[systemd-devel] systemd-crypttab: FIDO2 and passwords

Lennart Poettering lennart at poettering.net
Mon Mar 8 20:24:41 UTC 2021 

On Mo, 08.03.21 18:29, Christian Kastner (ckk at debian.org) wrote:

> On 07.03.21 23:34, Lennart Poettering wrote:
> > Right now whether to require the FIDO2 PIN is not configurable. We
> > could make it configurable though, so that you could use it in 1FA
> > situations.
>
> I myself am only interested in 2FA; I misread the documentation as the
> current implementation being 1FA, but that misunderstanding is now
> resolved. Thanks!
>
> If I understand src/cryptsetup/{cryptsetup-fido2,cryptsetup}.c
> correctly, then the PIN is used as input to the security token, and
> whatever the token returns is base64-encoded and then used as the key
> for LUKS, right?
>
> If so, I wonder whether this isn't vulnerable to physical USB attacks
> (see [1] for an example how simple this can be).

The way I read the FIDO2 spec the PIN is sent over the USB wire encrypted
with a shared secret that authenticator and host first securely agreed
on, to make such man-in-the-middle attacks are not possible. Moreover,
once the PIN is configured on the device it is never passed at all
anymore, but just hashes of it when authenticating.

Hence, to my knowledge there's no reason to second guess that and do
another level of password checking separately from that.

> As I mentioned earlier, I speculate that the fido2luks project hashes
> the password before FIDO2, and then again with the FIDO2 response, to
> alleviate this.

It would be easy for us to combine the FIDO2 secret we acquire with a
user supplied pw that never is seen by the FIDO2 libraries, all before
passing it to the next layer, but as mentioned I don't think this is
necessary, the FIDO2 spec is well enough designed to make this
unnecessary.

But then again, I am not a security analyst nor cryptographer. Maybe
the FIDO2 spec has a vulnerability there, but the way I read it it
already addresses that. Maybe better ask FIDO2 community for more
information on this, and whether their "clientPin" feature is
reasonably safely designed.

Lennart

--
Lennart Poettering, Berlin

More information about the systemd-devel mailing list