Inspiration

Dedicated cryptocurrency hardware wallets are expensive. Inexpensive FIDO U2F hardware second-factor devices, however, are becoming more popular as Google, Facebook, and others add support, and they can provide the same level of security. Adoption of these devices will grow as privacy and security become larger global concerns.

What it does

kEth implements support for registering a FIDO U2F key with a smart contract and requiring an elliptic curve signature from the device to authorize transactions. This can easily be extended to secure multisig, governance contracts, etc. FIDO U2F is a standard protocol with devices manufactured by a number of companies, supporting USB-A, USB-C, NFC, and Bluetooth. The JavaScript API is built into Chrome and Opera, and is coming soon to Firefox.

How I built it

kEth uses the FIDO U2F JavaScript API to communicate with the device and implements U2F signature verification on-chain, enabling greater security in contracts.

Challenges I ran into

The FIDO U2F plaintext message format was reverse engineered from several U2F server implementations, taking about 14h to perfect.

Ethereum at present does not natively support the secp256r1 ECDSA curve. We leveraged an ECDSA Solidity contract, which exacerbated the difficulty of determining the cause of signature verification failures. Byzantium adds support for faster elliptic curve primitives that enable optimization and will be an important feature.

Passing variable-length parameters in Web3 is not supported, and passing large parameters is non-obvious. Debug support for Solidity is non-existent and runtime errors are virtually useless.

Accomplishments that we’re proud of

Getting everything to work end-to-end!

What we learned

Solidity, Web3, Truffle, React, DSA, elliptic curves, DSA serialization standards, FIDO standards.

What's next for kEth

Optimization and generalization of the smart contract will be crucial to making this successful.
