
I am trying to create an application that can retrieve the public and private key from a U2F token such as a Yubikey Neo in the Java language. I tried using a simple Scanner on the console to get anything from the Yubikey Neo, but it would not work, as nothing was printed (probably because of the format), unlike an OTP, which is printed out in Notepad so it can be captured by a reader.

I know that Yubico offers only a JavaScript implementation that is able to retrieve the public key when the user touches the button of the U2F token, but until now I haven't found any Java library that is able to do that. Is there some way I could get the public and private key from a U2F token?

Ihsan Haikal

1 Answer

3

Short answer: You can't extract private keys.

U2F is based on public-key cryptography (aka asymmetric cryptography). Private keys never leave U2F tokens and are only used inside the tokens (by the internal CPU, usually a built-in smart card) to sign random server challenges.

See simplified U2F authentication diagram here

By using public-key cryptography, FIDO U2F is much more secure than OTP / TOTP.

More info on FIDO U2F:

http://www.slideshare.net/CloudIDSummit/cis-2015b-fido-u2-f-in-10-minutes-cis-2015

Frederic MARTIN
  • Is there any way I could get the public key instead when I push the button of my Yubikey Neo? – Ihsan Haikal Aug 23 '16 at 07:45
  • For each "identity", there is a pair of keys (a public one and a private one). Each public key is sent to the server during registration (each identity creation); this is the only time you can "see it" traveling between the U2F token and the server (through SSL, since https is mandatory). The public keys are then stored on the server side and are not sent again during the following authentications. – Frederic MARTIN Aug 23 '16 at 07:54
  • If you want to see what a U2F token public key (and its certificate) looks like, you can go to https://demo.yubico.com/u2f?tab=register and, after registration, click on the "technical data" button. – Frederic MARTIN Aug 23 '16 at 08:01
  • I have tried the website, and basically this website is controlled by the U2F JavaScript, but I could not find the exact method in a Java implementation to get the public key, or the public key when the server sends the challenge and, when the user pushes the button of the Yubikey Neo, it will be signed. – Ihsan Haikal Aug 23 '16 at 08:08
  • As far as I know, on the client side, there is no existing Java FIDO U2F implementation (not impossible, it just has not been done yet). – Frederic MARTIN Aug 23 '16 at 08:22
  • On the server side, you can use this on your own server: https://developers.yubico.com/java-u2flib-server/ By the way, I am not sure I understand what your main goal is :) – Frederic MARTIN Aug 23 '16 at 08:23
  • My main goal is to be able to do U2F authentication in a Java application that I build. I notice that when the server sends the challenge to the client, the client touches the button of the Yubikey Neo and it generates the signature based on the challenge. My problem is that I do not know how to implement this in my Java application, especially the part where the user touches the button and it signs the challenge. – Ihsan Haikal Aug 23 '16 at 08:35
  • So... :( no easy solution for you, since (AFAIK) there is no existing Java client for FIDO U2F. You'll have to wait, ask the "FIDO alliance" for it... or implement your own. https://fidoalliance.org/specifications/download/ Good luck! :) – Frederic MARTIN Aug 24 '16 at 07:23
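The exchange the answer and its comments describe (public key sent to the server once at registration, a fresh challenge signed inside the token at every authentication, private key never leaving the device), as an added example that is not part of the original question or answer and is not code from Yubico's java-u2flib-server. It is written in Go rather than Java so that it runs with the standard library alone. The Token type stands in for the secure element inside a U2F device; the key-handle derivation, the appID "https://example.test", the RunFlow helper and the use of the raw challenge in place of the clientData JSON a browser would build are all assumptions made for the demo. What it does follow is the U2F raw authentication message layout, SHA-256(appID) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData), which is what the token signs and the server verifies with the stored public key:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Token simulates the inside of a U2F authenticator: private keys live only here and are never returned.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey // one P-256 key per registration, by key handle
	counter uint32                       // signature counter, bumped on every authentication
}

// Register mints a key pair for one identity and returns an opaque key handle plus the public key
// as an uncompressed X9.62 point; this is the only time the public key leaves the token.
func (t *Token) Register() (keyHandle, pubKey []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pubKey = elliptic.Marshal(elliptic.P256(), priv.X, priv.Y)
	h := sha256.Sum256(pubKey) // assumption: stands in for a token-specific opaque handle
	t.keys[string(h[:])] = priv
	return h[:], pubKey, nil
}

// Authenticate is the "touch the button" step: sign the U2F raw authentication message
// SHA-256(appID) || userPresence || counter || SHA-256(clientData) with the handle's key.
func (t *Token) Authenticate(appID string, keyHandle, clientData []byte) (uint32, []byte, error) {
	priv, ok := t.keys[string(keyHandle)]
	if !ok {
		return 0, nil, errors.New("token: unknown key handle")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, authDigest(appID, 0x01, t.counter, clientData))
	return t.counter, sig, err
}

// authDigest builds the signed message; token and server must agree on it byte for byte.
func authDigest(appID string, userPresence byte, counter uint32, clientData []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := binary.BigEndian.AppendUint32(append(app[:], userPresence), counter)
	h := sha256.Sum256(append(msg, chal[:]...))
	return h[:]
}

// Server stores only public keys and the last counter seen for each key handle.
type Server struct {
	appID    string
	pubs     map[string]*ecdsa.PublicKey
	counters map[string]uint32
}

// StoreRegistration keeps the public key from registration after checking it is a valid curve point.
func (s *Server) StoreRegistration(keyHandle, pubKey []byte) error {
	x, y := elliptic.Unmarshal(elliptic.P256(), pubKey)
	if x == nil {
		return errors.New("server: malformed public key")
	}
	s.pubs[string(keyHandle)] = &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	return nil
}

// VerifyAuthentication checks the signature with the stored public key and rejects a counter that did
// not move. clientData is the server's fresh random challenge (real U2F wraps it in JSON with the origin).
func (s *Server) VerifyAuthentication(keyHandle, clientData []byte, counter uint32, sig []byte) error {
	pub, ok := s.pubs[string(keyHandle)]
	if !ok {
		return errors.New("server: unknown key handle")
	}
	if !ecdsa.VerifyASN1(pub, authDigest(s.appID, 0x01, counter, clientData), sig) {
		return errors.New("server: bad signature")
	}
	if counter <= s.counters[string(keyHandle)] {
		return errors.New("server: counter did not increase (replay or cloned token)")
	}
	s.counters[string(keyHandle)] = counter
	return nil
}

// RunFlow: one registration and authentication, then a replayed response and a response from an unregistered token.
func RunFlow() (genuine, replay, otherToken error) {
	tok := &Token{keys: map[string]*ecdsa.PrivateKey{}}
	srv := &Server{"https://example.test", map[string]*ecdsa.PublicKey{}, map[string]uint32{}} // hypothetical appID
	kh, pub, _ := tok.Register()
	_ = srv.StoreRegistration(kh, pub)
	chal := make([]byte, 32)
	_, _ = rand.Read(chal)
	ctr, sig, _ := tok.Authenticate(srv.appID, kh, chal)
	genuine = srv.VerifyAuthentication(kh, chal, ctr, sig)
	replay = srv.VerifyAuthentication(kh, chal, ctr, sig)
	imp := &Token{keys: map[string]*ecdsa.PrivateKey{}} // a second token that never registered here
	kh2, _, _ := imp.Register()
	ctr2, sig2, _ := imp.Authenticate(srv.appID, kh2, chal)
	otherToken = srv.VerifyAuthentication(kh, chal, ctr2, sig2)
	return
}
```

RunFlow returns nil for the genuine response, a counter error for the replayed one and a bad-signature error for the unregistered token. The counter check is the caveat a server must implement: a cloned token, or a captured response played back, yields a perfectly valid signature, and only the monotonically increasing counter exposes it. Attestation certificates, the registration signature and clientData/origin validation, which the real protocol also has, are left out here; a production server should use a maintained library such as the one linked in the comments.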