Can we store any sensitive data in device(yubikey) #598
-
|
As we have https://developers.yubico.com/libfido2/Manuals/fido_dev_largeblob_get.html commands for storing the large blobs. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Edit: I realize now that you were asking about the confidentiality and authenticity aspects of |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for replying. Let me try to elaborate my query here. *The “largeBlobs” extension is not meant to be used to store sensitive data. When retrieved, a credential's “largeBlobs” encryption key is transmitted in the clear, and an authenticator's “largeBlobs” CBOR array can be read without user interaction or verification." Do we have any other way/API available which we can use to push some secret (like password) in the key, which later can be verified? Like we pass the secret later and key(yubikey) authenticate it! |
Beta Was this translation helpful? Give feedback.
-
|
I am afraid such a mechanism is outside the scope of FIDO2. There are, however, FIDO2 extensions such as the hmac-secret extension (used by systemd for disk encryption) which could be used to compose a solution. |
Beta Was this translation helpful? Give feedback.
I am not sure I understand the question; my apologies.largeBlobsis a FIDO CTAP 2.1 extension allowing the storage of discretionary data on a FIDO authenticator. The data is opaque to the authenticator and can be anything. The only FIDO authenticator supportinglargeBlobs- that I am aware of - is the YubiKey Bio, which supports blobs adding up to ~1000 bytes in size. Please note that fido2-token(1) can be used to store/fetchlargeBlobs.Edit: I realize now that you were asking about the confidentiality and authenticity aspects of
largeBlobs. If libfido2 APIs (or fido2-token) are used,largeBlobswill be encrypted with a AEAD algorithm (specifically, AES-256 GCM) before being stored on t…