
Diff for /src/usr.bin/ssh/PROTOCOL.u2f between version 1.6 and 1.7

version 1.6, 2019/11/18 04:29:50 version 1.7, 2019/11/18 04:34:47
Line 36 
Line 36 
 hardware, thus requiring little on-device storage for an effectively  hardware, thus requiring little on-device storage for an effectively
 unlimited number of supported keys. This drives the requirement that  unlimited number of supported keys. This drives the requirement that
 the key handle be supplied for each signature operation. U2F tokens  the key handle be supplied for each signature operation. U2F tokens
 primarily use ECDSA signatures in the NIST-P256 field.  primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2
   standard specified additional key types include one based on Ed25519.
   
 SSH U2F Key formats  SSH U2F Key formats
 -------------------  -------------------
   
 OpenSSH integrates U2F as a new key and corresponding certificate type:  OpenSSH integrates U2F as new key and corresponding certificate types:
   
         sk-ecdsa-sha2-nistp256@openssh.com          sk-ecdsa-sha2-nistp256@openssh.com
         sk-ecdsa-sha2-nistp256-cert-v01@openssh.com          sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
           sk-ssh-ed25519@openssh.com
           sk-ssh-ed25519-cert-v01@openssh.com
   
 These key types are supported only for user authentication with the  These key types are supported only for user authentication with the
 "publickey" method. They are not used for host-based user authentication  "publickey" method. They are not used for host-based user authentication
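Review bot: the new sentence added to the first paragraph of this hunk has a grammar slip: "though the FIDO2 standard specified additional key types include one based on Ed25519" should read "though the FIDO2 standard specifies additional key types, including one based on Ed25519". The change of "a new key and corresponding certificate type" to "new key and corresponding certificate types" correctly matches the two added type names, but the paragraph still opens with "U2F tokens primarily use ECDSA", so it may be worth stating explicitly that the Ed25519 key type is only available on FIDO2-capable tokens, since a reader choosing a key type needs to know which hardware supports it.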
Line 72 
Line 75 
         string          key_handle          string          key_handle
         string          reserved          string          reserved
   
 The certificate form of a SSH U2F key appends the usual certificate  The format of a sk-ssh-ed25519@openssh.com public key is:
   
           string          "sk-ssh-ed25519@openssh.com"
           string          public key
           string          application (user-specified, but typically "ssh:")
   
   With a private half consisting of:
   
           string          "sk-ssh-ed25519@openssh.com"
           string          public key
           string          application (user-specified, but typically "ssh:")
           uint32          flags
           string          key_handle
           string          reserved
   
   The certificate form for SSH U2F keys appends the usual certificate
 information to the public key:  information to the public key:
   
         string          "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"          string          "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
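Review bot: the new sk-ssh-ed25519@openssh.com public key layout lists "string public key" without saying how the key is encoded; the ECDSA form above it presumably spells out its point encoding, so the Ed25519 form should say the same for its public key string (whether it is the raw public key bytes or wrapped in some other structure), otherwise implementers of other SSH software have to guess. The private half repeats the three public fields verbatim before "flags", "key_handle" and "reserved", which mirrors the ECDSA private format; a one-line reminder that "flags" and "key_handle" are the values needed to drive the token at signing time (as the "key handle be supplied for each signature operation" text earlier says) would help tie the two sections together. The "reserved" field is left undocumented in both the ECDSA and Ed25519 private forms; stating its expected content (empty) would let parsers reject malformed keys.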
Line 92 
Line 110 
         string          signature key          string          signature key
         string          signature          string          signature
   
           string          "sk-ssh-ed25519-cert-v01@openssh.com"
           string          nonce
           string          public key
           string          application
           uint64          serial
           uint32          type
           string          key id
           string          valid principals
           uint64          valid after
           uint64          valid before
           string          critical options
           string          extensions
           string          reserved
           string          signature key
           string          signature
   
 During key generation, the hardware also returns attestation information  During key generation, the hardware also returns attestation information
 that may be used to cryptographically prove that a given key is  that may be used to cryptographically prove that a given key is
 hardware-backed. Unfortunately, the protocol required for this proof is  hardware-backed. Unfortunately, the protocol required for this proof is
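Review bot: the added sk-ssh-ed25519-cert-v01@openssh.com certificate block follows directly after the closing "signature" field of the ECDSA certificate with no separating sentence, so on a first read it looks like a continuation of the same structure. Suggest a short lead such as "and for sk-ssh-ed25519@openssh.com keys:" before the new block, matching how the preceding paragraph introduces the ECDSA certificate. The field order (nonce, public key, application, serial, type, key id, valid principals, valid after, valid before, critical options, extensions, reserved, signature key, signature) is consistent with the usual certificate layout, and correctly omits the private-only "flags" and "key_handle" fields; it would be useful to note once that "application" is the only security-key-specific field present in the certificate, since a verifier must check it against its own expectation when deciding whether the certificate is for this use.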
Line 187 
Line 221 
 U2F tokens may be attached via a number of means, including USB and NFC.  U2F tokens may be attached via a number of means, including USB and NFC.
 The USB interface is standardised around a HID protocol, but we want to  The USB interface is standardised around a HID protocol, but we want to
 be able to support other transports as well as dummy implementations for  be able to support other transports as well as dummy implementations for
 regress testing. For this reason, OpenSSH shall perform all U2F operations  regress testing. For this reason, OpenSSH shall support a dynamically-
 via a dynamically-loaded middleware library.  loaded middleware libraries to communicate with security keys, but offer
   support for the common case of USB HID security keys internally.
   
 The middleware library need only expose a handful of functions:  The middleware library need only expose a handful of functions:
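Review bot: "OpenSSH shall support a dynamically-loaded middleware libraries" mixes singular and plural; either drop "a" or change "libraries" to "library" ("shall support a dynamically-loaded middleware library to communicate with security keys"). The sentence that follows ("The middleware library need only expose a handful of functions") still reads as though middleware is the only path, so consider rewording it to "When a middleware library is used, it need only expose..." now that the internal USB HID support is the common case. Since a dynamically-loaded library runs with the privileges of the process that loads it, the document should also say how the library is selected (and by whom), so that readers understand what is being trusted when the non-default path is used.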
   
