version 1.1, 2019/10/31 21:14:17 |
version 1.2, 2019/11/01 12:10:43 |
|
|
a monotonic signature counter that can be used (at scale) to detect |
a monotonic signature counter that can be used (at scale) to detect |
concurrent use of a private key, should it be extracted from hardware. |
concurrent use of a private key, should it be extracted from hardware. |
|
|
U2F private keys are generatted through an enrollment operation, |
U2F private keys are generated through an enrollment operation, |
which takes an application ID - a URL-like string, typically "ssh:" |
which takes an application ID - a URL-like string, typically "ssh:" |
in this case, but a HTTP origin for the case of web authentication, |
in this case, but a HTTP origin for the case of web authentication, |
and a challenge string (typically randomly generated). The enrollment |
and a challenge string (typically randomly generated). The enrollment |
operation returns a public key, a key handle that must be used to invoke |
operation returns a public key, a key handle that must be used to invoke |
the hardware-backed private key, some flags and signed attestation |
the hardware-backed private key, some flags and signed attestation |
information that may be used to verify that private key is hosted on a |
information that may be used to verify that a private key is hosted on a |
particular hardware instance. |
particular hardware instance. |
|
|
It is common for U2F hardware to derive private keys from the key handle |
It is common for U2F hardware to derive private keys from the key handle |
|
|
The certificate form of a SSH U2F key appends the usual certificate |
The certificate form of a SSH U2F key appends the usual certificate |
information to the public key: |
information to the public key: |
|
|
string "sk-ecdsa-sha2-nistp256@openssh.com" |
string "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" |
string nonce |
string nonce |
ec_point Q |
ec_point Q |
string application |
string application |
|
|
default. |
default. |
|
|
Attestation information is very useful however in an organisational |
Attestation information is very useful however in an organisational |
context, where it may be used by an CA as part of certificate |
context, where it may be used by a CA as part of certificate |
issuance. In this case, exposure to the CA of hardware identity is |
issuance. In this case, exposure to the CA of hardware identity is |
desirable. To support this case, OpenSSH optionally allows retaining the |
desirable. To support this case, OpenSSH optionally allows retaining the |
attestation information at the time of key generation. It will take the |
attestation information at the time of key generation. It will take the |
|
|
ssh-agent protocol extensions |
ssh-agent protocol extensions |
----------------------------- |
----------------------------- |
|
|
ssh-agent requires some protocol extension to support U2F keys. At |
ssh-agent requires a protocol extension to support U2F keys. At |
present the closest analogue to Security Keys in ssh-agent are PKCS#11 |
present the closest analogue to Security Keys in ssh-agent are PKCS#11 |
tokens, insofar as they require a middleware library to communicate with |
tokens, insofar as they require a middleware library to communicate with |
the device that holds the keys. Unfortunately, the protocol message used |
the device that holds the keys. Unfortunately, the protocol message used |
to add PKCS#11 keys to ssh-agent does not include any way to send the |
to add PKCS#11 keys to ssh-agent does not include any way to send the |
key handle to the agent as U2F keys require. |
key handle to the agent as U2F keys require. |
|
|
To avoid this, without having to add wholy new messages to the agent |
To avoid this, without having to add wholly new messages to the agent |
protocol we will use the existing SSH2_AGENTC_ADD_ID_CONSTRAINED message |
protocol, we will use the existing SSH2_AGENTC_ADD_ID_CONSTRAINED message |
with a new a key constraint extension to encode a path to the middleware |
with a new key constraint extension to encode a path to the middleware |
library for the key. The format of this constraint extension would be: |
library for the key. The format of this constraint extension would be: |
|
|
byte SSH_AGENT_CONSTRAIN_EXTENSION |
byte SSH_AGENT_CONSTRAIN_EXTENSION |