Hardware-Backed Keys
Keys stored on specialized, trusted hardware that:
● Can perform crypto operations (decrypt / sign data) with the keys, but
● Will resist all attempts to retrieve the keys themselves

Review: SSH Keys
user@client:~$ ssh-keygen -f ./id_foo -t rsa -b 2048
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_foo.
Your public key has been saved in ./id_foo.pub.
The key fingerprint is:
SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I foo@localhost
...

SSHv2 Protocol - Pubkey Signature
The value of 'signature' is a signature by the corresponding private key over the following data, in the following order:
    string    session identifier
    byte      SSH_MSG_USERAUTH_REQUEST
    string    user name
    string    service name
    string    "publickey"
    boolean   TRUE
    string    public key algorithm name
    string    public key to be used for authentication

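The field order above, assembled and decoded in Python as an added example (not part of the original slides). The helper names build_signed_data and parse_signed_data are hypothetical, and the session identifier, user name and key blob are constructed sample values.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number defined in RFC 4252

def ssh_string(data):
    """SSH 'string': uint32 big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data

def build_signed_data(session_id, user, service, algorithm, pubkey_blob):
    """Assemble the bytes the private key signs, in the order listed above."""
    return b"".join([
        ssh_string(session_id),
        bytes([SSH_MSG_USERAUTH_REQUEST]),
        ssh_string(user.encode()),
        ssh_string(service.encode()),
        ssh_string(b"publickey"),
        b"\x01",  # boolean TRUE
        ssh_string(algorithm.encode()),
        ssh_string(pubkey_blob),
    ])

def parse_signed_data(blob):
    """Decode a to-be-signed blob for logging or vetting; ValueError if malformed."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated field")
        pos += n
        return blob[pos - n:pos]

    def take_string():
        (length,) = struct.unpack(">I", take(4))
        return take(length)

    session_id = take_string()
    if take(1)[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a userauth request")
    user, service, method = take_string(), take_string(), take_string()
    if method != b"publickey" or take(1) != b"\x01":
        raise ValueError("not a publickey signature request")
    algorithm, pubkey_blob = take_string(), take_string()
    if pos != len(blob):
        raise ValueError("trailing bytes")
    return {"session_id": session_id, "user": user.decode(), "service": service.decode(),
            "algorithm": algorithm.decode(), "pubkey_blob": pubkey_blob}

# Constructed sample values, not taken from the slides.
SAMPLE = build_signed_data(b"\x11" * 32, "foo", "ssh-connection", "ssh-rsa", b"constructed-key-blob")
```

Decoding the blob before handing it to the key shows which user name and service a signature request is for, which is the information needed to log or vet what a hardware token is asked to sign.
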
Problem: Exclusivity
Problem: Only one process can talk to the epass2003 at a time
Solution: Share one ssh-agent process across all authorized users on the system!
...
Problem: ssh-agent doesn't like that
Solution: scary hax!

Touch Policy
Problem: Even if malware can't steal your SSH key, it still could ask the YK4 to sign things!
Mitigation: YK4s can be configured to require a physical tap for every single crypto operation.

Sleep / Wake on OS X
Problem: YK4 PIV applet drops your PIN-auth when your laptop goes to sleep
Solution: I hacked up some ObjC code to listen for "wake" events and nudge the ssh-agent back into functioning properly:
https://github.com/duosecurity/ykpiv-ssh-agent-helper

Out-MacGyver'ing "MacGyver"
Problem: chrome.certificateProvider extensions can do everything we need, but other extensions aren't allowed to call their API.
Solution: Shove the 'MacGyver' ssh-agent code into one of the chrome.certificateProvider smartcard middleware extensions itself!
https://github.com/duosecurity/chromeos-ssh-smartcard-hack

Possibilities that excite me
● SSH CA
  ○ See e.g. https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
● YK4 "Attestation"
  ○ https://developers.yubico.com/PIV/Introduction/PIV_attestation.html

A note about U2F
Hardware-Backed Keys for the Web!
Really nice protocol overview here:
https://developers.yubico.com/U2F/Protocol_details/Overview.html