<p dir="ltr"><br>
On 17 Feb 2015 23:38, "Jerry Leichter" &lt;<a href="mailto:leichter@lrw.com">leichter@lrw.com</a>&gt; wrote:<br>
> A tangent, and just a matter of satisfying my curiosity: Can Achmed forge a session from me *to himself*? It sounds odd, but if he can, he can create a fake order apparently from me and insist I pay for it. Sure, I can add a separate signature to every order - but if it could somehow come out of this protocol, so much the better.<br>
> -- Jerry</p>
<p dir="ltr">The U2F response is an ECDSA signature of the challenge, and only the hardware token is capable of decrypting the private key in question and thus only the token can sign.</p>
<p dir="ltr">However, it isn't meant to sign arbitrary plaintext as a way to sign a contract. Achmed could send you a challenge to sign that references a different receipt via a hash, but you could argue that the protocol is designed to not care about that and that it by design wasn't displayed to you.</p>
<p dir="ltr">Your authentication is only directed to Achmed the service provider, nobody else. </p>
<p dir="ltr">The Yubikey NEO is however also PGP capable; he could ask you to sign the data via an interface showing what you're signing. That's however separate from the U2F functionality.</p>
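<p dir="ltr">An added example, not part of the original message: the byte string a U2F token signs during authentication, following the layout in the FIDO U2F raw message format. It shows that a challenge derived from a receipt hash looks the same to the token as a random one, and that the signed data is tied to one appId. The appId, receipt text and challenge values are constructed for illustration.</p>

```python
import base64
import hashlib
import json
import struct

def websafe_b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_data(challenge: bytes, origin: str) -> bytes:
    # Built by the browser; the token never sees this JSON, only its hash.
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": websafe_b64(challenge),
                       "origin": origin}, sort_keys=True).encode()

def signed_bytes(app_id: str, cdata: bytes, counter: int, present: bool = True) -> bytes:
    # Layout from the U2F raw message format:
    # SHA-256(appId) | user presence (1) | counter (4, big-endian) | SHA-256(client data)
    return (hashlib.sha256(app_id.encode()).digest()
            + bytes([1 if present else 0])
            + struct.pack(">I", counter)
            + hashlib.sha256(cdata).digest())

def parse_signed_bytes(buf: bytes) -> dict:
    if len(buf) != 69:
        raise ValueError("expected 32 + 1 + 4 + 32 = 69 bytes")
    return {"app_param": buf[:32], "user_present": bool(buf[32] & 1),
            "counter": struct.unpack(">I", buf[33:37])[0], "challenge_param": buf[37:]}

# Constructed sample values (assumptions, not from the original message).
APP_ID = "https://shop.example"
RECEIPT = b"Order 1001: 10 widgets, total 500 EUR"
PLAIN_CHALLENGE = bytes(range(32))                    # stand-in for a random nonce
RECEIPT_CHALLENGE = hashlib.sha256(RECEIPT).digest()  # challenge that "references" a receipt

def compare() -> dict:
    plain = signed_bytes(APP_ID, client_data(PLAIN_CHALLENGE, APP_ID), counter=7)
    loaded = signed_bytes(APP_ID, client_data(RECEIPT_CHALLENGE, APP_ID), counter=8)
    other = signed_bytes("https://other.example", client_data(PLAIN_CHALLENGE, APP_ID), counter=7)
    return {
        "same_shape": len(plain) == len(loaded) == 69,   # token input is always two hashes + 5 bytes
        "receipt_visible": RECEIPT in loaded,            # receipt text never reaches the signed data
        "bound_to_app_id": parse_signed_bytes(plain)["app_param"]
                           != parse_signed_bytes(other)["app_param"],
        "counter": parse_signed_bytes(loaded)["counter"],
    }

if __name__ == "__main__":
    print(compare())
```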