Date: 2020-02-02

An implementation for security keys was recently in the news. The main focus was on OpenSK.

Elie Bursztein, head of research for security and anti-abuse, and Jean-Michel Picod, software developer at Google, announced OpenSK as a research platform in an article published on January 30th on the Google Security Blog.

It is open source; the reason for this is to improve access to FIDO authenticator implementations.

Who can benefit? Researchers, manufacturers of security keys and enthusiasts can use it to develop innovative functions. They can also use it to speed up the adoption of security keys.

“You can create your own developer key by flashing the OpenSK firmware on a Nordic chip dongle. In addition to the low prices, we chose Nordic as the initial reference hardware because it supports all of the main transport protocols mentioned by FIDO2: NFC, Bluetooth Low Energy, USB and a dedicated hardware crypto core.”

(FIDO2 refers to the specifications of the FIDO Alliance. According to the FIDO Alliance, “FIDO2’s cryptographic credentials are unique on every website, never leave the user’s device and are never stored on a server. This security model eliminates the risk of phishing, all forms of password theft and repeat attacks.”)

ZDNet confirmed that hardware vendors who need to create hardware security keys have help in the form of OpenSK. Catalin Cimpanu said this would make it easier for hobbyists and hardware vendors to create their own security key.

According to Cimpanu, the first versions of the OpenSK firmware were created for Nordic chip dongles.

“With this early version, developers can flash OpenSK on a Nordic chip dongle,” said XDA Developers.

OpenSK is written in Rust. The authors of the Google Security Blog post stated that “Rust’s high storage security and low-cost abstractions make the code less susceptible to logical attacks”.

It runs on TockOS. According to GitHub, the latter is “a secure embedded operating system for microcontrollers”. Adam Conway in XDA Developers: “TockOS provides a sandbox architecture for better security key applet, driver, and kernel isolation.”

On the GitHub page for OpenSK, meanwhile, it says: “This project is a proof-of-concept and a research platform. It is still under development and therefore has some limitations.” The authors listed several limitations, including the following.

First, FIDO2. “Although we have tested and implemented our firmware based on the published CTAP2.0 specifications, our implementation has not been verified or officially tested and does not claim FIDO certification.” Second, cryptography. They implemented algorithms in Rust as placeholders; the implementations were research-quality code and were not reviewed. “They offer no guarantee of constant time and are not resistant to side-channel attacks.”

The blog post stated that “this version should be considered an experimental research project for testing and research purposes”.

What is on the authors’ wish list? “With the help of the research and developer communities, we hope OpenSK will offer innovative features, stronger embedded crypto, and widespread acceptance of trusted phishing-resistant tokens and a passwordless web over time,” they said.

Cimpanu in ZDNet: “Google also hopes that the project will be widely accepted by hardware vendors who have not yet made R&D investments in security key products.”


