FIDO U2F Support


FIDO U2F Support

Martin Gegenleitner
Hi,

I want to write a preauthentication plugin implementing the FIDO U2F
standard for my master's thesis.
For this I thought about building it as a FAST factor (like the
OTP PA plugin), but during my research I read this
krb5 wiki article
(http://k5wiki.kerberos.org/wiki/Projects/PAKE_Preauthentication#Proposed_2FA_Methods)
about PAKE and a possible integration of FIDO U2F as a promising second
factor technology.

Since the wiki page was updated on 2015-03-17, I wanted to know whether there
is any progress in this project
that could be useful for my current work, or (conversely) whether my current
work could be useful to somebody.

Kind regards from Austria,
Martin



_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: FIDO U2F Support

Greg Hudson
On 12/16/2015 01:32 PM, Martin Gegenleitner wrote:
> (http://k5wiki.kerberos.org/wiki/Projects/PAKE_Preauthentication#Proposed_2FA_Methods)

> Since the wiki-page was updated on 2015-03-17, I wanted to know if there
> is any progress in this project

There has been substantial progress.  See:

http://k5wiki.kerberos.org/wiki/Projects/SPAKE_preauth_prereqs
http://k5wiki.kerberos.org/wiki/Projects/SPAKE_Preauthentication
https://github.com/npmccallum/ietf/blob/master/draft-mccallum-kitten-krb-spake-preauth-00.xml
https://github.com/greghudson/krb5/tree/spake

To summarize:

* We have a draft which hasn't been adopted by the kitten working group
yet (we need to make a few more changes, resubmit it, and then put it in
the queue for adoption).

* I have an in-progress implementation, using placeholder values, which
does the SPAKE exchange using OpenSSL's P-256 curve implementation.

* The next step is to add pluggable interfaces on the KDC and client
side for second factors.  This part is difficult.

Despite the lack of second-factor pluggable interfaces, you could
probably implement a proof of concept using the existing code, without
worrying about making it a proper plug-in module.
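Greg's status note says the prototype does the SPAKE exchange over P-256. Since the thread itself never shows what that exchange looks like, here is an added illustration of a SPAKE2 round trip over P-256 in pure Python, with both the client's and the KDC's messages. It is not code from this thread, from the draft, or from the krb5 spake branch: the curve arithmetic is written out in affine coordinates so nothing beyond the standard library is needed, the mask points M and N are derived by a hypothetical try-and-increment hash (the draft fixes its own constants, which this does not reproduce), and the password-to-scalar map and final key derivation are likewise simplified assumptions for the example.

```python
"""SPAKE2 over P-256 as an added example (not the draft's or krb5's code).

Assumptions: M and N are hashed to the curve here; the draft fixes its own.
The w = H(password) mod n map and the transcript hash are illustrative too.
"""
import hashlib
import secrets

# P-256 (secp256r1) domain parameters from FIPS 186-4.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

# Points are (x, y) tuples; None is the point at infinity.

def on_curve(pt):
    """True if pt is a finite point satisfying y^2 = x^3 + ax + b over GF(p)."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x ** 3 + A * x + B)) % P == 0

def ec_add(p1, p2):
    """Affine point addition, covering the doubling and inverse cases."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1, sum is the identity
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def hash_to_point(label: bytes):
    """Try-and-increment hash-to-curve (hypothetical; the draft fixes M and N).
    p = 3 mod 4, so sqrt(r) = r^((p+1)/4) whenever r is a quadratic residue."""
    ctr = 0
    while True:
        h = hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % P
        rhs = (pow(x, 3, P) + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

M_PT = hash_to_point(b"example SPAKE2 M")   # client-side mask point
N_PT = hash_to_point(b"example SPAKE2 N")   # KDC-side mask point

def password_scalar(password: bytes) -> int:
    """w = H(password) mod n; an assumption, the draft derives w from the long-term key."""
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % ORDER

def encode(pt) -> bytes:
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

class Party:
    """One side of SPAKE2: the client masks with M, the KDC with N."""
    def __init__(self, password: bytes, is_client: bool):
        self.w = password_scalar(password)
        self.mask, self.peer_mask = (M_PT, N_PT) if is_client else (N_PT, M_PT)
        self.priv = secrets.randbelow(ORDER - 1) + 1                         # x or y
        self.msg = ec_add(ec_mul(self.w, self.mask), ec_mul(self.priv, G))  # T or S

    def finish(self, peer_msg, transcript: bytes) -> bytes:
        """Validate the peer point, strip its mask, derive K = priv * (peer_msg - w*mask)."""
        if not on_curve(peer_msg):
            raise ValueError("peer point is not on P-256")
        unmasked = ec_add(peer_msg, ec_neg(ec_mul(self.w, self.peer_mask)))
        k = ec_mul(self.priv, unmasked)
        if k is None:
            raise ValueError("degenerate shared point")
        return hashlib.sha256(transcript + encode(k)).digest()

def run_exchange(client_password: bytes, kdc_password: bytes):
    """Client sends T, KDC answers with S; returns (client_key, kdc_key)."""
    client = Party(client_password, is_client=True)
    kdc = Party(kdc_password, is_client=False)
    transcript = encode(client.msg) + encode(kdc.msg)
    return client.finish(kdc.msg, transcript), kdc.finish(client.msg, transcript)

if __name__ == "__main__":
    ck, kk = run_exchange(b"hunter2", b"hunter2")
    print("same password, keys match:", ck == kk)
    ck, kk = run_exchange(b"hunter2", b"wrong")
    print("wrong password, keys match:", ck == kk)
```

The point of the masking is visible in `finish`: each side subtracts w times the peer's mask point before multiplying by its own secret, so both arrive at x*y*G only when both used the same w. A KDC that received S from a client with the wrong password ends up with a different point and the derived keys disagree, without either side ever revealing w on the wire. The `on_curve` check before unmasking is the validation a real implementation must not skip; P-256 has cofactor 1, so an on-curve, non-identity point needs no further subgroup check.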