From f932679a842de9170493073ece71f39c7460697f Mon Sep 17 00:00:00 2001 From: Conor Date: Thu, 13 Sep 2018 03:35:02 +0000 Subject: [PATCH 1/9] Update README.md --- README.md | 59 +++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 51 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 958fed0..8a33e56 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,30 @@ # Solo -This is the source code for Solo. It implements the authenticator U2F and FIDO2 protocols. It is designed -to be easily ported to lightweight embedded platforms, as well as run on the PC. +This is the source code for Solo. Solo is a security key that implements FIDO2/U2F and supports USB, NFC, and extensions. Extensions +include SSH, GPG, and cryptocurrency. Solo is a work in progress. + +![](https://i.imgur.com/O7qPR3o.png) +![](https://i.imgur.com/vwFbsQW.png?1) + +The Solo FIDO2/U2F code base is designed to be easily ported to different embedded systems. +Right now, it has been ported to the NRF52840 and EFM32J. Soon to be supported is the SAM L11. + +No hardware is needed for development. You can run and extend the FIDO2 code base +using just your PC. + +# Security + +Solo is based on the SAM L11 secure microcontroller. It offers the following security features. + +- True random number generation to guarantee random keys. +- Side channel resistant RAM and AES for physically secure key derivation. +- ARM TrustZone to provide security isolation for master key. +- Scrambled key storage to prevent invasive flash readout methods. +- Secure boot to ensure application integrity. + +The SAM L11 is one of the best chips for this application in terms of security, +when considering the NDA-free market. -No hardware is needed for development. # Setting up 
@@ -22,6 +43,10 @@ python setup.py install ``` +Note that our python-fido2 fork will only connect to the software FIDO2 application, +not a hardware authenticator. Install Yubico's fork to do that. + + Open `crypto/tiny-AES-c/aes.h` in a text editor and make sure AES256 is selected as follows. ``` 
@@ -53,27 +78,45 @@ Run FIDO 2 / U2F application. ./main ``` -Run client software. +Run example client software. This runs through a registration and authentication. ``` python python-fido2/examples/credential.py ``` -You should see messages exchange between the client and the authenticator but that's it. Follow specifications to develop further. +Run the FIDO2 tests. + +``` +python tools/ctap_test.py +``` + +Follow specifications to really dig in. [https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html](https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html) +## Extensions + +Extensions can be added to FIDO2/U2F to support things like SSH, GPG, and cryptocurrency. +Right now, an experimental cryptocurrency extension can be found in `fido2/extensions` and `web/index.html`. +More documentation to come. + +## Porting + +The main code base is in `fido2/`. See `targets/nrf52840`, `targets/efm32/src`, and `pc/` +for examples of FIDO2/U2F ports. In essence, you need to reimplement `device.c`. +More documentation to come. + # Contributors Contributors are welcome. The ultimate goal is to have a FIDO 2 hardware token capable of USB, Bluetooth, and NFC interfaces. There could be multiple tokens for each interface. [Hardware is still being decided on](https://github.com/conorpp/u2f-zero/issues/76). + +Look at the issues to see what is currently being worked on. Feel free to add issues as well. This is an upgrade to [U2F -Zero](https://github.com/conorpp/u2f-zero). A lot of the hardware and software -will be different so I think it's best to start a new repository. - +Zero](https://github.com/conorpp/u2f-zero). From 7c264a2404d4ab0d8cb5fcdb84ef236df400ec32 Mon Sep 17 00:00:00 2001 From: Conor Date: Thu, 13 Sep 2018 03:36:55 +0000 Subject: [PATCH 2/9] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/README.md b/README.md index 8a33e56..13a54c4 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,8 @@ Solo is based on the SAM L11 secure microcontroller. It offers the following se The SAM L11 is one of the best chips for this application in terms of security, when considering the NDA-free market. +The firmware can be readout using a debugger to verify that a Solo is running +the code posted publicly. The secret information is of course inaccessible. # Setting up From 91baa206204a1601a6fccbd372326232852b9558 Mon Sep 17 00:00:00 2001 From: Conor Date: Thu, 13 Sep 2018 03:44:57 +0000 Subject: [PATCH 3/9] Update README.md --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 13a54c4..3215633 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,19 @@ when considering the NDA-free market. The firmware can be readout using a debugger to verify that a Solo is running the code posted publicly. The secret information is of course inaccessible. +# How do I get one? + +We are still working on open sourcing an implementation that anyone can cheaply +build and program, just like with U2F Zero. This will be released soon. + +In the meantime, you can port the code to your favorite microcontroller, or support +us by signing up for our Kickstarter. Our aim is to crowdfund enough to make an economic +bulk order and provide open source security tokens for everyone that is interested. We will offer +"hackable" tokens that come with USB bootloaders and are reprogrammable. + +[Sign up here](https://solokeys.com/)! + + # Setting up Clone and Compile CBOR library and FIDO 2 client library. From 3cb49d713da0b275ba6018df8af3246f7152b2fb Mon Sep 17 00:00:00 2001 From: Conor Date: Thu, 13 Sep 2018 03:47:40 +0000 Subject: [PATCH 4/9] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3215633..fb32f50 100644 --- a/README.md +++ b/README.md 
@@ -31,7 +31,7 @@ the code posted publicly. The secret information is of course inaccessible. # How do I get one? We are still working on open sourcing an implementation that anyone can cheaply -build and program, just like with U2F Zero. This will be released soon. +build and program, just like with U2F Zero. This will be released soon. It will be easy to solder :) In the meantime, you can port the code to your favorite microcontroller, or support us by signing up for our Kickstarter. Our aim is to crowdfund enough to make an economic From d7d00a12355509ddad3c033cbe7ea34c8a114a8b Mon Sep 17 00:00:00 2001 From: Conor Date: Thu, 13 Sep 2018 03:51:45 +0000 Subject: [PATCH 5/9] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fb32f50..e3edbf4 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ This is the source code for Solo. Solo is a security key that implements FIDO2/U2F and supports USB, NFC, and extensions. Extensions include SSH, GPG, and cryptocurrency. Solo is a work in progress. -![](https://i.imgur.com/O7qPR3o.png) +![](https://i.imgur.com/cXWtI1D.png) ![](https://i.imgur.com/vwFbsQW.png?1) The Solo FIDO2/U2F code base is designed to be easily ported to different embedded systems. From 20d40941b673c9d40dfbb76b913968bb34c27dcb Mon Sep 17 00:00:00 2001 From: Conor Date: Thu, 13 Sep 2018 13:56:36 +0000 Subject: [PATCH 6/9] Update README.md --- README.md | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index e3edbf4..4111b46 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # Solo -This is the source code for Solo. Solo is a security key that implements FIDO2/U2F and supports USB, NFC, and extensions. Extensions +This is the source code for Solo. Solo is a security key that implements FIDO2/U2F and supports USB-A, USB-C, NFC, and extensions. Extensions include SSH, GPG, and cryptocurrency. Solo is a work in progress. ![](https://i.imgur.com/cXWtI1D.png) @@ -25,7 +25,7 @@ Solo is based on the SAM L11 secure microcontroller. It offers the following se The SAM L11 is one of the best chips for this application in terms of security, when considering the NDA-free market. -The firmware can be readout using a debugger to verify that a Solo is running +Solo can be trusted to be running the open source code. The firmware can be readout using a debugger to verify that a Solo is running the code posted publicly. The secret information is of course inaccessible. # How do I get one? @@ -34,7 +34,7 @@ We are still working on open sourcing an implementation that anyone can cheaply build and program, just like with U2F Zero. This will be released soon. It will be easy to solder :) In the meantime, you can port the code to your favorite microcontroller, or support -us by signing up for our Kickstarter. Our aim is to crowdfund enough to make an economic +us by [signing up for our Kickstarter](https://solokeys.com/). Our aim is to crowdfund enough to make an economic bulk order and provide open source security tokens for everyone that is interested. We will offer "hackable" tokens that come with USB bootloaders and are reprogrammable. 
@@ -81,10 +81,8 @@ make The application is set up to send and recv USB HID messages over UDP to ease development and reduce need for hardware. -Testing can be done using Yubico's client software. Note that the client -software is also a work in progress and the [FIDO 2.0 -specification](https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html) -is ultimate. Some small changes to Yubico's Client software make it send +Testing can be done using our fork of Yubico's client software, `python-fido2`. +Our fork of `python-fido2` has small changes to make it send USB HID over UDP to the authenticator application. Run FIDO 2 / U2F application. @@ -115,10 +113,25 @@ Extensions can be added to FIDO2/U2F to support things like SSH, GPG, and crypto Right now, an experimental cryptocurrency extension can be found in `fido2/extensions` and `web/index.html`. More documentation to come. +The main goal is to expose an extensible API on Solo, like the following: +- Command to store private key +- Command to sign arbitrary hash +- Command to derive a public key +- Commands for setting/changing/authenticating a pin code (like in FIDO2) +- Command to expose entropy from TRNG. + +Using these generic commands, various external programs can be implemented for the security key. +Since FIDO2/U2F are implemented, these programs can potentially work in the browser on desktops +and mobile devices, with no drivers needed to be installed. + + ## Porting The main code base is in `fido2/`. See `targets/nrf52840`, `targets/efm32/src`, and `pc/` -for examples of FIDO2/U2F ports. In essence, you need to reimplement `device.c`. +for examples of FIDO2/U2F ports. In essence, you just need to reimplement `device.c`. Optionally you can +re-implement `crypto.c` to accelerate operations and/or add other security features. + + More documentation to come. # Contributors From ccdda1b67e9ebb8af7b2b961e0873e14b8e3a2c1 Mon Sep 17 00:00:00 2001 
From: Nicolas Stalder Date: Thu, 13 Sep 2018 17:35:29 +0000 Subject: [PATCH 7/9] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4111b46..8b894bd 100644 --- a/README.md +++ b/README.md @@ -46,8 +46,8 @@ bulk order and provide open source security tokens for everyone that is interest Clone and Compile CBOR library and FIDO 2 client library. ```bash -git clone https://github.com/conorpp/u2f-one -cd u2f-one/ +git clone https://gitlab.com/solokeys/solo +cd solo/ git submodule update --init cd tinycbor && make From 49966c1e17ebc370d99d372d6c003b8ec6010185 Mon Sep 17 00:00:00 2001 From: Conor Date: Thu, 13 Sep 2018 21:24:55 +0000 Subject: [PATCH 8/9] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8b894bd..798355b 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ bulk order and provide open source security tokens for everyone that is interest Clone and Compile CBOR library and FIDO 2 client library. ```bash -git clone https://gitlab.com/solokeys/solo +git clone https://github.com/SoloKeysSec/solo cd solo/ git submodule update --init From 4e8fc84d9275e241618ed545b12b540403440dc9 Mon Sep 17 00:00:00 2001 From: Conor Date: Thu, 13 Sep 2018 21:25:40 +0000 Subject: [PATCH 9/9] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 798355b..bec5339 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Solo -This is the source code for Solo. Solo is a security key that implements FIDO2/U2F and supports USB-A, USB-C, NFC, and extensions. Extensions +This is the source code for Solo. Solo is a security key that implements FIDO2/U2F and supports USB, NFC, and extensions. Extensions include SSH, GPG, and cryptocurrency. Solo is a work in progress. ![](https://i.imgur.com/cXWtI1D.png)
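Review bot: In PATCH 1, hunk `@@ -1,9 +1,30 @@`, the new "# Security" section attributes TrustZone key isolation, scrambled key storage and secure boot to Solo as a whole, while the paragraph just above it says the code has only been ported to the NRF52840 and EFM32J and that the SAM L11 is "Soon to be supported". State explicitly that these guarantees apply only to the planned SAM L11 build and that the PC, NRF52840 and EFM32 builds carry none of them, so a reader evaluating the current tree does not assume master-key isolation that is not there yet. Separately, the two `![](https://i.imgur.com/...)` images are hosted off-repo and will rot; commit them to the repository instead.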
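Review bot: In PATCH 1, hunk `@@ -22,6 +43,10 @@`, the note "Install Yubico's fork to do that" should link the upstream python-fido2 repository and say what distinguishes the two, since the later "Testing" text explains that the fork sends USB HID over UDP to the software application; without that, a reader cannot tell which install talks to real hardware and which talks to the simulator.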
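Review bot: In PATCH 1, hunk `@@ -53,27 +78,45 @@`, the heading levels are inconsistent: "## Extensions" and "## Porting" are level 2 while the surrounding "# Setting up" and "# Contributors" are level 1; either promote them to `#` or nest them under a parent section. The retained Contributors paragraph also still says "[Hardware is still being decided on]" (linking the u2f-zero issue), which contradicts the new Security section's statement that Solo is based on the SAM L11; update or remove that sentence in the same change.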
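Review bot: In PATCH 2, the added claim "The firmware can be readout using a debugger to verify that a Solo is running the code posted publicly. The secret information is of course inaccessible." asserts a property without saying what enforces it. Document which debug access level and flash region configuration leave application flash readable while the region holding the master key is locked, and how a reader should compare the readout against a reproducible build of the published source; "of course" should be replaced by that explanation. Minor: "readout" as a verb is "read out".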
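Review bot: In PATCH 6, hunk `@@ -25,7 +25,7 @@`, "Solo can be trusted to be running the open source code." is stronger than what the debugger readout supports: a readout shows the contents of the readable flash at inspection time, not that the secure-boot or TrustZone-locked region matches the public code. Suggest "You can verify that a Solo is running the published code by reading out the firmware with a debugger and comparing it with a reproducible build", and document that procedure.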
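Review bot: In PATCH 6, hunk `@@ -115,10 +113,25 @@`, the extension API list includes "Command to sign arbitrary hash" and "Command to expose entropy from TRNG", and the following paragraph says these programs will work "in the browser on desktops and mobile devices, with no drivers". The list should state the authorization model for each command: which require a touch (user presence), which require the PIN, and whether signing is bound to a key the device already holds rather than a caller-supplied one; otherwise any origin that can reach the key could request signatures. In the same hunk, "Optionally you can re-implement `crypto.c`" should note that the side-channel resistant AES listed under Security is a SAM L11 hardware feature, so a port that keeps the software path in `crypto/tiny-AES-c/aes.h` does not inherit it.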
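Review bot: Across PATCH 6 through PATCH 9 the series churns on itself: PATCH 6 changes "USB" to "USB-A, USB-C" and PATCH 9 reverts it, and PATCH 7 changes the clone URL to `https://gitlab.com/solokeys/solo` only for PATCH 8 to change it again to `https://github.com/SoloKeysSec/solo`; all nine commits are titled "Update README.md". Squash the series into one commit with a descriptive message so the history does not carry a dead URL. Since the very next step is `git submodule update --init`, also confirm the submodule URLs point at the same host as the final clone URL.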