Skip to content
OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
Rust Python Shell Makefile
Branch: master
Clone or download

Latest commit

ia0 Merge pull request #111 from ia0/fix_hash
Update reproducible hashes
Latest commit 2e419fe May 27, 2020

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Don't fail fast on reproducible workflow and update reference binaries. May 13, 2020
.vscode Fix style being used with yapf 0.30.0 Apr 24, 2020
boards/nordic Sync with upstream Tock to have reproducible builds. Apr 8, 2020
docs More detailed installation instructions. Apr 14, 2020
examples Initial commit Jan 30, 2020
libraries Remove unknown fields May 13, 2020
patches Sync with upstream Tock to have reproducible builds. Apr 8, 2020
reproducible Update reproducible hashes May 27, 2020
rules.d Initial commit Jan 30, 2020
src Parse credentials by value May 15, 2020
third_party Upgrade to Tock-1.5-rc2 Apr 24, 2020
tools Add missing license header Feb 28, 2020
.gitignore Change the way private key and cert are embedded. Feb 5, 2020
.gitmodules Initial commit Jan 30, 2020
.markdownlint.json Initial commit Jan 30, 2020
.pylintrc Make internal python linter happy. Mar 3, 2020
.travis.yml Enable Travis on OSX Feb 6, 2020
Cargo.toml adds a feature flag for CTAP2.1, addresses comments Apr 28, 2020
LICENSE Initial commit Jan 30, 2020
README.md adds cargo checks and tests to workflows and locally Apr 29, 2020
build.rs Fix clippy warnings. Mar 2, 2020
deploy.py Address review comments. May 13, 2020
layout.ld Initial commit Jan 30, 2020
nrf52840_layout.ld Rename linker script according to the chip Apr 30, 2020
reproduce_board.sh Add GitHub workflow to check that binaries are reproducible. May 12, 2020
reproduce_hashes.sh Add GitHub workflow to check that binaries are reproducible. May 12, 2020
reset.sh Initial commit Jan 30, 2020
run_desktop_tests.sh adds cargo checks and tests to workflows and locally Apr 29, 2020
rust-toolchain Bump rust-toolchain and linked-list-allocator versions. Feb 4, 2020
rustfmt.toml Initial commit Jan 30, 2020
setup.sh Address review comments. May 13, 2020

README.md

OpenSK logo

Build Status markdownlint pylint Cargo check Cargo format

OpenSK

This repository contains a Rust implementation of a FIDO2 authenticator.

We developed this as a Tock OS application and it has been successfully tested on the following boards:

Disclaimer

This project is proof-of-concept and a research platform. It is NOT meant for a daily usage. It's still under development and as such comes with a few limitations:

FIDO2

Although we tested and implemented our firmware based on the published CTAP2.0 specifications, our implementation was not reviewed nor officially tested and doesn't claim to be FIDO Certified. We started adding features of the upcoming next version of the CTAP2.1 specifications. The development is currently between 2.0 and 2.1, with updates hidden behind a feature flag. Please add the flag --ctap2.1 to the deploy command to include them.

Cryptography

We're currently still in the process on making the ARM® CryptoCell-310 embedded in the Nordic nRF52840 chip work to get hardware-accelerated cryptography. In the meantime we implemented the required cryptography algorithms (ECDSA, ECC secp256r1, HMAC-SHA256 and AES256) in Rust as a placeholder. Those implementations are research-quality code and haven't been reviewed. They don't provide constant-time guarantees and are not designed to be resistant against side-channel attacks.

Installation

For a more detailed guide, please refer to our installation guide.

  1. If you just cloned this repository, run the following script (Note: you only need to do this once):

    ./setup.sh
  2. Next step is to install Tock OS as well as the OpenSK application on your board (Warning: it will erase the locally stored credentials). Run:

    # Nordic nRF52840-DK board
    ./deploy.py --board=nrf52840dk --opensk
    # Nordic nRF52840-Dongle
    ./deploy.py --board=nrf52840_dongle --opensk
  3. On Linux, you may want to avoid the need for root privileges to interact with the key. For that purpose we provide a udev rule file that can be installed with the following command:

    sudo cp rules.d/55-opensk.rules /etc/udev/rules.d/ &&
    sudo udevadm control --reload

Customization

If you build your own security key, depending on the hardware you use, there are a few things you can personalize:

  1. If you have multiple buttons, choose the buttons responsible for user presence in main.rs.
  2. Decide whether you want to use batch attestation. There is a boolean flag in ctap/mod.rs. It is mandatory for U2F, and you can create your own self-signed certificate. The flag is used for FIDO2 and has some privacy implications. Please check WebAuthn for more information.
  3. Decide whether you want to use signature counters. Currently, only global signature counters are implemented, as they are the default option for U2F. The flag in ctap/mod.rs only turns them off for FIDO2. The most privacy preserving solution is individual or no signature counters. Again, please check WebAuthn for documentation.
  4. Depending on your available flash storage, choose an appropriate maximum number of supported residential keys and number of pages in ctap/storage.rs.

3D printed enclosure

To protect and carry your key, we partnered with a professional designer and we are providing a custom enclosure that can be printed on both professional 3D printers and hobbyist models.

All the required files can be downloaded from Thingiverse including the STEP file, allowing you to easily make the modifications you need to further customize it.

Contributing

See Contributing.md.

You can’t perform that action at this time.