[Cryptography] Google Titan Security Keys
Michael Nelson
nelson_mikel at yahoo.com
Tue Jan 8 16:47:36 EST 2019
Thanks David.
> The answer to how FIDO U2F mitigates against phishing attacks is indeed well documented in many places, so I'll not try to repeat them here. If you re-read them and have questions, though, please do ask.
> [1] https://www.ftsafe.com/Products/FIDO/Multi
> [2] https://cloud.google.com/titan-security-key/
I checked those links. They were high level and didn't say how the keys work, though. The most technical info was in the Google link that says:
"Because Google security keys use encryption and verify the legitimacy of the sites users visit, security keys are less prone to phishing attacks."
How do they do that? E.g., a GSK could run some local code that checks the SSL cert of the browser connection, and compares it to an acceptance criterion. Or a GSK could check a signature on a challenge to be signed. This latter would not work against real-time MITM proxying, but would indeed stop most simple phishing attacks. These two are just examples to clarify the kind of info I was after -- not saying that GSKs do that, as I have no idea.
Maybe you were actually referring to the hardcore FIDO specs, rather than links like that. If no one can help me with a good link or a paragraph off the top of their head, then I guess I'll slog through that mountain of stuff. I'll report back if anyone's interested, if I find an answer.
Mike
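As an added example of the mechanism being asked about (not from this thread, and not Google's or FIDO's code): in U2F the browser, not the web page, writes the origin it actually connected to into the client data the key signs over, and the relying party rejects any assertion whose origin is not its own, so a look-alike site relaying the challenge in real time gets a signature the real site will not accept. The Go below models that flow with P-256 ECDSA; the origins, challenge and counters are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
)

// clientData is what the browser builds for the key to sign; U2F puts the origin the browser actually saw into it.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signingBase is the U2F authentication signature input: SHA-256(appId) || user-presence byte || 4-byte BE counter || SHA-256(clientData).
func signingBase(appID string, counter uint32, cdJSON []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(cdJSON)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	base := append(app[:], 0x01) // 0x01: user presence confirmed by touch
	return append(append(base, ctr[:]...), cd[:]...)
}

// tokenSign models browser plus key: the browser fills in the origin it sees, the key signs with the key it made for this appId at registration.
func tokenSign(priv *ecdsa.PrivateKey, appID, challenge, origin string, ctr uint32) ([]byte, []byte, error) {
	cdJSON, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signingBase(appID, ctr, cdJSON))
	return cdJSON, sig, err
}

// rpVerify is the relying party side: the origin must be its own, the challenge the one it issued, and the ECDSA signature must verify.
func rpVerify(pub *ecdsa.PublicKey, appID, own, challenge string, ctr uint32, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Origin != own || cd.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, signingBase(appID, ctr, cdJSON), sig)
}

// phishingDemo signs one challenge from the real origin and from a look-alike that relays it live (constructed names); only the first verifies.
func phishingDemo() (legit, relayed bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	const appID, real, fake = "https://example.com", "https://example.com", "https://examp1e.com"
	cd1, sig1, _ := tokenSign(priv, appID, "c0ffee", real, 7)
	cd2, sig2, _ := tokenSign(priv, appID, "c0ffee", fake, 8)
	return rpVerify(&priv.PublicKey, appID, real, "c0ffee", 7, cd1, sig1), rpVerify(&priv.PublicKey, appID, real, "c0ffee", 8, cd2, sig2), nil
}
```

The relayed assertion fails even though the key, challenge and signature are all genuine, because the origin under the signature is the one the browser saw, not the one the attacker wanted.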