Chrome 40+ FIDO U2F Security Keys

16 messages

Chrome 40+ FIDO U2F Security Keys

Alexey Suslikov
Hi ports@.

Are these Chrome 40+ FIDO U2F Security Keys supported on OpenBSD?

Thanks,
Alexey


Re: Chrome 40+ FIDO U2F Security Keys

Brandon Mercer-3
On Tue, Aug 11, 2015 at 2:53 PM Alexey Suslikov <[hidden email]>
wrote:

> Hi ports@.
>
> Are these Chrome 40+ FIDO U2F Security Keys supported on OpenBSD?
>

There is a bug report opened:
https://code.google.com/p/chromium/issues/detail?id=451248

Re: Chrome 40+ FIDO U2F Security Keys

Alexey Suslikov
On Tue, Aug 11, 2015 at 10:57 PM, Brandon Mercer
<[hidden email]> wrote:

> On Tue, Aug 11, 2015 at 2:53 PM Alexey Suslikov <[hidden email]>
> wrote:
>>
>> Hi ports@.
>>
>> Are these Chrome 40+ FIDO U2F Security Keys supported on OpenBSD?
>
>
> There is a bug report opened:
> https://code.google.com/p/chromium/issues/detail?id=451248

https://support.google.com/accounts/answer/6103523 says:

"Requirements for using Security Key

To use Security Key, you’ll need a computer running Google Chrome version 40
or newer on ChromeOS, Windows, Mac OS, or Linux".

Bug report is for Chrome 39.


Re: Chrome 40+ FIDO U2F Security Keys

Brandon Mercer-3
On Tue, Aug 11, 2015 at 4:02 PM Alexey Suslikov <[hidden email]>
wrote:

> On Tue, Aug 11, 2015 at 10:57 PM, Brandon Mercer
> <[hidden email]> wrote:
> > On Tue, Aug 11, 2015 at 2:53 PM Alexey Suslikov <
> [hidden email]>
> > wrote:
> >>
> >> Hi ports@.
> >>
> >> Are these Chrome 40+ FIDO U2F Security Keys supported on OpenBSD?
> >
> >
> > There is a bug report opened:
> > https://code.google.com/p/chromium/issues/detail?id=451248
>
> https://support.google.com/accounts/answer/6103523 says:
>
> "Requirements for using Security Key
>
> To use Security Key, you’ll need a computer running Google Chrome version
> 40
> or newer on ChromeOS, Windows, Mac OS, or Linux".
>

Frankly, those requirements changed once bug reports started rolling in.
The first public statement I remember said, "a computer running chrome
version 39 or newer." Then the linux folks had issues and had to do some
usb jumping jacks, and then I opened that bug report, and then freebsd
folks complained as well.

The issue I take to it is not just compatibility. There is a site out there
that crashes my browser by running javascript. Presumably malicious
javascript could do that anyhow, but this is being caused by one of their
own web applications. Ironically, the yubikey demo site for u2f does not
trigger the same crash.

Re: Chrome 40+ FIDO U2F Security Keys

Alexey Suslikov
On Tue, Aug 11, 2015 at 11:08 PM, Brandon Mercer
<[hidden email]> wrote:

> On Tue, Aug 11, 2015 at 4:02 PM Alexey Suslikov <[hidden email]>
> wrote:
>>
>> On Tue, Aug 11, 2015 at 10:57 PM, Brandon Mercer
>> <[hidden email]> wrote:
>> > On Tue, Aug 11, 2015 at 2:53 PM Alexey Suslikov
>> > <[hidden email]>
>> > wrote:
>> >>
>> >> Hi ports@.
>> >>
>> >> Are these Chrome 40+ FIDO U2F Security Keys supported on OpenBSD?
>> >
>> >
>> > There is a bug report opened:
>> > https://code.google.com/p/chromium/issues/detail?id=451248
>>
>> https://support.google.com/accounts/answer/6103523 says:
>>
>> "Requirements for using Security Key
>>
>> To use Security Key, you’ll need a computer running Google Chrome version
>> 40
>> or newer on ChromeOS, Windows, Mac OS, or Linux".
>
>
> Frankly, those requirements changed once bug reports started rolling in. The
> first public statement I remember said, "a computer running chrome version
> 39 or newer." Then the linux folks had issues and had to do some usb jumping
> jacks, and then I opened that bug report, and then freebsd folks complained
> as well.
>
> The issue I take to it is not just compatibility. There is a site out there
> that crashes my browser by running javascript. Presumably malicious
> javascript could do that anyhow, but this is being caused by one of their
> own web applications. Ironically, the yubikey demo site for u2f does not
> trigger the same crash.

I see.

Another thing that bothers me. These keys are USB HIDs, right? Is it safe
enough to let browser access USB bus (USB keyboard is HID and people
can type different things on it).


Re: Chrome 40+ FIDO U2F Security Keys

Brandon Mercer-3
On Tue, Aug 11, 2015 at 4:15 PM Alexey Suslikov <[hidden email]>
wrote:

> On Tue, Aug 11, 2015 at 11:08 PM, Brandon Mercer
> <[hidden email]> wrote:
> > On Tue, Aug 11, 2015 at 4:02 PM Alexey Suslikov <
> [hidden email]>
> > wrote:
> >>
> >> On Tue, Aug 11, 2015 at 10:57 PM, Brandon Mercer
> >> <[hidden email]> wrote:
> >> > On Tue, Aug 11, 2015 at 2:53 PM Alexey Suslikov
> >> > <[hidden email]>
> >> > wrote:
> >> >>
> >> >> Hi ports@.
> >> >>
> >> >> Are these Chrome 40+ FIDO U2F Security Keys supported on OpenBSD?
> >> >
> >> >
> >> > There is a bug report opened:
> >> > https://code.google.com/p/chromium/issues/detail?id=451248
> >>
> >> https://support.google.com/accounts/answer/6103523 says:
> >>
> >> "Requirements for using Security Key
> >>
> >> To use Security Key, you’ll need a computer running Google Chrome
> version
> >> 40
> >> or newer on ChromeOS, Windows, Mac OS, or Linux".
> >
> >
> > Frankly, those requirements changed once bug reports started rolling in.
> The
> > first public statement I remember said, "a computer running chrome
> version
> > 39 or newer." Then the linux folks had issues and had to do some usb
> jumping
> > jacks, and then I opened that bug report, and then freebsd folks
> complained
> > as well.
> >
> > The issue I take to it is not just compatibility. There is a site out
> there
> > that crashes my browser by running javascript. Presumably malicious
> > javascript could do that anyhow, but this is being caused by one of their
> > own web applications. Ironically, the yubikey demo site for u2f does not
> > trigger the same crash.
>
> I see.
>
> Another thing that bothers me. These keys are USB HIDs, right? Is it safe
> enough to let browser access USB bus (USB keyboard is HID and people
> can type different things on it).
>

Well, that part of it is a completely different animal. It's probably worth
a separate discussion about how the protocol works. You are suggesting that
this couldn't even be made to work in a secure fashion, and I'm not going
to disagree with you.

Re: Chrome 40+ FIDO U2F Security Keys

Robert Nagy
OpenBSD's chromium port does not have usb support enabled and it might crash
due to some calls to the USB codepath that is not disabled properly.

On (2015-08-11 20:20), Brandon Mercer wrote:

> On Tue, Aug 11, 2015 at 4:15 PM Alexey Suslikov <[hidden email]>
> wrote:
>
> > On Tue, Aug 11, 2015 at 11:08 PM, Brandon Mercer
> > <[hidden email]> wrote:
> > > On Tue, Aug 11, 2015 at 4:02 PM Alexey Suslikov <
> > [hidden email]>
> > > wrote:
> > >>
> > >> On Tue, Aug 11, 2015 at 10:57 PM, Brandon Mercer
> > >> <[hidden email]> wrote:
> > >> > On Tue, Aug 11, 2015 at 2:53 PM Alexey Suslikov
> > >> > <[hidden email]>
> > >> > wrote:
> > >> >>
> > >> >> Hi ports@.
> > >> >>
> > >> >> Are these Chrome 40+ FIDO U2F Security Keys supported on OpenBSD?
> > >> >
> > >> >
> > >> > There is a bug report opened:
> > >> > https://code.google.com/p/chromium/issues/detail?id=451248
> > >>
> > >> https://support.google.com/accounts/answer/6103523 says:
> > >>
> > >> "Requirements for using Security Key
> > >>
> > >> To use Security Key, you’ll need a computer running Google Chrome
> > version
> > >> 40
> > >> or newer on ChromeOS, Windows, Mac OS, or Linux".
> > >
> > >
> > > Frankly, those requirements changed once bug reports started rolling in.
> > The
> > > first public statement I remember said, "a computer running chrome
> > version
> > > 39 or newer." Then the linux folks had issues and had to do some usb
> > jumping
> > > jacks, and then I opened that bug report, and then freebsd folks
> > complained
> > > as well.
> > >
> > > The issue I take to it is not just compatibility. There is a site out
> > there
> > > that crashes my browser by running javascript. Presumably malicious
> > > javascript could do that anyhow, but this is being caused by one of their
> > > own web applications. Ironically, the yubikey demo site for u2f does not
> > > trigger the same crash.
> >
> > I see.
> >
> > Another thing that bothers me. These keys are USB HIDs, right? Is it safe
> > enough to let browser access USB bus (USB keyboard is HID and people
> > can type different things on it).
> >
>
> Well, that part of it is a completely different animal. It's probably worth
> a separate discussion about how the protocol works. You are suggesting that
> this couldn't even be made to work in a secure fashion, and I'm not going
> to disagree with you.
>


Re: Chrome 40+ FIDO U2F Security Keys

Alexey Suslikov
In reply to this post by Brandon Mercer-3
On Tue, Aug 11, 2015 at 11:20 PM, Brandon Mercer
<[hidden email]> wrote:
>> Another thing that bothers me. These keys are USB HIDs, right? Is it safe
>> enough to let browser access USB bus (USB keyboard is HID and people
>> can type different things on it).
>
>
> Well, that part of it is a completely different animal. It's probably worth
> a separate discussion about how the protocol works. You are suggesting that
> this couldn't even be made to work in a secure fashion, and I'm not going to
> disagree with you.

Not exactly what I suggested.

My idea was a sort of USB proxy (emulator) to allow software like Chrome
to access the USB bus in a secure way (like if you can configure what you want
to expose and what you don't).

Smth like a vscsi midlayer accessible from user-land which the user is in control of.

Chrome uses only a sort of vusb hub/bus with only permitted devices behind.

Also useful for usb camera/sound access control.


Re: Chrome 40+ FIDO U2F Security Keys

Brandon Mercer-3
On Thu, Aug 13, 2015 at 1:35 PM Alexey Suslikov <[hidden email]>
wrote:

> On Tue, Aug 11, 2015 at 11:20 PM, Brandon Mercer
> <[hidden email]> wrote:
> >> Another thing that bothers me. These keys are USB HIDs, right? Is it
> safe
> >> enough to let browser access USB bus (USB keyboard is HID and people
> >> can type different things on it).
> >
> >
> > Well, that part of it is a completely different animal. It's probably
> worth
> > a separate discussion about how the protocol works. You are suggesting
> that
> > this couldn't even be made to work in a secure fashion, and I'm not
> going to
> > disagree with you.
>
> Not exactly what I suggested.
>
> My idea was a sort of USB proxy (emulator) to allow software like Chrome
> to access the USB bus in a secure way (like if you can configure what you want
> to expose and what you don't).
>
> Smth like a vscsi midlayer accessible from user-land which the user is in control
> of.
>
> Chrome uses only a sort of vusb hub/bus with only permitted devices behind.
>

I would be willing to get behind that. I have a side project that would
also benefit from such a framework.

Re: Chrome 40+ FIDO U2F Security Keys

Martin Pieuchot
In reply to this post by Alexey Suslikov
On 13/08/15(Thu) 20:35, Alexey Suslikov wrote:
> On Tue, Aug 11, 2015 at 11:20 PM, Brandon Mercer
> <[hidden email]> wrote:
> >> Another thing that bothers me. These keys are USB HIDs, right? Is it safe
> >> enough to let browser access USB bus (USB keyboard is HID and people
> >> can type different things on it).

What do you mean?  You're already typing in your browser, right?  AFAIK
these devices act like standard keyboards.

"Is it safe enough" depends on a lot of factors. And I don't know if nor
why the browser needs to access your USB bus.

> > Well, that part of it is a completely different animal. It's probably worth
> > a separate discussion about how the protocol works. You are suggesting that
> > this couldn't even be made to work in a secure fashion, and I'm not going to
> > disagree with you.
>
> Not exactly what I suggested.
>
> My idea was a sort of USB proxy (emulator) to allow software like Chrome
> to access the USB bus in a secure way (like if you can configure what you want
> to expose and what you don't).
>
> Smth like a vscsi midlayer accessible from user-land which the user is in control of.
>
> Chrome uses only a sort of vusb hub/bus with only permitted devices behind.
>
> Also useful for usb camera/sound access control.

Why not put the same amount of effort in the existing userland interface
of the USB stack?  In the end what's complicated is the answer to "which
user can do what".

Honestly I doubt that another layer of abstraction will help, especially
if you consider the state of our USB stack.

I don't know if you looked at Chrome's sources but it uses the libusb
(don't ask me why) and that's already a "proxy" to use your words.


Re: Chrome 40+ FIDO U2F Security Keys

Stuart Henderson-6
On 2015/08/14 11:00, Martin Pieuchot wrote:
> On 13/08/15(Thu) 20:35, Alexey Suslikov wrote:
> > On Tue, Aug 11, 2015 at 11:20 PM, Brandon Mercer
> > <[hidden email]> wrote:
> > >> Another thing that bothers me. These keys are USB HIDs, right? Is it safe
> > >> enough to let browser access USB bus (USB keyboard is HID and people
> > >> can type different things on it).
>
> What do you mean?  You're already typing in your browser, right?  AFAIK
> these devices act like standard keyboards.

You're thinking of classic yubikey, which in normal use just emulates
a keyboard and just sends a sequence that looked like it was typed.
(Even for these, programming the device, and using it in other modes,
does require 2-way comms).

The problem there is that the private key needs to be known by anyone
who allows your key to be used to authenticate. So it's great when you
want a centrally controlled location to gate authentication, but you
wouldn't want to hand this around to random websites.

U2F is a different protocol, though still presenting as an HID.
It does challenge/response instead, so it needs 2-way comms in normal
use so the challenge can be sent to the key.

https://www.yubico.com/wp-content/uploads/2015/03/U2F.png


Re: Chrome 40+ FIDO U2F Security Keys

Alexey Suslikov
In reply to this post by Martin Pieuchot
On Fri, Aug 14, 2015 at 12:00 PM, Martin Pieuchot <[hidden email]> wrote:

> On 13/08/15(Thu) 20:35, Alexey Suslikov wrote:
>> On Tue, Aug 11, 2015 at 11:20 PM, Brandon Mercer
>> <[hidden email]> wrote:
>> >> Another thing that bothers me. These keys are USB HIDs, right? Is it safe
>> >> enough to let browser access USB bus (USB keyboard is HID and people
>> >> can type different things on it).
>
> What do you mean?  You're already typing in your browser, right?  AFAIK
> these devices act like standard keyboards.
>
> "Is it safe enough" depends on a lot of factors. And I don't know if nor
> why the browser needs to access your USB bus.
>
>> > Well, that part of it is a completely different animal. It's probably worth
>> > a separate discussion about how the protocol works. You are suggesting that
>> > this couldn't even be made to work in a secure fashion, and I'm not going to
>> > disagree with you.
>>
>> Not exactly what I suggested.
>>
>> My idea was a sort of USB proxy (emulator) to allow software like Chrome
>> to access the USB bus in a secure way (like if you can configure what you want
>> to expose and what you don't).
>>
>> Smth like a vscsi midlayer accessible from user-land which the user is in control of.
>>
>> Chrome uses only a sort of vusb hub/bus with only permitted devices behind.
>>
>> Also useful for usb camera/sound access control.
>
> Why not put the same amount of effort in the existing userland interface
> of the USB stack?  In the end what's complicated is the answer to "which
> user can do what".
>
> Honestly I doubt that another layer of abstraction will help, especially
> if you consider the state of our USB stack.
>
> I don't know if you looked at Chrome's sources but it uses the libusb
> (don't ask me why) and that's already a "proxy" to use your words.

Thanks for the answer, Martin.

Absolutely agree with the statement above. I only discussed an
idea of securing things.

I have a question about USB. Is there any sort of multipath in USB
standard, like in SCSI, so USB stack can see same device attached
to different controllers/buses? Is it possible?


Re: Chrome 40+ FIDO U2F Security Keys

Martin Pieuchot
In reply to this post by Stuart Henderson-6
On 14/08/15(Fri) 10:17, Stuart Henderson wrote:

> On 2015/08/14 11:00, Martin Pieuchot wrote:
> > On 13/08/15(Thu) 20:35, Alexey Suslikov wrote:
> > > On Tue, Aug 11, 2015 at 11:20 PM, Brandon Mercer
> > > <[hidden email]> wrote:
> > > >> Another thing that bothers me. These keys are USB HIDs, right? Is it safe
> > > >> enough to let browser access USB bus (USB keyboard is HID and people
> > > >> can type different things on it).
> >
> > What do you mean?  You're already typing in your browser, right?  AFAIK
> > these devices act like standard keyboards.
>
> You're thinking of classic yubikey, which in normal use just emulates
> a keyboard and just sends a sequence that looked like it was typed.
> (Even for these, programming the device, and using it in other modes,
> does require 2-way comms).
>
> The problem there is that the private key needs to be known by anyone
> who allows your key to be used to authenticate. So it's great when you
> want a centrally controlled location to gate authentication, but you
> wouldn't want to hand this around to random websites.
>
> U2F is a different protocol, though still presenting as an HID.
> It does challenge/response instead, so it needs 2-way comms in normal
> use so the challenge can be sent to the key.
>
> https://www.yubico.com/wp-content/uploads/2015/03/U2F.png

Thanks for the pointer.  It seems they have a very simple client-side
library which is nothing else than a HID driver in userland with some
trendy JSON parsing:

        https://github.com/Yubico/libu2f-host

So if you write a kernel driver for the important bits you can
completely abstract the fact that this is a USB device.  But the
problem becomes then how to interface it with your application(s)?

I don't know how Chrome uses this, but if that's the reason for a
browser to be linked to the libusb, I feel this is completely wrong.

But since a lot of people write USB drivers in userland I understand
that applications are following this road.
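
Stuart's description of U2F as a challenge/response protocol that still presents as a USB HID, and Martin's note that libu2f-host is essentially a userland HID driver, can be made concrete by looking at the bytes the two sides actually exchange. The block below is an added example, not code from this thread, from Chrome, or from libu2f-host. It frames a U2F_AUTHENTICATE request into 64-byte U2FHID reports (init packet plus continuation packets), reassembles them with channel-id and sequence checks, and splits a device reply into the fields a relying party verifies: the user-presence byte, the counter, and the signature together with the exact bytes that signature covers. Field layouts follow the published U2F HID and raw-message formats; the channel id, origin, client data, key handle and device reply are constructed values, and the reply's signature is a placeholder, so the block demonstrates the message layout and the two-way exchange, not signature verification.

```python
"""U2F over USB HID: report framing and the authenticate challenge/response.

Added example (not from the thread, Chrome or libu2f-host). Layouts follow the
FIDO U2F HID and raw-message formats; all sample values are constructed.
"""
import hashlib
import struct

HID_REPORT_SIZE = 64                    # U2FHID uses 64-byte HID reports
U2FHID_MSG = 0x80 | 0x03                # command: encapsulated U2F raw message
INIT_DATA_LEN = HID_REPORT_SIZE - 7     # CID(4) CMD(1) BCNT(2) then data
CONT_DATA_LEN = HID_REPORT_SIZE - 5     # CID(4) SEQ(1) then data
MAX_MESSAGE_LEN = INIT_DATA_LEN + 128 * CONT_DATA_LEN   # 7609 bytes

U2F_AUTHENTICATE = 0x02                 # INS byte of the authenticate APDU
P1_ENFORCE_USER_PRESENCE = 0x03         # require a touch, then sign
SW_NO_ERROR = b"\x90\x00"               # ISO 7816 status word: success


def u2fhid_encode(cid, cmd, payload):
    """Split one U2FHID message into 64-byte reports (init + continuation)."""
    if not cmd & 0x80:
        raise ValueError("command byte must have bit 7 set")
    if len(payload) > MAX_MESSAGE_LEN:
        raise ValueError("payload exceeds U2FHID maximum")
    init = struct.pack(">IBH", cid, cmd, len(payload)) + payload[:INIT_DATA_LEN]
    reports = [init.ljust(HID_REPORT_SIZE, b"\x00")]
    rest = payload[INIT_DATA_LEN:]
    for seq, off in enumerate(range(0, len(rest), CONT_DATA_LEN)):
        cont = struct.pack(">IB", cid, seq) + rest[off:off + CONT_DATA_LEN]
        reports.append(cont.ljust(HID_REPORT_SIZE, b"\x00"))
    return reports


def u2fhid_decode(reports):
    """Reassemble reports into (cid, cmd, payload), checking CID and SEQ."""
    cid, cmd, bcnt = struct.unpack(">IBH", reports[0][:7])
    if not cmd & 0x80:
        raise ValueError("first report is not an init packet")
    payload = bytearray(reports[0][7:7 + bcnt])
    for seq, rep in enumerate(reports[1:]):
        rcid, rseq = struct.unpack(">IB", rep[:5])
        if rcid != cid or rseq != seq:
            raise ValueError("continuation packet on wrong channel or out of order")
        payload += rep[5:5 + (bcnt - len(payload))]
    if len(payload) != bcnt:
        raise ValueError("truncated message: %d of %d bytes" % (len(payload), bcnt))
    return cid, cmd, bytes(payload)


def u2f_params(client_data, origin):
    """Challenge and application parameters: SHA-256 of client data and origin."""
    return hashlib.sha256(client_data).digest(), hashlib.sha256(origin.encode()).digest()


def build_authenticate_apdu(client_data, origin, key_handle):
    """U2F_AUTHENTICATE request in the extended-length APDU encoding U2F uses."""
    challenge_param, app_param = u2f_params(client_data, origin)
    data = challenge_param + app_param + bytes([len(key_handle)]) + key_handle
    header = bytes([0x00, U2F_AUTHENTICATE, P1_ENFORCE_USER_PRESENCE, 0x00])
    return header + b"\x00" + struct.pack(">H", len(data)) + data + b"\x00\x00"


def parse_authenticate_response(response, client_data, origin):
    """Split a device reply and rebuild the bytes its signature covers.

    The relying party checks `signature` over `signed_data` with the public key
    it stored at registration; it never needs the key's private material.
    """
    if response[-2:] != SW_NO_ERROR:
        raise ValueError("device returned status %s" % response[-2:].hex())
    body = response[:-2]
    user_presence = body[0]
    counter, = struct.unpack(">I", body[1:5])
    challenge_param, app_param = u2f_params(client_data, origin)
    signed_data = app_param + bytes([user_presence]) + body[1:5] + challenge_param
    return {"user_presence": bool(user_presence & 0x01), "counter": counter,
            "signature": body[5:], "signed_data": signed_data}


def demo():
    """Round-trip a constructed authenticate exchange through HID framing."""
    cid = 0x00010203                      # constructed channel id
    origin = "https://example.com"        # constructed relying-party origin
    client_data = b'{"typ":"navigator.id.getAssertion","challenge":"constructed"}'
    key_handle = bytes(range(64))         # constructed 64-byte key handle
    request = build_authenticate_apdu(client_data, origin, key_handle)
    host_reports = u2fhid_encode(cid, U2FHID_MSG, request)
    _, _, request_back = u2fhid_decode(host_reports)
    assert request_back == request
    # Constructed device reply: touch seen, counter 42, placeholder signature, SW 9000
    device_reply = b"\x01" + struct.pack(">I", 42) + b"\x30" * 70 + SW_NO_ERROR
    _, _, reply = u2fhid_decode(u2fhid_encode(cid, U2FHID_MSG, device_reply))
    return len(host_reports), parse_authenticate_response(reply, client_data, origin)


if __name__ == "__main__":
    n, parsed = demo()
    print(n, parsed["counter"], parsed["user_presence"], len(parsed["signed_data"]))
```

The 138-byte request needs three reports (57 bytes in the init packet, then 59 and 22 in two continuation packets), which is the two-way traffic Stuart refers to: the host cannot just read keystrokes, it has to write the challenge to the device and read the signed answer back. The counter in the reply is what lets a relying party notice a cloned authenticator, and `signed_data` binds the signature to the origin hash, so a response obtained for one site cannot be replayed to another.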


Re: Chrome 40+ FIDO U2F Security Keys

Martin Pieuchot
In reply to this post by Alexey Suslikov
On 14/08/15(Fri) 12:22, Alexey Suslikov wrote:
> [...]
> I have a question about USB. Is there any sort of multipath in USB
> standard, like in SCSI, so USB stack can see same device attached
> to different controllers/buses? Is it possible?

Not that I know.


Re: Chrome 40+ FIDO U2F Security Keys

Robert Nagy
On (2015-08-14 13:02), Martin Pieuchot wrote:
> On 14/08/15(Fri) 12:22, Alexey Suslikov wrote:
> > [...]
> > I have a question about USB. Is there any sort of multipath in USB
> > standard, like in SCSI, so USB stack can see same device attached
> > to different controllers/buses? Is it possible?
>
> Not that I know.
>

With the commit I did today to chromium, it at least can use USB devices
now, so it might be worth a try to test this device now.


Re: Chrome 40+ FIDO U2F Security Keys

Brandon Mercer-3
On Sun, Aug 16, 2015 at 5:44 PM Robert Nagy <[hidden email]> wrote:

> On (2015-08-14 13:02), Martin Pieuchot wrote:
> > On 14/08/15(Fri) 12:22, Alexey Suslikov wrote:
> > > [...]
> > > I have a question about USB. Is there any sort of multipath in USB
> > > standard, like in SCSI, so USB stack can see same device attached
> > > to different controllers/buses? Is it possible?
> >
> > Not that I know.
> >
>
> With the commit I did today to chromium, it at least can use USB devices
> now, so it might be worth a try to test this device now.
>
>
I built everything today, but my browser still crashes in the same fashion
it did before.