Project author: ellerh

Project description:
A software FIDO2/U2F authenticator
Language: Rust
Repository: git://github.com/ellerh/softfido.git
Created: 2020-01-11T12:21:10Z
Project community: https://github.com/ellerh/softfido

License:

Softfido

Softfido is a software implementation of a FIDO2/U2F authenticator.
Most FIDO2 authenticators are based on hardware like USB sticks or
TPM-like chips in smartphones. Softfido instead implements a virtual
USB device (via USBIP) so that web browsers can talk to it.

The cryptographic operations are delegated to
SoftHSM. In theory other PKCS11
modules could be used, but I only tested with SoftHSM.

Build

cargo build

Some USBIP related kernel headers must be installed during the build.

Use

Set up SoftHSM

Create a SoftHSM token with the following command:

softhsm2-util --init-token --free --label softfido

Start Softfido

softfido --token-label softfido

This should print something like

softfido::crypto: Generating secret key...
softfido::crypto: Generating token counter...
Softfido server running.

You may need to specify the --pkcs11-module argument if libsofthsm2.so
is not installed at /usr/lib/softhsm/libsofthsm2.so.

Kernel module

Insert the vhci-hcd module with:
modprobe vhci-hcd

Connect the kernel module to the server:
usbip attach -r 127.0.0.1 -d 1-1

After that, lsusb -d 0:0 -v should describe the virtual USB device, and
ls -l /sys/class/hidraw/ should list a link to a vhci_hcd device.

Device permissions

To allow non-root users to open the virtual hidraw device, its
permissions must be set up accordingly. This can be done manually with
chmod or with a udev rule like so:

SUBSYSTEM=="hidraw", ATTRS{manufacturer}=="Fakecompany", \
ATTRS{product}=="Softproduct", TAG+="uaccess", GROUP="plugdev", MODE="0660"
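The kernel-module and permission steps above as one script, added here as an example and not part of the Softfido project: it loads vhci-hcd, attaches the device, waits for the hidraw node to appear under a vhci_hcd device (it shows up a moment after usbip attach returns), and checks that the node carries the mode and group the udev rule sets. It assumes GNU stat; the helper functions take the sysfs directory as a parameter so they can be exercised against a constructed tree without root.

```shell
#!/bin/sh
# Added example, not part of Softfido: attach the virtual device and verify
# each step the README describes (vhci-hcd loaded, usbip attached, a hidraw
# node under a vhci_hcd device, permissions usable by non-root users).
set -eu

# Print the hidraw nodes in sysfs class dir $1 whose device path runs through
# vhci_hcd (the README's "ls -l /sys/class/hidraw" check); return 1 if none.
vhci_hidraw_nodes() {
    found=1
    for link in "$1"/hidraw*; do
        [ -e "$link" ] || continue
        case $(readlink -f "$link") in
            *vhci_hcd*) basename "$link"; found=0 ;;
        esac
    done
    return $found
}

# Poll sysfs dir $1 for up to $2 seconds: the node appears a moment after
# "usbip attach" returns, so using it immediately can fail. Prints the name.
wait_for_vhci_hidraw() {
    i=0
    while [ "$i" -lt "$2" ]; do
        node=$(vhci_hidraw_nodes "$1" | head -n 1)
        if [ -n "$node" ]; then echo "$node"; return 0; fi
        sleep 1; i=$((i + 1))
    done
    echo "no vhci_hcd hidraw node appeared within $2 s" >&2
    return 1
}

# Return 0 when node $1 has mode 0660 and group $2, as the README's udev rule
# sets (GROUP="plugdev", MODE="0660"); report each mismatch. Uses GNU stat.
hidraw_perms_ok() {
    mode=$(stat -c %a "$1") && group=$(stat -c %G "$1") || return 1
    ok=0
    [ "$mode" = 660 ] || { echo "$1: mode $mode, want 660" >&2; ok=1; }
    [ "$group" = "$2" ] || { echo "$1: group $group, want $2" >&2; ok=1; }
    return $ok
}
# Privileged steps from the README; run only when invoked as "... run".
main() {
    modprobe vhci-hcd
    usbip attach -r 127.0.0.1 -d 1-1
    node=$(wait_for_vhci_hidraw /sys/class/hidraw 10)
    lsusb -d 0:0 >/dev/null || echo "warning: lsusb does not show the 0:0 device" >&2
    hidraw_perms_ok "/dev/$node" plugdev && echo "Softfido is /dev/$node"
}
if [ "${1:-}" = run ]; then main; fi
```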

Testing

The python/ directory contains some (interactive) tests. You can run
them with python3 softfido_tests.py. The tests require the
fido2 Python module.

Test in browser

You can test the authenticator on Yubico's test page or webauthn.io.

At the time of writing, Firefox supports U2F but not FIDO2. Chromium
supports both. In my experience, the only website that uses FIDO2
when available is github.com; all others use U2F even if the device
and the browser would support FIDO2.

Webauthn with a TPM

Some time after I had started Softfido, I found James Bottomley's
Webauthn on TPM project. He describes the technical issues pretty well.
He uses the HID Gadget machinery, which would probably have been a bit
easier than USBIP.
OTOH, with USBIP the authenticator can run on a different machine than
the kernel module, which is useful to sidestep kernel bugs. During
development I had a few kernel crashes/lockups. After debugging my
code, the only kernel-related issue that I'm aware of is that the
kernel cannot properly hibernate as long as the virtual device is
connected. Removing the kernel module (rmmod vhci-hcd) before
hibernating is advisable.

Caution

Softfido is just a hobby project of mine to learn a bit about Rust,
USB, FIDO2, and cryptography. The code is potentially insecure. Use
it at your own risk.