Skip to content

marmarek/qubes-app-u2f

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

79 Commits

Documentation

Documentation

 
 

debian

debian

 
 

post-install.d

post-install.d

 
 

qubes-rpc-policy

qubes-rpc-policy

 
 

qubes-rpc

qubes-rpc

 
 

qubesu2f

qubesu2f

 
 

rpm_spec

rpm_spec

 
 

systemd

systemd

 
 

udev

udev

 
 

.gitignore

.gitignore

 
 

.gitlab-ci.yml

.gitlab-ci.yml

 
 

.pylintrc

.pylintrc

 
 

.qubesbuilder

.qubesbuilder

 
 

Makefile

Makefile

 
 

Makefile.builder

Makefile.builder

 
 

README.markdown

README.markdown

 
 

setup.py

setup.py

 
 

version

version

 
 

Repository files navigation

Qubes OS U2F proxy

This tool is intended to securely forward U2F challenge-response authentication between Web browser and U2F HID token without exposing the browser and USB stack to one another.

This implements FIDO U2F version 1.2 with HID encapsulation. See also non-normative U2F Overview for introduction and U2F threat model.

Screenshot

HOWTO

Requirements

  • Qubes R3.2 or later (R4.0 or later recommended)
  • For Debian template: Debian 9 (stretch) or later
  • For Fedora template: Fedora 25 or later
  • Python 3.5
  • https://github.com/Yubico/python-u2flib-host
  • For building manpages: python3-sphinx

Installation

The guide assumes there is sys-usb qube which holds the USB Host PCI device and the qube which holds the browser (or other U2F client) is named work.

  1. In debian-9:
sudo apt install qubes-u2f
  1. In fedora-25:
sudo dnf install qubes-u2f
  1. In dom0:
qubes-dom0-update qubes-u2f-dom0
qvm-service --enable work qubes-u2f-proxy

Advanced: per-qube access enforced by policy

This requires Qubes R4.0 or later (as of this writing, available as release candidate).

In dom0, create a file /etc/qubes-rpc/policy/policy.RegisterArgument+u2f.Authenticate with the following content:

sys-usb $anyvm allow,target=dom0

Then remove /etc/qubes-rpc/policy/u2f.Authenticate and register your token. After doing this, any qube will have access only to tokens enrolled using that particular qube. Also, any previously registered token will not work.

Threat model

Threat model is two-ways, both frontend and backend are untrusted from each others point of view. It is assumed that either side could be taken control of by an attacker: for example the backend domain could have vulnerabilities in USB stack and frontend domain can be taken over via exploit against web browser. It is further assumed that either side is capable of sending arbitrary messages within the constraints of qrexec policy.

The aim of the frontend site would be typically to get unlimited access to token, and possibly key materiel if the token is software-only. The aim of the backend would be to get access to any secrets held in frontend domain, and there certainly are some, since the user is deploying U2F authentication to protect them in the first place. That access should not be possible.

It is explicitly not a goal to ensure any security properties already provided by the U2F protocol itself. It is also not a goal to prevent cooperative channels between the browser and the token.

Architecture diagram

Architecture diagram

Incompatibilities

WINK does not work, even if the underlying harware token does support it.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

6 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases

32 tags

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages