Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://agora.echelon.pl/objects/b527d4fa-acb9-4369-9dbf-178add5ce787">kravietz 🦇 (kravietz@agora.echelon.pl)'s status on Wednesday, 18-Oct-2023 05:56:59 JST</a><a href="https://agora.echelon.pl/users/kravietz" title="kravietz@agora.echelon.pl"><img src="https://gnusocial.jp/avatar/5480-48-20240917094343.webp" width="48" height="48" alt="kravietz 🦇" style="position: absolute; left: 0; top: 0;">kravietz 🦇</a><div><a href="https://mastodon.social/@saper/111250106157334698" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/111068" title="saper@mastodon.social">Marcin Cieślak</a></li><li><a href="https://gnusocial.jp/user/114200" title="planesailinggames@chirp.enworld.org">Alex White</a></li></ul></div></section><article><p><a href="https://mastodon.social/@saper">@saper</a></p><p>Under FIDO, to which Google declares compliance for passkeys[^1], the private key should never leave the client device so they shouldn’t be stored on the server… but that applies to the service provider (e.g. Shopify website). Identity provider, in this case Google or Apple, of course do store private keys on their servers for backup purposes, only they declare them to be encrypted by the sync passphrase.</p><p>I guess there are two workflows here: one under normal usage scenarios, one under TAO[^2] or other “law enforcement love letter” scenarios.</p><p>Granted that identity like Google provider controls all data flows for any software keys, from storage (Android), sync passphrase entry (Android) to operating system and application updates (especially after hosted developer keys were introduced to Android[^3]), it would be naive to have any illusions that under TAO scenario they won’t retrieve that one way or another.</p><p>This shouldn’t be the case with hardware authenticators, of course, which are also allowed by Passkeys. Or at least building a side channel for private key retrieval will be much more difficult even in TAO scenario.</p><p>[^1]: <a href="https://developers.google.com/identity/passkeys">https://developers.google.com/identity/passkeys</a></p><p>[^2]: <a href="https://en.wikipedia.org/wiki/Tailored_Access_Operations">https://en.wikipedia.org/wiki/Tailored_Access_Operations</a></p><p>[^3]: <a href="https://www.theregister.com/2021/07/01/android_app_bundle/">https://www.theregister.com/2021/07/01/android_app_bundle/</a></p><p><a href="https://chirp.enworld.org/@PlaneSailingGames">@PlaneSailingGames</a> <a href="https://cyberplace.social/@GossiTheDog">@GossiTheDog</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2198879#notice-4322438">In conversation</a><time datetime="2023-10-18T05:56:59+09:00" title="Wednesday, 18-Oct-2023 05:56:59 JST">about a year ago</time> <span>from <span><a href="https://agora.echelon.pl/objects/b527d4fa-acb9-4369-9dbf-178add5ce787" rel="external" title="Sent from agora.echelon.pl via ActivityPub">agora.echelon.pl</a></span></span><a href="https://agora.echelon.pl/objects/b527d4fa-acb9-4369-9dbf-178add5ce787">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: www.gstatic.com</div><h5><a href="https://developers.google.com/identity/passkeys">Passwordless login with passkeys  |  Authentication  |  Google for Developers</a></h5><div></div></header><div></div><footer></footer></article></li><li><article><header><div>Domain not in remote thumbnail source whitelist: upload.wikimedia.org</div><h5><a href="https://en.wikipedia.org/wiki/Tailored_Access_Operations">Tailored Access Operations</a></h5><div></div></header><div>The Office of Tailored Access Operations (TAO), now Computer Network Operations, and structured as S32, is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). It has been active since at least 1998, possibly 1997, but was not named or structured as TAO until "the last days of 2000," according to General Michael Hayden.TAO identifies, monitors, infiltrates, and gathers intelligence on computer systems being used by entities foreign to the United States.HistoryTAO is reportedly "the largest and arguably the most important component of the NSA's huge Signals Intelligence Directorate (SID), consisting of more than 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers".
Snowden leak
A document leaked by former NSA contractor Edward Snowden describing the unit's work says TAO has software templates allowing it to break into commonly used hardware, including "routers, switches, and firewalls from multiple product vendor lines...</div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/1669010">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
kravietz 🦇 (kravietz@agora.echelon.pl)'s status on Wednesday, 18-Oct-2023 05:56:59 JSTkravietz 🦇
in reply to
@saper
Under FIDO, to which Google declares compliance for passkeys[^1], the private key should never leave the client device so they shouldn’t be stored on the server… but that applies to the service provider (e.g. Shopify website). Identity provider, in this case Google or Apple, of course do store private keys on their servers for backup purposes, only they declare them to be encrypted by the sync passphrase.
I guess there are two workflows here: one under normal usage scenarios, one under TAO[^2] or other “law enforcement love letter” scenarios.
Granted that identity like Google provider controls all data flows for any software keys, from storage (Android), sync passphrase entry (Android) to operating system and application updates (especially after hosted developer keys were introduced to Android[^3]), it would be naive to have any illusions that under TAO scenario they won’t retrieve that one way or another.
This shouldn’t be the case with hardware authenticators, of course, which are also allowed by Passkeys. Or at least building a side channel for private key retrieval will be much more difficult even in TAO scenario.
[^1]: https://developers.google.com/identity/passkeys
[^2]: https://en.wikipedia.org/wiki/Tailored_Access_Operations
[^3]: https://www.theregister.com/2021/07/01/android_app_bundle/
@PlaneSailingGames @GossiTheDog
In conversationabout a year ago from agora.echelon.plpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: www.gstatic.com
  Passwordless login with passkeys | Authentication | Google for Developers
2. Domain not in remote thumbnail source whitelist: upload.wikimedia.org
  Tailored Access Operations
  The Office of Tailored Access Operations (TAO), now Computer Network Operations, and structured as S32, is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). It has been active since at least 1998, possibly 1997, but was not named or structured as TAO until "the last days of 2000," according to General Michael Hayden.TAO identifies, monitors, infiltrates, and gathers intelligence on computer systems being used by entities foreign to the United States. History TAO is reportedly "the largest and arguably the most important component of the NSA's huge Signals Intelligence Directorate (SID), consisting of more than 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers". Snowden leak A document leaked by former NSA contractor Edward Snowden describing the unit's work says TAO has software templates allowing it to break into commonly used hardware, including "routers, switches, and firewalls from multiple product vendor lines...
3. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice