mssun / passforios

Pass for iOS - an iOS client compatible with Pass command line application.
https://mssun.github.io/passforios
MIT License

Support for yubikeys? #42

Open qbit opened 7 years ago

qbit commented 7 years ago

Would it be possible to use a yubikey (in pgp/ccid mode) with this app? I take it there currently isn't any support - as I see no mention of it on the wiki.. but it would be neat if there was :D

mssun commented 7 years ago

Hi, Pass for iOS doesn't support PGP/ccid currently. Please stay tuned. More features will be added. Our main goal now is to implement/polish basic functions. Thanks for your suggestion.

On Mon, 27 Feb 2017 at 1:28 AM, Aaron Bieber notifications@github.com wrote:

Would it be possible to use a yubikey (in pgp/ccid mode) with this app? I take it there currently isn't any support - as I see no mention of it on the wiki.. but it would be neat if there was :D


-- Best, Mingshen www.cse.cuhk.edu.hk/~mssun

mssun commented 6 years ago

@posix4e Hi, I didn't get your point. Can you elaborate? Thanks.

For the Yubikey thing, I didn't use it personally, and I'm not sure how it relates to our app.

@qbit Can you talk about how to integrate it with the app? Thanks.

posix4e commented 6 years ago

Yeah, ignore me actually.

qbit commented 6 years ago

@mssun Sure - I can give it a crack.

So on Android using OpenKeychain you do the following:

I don't know enough about the iOS frameworks to know if the smartcard protocol is usable. Hopefully it is though :D

posix4e commented 6 years ago

https://www.yubico.com/2017/10/iphone-support-yubikey-otp-via-nfc/

brandon-arnold commented 5 years ago

Still pre-release, but a couple of weeks back Yubico announced Yubikey for Lightning. It gives no info about which protocols will be supported, but the approval from Apple means Yubico will be creating an iOS library; I'd bet PGP will be on it. @qbit @mssun @posix4e

awensaunders commented 5 years ago

What would be necessary to get CCID/smart card stuff working for this app with a similar workflow to the android equivalent? Say I were to have a nitrokey or similar, is there any support in iOS at all at the hardware level?

minkezhang commented 5 years ago

https://www.yubico.com/lightning-project/

It looks like people can sign up to start developing using the iOS SDK / Yubikey for Lightning now in private beta, but you'll need to sign an NDA.

Given that, I don't think we can issue public pull requests on this project, but there may be people working on a private branch already.

sbugert commented 5 years ago

With Apple supposedly opening up Core NFC in iOS 13 (https://www.nfcworld.com/2019/06/06/362917/apple-includes-nfc-tag-writing-in-major-upgrade-to-core-nfc-framework/), does this change the situation at all or would you still need the Lightning connection?

posix4e commented 5 years ago

I just ordered one today!

minkezhang commented 5 years ago

https://www.yubico.com/store/yubikey-5ci-security-keys

Yubikey just officially launched the lightning key; I also bought one and will tinker with it to see how feasible integration is here.

jbddc commented 5 years ago

Saw the Yubikey 5Ci announcement as well and immediately had this project in mind. It would be really cool to integrate it with pass4ios! 🙌

Logicwax commented 4 years ago

Supposedly Yubico is releasing an SDK soon (December) to open up full NFC support on the latest iOS. Then it should be possible to support GPG over NFC yubikeys.

adrienafl commented 4 years ago

Adding Yubikey support might help to solve issue #295. In my case, I need to only use my subkeys because I only add these on my Yubikey. My master key with certify capabilities stays offline. Having Yubikey support would solve it all.

jtraulle commented 4 years ago

I just found out about passforios and it is really great :heart_eyes: ! It would be awesome to support the GPG smartcard feature on a YubiKey device.

I currently own a Yubikey NEO (USB A + NFC). The GPG smartcard feature works great on desktop when the Yubikey is plugged into a USB port. I am not sure it is possible to get it working with NFC.

This StackExchange answer (https://unix.stackexchange.com/a/376138) suggests that it is possible, and with Apple now allowing all apps to use the NFC capability with iOS 13.3, maybe this is possible.

repomaa commented 4 years ago

I have a YubiKey NEO and a YubiKey 5 NFC. Only the latter works with the official Yubico Authenticator app, it seems.

jtraulle commented 4 years ago

I have a YubiKey NEO and a YubiKey 5 NFC. Only the latter works with the official Yubico Authenticator app, it seems.

Yubico Authenticator works with NFC for my yubikey NEO ;)

repomaa commented 4 years ago

Yubico Authenticator works with NFC for my yubikey NEO ;)

On iOS? Interesting. I wonder why mine didn’t work then...

jtraulle commented 4 years ago

Yup, on firmware 3.5.0 (you can see that using Yubikey Manager). Maybe yours is older?

awensaunders commented 4 years ago

Also, just as an FYI for those reading this thread, Yubikeys and other FIDO compatible keys are now supported within Safari on iOS on the latest version of iOS, 13.1. You may need to enable WebAuthn in Safari settings to do this. Try it out on the Yubico website or passwordless.dev.

anoadragon453 commented 4 years ago

Yubico have a native iOS SDK that claims to support OpenPGP (it also supports just sending raw commands back and forth to the device): https://developers.yubico.com/Mobile/iOS/

I believe that this should allow one to decrypt secrets with private keys stored on the device.

There's an issue for examples for pgp in the library, to which the developers noted that another smart card implementation (PIV) is already present in the example app, and that it should be possible; one just needs to do the same thing Desktop/Android already does, simply following pgp specification.

Also here is another example app: https://github.com/YubicoLabs/YubiKit-iOS-Starter

mkoz92 commented 4 years ago

Any update on that feature? :)

jarvisquis commented 4 years ago

Any update on that feature? :)

Yeah good question. Would be interested in that feature as well.

ndarilek commented 4 years ago

New iOS user coming from Android. I'd love to use this, but am incredibly wary of storing private keys on a device that could easily be lost or stolen. Even with a secure passphrase, I'd rather my private key not fall into someone else's hands.

In the absence of this feature, are the keys at least stored securely? iDevices have some sort of secure enclave if I'm not mistaken. Are my private keys kept there? That might make me feel a bit more comfortable using this without my smartcard.

Thanks.

kiranshila commented 4 years ago

Would love to see this supported as well.

SimplyDanny commented 4 years ago

In the absence of this feature, are the keys at least stored securely? iDevices have some sort of secure enclave if I'm not mistaken. Are my private keys kept there? That might make me feel a bit more comfortable using this without my smartcard.

Yes, all keys and their passwords (if you let the app save them) are stored in the iOS keychain, so that only the app itself can access them.

jvillasante commented 4 years ago

Any progress on this? Would we ever be able to use a yubikey through NFC in this app and not save our private keys on the device?

madjam002 commented 4 years ago

In the absence of this feature, are the keys at least stored securely? iDevices have some sort of secure enclave if I'm not mistaken. Are my private keys kept there? That might make me feel a bit more comfortable using this without my smartcard.

Yes, all keys and their passwords (if you let the app save them) are stored in the iOS keychain, so that only the app itself can access them.

This doesn't sound like it uses the secure enclave, so keys will be stored in iTunes Backups and can be extracted

Logicwax commented 4 years ago

The secure enclave doesn't support native GPG, so won't the secure enclave just be unwrapping the private key, which will then be in userland memory for the remainder of the GPG operations?

madjam002 commented 4 years ago

The secure enclave doesn't support native GPG, so won't the secure enclave just be unwrapping the private key, which will then be in userland memory for the remainder of the GPG operations?

I don't know enough about the iOS keychain, as I haven't worked with it before, but I tried restoring a backup with the Pass for iOS app and all of my private keys were still there. This means that the secure enclave isn't wrapping private keys on disk, or maybe it is, but when you do an iTunes backup the keys are unwrapped by iOS and re-encrypted with another key that isn't stored in the secure enclave. I'm just guessing though.

Logicwax commented 4 years ago

No, that does not imply that the secure enclave is NOT wrapping keys, but as I said, the enclave does not support GPG, so this may all be security theater in that all GPG operations are performed in userland with the actual GPG private key. NFC yubikeys would be ideal!

sjktje commented 3 years ago

The missing Yubikey support is what's keeping me from switching over to pass and passforios. Hoping to switch soon! :)

SoilRos commented 3 years ago

Any advances on this? Is there a way we can help?

basbebe commented 3 years ago

+1 – hoping to switch soon to pass when I don't have to store a key on my phone.

hexagonal-sun commented 3 years ago

Looking at the latest YubiKit, they do have a PC/SC interface to the key over NFC. Perhaps we could 'hook this up' to the GPG library that pass uses to send GPG commands to the key?

I can have a look at doing this, if that sounds like the right approach.

Erik1000 commented 3 years ago

Looking at the latest YubiKit, they do have a PC/SC interface to the key over NFC. Perhaps we could 'hook this up' to the GPG library that pass uses to send GPG commands to the key?

I can have a look at doing this, if that sounds like the right approach.

@hexagonal-sun I just stumbled over this post while researching PGP on iOS. Would love to see this as a PoC too. Besides, the app seems quite interesting. 👍

m0 commented 3 years ago

Is anyone working on this? I wonder if some kind of funding (sponsorship, donations of hardware or maybe a bounty) might help to get yubikey support implemented sooner. Looking at the comments and reactions around this topic (here and on other issues) there should be at least some supporters for some sort of crowd funding. :thinking:

Ch00k commented 3 years ago

I would be willing to sponsor the development of this feature.

Logicwax commented 2 years ago

I would also be willing to sponsor development of this feature as well.

matt-forster commented 2 years ago

I would also love to sponsor the development of this feature!

mssun commented 2 years ago

Hi all, I spent several days studying and developing a prototype to support YubiKey. I have completed almost all primitives to implement this feature in the app. However, one important thing is missing that blocks my current prototyping. I'm frustrated.

The PGP library (gopenpgp) we are using cannot handle the AEADEncrypted type packet for session key decryption.

You can see this code snippet:

https://github.com/ProtonMail/gopenpgp/blob/3aafa3c549368db54703cf38372bfcc332a10f39/crypto/sessionkey.go#L307

Only the SymmetricallyEncrypted type is supported. However, from my understanding, AEAD encryption is used by gpg and other OpenPGP compatible tools.

Therefore, we have two choices:

  1. Implement the AEADEncrypted type packet in gopenpgp.
  2. Use another application protocol supported by YubiKey (e.g., PIV).

I'm working on the first one. I need more time to understand the implementation details and come up with a patch.

Once this issue is solved, I can continue to implement the others, like communication with the YubiKey via the PC/SC protocol, the user interface, etc.

Thanks for waiting and for your support over these years. We are getting close.
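To make the packet-type distinction in the comment above concrete, here is an added example (not code from Pass for iOS or gopenpgp): it parses new-format OpenPGP packet headers, which tags 18 and 20 must use, and reports whether the encrypted-data packet following the PKESK is one of the SymmetricallyEncrypted kinds the library's session-key path accepted, as opposed to AEADEncrypted. Old-format headers (which GnuPG may use for the PKESK itself) are assumed to be handled elsewhere; sample bytes are constructed.

```go
package main

import "errors"

// Packet tags (RFC 4880 and the rfc4880bis draft) for the session-key path this thread discusses.
const (
	TagSymEnc  = 9  // Symmetrically Encrypted Data (legacy, no MDC)
	TagSEIPD   = 18 // Symmetrically Encrypted Integrity Protected Data
	TagAEADEnc = 20 // AEAD Encrypted Data (rfc4880bis), the case the library rejected
)

// Header is what a packet header reveals before any decryption happens.
type Header struct {
	Tag, BodyLen, HdrLen int
	Partial              bool // partial body length: BodyLen is only the first chunk
}

var errTruncated = errors.New("truncated packet header")

// ParseNewHeader decodes a new-format packet header (0xC0 | tag, then a length field).
func ParseNewHeader(b []byte) (Header, error) {
	if len(b) < 2 || b[0]&0xc0 != 0xc0 {
		return Header{}, errors.New("not a new-format OpenPGP packet header")
	}
	h := Header{Tag: int(b[0] & 0x3f)}
	l := int(b[1])
	switch {
	case l < 192: // one-octet length
		h.BodyLen, h.HdrLen = l, 2
	case l < 224: // two-octet length
		if len(b) < 3 {
			return h, errTruncated
		}
		h.BodyLen, h.HdrLen = (l-192)<<8+int(b[2])+192, 3
	case l == 255: // five-octet length
		if len(b) < 6 {
			return h, errTruncated
		}
		h.BodyLen = int(b[2])<<24 | int(b[3])<<16 | int(b[4])<<8 | int(b[5])
		h.HdrLen = 6
	default: // 224..254: partial body length, first chunk is 1<<(l&0x1f) bytes
		h.BodyLen, h.HdrLen, h.Partial = int(1)<<(uint(l)&0x1f), 2, true
	}
	return h, nil
}

// SessionKeyDecryptable reports whether the data packet after the PKESK is a
// SymmetricallyEncrypted one, the only kind the session-key decryption accepted per the thread.
func SessionKeyDecryptable(tag int) bool {
	return tag == TagSymEnc || tag == TagSEIPD
}
```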

mssun commented 2 years ago

Hi all, I have exciting news. Please see the PoC video.

https://user-images.githubusercontent.com/1270392/147910946-7e2c5dd6-72cd-4f43-a261-e23e3f4a7e85.mp4

Ch00k commented 2 years ago

@mssun this is great news! Thank you so much for making this work! Would yubikey also work through the USB-C/Lightning ports, or is it NFC only?

spamwax commented 2 years ago

Finally, I can buy an iPhone. 🥳 Like others, my master private key is stripped from the authentication and encryption keys and stored completely offline. And then I have moved the sign/encrypt/auth subkeys to a yubikey, which are also used for pass. Does the current implementation of your app support this case, or do I have to put a non-stripped key on the yubikey?

I am asking since in the video I did not see the app ask for a code to unlock the yubikey. If someone gets access to your yubikey, can they just scan it to read your passwords (assuming your iPhone is unlocked)? Or does the app ask for a PIN to unlock the key first?

c0dev0id commented 2 years ago

Sweet! I've written this off as "we'll never see something that properly supports gnupg on yubikey on iOS". Now I see this video and I'm super excited about it.

adrienafl commented 2 years ago

Yayyyy, congrats @mssun and thanks a lot for the work you do 🙏

mssun commented 2 years ago

Would yubikey also work through the USB-C/Lightning ports, or is it NFC only?

Yes. YubiKey 5Ci has lightning ports. I'm testing with YubiKey 5 NFC. I have both keys and will test them accordingly.

I am asking since in the video I did not see app ask for a code to unlock the yubikey.

This is a prototype. I just hardcoded the PIN code. There should be a prompt for the PIN code when decrypting a message.

Does the current implementation of your app support this case or do I have to put a non-stripped key on yubikey.

Yes. I'm following these instructions (https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) to set up my experimental key. The "E" sub-key (encryption key) will be used to decrypt the message.

Logicwax commented 2 years ago

Wow @mssun this is amazing work! I was starting to lose all hope of this ever being done! I cannot wait to start testing this!!!

Is SSH authentication also possible? I keep my password-store on GitHub, and as such, need to authenticate SSH using my gpg/yubikey. Currently this is how it works on my desktop machines (gpg-agent feeds SSH_AUTH_SOCK) and how pass works on Android (it uses OpenKeychain to allow you to use your gpg yubikey to authenticate SSH connections for refreshing your password repository).

spamwax commented 2 years ago

Yes. I'm following these instructions (https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) to set up my experimental key. The "E" sub-key (encryption key) will be used to decrypt the message.

Wonderful news and great work, I just became a (small) sponsor of yours on GitHub. Thanks 🙏 I can test it on an iPad Air (in 2-3 weeks) if you'd like a tester for that.

mssun commented 2 years ago

Is SSH authentication also possible? I keep my password-store on GitHub, and as such, need to authenticate SSH using my gpg/yubikey. Currently this is how it works on my desktop machines (gpg-agent feeds SSH_AUTH_SOCK) and how pass works on Android (it uses OpenKeychain to allow you to use your gpg yubikey to authenticate SSH connections for refreshing your password repository).

Yes, it's possible. Let me focus on the decryption first.

I can test it on an iPad Air (in 2-3 weeks) if you'd like a tester for that.

Thank you! I'll let you guys know when it's ready for testing.