[lug] GitHub+Yubico, FIDO U2F token discount

Davide Del Vento davide.del.vento at gmail.com
Mon Oct 5 15:22:43 MDT 2015


The section "Client Malware Interactions with U2F Devices" for one.
The untold mechanisms by which the data is passed to the token for
signing are another (related to the previous one).
Some of the MITM which are not covered are the (least concerning)
ones. And I'd expect more if I had time to read it more carefully than
I did.

In other words, (other than the UI) this does not seem to be much
different than signing your own piece of text with your private key
fully in software, with all the corresponding good and bad. My biggest
concern is that in the UI documentation all of this is lost, and I
fear users could be misled into thinking "only I have this thing,
therefore I'm 100% secure as long as I don't lose it", which of course
isn't true.

FWIW, I'm not in any way claiming that I could do better, just saying
things which we "tech people" should be aware of.


On Mon, Oct 5, 2015 at 2:49 PM, Quentin Hartman <qhartman at gmail.com> wrote:
> I haven't yet read that doc in detail since I'm at work, but where do you
> think the security is lacking?
>
> On Mon, Oct 5, 2015 at 2:31 PM, Davide Del Vento
> <davide.del.vento at gmail.com> wrote:
>>
>> That wasn't what I was looking for, but it led me to
>>
>> https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-overview.html
>> which still isn't what I am looking for, but contained much more tech
>> details than anything I've seen before. I still have questions, and
>> the document demonstrates that this isn't as secure as I thought it
>> was, but it's still progress.
>> Thanks
>> Davide
>>
>> On Mon, Oct 5, 2015 at 12:26 PM, Quentin Hartman <qhartman at gmail.com>
>> wrote:
>> > This might be what you are looking for:
>> > https://fidoalliance.org/specifications/overview/
>> >
>> > On Mon, Oct 5, 2015 at 12:03 PM, Davide Del Vento
>> > <davide.del.vento at gmail.com> wrote:
>> >>
>> >> Hey Rich,
>> >>
>> >> The special github yubikeys are totally sold out, but there is 20% off
>> >> any regular yubikey. I'm familiar with the yubikey OTP, but I'm not
>> >> with this FIDO U2F. At first it sounded to me like it is just a really
>> >> long, second password that you don't have to type (like the OTP is the
>> >> first, equally long password, that you don't have to type and second,
>> >> it changes every time). But then it says something like "it performs
>> >> cryptographic functions triggered by a simple touch of the key [...]
>> >> required for login", which sounded OTP-like but based on an input
>> >> instead of an implicit sequence count. I could not find any decent
>> >> documentation about this, do you have any recommended readings? For
>> >> example, how is this input sent to the yubikey? What is it really
>> >> about? How can it be that "you have an unlimited number of U2F
>> >> credentials on these YubiKeys that support the U2F protocol" as the
>> >> FAQ says?
>> >>
>> >> Thanks,
>> >> Davide
>> >>
>> >> On Sun, Oct 4, 2015 at 12:17 PM, Richard Johnson <rdump at river.com>
>> >> wrote:
>> >> > If you participate in open source projects that use GitHub, or you're
>> >> > even a bit of a crypto geek, this is a cool opportunity for an
>> >> > inexpensive but quite durable [1] hardware 2nd factor.
>> >> >
>> >> >   https://www.yubico.com/github-special-offer/
>> >> >
>> >> > http://www.wired.com/2015/10/github-moves-past-password-make-open-source-secure/
>> >> >
>> >> > GitHub has announced they're supporting FIDO U2F as a 2nd factor on
>> >> > logins to their web service. It's working now via recent versions of
>> >> > Chromium/Chrome only, but Mozilla has an open feature issue for
>> >> > adding support.
>> >> >
>> >> > Even better, they have a serious discount ($5+$5 shipping) on
>> >> > Yubico's otherwise $18 FIDO U2F-only USB tokens (complete with
>> >> > OctoCat logo so you can tell them apart ;) ). They'll be usable on
>> >> > GitHub and increasingly widely beyond.
>> >> >
>> >> > While I'm still wanting a fully open source s/w + h/w implementation
>> >> > of FIDO U2F on a secure base (Nitrokey, eventually?), this will do
>> >> > for now. $5 is in "might as well get some to experiment with" range
>> >> > for me.
>> >> >
>> >> > Rich
>> >> >
>> >> > -------
>> >> > [1] I once found a lost basic Yubikey after it had spent 3 weeks
>> >> > freezing every night in a puddle of muddy snowmelt. It still works
>> >> > fine. These Yubico FIDO U2F models have the same construction.
>> >> > _______________________________________________
>> >> > Web Page:  http://lug.boulder.co.us
>> >> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> >> > Join us on IRC: irc.hackingsociety.org port=6667
>> >> > channel=#hackingsociety
>
>
>
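To make the thread's questions concrete (what input the token actually signs, why one key can hold an "unlimited" number of credentials, and what the origin binding adds over signing a blob with a software key), here is an added Go model of the U2F registration and authentication flow; it is not code from the FIDO spec, Yubico or this list. The device secret, origins and challenge are constructed values, and the key-handle scheme (random nonce plus HMAC tag, with the per-site key re-derived from the device secret) is one common design assumed here, not taken from the page.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"math/big"
)
// Token models a U2F authenticator: one device secret and one counter, no per-site key storage.
type Token struct{ secret []byte; counter uint32 }
// prf is the token's keyed derivation; the label keeps key seeds and handle tags apart.
func (t *Token) prf(label string, nonce, app []byte) []byte {
	m := hmac.New(sha256.New, t.secret)
	m.Write(append(append([]byte(label), nonce...), app...))
	return m.Sum(nil)
}
// derive recomputes the P-256 key for (nonce, origin) instead of storing it: "unlimited" credentials.
func (t *Token) derive(nonce, app []byte) *ecdsa.PrivateKey {
	k := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: elliptic.P256()}}
	k.D = new(big.Int).Mod(new(big.Int).SetBytes(t.prf("key", nonce, app)), k.Params().N)
	k.X, k.Y = k.ScalarBaseMult(k.D.FillBytes(make([]byte, 32)))
	return k
}
// Register returns the origin's public key and an opaque 48-byte handle (nonce || tag) the site stores.
func (t *Token) Register(app []byte) (*ecdsa.PublicKey, []byte) {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	return &t.derive(nonce, app).PublicKey, append(nonce, t.prf("handle", nonce, app)...)
}
// signedData hashes the U2F authentication message: origin hash, user-presence byte, counter, challenge hash.
func signedData(app []byte, counter uint32, chal []byte) []byte {
	h := sha256.New()
	h.Write(app); h.Write([]byte{1}); binary.Write(h, binary.BigEndian, counter); h.Write(chal)
	return h.Sum(nil)
}
// Authenticate signs only if the handle was issued for this origin; a look-alike appID gets ok=false.
func (t *Token) Authenticate(app, handle, chal []byte) (sig []byte, ctr uint32, ok bool) {
	if len(handle) != 48 || !hmac.Equal(handle[16:], t.prf("handle", handle[:16], app)) {
		return nil, 0, false
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.derive(handle[:16], app), signedData(app, t.counter, chal))
	return sig, t.counter, err == nil
}
// Verify is the relying-party check: a valid signature and a counter that moved forward.
func Verify(pub *ecdsa.PublicKey, app []byte, last, ctr uint32, chal, sig []byte) bool {
	return ctr > last && ecdsa.VerifyASN1(pub, signedData(app, ctr, chal), sig)
}
```

The handle check is what the origin binding buys: a site that is not the registered origin gets no signature at all, while the relying party's counter comparison rejects a replayed response.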