You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This issue report stems from this comment. While FIDO2 works fine, it seems the older U2F fails where a different device, a NitroKey 3, works fine.
I installed libu2f-server and libu2f-host, simply by installing the Debian bookworm/stable packages, versions 1.1.0-4+b1 (u2f-server) and 1.1.10-3 (u2f-host).
These two programs should allow you to register a U2F device and have it validate authentication challenges, and it works with the Nitrokey 3. However, with the Precursor, it cannot be registered, the u2f-host program that talks to the device gives an error
error (-2): error in transport layer
Here is how to reproduce, and I also included USB traffic dumps for both Precursor and Nitrokey.
Generate challenge
The following invocation will make u2f-server generate a registration challenge, save the key handle to keyhandle-precursor.dat and the user key to userkey-precursor.dat:
and then copy-paste the JSON output by u2f-server on stdin of the u2f-host process. End with a newline and EOF (Ctrl-D).
The Precursor will now prompt:
Clicking accept will make u2f-host error out:
error (-2): error in transport layer
at which point you cannot continue with registration. The USB conversation between u2f-host and the Precursor, as captured by Wireshark, should be this: precursor-u2f-register-fail.pcapng.gz
and then copy-paste the JSON output by u2f-server on stdin of the u2f-host process. End with a newline and EOF (Ctrl-D). I used the exact same challenge as for the Precursor.
Paste that back again to u2f-server and it will say:
Successful authentication, counter: 135, user presence 1
I suspect that with all this data, people might be able to pose as the https://example.org server to my Nitrokey. But that server is not going to exist and it seems like a weird attacker model anyway; what should protect me from people posing as example.org is a signed SSL certificate, not this exchange above. Still, I decided not to use a real hostname.
The text was updated successfully, but these errors were encountered:
Thank you for the incredibly detailed notes. This will help debugging it more later.
As I mentioned elsewhere, I might de-prioritize this until this actually is a blocker for someone's workflow -- at the moment slogging through upgrading the crypto APIs to support the Signal client effort.
This issue report stems from this comment. While FIDO2 works fine, it seems the older U2F fails where a different device, a NitroKey 3, works fine.
I installed libu2f-server and libu2f-host, simply by installing the Debian bookworm/stable packages, versions 1.1.0-4+b1 (u2f-server) and 1.1.10-3 (u2f-host).
These two programs should allow you to register a U2F device and have it validate authentication challenges, and it works with the Nitrokey 3. However, with the Precursor, it cannot be registered, the
u2f-host
program that talks to the device gives an errorHere is how to reproduce, and I also included USB traffic dumps for both Precursor and Nitrokey.
Generate challenge
The following invocation will make
u2f-server
generate a registration challenge, save the key handle tokeyhandle-precursor.dat
and the user key touserkey-precursor.dat
:This will print to
stdout
some JSON:Note that for exact reproduction, you can make it reuse that exact challenge again by passing it in with
-c "[...challenge...]"
as such:Pass challenge to Precursor
Invoke
u2f-host
as:and then copy-paste the JSON output by
u2f-server
onstdin
of theu2f-host
process. End with a newline and EOF (Ctrl-D).The Precursor will now prompt:
Clicking accept will make
u2f-host
error out:at which point you cannot continue with registration. The USB conversation between
u2f-host
and the Precursor, as captured by Wireshark, should be this:precursor-u2f-register-fail.pcapng.gz
Pass challenge to Nitrokey
Again, invoke
u2f-host
as:and then copy-paste the JSON output by
u2f-server
onstdin
of theu2f-host
process. End with a newline and EOF (Ctrl-D). I used the exact same challenge as for the Precursor.The Nitrokey starts to blink, touch it.
u2f-host
outputs some JSON onstdout
:(I did it twice with the same challenge.
registrationData
changed,clientData
stayed the same)I am hoping that the following capture by Wireshark is the correct conversation for this exact response:
nitrokey-u2f-success.pcapng.gz
Finish registration of Nitrokey
Paste the JSON that
u2f-host
outputted on stdin of the still runningu2f-server
process, ending in newline and EOF.u2f-host
will reply:and will save the credentials in the two files: key handle and user key.
Authenticate with Nitrokey
Very similar to the steps we did up to now, but instead of
-aregister
we now do-aauthenticate
and the files are now input instead of output.gives us some JSON:
Paste the JSON from
u2f-server
intou2f-host
as before, touch the Nitrokey, andu2f-host
will output the challenge response:Paste that back again to
u2f-server
and it will say:I suspect that with all this data, people might be able to pose as the
https://example.org
server to my Nitrokey. But that server is not going to exist and it seems like a weird attacker model anyway; what should protect me from people posing asexample.org
is a signed SSL certificate, not this exchange above. Still, I decided not to use a real hostname.The text was updated successfully, but these errors were encountered: