2018-09-04 23:40:43 +00:00
|
|
|
# Solo
|
2018-04-28 18:15:41 +00:00
|
|
|
|
2018-09-13 03:35:02 +00:00
|
|
|
This is the source code for Solo. Solo is a security key that implements FIDO2/U2F and supports USB, NFC, and extensions. Extensions
|
|
|
|
include SSH, GPG, and cryptocurrency. Solo is a work in progress.
|
|
|
|
|
|
|
|
![](https://i.imgur.com/O7qPR3o.png)
|
|
|
|
![](https://i.imgur.com/vwFbsQW.png?1)
|
|
|
|
|
|
|
|
The Solo FIDO2/U2F code base is designed to be easily ported to different embedded systems.
|
|
|
|
Right now, it has been ported to the NRF52840 and EFM32J. Soon to be supported is the SAM L11.
|
|
|
|
|
|
|
|
No hardware is needed for development. You can run and extend the FIDO2 code base
|
|
|
|
using just your PC.
|
|
|
|
|
|
|
|
# Security
|
|
|
|
|
|
|
|
Solo is based on the SAM L11 secure microcontroller. It offers the following security features.
|
|
|
|
|
|
|
|
- True random number generation to guarantee random keys.
|
|
|
|
- Side channel resistant RAM and AES for physically secure key derivation.
|
|
|
|
- ARM TrustZone to provide security isolation for master key.
|
|
|
|
- Scrambled key storage to prevent invasive flash readout methods.
|
|
|
|
- Secure boot to ensure application integrity.
|
|
|
|
|
|
|
|
The SAM L11 is one of the best chips for this application in terms of security,
|
|
|
|
when considering the NDA-free market.
|
2018-04-28 18:15:41 +00:00
|
|
|
|
2018-09-13 03:36:55 +00:00
|
|
|
The firmware can be readout using a debugger to verify that a Solo is running
|
|
|
|
the code posted publicly. The secret information is of course inaccessible.
|
2018-04-28 18:15:41 +00:00
|
|
|
|
2018-09-13 03:44:57 +00:00
|
|
|
# How do I get one?
|
|
|
|
|
|
|
|
We are still working on open sourcing an implementation that anyone can cheaply
|
|
|
|
build and program, just like with U2F Zero. This will be released soon.
|
|
|
|
|
|
|
|
In the meantime, you can port the code to your favorite microcontroller, or support
|
|
|
|
us by signing up for our Kickstarter. Our aim is to crowdfund enough to make an economic
|
|
|
|
bulk order and provide open source security tokens for everyone that is interested. We will offer
|
|
|
|
"hackable" tokens that come with USB bootloaders and are reprogrammable.
|
|
|
|
|
|
|
|
[Sign up here](https://solokeys.com/)!
|
|
|
|
|
|
|
|
|
2018-04-28 18:15:41 +00:00
|
|
|
# Setting up
|
|
|
|
|
|
|
|
Clone and Compile CBOR library and FIDO 2 client library.
|
|
|
|
|
|
|
|
```bash
|
|
|
|
git clone https://github.com/conorpp/u2f-one
|
|
|
|
cd u2f-one/
|
|
|
|
git submodule update --init
|
|
|
|
|
|
|
|
cd tinycbor && make
|
|
|
|
cd ..
|
|
|
|
|
|
|
|
cd python-fido2/
|
|
|
|
python setup.py install
|
2018-09-05 02:11:21 +00:00
|
|
|
|
|
|
|
```
|
|
|
|
|
2018-09-13 03:35:02 +00:00
|
|
|
Note that our python-fido2 fork will only connect to the software FIDO2 application,
|
|
|
|
not a hardware authenticator. Install Yubico's fork to do that.
|
|
|
|
|
|
|
|
|
2018-09-05 02:11:21 +00:00
|
|
|
Open `crypto/tiny-AES-c/aes.h` in a text editor and make sure AES256 is selected as follows.
|
|
|
|
|
|
|
|
```
|
|
|
|
//#define AES128 1
|
|
|
|
//#define AES192 1
|
|
|
|
#define AES256 1
|
2018-04-28 18:15:41 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
Now compile FIDO 2.0 and U2F authenticator.
|
|
|
|
|
|
|
|
```bash
|
|
|
|
make
|
|
|
|
```
|
|
|
|
|
|
|
|
# Testing and development
|
|
|
|
|
|
|
|
The application is set up to send and recv USB HID messages over UDP to ease
|
|
|
|
development and reduce need for hardware.
|
|
|
|
|
|
|
|
Testing can be done using Yubico's client software. Note that the client
|
|
|
|
software is also a work in progress and the [FIDO 2.0
|
|
|
|
specification](https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html)
|
|
|
|
is ultimate. Some small changes to Yubico's Client software make it send
|
|
|
|
USB HID over UDP to the authenticator application.
|
|
|
|
|
|
|
|
Run FIDO 2 / U2F application.
|
|
|
|
|
|
|
|
```bash
|
|
|
|
./main
|
|
|
|
```
|
|
|
|
|
2018-09-13 03:35:02 +00:00
|
|
|
Run example client software. This runs through a registration and authentication.
|
2018-04-28 18:15:41 +00:00
|
|
|
|
|
|
|
```
|
|
|
|
python python-fido2/examples/credential.py
|
|
|
|
```
|
|
|
|
|
2018-09-13 03:35:02 +00:00
|
|
|
Run the FIDO2 tests.
|
|
|
|
|
|
|
|
```
|
|
|
|
python tools/ctap_test.py
|
|
|
|
```
|
|
|
|
|
|
|
|
Follow specifications to really dig in.
|
2018-04-28 18:15:41 +00:00
|
|
|
|
|
|
|
[https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html](https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html)
|
|
|
|
|
2018-09-13 03:35:02 +00:00
|
|
|
## Extensions
|
|
|
|
|
|
|
|
Extensions can be added to FIDO2/U2F to support things like SSH, GPG, and cryptocurrency.
|
|
|
|
Right now, an experimental cryptocurrency extension can be found in `fido2/extensions` and `web/index.html`.
|
|
|
|
More documentation to come.
|
|
|
|
|
|
|
|
## Porting
|
|
|
|
|
|
|
|
The main code base is in `fido2/`. See `targets/nrf52840`, `targets/efm32/src`, and `pc/`
|
|
|
|
for examples of FIDO2/U2F ports. In essence, you need to reimplement `device.c`.
|
|
|
|
More documentation to come.
|
|
|
|
|
2018-04-28 18:15:41 +00:00
|
|
|
# Contributors
|
|
|
|
|
|
|
|
Contributors are welcome. The ultimate goal is to have a FIDO 2 hardware token
|
|
|
|
capable of USB, Bluetooth, and NFC interfaces. There could be multiple tokens
|
|
|
|
for each interface. [Hardware is still being decided
|
|
|
|
on](https://github.com/conorpp/u2f-zero/issues/76).
|
2018-09-13 03:35:02 +00:00
|
|
|
|
|
|
|
Look at the issues to see what is currently being worked on. Feel free to add issues as well.
|
2018-04-28 18:15:41 +00:00
|
|
|
|
|
|
|
This is an upgrade to [U2F
|
2018-09-13 03:35:02 +00:00
|
|
|
Zero](https://github.com/conorpp/u2f-zero).
|
2018-04-28 18:15:41 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|