FIDO U2F Support
Greg Hudson
ghudson at mit.edu
Wed Dec 16 14:42:53 EST 2015
On 12/16/2015 01:32 PM, Martin Gegenleitner wrote:
> (http://k5wiki.kerberos.org/wiki/Projects/PAKE_Preauthentication#Proposed_2FA_Methods)
> Since the wiki-page was updated on 2015-03-17, I wanted to know if there
> is any progress in this project
There has been substantial progress. See:
http://k5wiki.kerberos.org/wiki/Projects/SPAKE_preauth_prereqs
http://k5wiki.kerberos.org/wiki/Projects/SPAKE_Preauthentication
https://github.com/npmccallum/ietf/blob/master/draft-mccallum-kitten-krb-spake-preauth-00.xml
https://github.com/greghudson/krb5/tree/spake
To summarize:
* We have a draft which hasn't been adopted by the kitten working group
yet (we need to make a few more changes, resubmit it, and then put it in
the queue for adoption).
* I have an in-progress implementation, using placeholder values, which
does the SPAKE exchange using OpenSSL's P-256 curve implementation.
* The next step is to add pluggable interfaces on the KDC and client
side for second factors. This part is difficult.
Despite the lack of second-factor pluggable interfaces, you could
probably implement a proof of concept using the existing code, without
worrying about making it a proper plug-in module.