Make Your Own Security Key With Google’s OpenSK ((LINK))
OpenSK is coded in Rust and runs on TockOS, an embedded operating system designed for "mutually distrustful applications" and also written in Rust. Google's Elie Bursztein, security & anti-abuse research lead, and Jean-Michel Picod, software engineer, said: "Rust's strong memory safety and zero-cost abstractions makes the code less vulnerable to logical attacks."
Make Your Own Security Key With Google’s OpenSK
Google is letting developers build their own security key by flashing the OpenSK firmware on an off-the-shelf Nordic chip dongle that costs $10. The hardware features NFC, Bluetooth Low Energy, and USB-A with a dedicated hardware crypto core. Google is also providing a custom, 3D-printable case to protect and carry the key.
OpenSK is an open-source implementation developed by Google for security keys, written in Rust that supports both FIDO U2F and FIDO2 standards. Google's OpenSK open-source firmware, combined with an open-source USB hardware dongle, allows end-users to make their own security key to use for authentication and security.
While Google has done a lot for mobile security, a little known fact about the company is that they love to dabble with security keys. The Titan line of security keys has full integration with your Android or iOS smartphone and can be used to authenticate your login to your Google account. Google has now launched OpenSK, an open-source project that will allow developers to create and build their own 2FA security key.
FIDO2 does away with passwords altogether while using a hardware key by using an authentication protocol called WebAuthn. This uses the digital token on your security key to log straight into a compatible online service.
Google has designed the OpenSK firmware to work on a Nordic dongle, which is a small uncased board with a USB connector on it. It handles all the communication channels supported by FIDO2, including not just USB but wireless ones like Bluetooth Low Energy (BLE), and near-field communications (NFC). That means you could use a Nordic chip flashed with OpenSK as a wireless security key if you like.
Security keys are designed to make logging in to devices simpler and more secure, but not everyone has access to them, or the inclination to use them. Until now. Today, Google has launched an open source project that will help hobbyists and hardware vendors build their own security keys, and contribute to the technology's ongoing development.
By making these resources available to everyone, Google is helping to advance the password-less security field -- people tinkering with their own projects gives rise to innovation, after all. Indeed, Google seems to be looking quite far ahead with OpenSK, noting in its blog post that "While you can make your own fully functional FIDO authenticator today ... this release should be considered as an experimental research project to be used for testing and research purposes." Kjetil Holstad, director of product management at Nordic, meanwhile, says he hopes the collaboration will "help the industry gain mainstream adoption of security keys."Turn on browser notifications to receive breaking news alerts from EngadgetYou can disable notifications at any time in your settings menu.Not nowTurn onTurned onTurn on
Written in Rust, OpenSK supports both FIDO2 and FIDO U2F standards, and promises to allow security key manufacturers, researchers, and anyone else interested in better security for online accounts to make their own security keys with innovative features, just by flashing a firmware on a Nordic chip dongle.
Below, Google is providing a quick demo of how its OpenSK open-source security key platform works. For more details and to get started developing your own FIDO authenticator, visit the official GitHub repository.
The decision to provide OpenSK as an open-source project may prove to be a welcome one. Barely a day goes by without yet more news of security breaches. Authentication keys play a role in securing data, so Google offering a new platform on which developers can create security keys may help.
The crypto materials downloaded here were pre-generated just to show how to use the firmware update tool. To keep the hardware security and privacy, OpenSK dongle sold publicly uses different crypto materials.You can generate your own crypto materials (for example, use XCA tool).
Please make sure you have downloaded firmware nrf52840_dongle_dfu_dfu.zip package to the same directory of this tool.To perform this step, choose second "Update" Tab, insert your OpenSK USB Dongle to your USB port, press the user button on hardware for more than 10 seconds to switch your OpenSK USB Dongle to bootloader mode, then click "Update" button, wait for the firmware to be 100% flashed.
Apply udev rule (Linux only).If you are using Linux, you should add a udev rule to make OpenSK work well with FIDO applications and browsers.sudo cp rules.d/55-opensk.rules /etc/udev/rules.d/sudo udevadm control --reloadThen unplug and replug the key for the rule to trigger.
Configure the OpenSK security parameter.Please follow the description to change the Attestation Certificate as you want. If you are not familiar with OpenSK and FIDO, we recommend you do not change anything.
$ ./deploy.py --board=nrf52840_dongle_dfu --programmer=nordicdfu --opensk When prompt Press [ENTER] when ready. Just press Enter, the firmware will be flashed to your OpenSK USB Dongle. When the progress bar reaches 100%, OpenSK USB Dongle will be in working mode automatically.
When you add a security to Google services, you may encount problem because OpenSK uses self attestation. So plesae click "Skip" when Chrome prompts "allow this site to see your security key? google.com wants to see the make and model of your security key."
Your point about hardware tokens being much more expensive, especially in countries that have import restrictions on encryption devices, is well taken. It makes sense that this new technology might be out of reach for billions of people worldwide. Even the cheaper android-based phones that you could afford, likely will not have the hardware security chip for many years.So forget Yubikey or Apple phones or even Android, because it seems you could not afford ANY device capable of this security.
Google has open-sourced a new project called OpenSK that will make it easier for hobbyists and hardware vendors to build their own security key. The open-sourced GitHub project contains Rust-based firmware that can be installed on Nordic chip dongles and effectively convert the dongle into a FIDO U2F and FIDO2-compliant security key. Furthermore, Google also published stereolithography source code files. Users can use these files to 3D-print a physical case, and place the Nordic chip dongle to assemble a real-life security key they can carry around.
The TrickBot Trojan has switched to a new Windows 10 UAC bypass to execute itself with elevated privileges without showing a User Account Control prompt. Windows uses a security mechanism called User Account Control (UAC) that will display a prompt every time a program is run with administrative privileges. These UAC bypasses are found in legitimate Microsoft Windows programs that are used by the operating system to launch other applications.
Our friend Marco is doing some fantastic work over on his own cybersecurity blog and just published a brilliant dashboard used to visualize and monitor trends over thousands even millions of samples providing quantitative analyses on what has observed during the performed automatic analyses. Head on over and check it out, he welcomes your thoughts, feedback and feature requests! -threat-trends/
At this time, OpenSky does not integrate with GCS. We are actively pursuing opportunities for GCS integration. Sign up for our mailing list at wing.com/opensky to be informed of the latest developments.
OpenSky continuously receives airspace data from regulatory bodies. In some circumstances an authorization for airspace access may be canceled due to a change in airspace data. In such a case, OpenSky will notify you that your authorization was canceled and the checklist will be updated to provide you with the reason for cancellation.
So what is a security key and what makes it pretty cool? Essentially, in addition to other MFA solutions such as TOTP Authenticator codes, fingerprint or facial matching, it acts as a non-primary login authentication tool for many services. It works a bit like TOTP codes, but that only one that your specific USB Key is able to provide to the system requesting it. It's a hardware key for your PC really.
I am all for letting some services be responsible for many quality of life features for me to take advantage of, unless it comes with security. For me, only if I have the option to self-host or locally provide the service myself using their infrastructure, or if they are completely opened sources, would I then consider using it. YubiKey is neither, so if the company goes belly-up, well, your security keys may still work but the support is questionable.
So when I found out about Google's openSK package and a few boards sporting a Nordic chipset such as this MakerDiary board, I figured why not make my own security key! Oh boy I was not expecting the troubles I faced but it was worth it.
Ideally, I would also have NFC as a functionality but sadly, while it is semi possible with the chip on the USB key to support its functionality, the power the NFC antenna would get from the wireless technology would not be enough to power the chip on the board, let alone anything else connected to it. So sadly, no wireless security key for my phone.
Since I could not build the OpenSK firmware, I had to result to using this specific nrf U2F build. I didn't need to build it from scratch as it came with a prebuilt binary, however, it lacks FIDO2 support. It only works as a security key with FIDO 1 and U2F. Additionally, it was no longer related to Google's open source project.
But once I had all my fingerprints recorded, half the battle was done! Now came how it can interface with the security key. I knew that I could power it with 5v from a pin off the key, but how about the data line? I can't just wire one thing to the pin on the key for the presence button override because the sensor takes multiple wires and needs logic to decipher the random values it spits out. So this is where the tiniest chip/microcontroller I had laying around comes in. 350c69d7ab