On Fri, Mar 9, 2018 at 5:56 AM, NAZARE GONCALVES Bruno Goncalo <brunogoncalo.nazare@ext.europarl.europa.eu> wrote:
> I've previously looked at FIDO U2F, and even though I believe there could
> be some openness here to the idea of USB keys (like the U2F authenticators)
> I believe that's not the biggest drawback of FIDO U2F. From my
> understanding of the technology, the FIDO API will take a challenge as
> input to the signing operation, however, somewhere along the stack that
> challenge will be wrapped in a larger structure and that's what will be
> signed. This would mean that it is not possible to simply sign the hash of
> a document, right?
>
Yes, this is correct. Using U2F to sign arbitrary data would be a bit of a
hack: you'd have to compute e.g. the SHA-256 hash of a document first
(perhaps with a static, prepended domain separation prefix) and then use
that as the U2F challenge message for an authentication request.
The resulting signature is over data that includes the challenge/document
hash, but also U2F client data, AppID, and the U2F key handle (each of
these is hashed prior to the U2F token computing the signature).
To verify a document, you'd need that data, along with the full U2F client
data, which is a JSON string that includes the original challenge/document
hash along with the origin where the signing request was performed and the
client's public key.
It would be rather inelegant/hackish, but it is at least possible.
--
Tony Arcieri