u2f

Kevin Cernekee cernekee at gmail.com
Thu Feb 5 11:12:23 PST 2015


On Thu, Feb 5, 2015 at 10:50 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Thu, 2015-02-05 at 18:26 +0000, David Woodhouse wrote:
>> > > Hi,
>> > >  One of the presentations in FOSDEM's security devroom was about U2F. As
>> > > far as I understood U2F is a smart card which provides unique per-server
>> > > ECDSA256 keys. Those could be stored in the card or in the PC similarly
>> > > to TPM (i.e., encrypted using a key that depends on the card and the
>> > > site). The protocol includes registration, and is a simple
>> > > challenge-response process. The differences between a PKCS #11 smart
>> > > card and that one are the specified registration protocol as well as its
>> > > driverless nature. The U2F protocol is however limited to secp256r1 curve
>> > > and cannot be extended beyond it. What do you think of that? Would it make
>> > > sense to support it in openconnect?
>> > From an ease-of-use standpoint, U2F is much nicer than typing OTPs.
>> > The Yubico NEO-N can be left in your USB slot indefinitely, and used
>> > on demand.
>> That's true when using it for HOTP/TOTP too, isn't it?

By "typing OTPs" I was referring to the traditional plastic hard
tokens with LCD displays (RSA SID700 and similar) or a software token
running on a mobile phone.

Using something like a Yubikey Nano in HOTP mode is a usability
improvement over these, although you do still need to worry somewhat
about focusing on the text input field, avoiding double taps, etc.

> I guess so. The advantage however of U2F over HOTP/TOTP is that you
> don't need an additional shared secret with the server. The relation is
> pretty asymmetric as the server only needs to hold your public key
> similarly to ssh.

One reason you might not want to leave an HOTP token in the slot is
that somebody could tap the token when you aren't looking and
pre-generate a bunch of tokencodes.  i.e. the tokencode doesn't prove
that the hardware token was physically present at the time of the
access request.

Also, accidentally bumping it too many times could cause the token to
get out of sync with the server, and will paste random tokencodes into
whatever program is running at the moment.  This isn't a problem with
the U2F devices.
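
The two HOTP failure modes described above (tokencodes generated ahead of time still verify later, and too many stray presses push the token past the server's look-ahead window), as an added example that is not part of the original message. `HotpToken`, `HotpServer` and the window of 5 are assumptions for illustration; the secret is the RFC 4226 test value.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class HotpToken:
    """Hypothetical hardware token: every press emits a code and bumps the counter."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

class HotpServer:
    """Hypothetical verifier with a look-ahead window (size 5 is an assumption)."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resync just past the accepted counter
                return True
        return False

def pregenerated_codes_accepted() -> list:
    token, server = HotpToken(SECRET), HotpServer(SECRET)
    stash = [token.press() for _ in range(3)]  # presses made ahead of time
    # A code binds to a counter only, not to a time or a server challenge,
    # so each one verifies whenever it is eventually presented.
    return [server.verify(code) for code in stash]

def login_after_stray_presses(presses: int) -> bool:
    token, server = HotpToken(SECRET), HotpServer(SECRET)
    for _ in range(presses):
        token.press()  # accidental bumps; these codes never reach the server
    return server.verify(token.press())
```

A U2F signature is computed over a fresh server challenge, so neither case has an equivalent there.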


