
PIV : Store informations in slot

Open redDwarf03 opened this issue 2 years ago • 1 comments

Hello

The YubiKey allows generating a key pair and storing it in a specific PIV slot.

I would like to store 3 key pairs and 1 piece of information, an "index" (integer). This index tells us which slot we can use when we want to sign something.

  1. Where can I store my information, given that the documentation specifies that slots 82 to 95 are for retired keys?
  2. Have you got a method to check if a slot is available before storing a key pair or index? Or perhaps it's possible to determine which slots are already in use, in order to use the free slots.
  3. Have you got a method to sign something with the private key stored in a specific slot?

Thank you

redDwarf03 avatar Feb 20 '23 22:02 redDwarf03

Some info about the goal of my request

Context

Currently, the Archethic wallet generates its private/public key pair from a derivation of the seed represented in the wallet by a series of 24 words that can be understood by the user.

These keys allow for the retrieval of information within the keychain and decryption of information.

Objective

In addition to the 24 words, Archethic aims to add another key pair storage system by relying on the Yubikey electronic authentication device.

The YubiKey doesn't replace the seed phrase, since if the user loses an authentication method, they must be able to use another method to secure their funds.

Key Storage in the Yubikey

Observation:

The YubiKey allows generating a key pair and linking it to a specific PIV slot (1) (numbers 82 to 95). Once the key pair is registered in a slot, it is not possible to change it.

As there isn’t an unlimited number of available slots, only minimal useful information is stored, leading to the use of 3 slots with a key rotation system:

  • 1 "genesis" slot containing the genesis key pair to be able to position oneself at the beginning of the transaction chain. Currently, there is no associated use case. This slot will not change.
  • 1 "last" slot containing the key pair of the last generated transaction, allowing access to the secret of the keychain's access via ownership
  • 1 "next" slot containing the key pair of the next address which allows building the next keychain's access

NB: It isn’t possible to access the private key of each slot.

NB: We need to request users to choose 4 slots to avoid data overwriting.

Lifecycle:

If we evolve the keychain's access in the transaction chain:

  • The slot containing the "next" information becomes "last" (reminder: it isn’t possible to move the keys from one slot to another, so it’s the use of the slots that performs a rotation),
  • We generate a key pair in the initially "next" slot,
  • We don’t change the "genesis" slot.

Alternating between the "last" and "next" slots requires adding a slot containing the value of the transaction index in the chain in order to position oneself on the correct information.

(Screenshot 2023-02-18 at 11:26:56)

In the context of a signature, the YubiKey signs with the slot according to the index.

Generating Secret Access

When creating a secret in a transaction, an AES key created by a cryptographically secure random number generator is encrypted. This encryption is done using an ECIES (2) algorithm using the public key.

In the case of using the YubiKey, an ECDH (3) operation is performed with the public key of the last address to calculate the secret.

To retrieve the secret, and as ECDH is symmetric, we can retrieve the AES key to decrypt the secret by reusing ECDH and the public key.

Implementation

On the technical side, the Archethic wallet is developed using Google's "Flutter" framework to facilitate the deployment of the solution on multiple platforms from a single source code (4).

As for the YubiKey, its editor Yubico provides native APIs.

To simplify the use of the Yubikey SDKs, Archethic has implemented a Flutter library YubiDart (https://pub.dev/packages/yubidart) to embed the two SDKs and facilitate integration on any platform.

The currently available methods are:

  • Generate a new key pair within the YubiKey
  • Perform an ECDH operation with a given public key to compute a shared secret.
  • To develop: Check if slots have information or not to allow the user to choose their 4 slots for Archethic
  • To develop: Sign with a determined slot

All available methods meet the requirements of this article.

redDwarf03 avatar Feb 27 '23 10:02 redDwarf03
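A model of the lifecycle described in the two posts above: four chosen retired slots, the "last"/"next" role swap driven by the stored index, a free-slot check, and signing with the slot the index selects. This is an added example, not yubikit-ios or YubiDart code: the token is an in-memory stand-in and HMAC stands in for the slot's ECDSA signature. It assumes that generating a key into a slot replaces the key already there (the roles rotate, the keys never move) and that the integer index is kept as a data object in its own slot.

```python
import hashlib
import hmac
import os

RETIRED_SLOTS = range(0x82, 0x95 + 1)  # PIV retired key-management slots named in the issue


class SimulatedPiv:
    """Stand-in for the token: private material never leaves it; HMAC stands in for ECDSA."""
    def __init__(self):
        self._keys, self._objects = {}, {}
    def free_slots(self):  # question 2: slots holding neither a key pair nor a data object
        return [s for s in RETIRED_SLOTS if s not in self._keys and s not in self._objects]
    def generate_key(self, slot):  # assumption: regenerating replaces the slot's key in place
        if slot not in RETIRED_SLOTS or slot in self._objects:
            raise ValueError(f"slot {slot:#x} unavailable for a key pair")
        self._keys[slot] = os.urandom(32)  # constructed private key, never returned
    def put_object(self, slot, data):  # the integer index is kept as a data object, not a key
        if slot not in RETIRED_SLOTS or slot in self._keys:
            raise ValueError(f"slot {slot:#x} unavailable for data")
        self._objects[slot] = data
    def get_object(self, slot):
        return self._objects[slot]
    def sign(self, slot, message):  # question 3: sign with the key of one chosen slot
        return hmac.new(self._keys[slot], message, hashlib.sha256).digest()


class RotatingWallet:
    """Genesis never changes; the two rotating slots swap 'last'/'next' roles via the index."""
    def __init__(self, piv, slots):
        if len(set(slots)) != 4 or any(s not in piv.free_slots() for s in slots):
            raise ValueError("choose 4 distinct free slots")
        self.piv, self.genesis, self.rotating, self.index_slot = piv, slots[0], slots[1:3], slots[3]
        for s in (self.genesis, *self.rotating):
            piv.generate_key(s)  # genesis plus the initial 'last' and 'next' key pairs
        piv.put_object(self.index_slot, (0).to_bytes(4, "big"))
    def index(self):
        return int.from_bytes(self.piv.get_object(self.index_slot), "big")
    def last_slot(self):  # 'last' is the signing slot; its position follows the index parity
        return self.rotating[self.index() % 2]
    def next_slot(self):
        return self.rotating[(self.index() + 1) % 2]
    def rotate(self):
        """'next' becomes 'last'; the former 'last' slot gets a fresh key and becomes 'next'."""
        self.piv.generate_key(self.last_slot())
        self.piv.put_object(self.index_slot, (self.index() + 1).to_bytes(4, "big"))
    def sign(self, message, slot=None):
        return self.piv.sign(self.last_slot() if slot is None else slot, message)
```

Without the persisted index a fresh wallet instance could not tell which of the two rotating slots currently holds the "last" key, which is the reason the posts reserve a fourth slot for it.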