[Cryptography] Google Titan Security Keys Crypto
I'm wondering how the Google Titan Security Keys work for 2FA. I'm not sure what's going on under the surface here.

The Google blurb, and write-ups on various middle-brow sites, just say something like: "You enter a URL in your browser, and put in your username, and you are prompted to stick your USB/Bluetooth key where it belongs. This authenticates you based on a secret key protected in the physical key."

There was a demo phishing attack recently on LinkedIn, where the phishing site acted as MITM to LI. The user entered two factors of some 2FA (not Google Security Keys as I recall), which were happily proxied to LI, giving the phisher login access.

So with this Google key, does it do anything other than protect the 2nd factor key in a handy portable form? I presume it presents itself as a keyboard and types into the browser window. Does it somehow enforce the target URL in a way that would defeat the LI attack?

The Google key is based on the FIDO/WebAuthn spec. I slogged through that stuff a year ago, and have forgotten it. Maybe part of the answer is in there. If so, can someone have mercy and save me from reading that again...

Mike

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
On Mon, Jan 7, 2019 at 6:18 PM Michael Nelson via cryptography <cryptography@metzdowd.com> wrote:

> I'm wondering how the Google Titan Security Keys work for 2FA.

Google Titan Security Keys are re-branded and slightly modified Feitian MultiPass FIDO security keys[1]. Google says they've modified the firmware to verify the integrity of keys[2]. It's just a normal FIDO (not FIDO2) security key.

The answer to how FIDO U2F mitigates against phishing attacks is indeed well documented in many places, so I'll not try to repeat them here. If you re-read them and have questions, though, please do ask.

- d.

[1] https://www.ftsafe.com/Products/FIDO/Multi
[2] https://cloud.google.com/titan-security-key/
Thanks David.

> The answer to how FIDO U2F mitigates against phishing attacks is indeed well documented in many places, so I'll not try to repeat them here. If you re-read them and have questions, though, please do ask.
> [1] https://www.ftsafe.com/Products/FIDO/Multi
> [2] https://cloud.google.com/titan-security-key/

I checked those links. They were high level and didn't say how the keys work, though. The most technical info was in the Google link that says: "Because Google security keys use encryption and verify the legitimacy of the sites users visit, security keys are less prone to phishing attacks."

How do they do that? E.g., a GSK could run some local code that checks the SSL cert of the browser connection, and compares it to an acceptance criterion. Or a GSK could check a signature on a challenge to be signed. This latter would not work against real-time MITM proxying, but would indeed stop most simple phishing attacks. These two are just examples to clarify the kind of info I was after -- not saying that GSKs do that, as I have no idea.

Maybe you were actually referring to the hardcore FIDO specs, rather than links like that. If no one can help me with a good link or a paragraph off the top of their head, then I guess I'll slog through that mountain of stuff. I'll report back if anyone's interested, if I find an answer.

Mike
On Tue, Jan 8, 2019 at 2:02 PM Michael Nelson via cryptography <cryptography@metzdowd.com> wrote:

> If no one can help me with a good link or a paragraph off the top of their head, then I guess I'll slog through that mountain of stuff. I'll report back if anyone's interested, if I find an answer.

https://developers.yubico.com/U2F/Protocol_details/Overview.html is not a "hardcore" FIDO spec, but I believe might be at the level of granularity you're looking for.

- d.
On Wed, Jan 9, 2019 at 3:32 AM Michael Nelson via cryptography <cryptography@metzdowd.com> wrote:

> I checked those links. They were high level and didn't say how the keys work, though.

Does this help?

https://research.aurainfosec.io/u2f-phishing-proof-2FA-for-general-human-beings/

Udhay

--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
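As an added illustration, not part of the thread and not Google's, Feitian's or Yubico's code: a stdlib-only Python sketch of the U2F authentication flow that the Yubico overview linked above describes, run once honestly and then against the real-time proxy phishing scenario Mike asked about. Everything concrete in it is assumed: the hostnames are invented, and the key's ECDSA P-256 signature is stood in for by an HMAC-SHA256 over the real U2F authentication message layout (SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(clientData)), so the "public key" the relying party stores is the same secret. The point is the message layout and the three checks around it, not the signature primitive.

```python
# Added example: stdlib-only simulation of FIDO U2F authentication.
# ASSUMED, not from the thread: hostnames, and HMAC-SHA256 standing in for the
# key's ECDSA P-256 signature. The signed message layout is U2F's.
import base64
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def u2f_auth_message(app_id: str, counter: int, client_data: bytes) -> bytes:
    """Bytes a U2F key signs: SHA256(appId) || presence || counter || SHA256(clientData)."""
    return (hashlib.sha256(app_id.encode()).digest()
            + b"\x01"                       # user-presence flag: button was touched
            + struct.pack(">I", counter)    # 4-byte big-endian signature counter
            + hashlib.sha256(client_data).digest())


class U2FKey:
    """Toy authenticator: one per-appId key derived from a master secret."""

    def __init__(self) -> None:
        self._master = os.urandom(32)
        self._counter = 0

    def _key_for(self, app_id: str) -> bytes:
        return hashlib.sha256(self._master + app_id.encode()).digest()

    def register(self, app_id: str):
        key = self._key_for(app_id)
        handle = hashlib.sha256(b"handle" + key).digest()  # bound to this appId
        return handle, key  # (key handle, public-key stand-in)

    def authenticate(self, app_id: str, key_handle: bytes, client_data: bytes):
        key = self._key_for(app_id)
        if hashlib.sha256(b"handle" + key).digest() != key_handle:
            raise ValueError("key handle was not issued for this appId")
        self._counter += 1
        msg = u2f_auth_message(app_id, self._counter, client_data)
        return self._counter, hmac.new(key, msg, hashlib.sha256).digest()


def browser_get_assertion(key, page_origin, app_id, key_handle, challenge,
                          enforce_facets=True):
    """The U2F client (browser). It, not the web page, writes the origin into the
    client data, and refuses appIds the page's origin may not use (the facet
    check, simplified here to a hostname match)."""
    if enforce_facets and urlparse(app_id).netloc != urlparse(page_origin).netloc:
        raise PermissionError(f"{page_origin} may not use appId {app_id}")
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    counter, sig = key.authenticate(app_id, key_handle, client_data)
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = self.app_id = origin
        self.users = {}

    def register(self, user: str, key: U2FKey) -> bytes:
        handle, pub = key.register(self.app_id)
        self.users[user] = {"handle": handle, "pub": pub, "counter": 0}
        return handle

    def challenge(self) -> str:
        return b64u(os.urandom(32))

    def verify(self, user, challenge, client_data, counter, sig) -> str:
        rec = self.users[user]
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin:
            return "origin mismatch"           # response was produced for another site
        if cd.get("challenge") != challenge:
            return "challenge mismatch"        # replay of an old response
        if counter <= rec["counter"]:
            return "counter did not increase"  # cloned key or replay
        msg = u2f_auth_message(self.app_id, counter, client_data)
        if not hmac.compare_digest(hmac.new(rec["pub"], msg, hashlib.sha256).digest(), sig):
            return "bad signature"
        rec["counter"] = counter
        return "ok"


def demo() -> dict:
    rp = RelyingParty("https://www.example.com")   # assumed hostnames
    phish = "https://www.examp1e.com"
    key = U2FKey()
    handle = rp.register("mike", key)
    out = {}
    ch = rp.challenge()                            # 1. honest login
    out["honest"] = rp.verify("mike", ch, *browser_get_assertion(key, rp.origin, rp.app_id, handle, ch))
    ch = rp.challenge()                            # 2. MITM proxy relays a fresh challenge to the victim
    try:
        browser_get_assertion(key, phish, rp.app_id, handle, ch)
        out["proxy"] = "signed"
    except PermissionError:
        out["proxy"] = "browser refused"
    cd, ctr, sig = browser_get_assertion(key, phish, rp.app_id, handle, ch, enforce_facets=False)
    out["proxy_rp_check"] = rp.verify("mike", ch, cd, ctr, sig)   # 3. client that skipped facets
    try:                                           # 4. phisher presents its own appId
        browser_get_assertion(key, phish, phish, handle, ch)
        out["wrong_appid"] = "signed"
    except ValueError:
        out["wrong_appid"] = "key refused handle"
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows why relaying a live challenge, which defeats a typed OTP, does not help here: the key never behaves as a keyboard and never emits a bearer code. The browser refuses to ask the key to sign for an appId the phishing origin is not entitled to; a client that skipped that check would still put the phishing origin into the client data, which the relying party compares against its own origin; and a phisher who instead registers its own appId gets a key handle that does not match the user's real one. All three checks hold with a real-time proxy in the path, which is the case Mike's second guess (a plain signed challenge) would not cover.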