7

As I understand it, U2F is mainly used for authentication. It uses a challenge-response scheme to check whether the device used for logging in is the same device that was used during registration, based on a shared secret. So the result of the process is a yes/no answer.

Is there a way to use a U2F device for encrypting data in a symmetrical way, like a local password manager?

Philipp
atok

2 Answers

5

No, the U2F specified keys are not able to perform symmetric encryption operations. They are designed only for providing a public key, attestation certificate, and signing data for the challenge / response process with their internal private key. Specifications can be read at https://fidoalliance.org/specifications/overview/

Jeff Ferland
  • That's bad. So, a trusted 2nd party (server) is needed for secure data storage? How does this work: https://www.yubico.com/applications/password-management/consumer/password-safe/ ? – atok Nov 18 '15 at 08:00
  • 1
    Many YubiKey devices operate in several modes. What you've linked to describes another mode using HMAC-SHA1 which is not public key encryption and not part of the U2F standard. – Jeff Ferland Nov 18 '15 at 08:26
  • Jeff: Could you elaborate why signing a challenge does not lend itself to a way to generate a password for symmetric encryption? – Christopher Oezbek Mar 14 '17 at 19:41
  • @ChristopherOezbek I would suggest asking that as an independent question on https://crypto.stackexchange.com – Jeff Ferland Mar 14 '17 at 19:43
  • @JeffFerland https://crypto.stackexchange.com/questions/44717/can-an-u2f-public-private-key-pair-for-signatures-be-used-for-encryption – Christopher Oezbek Mar 14 '17 at 20:15
1

No, it is not possible to get some constant value/bytes from a U2F device that will be unique for a particular device and can be used later as an encryption key, mainly because of the FIDO privacy concern: "identifying devices would reveal a unique identifier for a device across unrelated origins, violating the user’s privacy." (c) FIDO specs.

On the other hand, this is why the U2F signature feature also can't be used to get some constant value that can later be used as an encryption key:

  1. The U2F device signs a Digest that is created by the Client and the Device (U2F adds a signature counter to the Digest). So every new signature will be unique even if the Client provides the same data twice.
  2. When the U2F device generates a new KeyHandle (ECDSA pair), it uses its own random value. So it will never generate the same KeyHandle even if you provide the same data for the 2nd request.

By FIDO philosophy, the U2F key is mainly designed to ensure trust between the Authentication Service and the remote client. When you want to adopt a U2F key for other authentication/security scenarios, take care about the dozen attacks that can be applied.

AleSil
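The two numbered points in the answer above, as an added example that is not part of the original answer and is not FIDO or vendor code. It builds the bytes signed on authentication as laid out in the U2F raw message format; `SimulatedToken`, `naive_key`, the app ID and the challenge are constructed assumptions, and HMAC stands in for the token's ECDSA signature.

```python
import hashlib
import hmac
import os
import struct

def signed_data(app_id, client_data, counter, user_present=True):
    """Bytes a U2F token signs on authentication (U2F raw message format)."""
    app_param = hashlib.sha256(app_id.encode()).digest()    # 32 bytes
    challenge_param = hashlib.sha256(client_data).digest()  # 32 bytes
    presence = bytes([1 if user_present else 0])            # 1 byte
    return app_param + presence + struct.pack(">I", counter) + challenge_param

class SimulatedToken:
    """Constructed stand-in for a token (assumption): HMAC replaces ECDSA, i.e.
    the best case of a fully deterministic signer. Real ECDSA normally adds a
    fresh per-signature nonce on top of what is shown here."""
    def __init__(self):
        self._secret = os.urandom(32)  # never leaves the device
        self.counter = 0

    def register(self, app_id):
        # Point 2: fresh device randomness makes every key handle different.
        nonce = os.urandom(32)
        tag = hmac.new(self._secret, nonce + app_id.encode(), hashlib.sha256)
        return nonce + tag.digest()

    def authenticate(self, app_id, client_data):
        # Point 1: the device-side counter is part of the signed bytes.
        self.counter += 1
        msg = signed_data(app_id, client_data, self.counter)
        return self.counter, hmac.new(self._secret, msg, hashlib.sha256).digest()

def naive_key(signature):
    """The tempting (broken) idea: hash a signature into a symmetric key."""
    return hashlib.sha256(b"vault-key" + signature).digest()

def demo():
    token = SimulatedToken()
    app_id = "https://vault.example"                      # constructed
    client_data = b'{"challenge":"same-every-time"}'      # constructed
    (c1, sig1), (c2, sig2) = (token.authenticate(app_id, client_data) for _ in range(2))
    return {
        "counters": (c1, c2),
        "same_key": naive_key(sig1) == naive_key(sig2),
        "same_key_handle": token.register(app_id) == token.register(app_id),
    }

if __name__ == "__main__":
    print(demo())
```

Even with an identical challenge and a deterministic signer, the counter changes the signed bytes, so a key derived from the signature cannot be reproduced to decrypt later.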