by tialaramex 2881 days ago
No, the Relying Party absolutely does provide entropy here. Specifically the "challenge" field which you probably think of as just being for subsequent authentication is _also_ present in the registration and is important.

This challenge field, as well as the origin (determined by the client and thus protected from phishing), is turned into JSON in a specified way by the client. Then the client calculates SHA-256(json) and sends this to the Security Key along with a second parameter that depends on exactly what we're doing (U2F, WebAuthn, etcetera).

You can see this discussed at the low level in FIDO's protocol documentation: https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009/fid... and you can see the Javascript end discussed in WebAuthn: https://www.w3.org/TR/webauthn/#createCredential

The Security Key doesn't get told the origin separately; it just gets the SHA256 output. This allows a Security Key to be simpler (it needn't be able to parse JSON, for example), and so the entropy from the Relying Party has been stirred in with the origin before the Security Key gets involved.

As well as values B and E, a Security Key actually also delivers a Signature, which can be verified using B, over the SHA-256 hash it was sent. The Client sends this back to the Relying Party along with the JSON, and the Relying Party can check:

That this JSON is as expected (has the challenge chosen by the Relying Party and the Relying Party's origin)

AND

That SHA256(json) gives the value indicated

AND

That public key B has indeed signed the SHA256(json)

The reason they go to this extra effort with "challenge" and confirming signatures during registration is that it lets a Relying Party confirm freshness. Without this effort the Relying Party has no assurance that the "new" Registration it just did actually happened in response to its request. I could have recorded this Registration last week, or last year, and (without the "challenge" nonce from the Relying Party) it would have no way to know that.

Thanks for correcting me on how Yubico have approached the problem of choosing E such that they don't need to remember A anywhere.

[edited: minor layout tweaks/ typos]