Ross L Richardson:

> Question: Given that the private key file contains only a "key handle",
> what's the significance of setting a passphrase for it? Is there enough
> information in it for that to be considered a "factor" in multi-factor auth?
TL;DR: In practice, yes.

A U2F authenticator does not hold a single key pair. Instead it can issue numerous authentication key pairs. The handle is required so the authenticator can retrieve the relevant private key. How exactly it does this is up to the implementor.

Each time a key pair is requested, an authenticator could stash the private key in an array in internal storage and return a simple index as key handle. This would allow all private key indices to be enumerated. An attacker in possession of both the authenticator and the public key could re-create the key handle by trying all private keys until finding the one matching the public key.

A different approach allows supporting an unlimited number of key pairs without requiring any internal storage. The authenticator can use a device-internal secret and the key handle to rederive the private key each time a signature is requested. For instance, the key handle could contain the actual private key encrypted with the authenticator's master key. This is explicitly mentioned in the U2F spec. In such a case, possession of the authenticator alone would be worthless without the SSH private key file.

I expect the latter scheme to be the norm, but I can't be certain what kind of U2F authenticators are out there. The key handle returned by the Yubico Security Key is a 64-byte blob.

-- 
Christian "naddy" Weisgerber [email protected]
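Added example, not part of the original post and not any vendor's firmware: a model of the stateless scheme described above, in which the device keeps one secret and rederives each P-256 private key from the key handle. The class name, the HMAC-SHA256 derivation, the 32-byte nonce plus 32-byte tag handle layout and the application id string are assumptions made for illustration.

```python
import hashlib, hmac, os

# NIST P-256 parameters (the curve U2F uses); curve coefficient a = -3.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2:
        m = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def public_key(d):  # d*G by double-and-add (not constant time; model only)
    q, base = None, G
    while d:
        if d & 1: q = _add(q, base)
        base, d = _add(base, base), d >> 1
    return q

class StatelessAuthenticator:
    """Hypothetical device: one internal secret, no per-key storage."""
    def __init__(self):
        self._secret = os.urandom(32)  # never leaves the device

    def _prf(self, label, app_id, nonce):
        return hmac.new(self._secret, label + app_id + nonce, hashlib.sha256).digest()

    def _private(self, app_id, nonce):  # rederived on demand, never stored
        return int.from_bytes(self._prf(b"key", app_id, nonce), "big") % (N - 1) + 1

    def register(self, app_id):
        nonce = os.urandom(32)
        handle = nonce + self._prf(b"tag", app_id, nonce)  # 64 bytes (assumed layout)
        return handle, public_key(self._private(app_id, nonce))

    def load(self, app_id, handle):  # stands in for "sign with this handle"
        nonce, tag = handle[:32], handle[32:]
        if not hmac.compare_digest(tag, self._prf(b"tag", app_id, nonce)):
            raise ValueError("key handle not issued by this device for this app")
        return public_key(self._private(app_id, nonce))
```

In this model the device holds nothing that identifies a registered key, so without the handle from the key file there is no key to use, and a handle from another device or with a flipped bit is rejected with `ValueError`.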
