Open DigitalBrains1 opened 8 months ago
Ah. This is with latest bleeding edge:
ver xous
Xous version: v0.9.15-459-g38855960
Thu, 01 Feb 2024 13:55:23 +0800
But it doesn't work with the stable release either. I just thought you'd prefer testing with bleeding edge.
Thank you for the incredibly detailed notes. This will help debugging it more later.
As I mentioned elsewhere, I might de-prioritize this until this actually is a blocker for someone's workflow -- at the moment slogging through upgrading the crypto APIs to support the Signal client effort.
Yes, in practice the places where I actually use Precursor with FIDO work fine, so this issue might not be a problem for anyone.
at the moment slogging through upgrading the crypto APIs to support the Signal client effort.
Operator: We get signal. Captain: What ! Operator: Main screen turn on.
:-D Good luck!
This issue report stems from this comment. While FIDO2 works fine, it seems the older U2F fails where a different device, a NitroKey 3, works fine.
I installed libu2f-server and libu2f-host, simply by installing the Debian bookworm/stable packages, versions 1.1.0-4+b1 (u2f-server) and 1.1.10-3 (u2f-host).
These two programs should allow you to register a U2F device and have it validate authentication challenges, and it works with the Nitrokey 3. However, with the Precursor, it cannot be registered, the
u2f-host
program that talks to the device gives an errorHere is how to reproduce, and I also included USB traffic dumps for both Precursor and Nitrokey.
Generate challenge
The following invocation will make
u2f-server
generate a registration challenge, save the key handle tokeyhandle-precursor.dat
and the user key touserkey-precursor.dat
:This will print to
stdout
some JSON:Note that for exact reproduction, you can make it reuse that exact challenge again by passing it in with
-c "[...challenge...]"
as such:Pass challenge to Precursor
Invoke
u2f-host
as:and then copy-paste the JSON output by
u2f-server
onstdin
of theu2f-host
process. End with a newline and EOF (Ctrl-D).The Precursor will now prompt:
Clicking accept will make
u2f-host
error out:at which point you cannot continue with registration. The USB conversation between
u2f-host
and the Precursor, as captured by Wireshark, should be this: precursor-u2f-register-fail.pcapng.gzPass challenge to Nitrokey
Again, invoke
u2f-host
as:and then copy-paste the JSON output by
u2f-server
onstdin
of theu2f-host
process. End with a newline and EOF (Ctrl-D). I used the exact same challenge as for the Precursor.The Nitrokey starts to blink, touch it.
u2f-host
outputs some JSON onstdout
:(I did it twice with the same challenge.
registrationData
changed,clientData
stayed the same)I am hoping that the following capture by Wireshark is the correct conversation for this exact response: nitrokey-u2f-success.pcapng.gz
Finish registration of Nitrokey
Paste the JSON that
u2f-host
outputted on stdin of the still runningu2f-server
process, ending in newline and EOF.u2f-host
will reply:and will save the credentials in the two files: key handle and user key.
Authenticate with Nitrokey
Very similar to the steps we did up to now, but instead of
-aregister
we now do-aauthenticate
and the files are now input instead of output.gives us some JSON:
Paste the JSON from
u2f-server
intou2f-host
as before, touch the Nitrokey, andu2f-host
will output the challenge response:Paste that back again to
u2f-server
and it will say:I suspect that with all this data, people might be able to pose as the
https://example.org
server to my Nitrokey. But that server is not going to exist and it seems like a weird attacker model anyway; what should protect me from people posing asexample.org
is a signed SSL certificate, not this exchange above. Still, I decided not to use a real hostname.