Soft U2F in Qubes?


Micah Lee

Jul 25, 2017, 1:21:03 PM
to qubes-users
GitHub has released an interesting piece of Mac software called Soft
U2F: https://githubengineering.com/soft-u2f/

It's basically a virtual security key, and it stores its secret in the
macOS keyring. When you login to a website with 2FA, instead of using a
physical USB security key, you just click an "approve" button that pops up.

Their blog about it says: "Authenticators are normally USB devices that
communicate over the HID protocol. By emulating a HID device, Soft U2F
is able to communicate with your U2F-enabled browser, and by extension,
any websites implementing U2F."

As it stands, U2F is a pain in Qubes because you have to deal with USB
passthrough, and exposing your VMs to sys-usb.

How hard would it be to build a Qubes version of Soft U2F that stores
the secret in a separate VM, similar to split gpg? This could make using
U2F much more usable and secure inside of Qubes, I think.

Rusty Bird

Jul 25, 2017, 4:30:16 PM
to Micah Lee, qubes-users
Micah Lee:
> How hard would it be to build a Qubes version of Soft U2F that stores
> the secret in a separate VM, similar to split gpg? This could make using
> U2F much more usable and secure inside of Qubes, I think.

I suppose the most secure way (which avoids the USB protocol's attack
surface) would be to have the separate VM implement only the "high
level" U2F device, connect it to the browsing VM via qrexec, and then
hook that up to the browser (either by emulating a USB device, or via a
specialized browser extension). Someone could probably do this by
cannibalizing e.g. virtual-u2f [1].

If the website supports TOTP as well, and you're okay with Tor Browser
or Firefox, you may be interested in Split Browser [2]. Its TOTP login
is almost as slick - Ctrl-Shift-Enter to request logging in, Enter to
confirm.

Rusty


1. https://github.com/mplatt/virtual-u2f
2. https://github.com/rustybird/qubes-split-browser