u2f

David Woodhouse dwmw2 at infradead.org
Thu Feb 5 09:21:35 PST 2015


On Thu, 2015-02-05 at 17:45 +0100, Nikos Mavrogiannopoulos wrote:
> 
> One of the presentations in FOSDEM's security devroom was about U2F. As
> far as I understood, U2F is a smart card which provides unique per-server
> ECDSA256 keys. Those could be stored in the card or in the PC similarly
> to TPM (i.e., encrypted using a key that depends on the card and the
> site). The protocol includes registration, and is a simple
> challenge-response process. The differences between a PKCS #11 smart
> card and that one are the specified registration protocol as well as its
> driverless nature. The U2F protocol is however limited to the secp256r1 curve
> and cannot be extended beyond it. What do you think of that? Would it make
> sense to support it in openconnect?

From the client point of view, it makes sense for OpenConnect to support
it iff the servers do.

Can you currently use U2F with AnyConnect or Junos Pulse?

Of course, if you implement it in ocserv then I'll have to :)

-- 
dwmw2


More information about the openconnect-devel mailing list