[Cryptography] USB 3.0 authentication

Pete sneakypete81 at gmail.com
Mon Apr 18 08:29:10 EDT 2016


> The USB 3.1 specs are available here:
>
> http://www.usb.org/developers/docs/usb_31_040816.zip
>
> Within the zip file is a "USB Power Delivery" directory and a
> "USB_PD_R2_0 V1.2 -20160325.pdf" power delivery spec.

Authentication isn't part of the USB Power Delivery spec, it's a separate
document in the zipfile:
"USB Authentication/USB_AUTHENTICATION_R1_0-20160325.pdf".

Take a look - it's fairly readable and I'm sure the USB-IF would appreciate
a few more eyes.

Authentication messages can be sent either using Power Delivery messages
over the Type-C CC wire (to authenticate chargers, etc) or as USB control
transfers (to authenticate "normal" USB devices). Both transports use the
same underlying protocol.


> Anyone know exactly what crypto is going into these things, and what
> its capabilities are?

From section 2.2 of the spec:

Certificate Format: X.509v3, DER encoding

Digital signing of Certificates and Authentication Messages: ECDSA using
the NIST P256, secp256r1 curve, uncompressed point format

Hash algorithm: SHA256

Here's a brief protocol summary:

1) Initiator requests X.509 certificate chain(s) from the responder.
(Chains can be cached and just the SHA256 digests requested, to speed up
subsequent connections).

2) Initiator sends a challenge with a random nonce.

3) Responder responds with an ECDSA signature of various fields, including
the challenge from 2).

It's up to the Authentication Initiator's policy to decide what to do if
authentication fails. This might be to limit charging to a lower power from
a (potentially dangerous) uncertified charger, or an end-user (or their
employer) might configure their device to refuse access to an unrecognised
USB thumb drive or ignore keystrokes from an unrecognised "keyboard".
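
The three-step exchange summarised above, sketched in Go as an added example (not part of the original post and not code from the USB-IF spec). It uses ECDSA over P-256 with SHA-256 as the post lists; the signed layout (chain digest followed by nonce), the type and function names, and the sample chain bytes are assumptions, and X.509 chain validation is left out, so the initiator is handed the responder's public key directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Responder is the device being authenticated: its P-256 key and chain bytes.
type Responder struct { key *ecdsa.PrivateKey; chain []byte }

func NewResponder(chain []byte) (*Responder, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Responder{key: k, chain: chain}, err
}

// transcript hashes an assumed layout, SHA-256(chain) || nonce (not the spec's wire format).
func transcript(chain, nonce []byte) []byte {
	d := sha256.Sum256(chain)
	h := sha256.Sum256(append(d[:], nonce...))
	return h[:]
}

// NewChallenge is step 2: the initiator picks a fresh 32-byte random nonce.
func NewChallenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Respond is step 3: the responder signs fields that include the challenge.
func (r *Responder) Respond(nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, r.key, transcript(r.chain, nonce))
}

// Verify rebuilds the transcript from the cached chain and the nonce the initiator sent.
func Verify(pub *ecdsa.PublicKey, cachedChain, nonce, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, transcript(cachedChain, nonce), sig)
}

func main() {
	r, _ := NewResponder([]byte("constructed-chain")) // constructed sample bytes
	n1, _ := NewChallenge()
	n2, _ := NewChallenge()
	sig, _ := r.Respond(n1)
	fmt.Println(Verify(&r.key.PublicKey, r.chain, n1, sig), Verify(&r.key.PublicKey, r.chain, n2, sig))
}
```

A response recorded for one nonce does not verify against a later one, which is what the random challenge in step 2 is for.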