You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When creating a passkey with eddsa params, it appears that the algorithm is not properly implemented.
-> same challenge get different responses (RFC8032 is deterministic, as opposed to ECDSA)
-> KEY is twice long (as P256)
Everything seems to indicate that it is in reality P256 that is used, and that algoID is not checked.
(related to #2).
This is a security issue cause if another device implements Ed25519 properly, it will fail to have a backup in case of device loss in the Samsung.
The text was updated successfully, but these errors were encountered:
When creating a passkey with eddsa params, it appears that the algorithm is not properly implemented.
-> same challenge get different responses (RFC8032 is deterministic, as opposed to ECDSA)
-> KEY is twice long (as P256)
Everything seems to indicate that it is in reality P256 that is used, and that algoID is not checked.
(related to #2).
This is a security issue cause if another device implements Ed25519 properly, it will fail to have a backup in case of device loss in the Samsung.
The text was updated successfully, but these errors were encountered: