michaelkuc6/U2FDevice
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Updated READMEs with new certificate details.

Browse Source
This commit is contained in:
Michael Kuc
2019-09-10 10:52:02 +01:00
parent 784f3803f9
commit c8061d373f
2 changed files with 19 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Readme.AttestationCertificateGeneration.md
View File

@@ -1,3 +1,9 @@
# Automatically generate keys
Run `./GenCertificates.sh`, answering the prompt to produce your own certificate.
# Manually generate keys
From [Teensy U2F](https://github.com/pratikd650/Teensy_U2F/blob/master/Teensy_U2F.cpp) line 292
Instructions to generate attestation certificate using open ssl

16
Readme.md
View File

@@ -211,6 +211,12 @@ Then, reload the rules using `sudo udevadm control --reload-rules `
4. Make the object file directories using `mkdir obj && mkdir cpp-base64/obj && mkdir micro-ecc/obj`
5. Grab the required library using `sudo apt-get install libmbedtls-dev`
## Generate a certificate
If you wish to do this automatically, just run `./GenCertificates.sh`, and answer the prompt with as much detail as you feel like entrusting to websites.
Alternatively, see `Readme.AttestationCertifcateGeneration.md` for a much more manual approach.
## Build the program
1. Run `make`
@@ -243,11 +249,15 @@ For these reasons, if you want to use this as a way to backup your other U2F dev
1. Install `rng-tools` with `sudo apt-get install rng-tools`
## To change the Attestation certificate
## Notes about a custom attestation certificate
This may be highly advisable, or inadvisable - I am currently unsure. <br />All registration requests use this private key, so likely advisable. <br/>However, you can be uniquely identified by having a unique attestation certificate.
By using a custom attestation certificate, you lose the anonymity of conventional u2f keys. This is because they are produced in large batches and thus can share a single certificate, burned into some private ROM. However, since you require the private key to sign, and this repo is public, it is impossible to use a single signature for everyone who uses this repository.
See the `Readme.AttestationCertificateGeneration.txt`
However, by generating your own certificate, you can be more assured about the inherent security of your certificate (no-one can leak the private key but you).
Note, however, that this key and certificate is only used for registration - not for further authentication.
See the `Readme.AttestationCertificateGeneration.md`
# Running the program