Re: Digital signatures in the browser

On Fri, Mar 9, 2018 at 5:56 AM, NAZARE GONCALVES Bruno Goncalo wrote:

> I've previously looked at FIDO U2F, and even though I believe there could
> be some openness here to the idea of USB keys (like the U2F authenticators)
> I believe that's not the biggest drawback of FIDO U2F. From my
> understanding of the technology, the FIDO API will take a challenge as
> input to the signing operation, however, somewhere along the stack that
> challenge will be wrapped in a larger structure and that's what will be
> signed. This would mean that it is not possible to simply sign the hash of
> a document, right?

Yes, this is correct. Using U2F to sign arbitrary data would be a bit of a
hack: you'd have to compute e.g. the SHA-256 hash of a document first
(perhaps with a static, prepended domain separation prefix) and then use
that as the U2F challenge message for an authentication request.

The resulting signature is over data that includes the challenge/document
hash, but also U2F client data, AppID, and the U2F key handle (each of
these is hashed prior to the U2F token computing the signature).

To verify a document, you'd need that data, along with the full U2F client
data which is a JSON string that includes the original challenge/document
hash along with the origin where the signing request was performed and the
client's public key.

It would be rather inelegant/hackish, but it is at least possible.

Tony Arcieri

Received on Friday, 9 March 2018 21:18:10 UTC
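
The verifier's side of the scheme discussed in this message, as an added example that is not part of the original email or of any FIDO code. It uses the authentication signature layout from the FIDO U2F raw message format (application parameter, user presence byte, counter, challenge parameter); the domain separation prefix, AppID, origin, key pair and the software stand-in for the token are constructed assumptions.

```javascript
// Added example: verifying a document "signed" through a U2F authentication.
// Constructed values: DOMAIN_PREFIX, APP_ID, the key pair and the simulated token.
const nodeCrypto = require('node:crypto');

const DOMAIN_PREFIX = Buffer.from('example-doc-signing-v1\0'); // hypothetical prefix
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Challenge = websafe-base64(SHA-256(prefix || document)), as the message describes.
function documentChallenge(doc) {
  return sha256(Buffer.concat([DOMAIN_PREFIX, doc])).toString('base64url');
}

// Bytes the token signs for an authentication:
// SHA-256(appId) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData)
function signedBytes(appId, flags, counter, clientDataJson) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([flags]), ctr, sha256(clientDataJson)]);
}

// True only if the signature is valid AND the client data binds this exact
// document, the expected origin and the authentication request type.
function verifyDocument(doc, proof, publicKey, appId, expectedOrigin) {
  let cd;
  try { cd = JSON.parse(proof.clientDataJson); } catch { return false; }
  if (cd.typ !== 'navigator.id.getAssertion') return false;
  if (cd.origin !== expectedOrigin) return false;
  if (cd.challenge !== documentChallenge(doc)) return false;
  if ((proof.flags & 0x01) === 0) return false; // user presence not asserted
  const msg = signedBytes(appId, proof.flags, proof.counter, proof.clientDataJson);
  return nodeCrypto.verify('sha256', msg, publicKey, proof.signature);
}

// Software stand-in for browser + token, so the example runs offline (constructed).
function simulateSign(doc, privateKey, appId, origin, counter) {
  const clientDataJson = JSON.stringify({
    typ: 'navigator.id.getAssertion', challenge: documentChallenge(doc), origin });
  const flags = 0x01;
  const signature = nodeCrypto.sign('sha256', signedBytes(appId, flags, counter, clientDataJson), privateKey);
  return { clientDataJson, flags, counter, signature };
}

const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const APP_ID = 'https://sign.example'; // constructed; AppID and origin are the same here
const doc = Buffer.from('constructed sample contract text');
const proof = simulateSign(doc, privateKey, APP_ID, APP_ID, 7);
console.log('document verifies:', verifyDocument(doc, proof, publicKey, APP_ID, APP_ID));
```

The proof a verifier has to keep alongside the document is therefore the raw client data string, the flags byte, the counter and the signature; re-serialising the client data JSON would change its hash and break verification.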