I am trying to understand how FIDO2 CTAP2 protocol works reading different manuals like:
Actually I am even not sure is it description of U2F CTAP1 or FIDO2 CTAP2 protocol.
According to mentioned documentation an authenticator creates a key pair:
Authenticator Creates New Key Pair and Attestation - Before doing anything, the authenticator will typically ask for some form of user verification. This could be entering a PIN, using a fingerprint, doing an iris scan, etc. to prove that the user is present and consenting to the registration. After the user verification, the authenticator will create a new asymmetric key pair and safely store the private key for future reference. The public key will become part of the attestation, which the authenticator will sign over with a private key that was burned into the authenticator during its manufacturing process and that has a certificate chain that can be validated back to a root of trust.
After reading above paragraph from the documentation a hardware token looks for me like a small user’s own local “certificate authority” with a secure private key inside the hardware token used for a signature and attestation of a newly generated key pair. It looks like creating a signed certificate, is not it?
Please explain, private key of the newly generated pair is stored on user’s the disk file system? and in which format? Is it just a raw plaintext private key material or is it somehow encrypted and by which another key?
For example if we look at how the latest version of OpenSSH works with U2F tokens we can see that
ssh-keygen -t ecdsa-sk generates a new key pair somehow related also to another third key - private key inside a hardware token.
Lets after executing ssh-keygen we get in result two files: id_ecdsa_sk and id_ecdsa_sk.pub.
What exactly is inside a id_ecdsa_sk ? Is it just a raw private key material used in OpenSSH like any other keys stored on the disks? If it is stolen then we loose a protection from a MITM or only if also a hardware key is stolen? How is it provided/implemented in simple words without reading sources of OpenSSH?
The private key file
should be useless to an attacker who does not have access to the
What about MITM, how is it achieved?
I know OpenSSH for now uses only U2F/CTAP1 protocol yet.
In CTAP2 protocol a keypair is generated the same way too? Is it being stored more secure or the same way as in CTAP1 protocol too?