Hardware in Feitian K5 (USB U2F)?


David Manouchehri

Jan 5, 2017, 8:56:39 PM1/5/17
to FIDO Dev (fido-dev)
Hi,

I recently started to look into the Feitian K5 (USB U2F) device, and it was suggested by @FIDOAlliance that I post here. I'll start with background information and conclude with questions I still have.

Brief Technical Info

The device is signed by the "FT FIDO 0100" attestation certificate (which I'm assuming is Feitian Technologies).

Attestation Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
             (Negative)79:98:8a:6b:69:9a:8a:a6:97:fc
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=FT FIDO 0100
        Validity
            Not Before: Aug 14 18:29:32 2014 GMT
            Not After : Aug 14 18:29:32 2024 GMT
        Subject: CN=PilotGnubby-0.4.1-86677594966575596804
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:26:dd:f0:6e:dc:df:fd:81:e4:88:c9:8d:06:50:
                    f2:e9:1c:8d:22:7c:fa:56:47:36:bc:1e:a2:10:62:
                    76:d6:f5:81:e8:2d:27:6e:1a:d0:c3:51:12:66:85:
                    2a:d9:a1:75:2e:13:36:ad:a1:55:27:9e:1c:cd:b1:
                    ae:83:86:83:eb
                ASN1 OID: prime256v1
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:c8:a7:89:c3:79:1d:a6:2e:76:78:41:f9:b5:e2:
         e0:9a:68:b1:9e:9d:6c:77:7f:af:cb:f3:76:a8:bf:cb:7d:6d:
         02:20:32:44:75:9b:a6:f3:25:af:a8:99:4e:96:a5:2a:f7:da:
         75:e1:19:eb:e7:53:cf:64:91:81:37:4e:99:c2:69:0c
-----BEGIN CERTIFICATE-----
MIIBPDCB5KADAgECAgqGZ3WUlmV1WWgEMAoGCCqGSM49BAMCMBcxFTATBgNVBAMT
DEZUIEZJRE8gMDEwMDAeFw0xNDA4MTQxODI5MzJaFw0yNDA4MTQxODI5MzJaMDEx
LzAtBgNVBAMTJlBpbG90R251YmJ5LTAuNC4xLTg2Njc3NTk0OTY2NTc1NTk2ODA0
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJt3wbtzf/YHkiMmNBlDy6RyNInz6
Vkc2vB6iEGJ21vWB6C0nbhrQw1ESZoUq2aF1LhM2raFVJ54czbGug4aD6zAKBggq
hkjOPQQDAgNHADBEAiDIp4nDeR2mLnZ4Qfm14uCaaLGenWx3f6/L83aov8t9bQIg
MkR1m6bzJa+omU6WpSr32nXhGevnU89kkYE3TpnCaQw=
-----END CERTIFICATE-----

However, after opening it I was surprised to see that the crypto chip is not actually made by Feitian. 

The markings are "nationz" (line 1), "Z8D256U" (line 2) and "NB507019" (line 3).

The model is a Z8D256U, which appears to be part of Nationz Technologies' "USBKEY" series. I have not been able to find any datasheet. Thanks to @TProphet, I found out that this chip has previously been used by the China Construction Bank in their "U-Shield" (U盾) device.

U-Shield from China Construction Bank


The only hardware validation I can find is a Chinese government authority classifying it as "EAL4+" for export. Currently there are no publicly known security flaws in the product that I could find online.

Technical Questions

1. Is Nationz Technologies in possession of Feitian Technologies' certificate authority private key? (If so, is that allowed by FIDO?)

2. Does anyone have a datasheet or any technical info for the nationz Z8D256U?

3. Has there been any public audit/test results for the nationz Z8D256U (or Feitian K5)?

Certification Questions

4. Should FIDO Certified Products be required to label the country of origin of critical cryptographic chips?

5. Should vendors be required to list the cryptographic chips used in their U2F/UAF products?

Thanks,

David Manouchehri
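The attestation certificate quoted in the post above is the one artifact a relying party can actually check when deciding whether to trust a K5 registration, so the fields it carries (issuer, subject, serial, validity, signature algorithm, public key) are worth pulling out programmatically. The following is an added example, not code from the original post or from Feitian or Nationz: a stdlib-only DER walker that parses the quoted PEM without any third-party ASN.1 or cryptography library. It also shows why OpenSSL printed the serial as "(Negative)": the leading serial byte has its high bit set, and the raw bytes are exactly the decimal-looking suffix embedded in the subject CN. The function and dictionary key names are this example's own choices.

```python
"""Stdlib-only inspector for the Feitian K5 U2F attestation certificate.

Added example (not part of the original post). Walks the DER directly and
extracts the fields a relying party looks at before trusting an attestation.
"""
import base64
from datetime import datetime

# Certificate copied verbatim from the post above.
K5_ATTESTATION_PEM = """-----BEGIN CERTIFICATE-----
MIIBPDCB5KADAgECAgqGZ3WUlmV1WWgEMAoGCCqGSM49BAMCMBcxFTATBgNVBAMT
DEZUIEZJRE8gMDEwMDAeFw0xNDA4MTQxODI5MzJaFw0yNDA4MTQxODI5MzJaMDEx
LzAtBgNVBAMTJlBpbG90R251YmJ5LTAuNC4xLTg2Njc3NTk0OTY2NTc1NTk2ODA0
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJt3wbtzf/YHkiMmNBlDy6RyNInz6
Vkc2vB6iEGJ21vWB6C0nbhrQw1ESZoUq2aF1LhM2raFVJ54czbGug4aD6zAKBggq
hkjOPQQDAgNHADBEAiDIp4nDeR2mLnZ4Qfm14uCaaLGenWx3f6/L83aov8t9bQIg
MkR1m6bzJa+omU6WpSr32nXhGevnU89kkYE3TpnCaQw=
-----END CERTIFICATE-----"""

# The few OIDs this certificate uses, keyed by dotted form.
OID_NAMES = {
    "2.5.4.3": "CN",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.3.1.7": "prime256v1",
}


def pem_to_der(pem: str) -> bytes:
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Split a constructed element's body into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


def decode_oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(body: bytes) -> dict:
    """X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) -> {attr: value}."""
    out = {}
    for _, rdn_set in children(body):
        for _, atv in children(rdn_set):
            (_, oid), (_, val) = children(atv)
            dotted = decode_oid(oid)
            out[OID_NAMES.get(dotted, dotted)] = val.decode("utf-8")
    return out


def parse_attestation_cert(pem: str) -> dict:
    tbs, sig_alg, _signature = children(read_tlv(pem_to_der(pem), 0)[1])
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:  # explicit [0] version; absent on v1 certificates
        fields = fields[1:]
    serial, _tbs_alg, issuer, validity, subject, spki = fields[:6]
    not_before, not_after = (v.decode() for _, v in children(validity[1]))
    alg_ids, key_bits = children(spki[1])
    key_alg, curve = (decode_oid(v) for _, v in children(alg_ids[1]))
    return {
        # OpenSSL prints "(Negative)" because the first serial byte has its high
        # bit set; the raw bytes are what the subject CN embeds as its suffix.
        "serial_hex": serial[1].hex(),
        "serial_signed": int.from_bytes(serial[1], "big", signed=True),
        "signature_algorithm": OID_NAMES.get(decode_oid(children(sig_alg[1])[0][1])),
        "issuer": decode_name(issuer[1]),
        "subject": decode_name(subject[1]),
        "not_before": datetime.strptime(not_before, "%y%m%d%H%M%SZ"),
        "not_after": datetime.strptime(not_after, "%y%m%d%H%M%SZ"),
        "key_algorithm": OID_NAMES.get(key_alg, key_alg),
        "curve": OID_NAMES.get(curve, curve),
        "public_point": key_bits[1][1:].hex(),  # drop BIT STRING unused-bits byte
    }


def is_self_signed(info: dict) -> bool:
    """Issuer == subject means the cert vouches only for itself."""
    return info["issuer"] == info["subject"]
```

Running `parse_attestation_cert(K5_ATTESTATION_PEM)` shows the issuer is CN=FT FIDO 0100 while the subject is the PilotGnubby name, so the cert is not self-signed and a relying party cannot verify the registration's attestation signature chain without the "FT FIDO 0100" issuer certificate in its trust store; the serial bytes 86677594966575596804 reappear as the subject CN suffix, and the two's complement of that value is the 79:98:8a:... OpenSSL printed after "(Negative)".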

Adam Powers

Jan 6, 2017, 3:21:29 PM1/6/17
to David Manouchehri, 'Juan Lang' via FIDO Dev (fido-dev)
Hi David,

I can't speak to FT's implementation, but I can add some clarity to your questions #4 and #5 below. At this time, FIDO is offering functional certification to ensure that implementations work together. FIDO's functional certification is agnostic to how the hardware or software is actually implemented; however, FIDO is in the process of launching security certification that will make sure implementations meet certain security requirements. The security certification will take a much closer look at the hardware and software.

I hope that helps.

Adam
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/c806bc5a-bfcf-481f-950e-6a7788999fd3%40fidoalliance.org.