and emulate the FIDO2 token in software with access to secrets in the password manager. The intention is to be able to authenticate via browser against a WebAuthn (web) service.

The goal is not to provide a more secure solution than real HW FIDO2 token.

Resources

Looking for hackers with the skills:

cryptography security gpg mfa

This project is part of:

Hack Week 21

Activity

  • 3 months ago: ybonatakis liked this project.
  • 3 months ago: mkoutny joined this project.
  • 3 months ago: jzerebecki liked this project.
  • 3 months ago: jzerebecki left this project.
  • 3 months ago: jzerebecki joined this project.
  • 3 months ago: jzerebecki left this project.
  • 3 months ago: jzerebecki joined this project.
  • 3 months ago: toe liked this project.
  • 4 months ago: Coelacanthus started this project.
  • 4 months ago: szarate liked this project.
  • 4 months ago: mkoutny added keyword "cryptography" to this project.
  • 4 months ago: mkoutny added keyword "security" to this project.
  • 4 months ago: mkoutny added keyword "gpg" to this project.
  • 4 months ago: mkoutny added keyword "mfa" to this project.
  • 4 months ago: mkoutny originated this project.

  • Comments

    • jzerebecki
      3 months ago by jzerebecki | Reply

      There are fido2 implementations for various stm32 boards, like the nitrokey start is one. But sadly I know of none that combine a fido2 and gpg implementation, though it is theoretically possible. E.g. https://github.com/solokeys/solo1 and there is also one in rust https://github.com/google/OpenSK

      If you can't get your hardware key to cooperate with the fido2 protocol, then there are fido2 implementations using the tpm2 most laptops have available. E.g. https://github.com/psanford/tpm-fido

    • mkoutny
      3 months ago by mkoutny | Reply

      Report after Hackweek

      --- a/drivers/usb/gadget/udc/Kconfig
      +++ b/drivers/usb/gadget/udc/Kconfig
      @@ -471,7 +471,7 @@ source "drivers/usb/gadget/udc/aspeed-vhub/Kconfig"
      
       config USB_DUMMY_HCD
              tristate "Dummy HCD (DEVELOPMENT)"
      -       depends on USB=y || (USB=m && USB_GADGET=m)
      +       depends on USB=y || (USB=m && USB_GADGET=y)
              help
                This host controller driver emulates USB, looping all data transfer
                requests back to a USB "gadget driver" in the same host.  The host
      
      • my quickly hacked program was able to register (aka provide public key) against https://webauthn.io/ but it's not able to authenticate (aka sign challenges)
      • my joy was stopped by RFC4880 that defines GPG signatures as follows (highlight mine):

      The concatenation of the data being signed and the signature data from the version number through the hashed subpacket data (inclusive) is hashed. The resulting hash value is what is signed.

      • that's where I stopped but I realize ssh-keygen -Y sign ... is the way forward (preferred to low-level communications with ssh-agent)
        • the point is that gpg-agent can act as ssh-agent too
      • the goal of this project should be achieved with the ssh-agent detour

    Similar Projects

    OMEMO Hexchat plugin by dknorr

    [comment]: # (Please use the project descriptio...


    Project Verifree : internal key server(s) by mcaj

    Project description

    The project Verifree...


    rust security reviews and cargo-crev by jzerebecki

    [comment]: # (Please use the project descriptio...


    Learn more about Application Security (AppSec) Open Source Tools and Testing Techniques by heidi.bronson

    [comment]: # (Please use the project descriptio...


    Poking technologies for enrolling customer key to kernel trusted keyring by joeyli

    [comment]: # (Please use the project descriptio...


    Project Verifree : internal key server(s) by mcaj

    Project description

    The project Verifree...


    Kanidm - Modern Opensource Identity Management by firstyear

    Project Description

    Kanidm is a identity ma...


    Project Verifree : internal key server(s) by mcaj

    Project description

    The project Verifree...