When I buy a U2F device, say a Yubikey smart card, does the vendor hardcode on it a private key that will later be used in a challenge-response mechanism by the user, or do they only put in there some kind of 'seed', which is later used to create a private key when I plug the device into my computer?

In the first case, how likely is a scenario where the vendor is compromised and leaks my private key? In the second, is it mathematically possible, knowing the seed, to reconstruct my private key?

If instead I completely misunderstood how it works, could you please correct me?

jj_p
  • Read through this question and answer to see if it helps your understanding of key generation and storage with a Yubikey device: http://crypto.stackexchange.com/questions/25332/yubicos-take-on-u2f-key-wrapping – PwdRsch Jan 31 '17 at 21:58
  • @PwdRsch thanks, I will take a look, though it seems a bit technical. Could you please explain in more basic terms how it works? – jj_p Jan 31 '17 at 22:37

2 Answers

Lots of confusion here... but that's normal :)

  1. Reminder: Each time a user enrolls a FIDO U2F device (FIDO U2F USB security key, FIDO U2F NFC card, FIDO U2F BLE device), a new key pair is needed and created.
  2. Inside the FIDO U2F Specifications, there is a section called "7. Allowing for Inexpensive U2F Devices" (http://gg.gg/4eny2) describing how a manufacturer is allowed to wrap every newly created user key from an initial built-in secret. Yubico (like many others) made the decision to follow this path. The advantage is that the device can deal with an infinite number of key pairs, since they are not really stored inside the device: they are created from information "hidden"/wrapped inside key handles, which were originally supposed to be purely random indexes attached to generated keys. A first problem is that the specifications don't say anything about how a manufacturer can wrap keys, so a manufacturer can use a totally broken and non-secure wrapping method and still be "FIDO U2F" certified. Another major issue with this choice is that even with a secure wrapping method, if a manufacturer is forced by an agency like the NSA, for example, to give up the list of initial secrets, or if an insider decides to take the list of secrets that are built into their products... well... all users' private keys don't belong to the users only anymore... meaning that a third party can rebuild all users' keys from all these products just from the public key handles that are stored on the server side and exchanged with the browser... "What could possibly go wrong?" (c)
  3. As far as I know, the Yubico personalization tool doesn't let you change these built-in secrets; this software is made for other, non-FIDO U2F related features. * sigh *
  4. There are solutions like the FIDO U2F compatible products from Ledger.co (first disclaimer: they are friends) that are wrapping keys, but built-in tools let the user change an initial seed to change the built-in secret.
  5. Some other manufacturers (second disclaimer: like NEOWAVE, the company I am working for) don't allow this kind of key wrapping. Here is a visual illustration to show the difference between wrapping and non-wrapping: http://www.neowave.fr/pleaseno/key_wrapping_versus_stored_isolation.jpg

I hope it is more clear now :)

FredericMARTIN

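The wrapping scheme the answer describes, as an added example that is not part of the original answer and is not Yubico's, Ledger's or NEOWAVE's actual code: a hypothetical section-7 style device that re-derives each registration's private key from a factory master secret plus a nonce carried in the key handle, beside a device that stores a fresh random key per registration and hands out an opaque index. The derivation (HMAC-SHA256) and the handle layout (nonce || MAC) are assumptions chosen for illustration; a real token would use the derived 32 bytes as its P-256 private scalar and return the public key, and that ECDSA step is left out here. What it demonstrates is the answer's point: whoever holds the master secret recovers every private key from nothing but the key handles the servers store, while a device whose seed has been changed (or one that never derived keys in the first place) gives them nothing.

```python
import hashlib
import hmac
import secrets

# Constructed sample AppIDs (the origin a relying party sends at registration).
APP_ID = b"https://example.com"
OTHER_APP_ID = b"https://other.example"


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so (b"ab", b"c") and
    (b"a", b"bc") can never produce the same input."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class WrappingDevice:
    """Hypothetical 'inexpensive' U2F device in the style of spec section 7.

    Nothing per-registration is stored on the device. The private key is
    re-derived from the factory master secret and data inside the key handle.
    (Assumed scheme: the real wrapping used by any vendor may differ.)"""
    NONCE_LEN = 32

    def __init__(self, master_secret: bytes):
        self._master = master_secret  # set at the factory, vendor keeps a copy

    def _derive_priv(self, app_id: bytes, nonce: bytes) -> bytes:
        # In a real token these 32 bytes would become the P-256 private scalar.
        return _mac(self._master, b"priv", app_id, nonce)

    def register(self, app_id: bytes):
        nonce = secrets.token_bytes(self.NONCE_LEN)
        priv = self._derive_priv(app_id, nonce)
        # Key handle = nonce || MAC over (AppID, nonce). The MAC lets the device
        # recognise its own handles and binds each one to the origin it was
        # made for, so a handle issued to site A is rejected at site B.
        handle = nonce + _mac(self._master, b"handle", app_id, nonce)
        return handle, priv  # the server keeps `handle`; it is public data

    def unwrap(self, app_id: bytes, handle: bytes):
        """What the device does on every authentication: returns the private
        scalar if the handle is ours and bound to app_id, otherwise None."""
        if len(handle) != self.NONCE_LEN + 32:
            return None
        nonce, tag = handle[:self.NONCE_LEN], handle[self.NONCE_LEN:]
        expected = _mac(self._master, b"handle", app_id, nonce)
        if not hmac.compare_digest(tag, expected):
            return None
        return self._derive_priv(app_id, nonce)


class StoredIsolationDevice:
    """Device that generates and stores a fresh random key per registration.
    The handle is only an index: it carries no material a key could be
    derived from, and there is no factory secret to leak."""

    def __init__(self):
        self._keys = {}

    def register(self, app_id: bytes):
        priv = secrets.token_bytes(32)
        handle = secrets.token_bytes(32)
        self._keys[(app_id, handle)] = priv
        return handle, priv

    def unwrap(self, app_id: bytes, handle: bytes):
        return self._keys.get((app_id, handle))


if __name__ == "__main__":
    factory_secret = secrets.token_bytes(32)      # what the vendor knows forever
    token = WrappingDevice(factory_secret)
    handle, priv = token.register(APP_ID)
    print("device re-derives its key:   ", token.unwrap(APP_ID, handle) == priv)
    # Anyone holding the factory secret plus the server-side handle gets the key.
    print("leaked factory secret works: ", WrappingDevice(factory_secret).unwrap(APP_ID, handle) == priv)
    # After the user changes the seed (the Ledger approach) the old handle is dead
    # for everyone, vendor included; registrations must be redone.
    print("after reseeding:             ", WrappingDevice(secrets.token_bytes(32)).unwrap(APP_ID, handle))
    iso = StoredIsolationDevice()
    h, p = iso.register(APP_ID)
    print("stored-key handle elsewhere: ", StoredIsolationDevice().unwrap(APP_ID, h))
```

Run it and the second line prints True: the attacker's `WrappingDevice` is a different object that never saw the registration, only the 64-byte handle a relying party would hold in its database. The third line prints None, which is both the benefit and the cost of reseeding. The `StoredIsolationDevice` line prints None for a different reason: the handle is a random index into storage that exists only on the original unit.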
I'm not familiar enough with the internals of U2F to comment on it specifically.

But Yubico provides a Yubikey personalization tool. You can use this to change a wide variety of settings on the key, and even use it to clone one key to another. This implies that yes, Yubico could know what key they initially provided you and use it to impersonate you. However, it also provides a way for you to prevent that, by setting your own key when receiving the device.

Xiong Chiamiov
  • thanks. However, when setting my own key, it seems I lose the possibility of using Yubico's validation server: how does that impact the usage of my U2F key? – jj_p Jan 31 '17 at 22:38
  • namely, are services like Gmail or Dropbox (or any future major player joining this initiative) making use of the Yubico validation server, or running their own? – jj_p Jan 31 '17 at 22:43
  • perhaps I now understand better: it is the user who must, upon generating a new key, run his own validation server, if he's not willing to let Yubico know the new key, is that right? – jj_p Jan 31 '17 at 23:01
  • Yes, I believe that is correct. – Xiong Chiamiov Feb 04 '17 at 16:52
  • This sounds like _"U2F with a YubiKey requires 100% trust in Yubico unless you run your own validation server"_ -- is that correct? – Jonathan Cross Sep 23 '17 at 14:52
  • @JonathanCross I'm unsure enough of my knowledge to want to say, sorry. – Xiong Chiamiov Sep 25 '17 at 20:46