MathJax is used; the syntax is $\LaTeX$.
$$
\begin{align}
\nabla \times \vec{\mathbf{B}} -\, \frac1c\, \frac{\partial\vec{\mathbf{E}}}{\partial t} & = \frac{4\pi}{c}\vec{\mathbf{j}} \\
\nabla \cdot \vec{\mathbf{E}} & = 4 \pi \rho \\
\nabla \times \vec{\mathbf{E}}\, +\, \frac1c\, \frac{\partial\vec{\mathbf{B}}}{\partial t} & = \vec{\mathbf{0}} \\
\nabla \cdot \vec{\mathbf{B}} & = 0
\end{align}
$$
Syntax reference: https://bramp.github.io/js-sequence-diagrams/
```seq
participant Device
participant Browser
participant Server
Browser->Server: username and password
Note over Server: verify password
Note over Server: generate challenge
Server->Browser: challenge
Browser->Device: challenge
Note over Device: user touches button
Device-->Browser: response
Browser->Server: response
Note over Server: verify response
```
Syntax sugar I defined: a `sequence` block can carry animation.
```sequence
participant Device
participant Browser
participant Server
Browser->Server: username and password
Note over Server: verify password
Note over Server: generate challenge
Server->Browser: challenge
Browser->Device: challenge
Note over Device: user touches button
Device-->Browser: response
Browser->Server: response
Note over Server: verify response
```
```flowchart
a=>operation: Atmel
ATECC508A
crypto chip:>http://www.atmel.com/Images/Atmel-8923S-CryptoAuth-ATECC508A-Datasheet-Summary.pdf
b=>operation: Silabs
EFM8UB11F16G
microcontroller:>https://www.silabs.com/Support%20Documents/TechnicalDocs/EFM8UB1_DataSheet.pdf
c=>inputoutput: USB
d=>operation: host
a(right)->b(right)->c(right)->d
```
```flowchart
st=>start: Start:>http://www.google.com[blank]
e=>end:>http://www.google.com
op1=>operation: My Operation
sub1=>subroutine: My Subroutine
cond=>condition: Yes
or No?:>http://www.google.com
io=>inputoutput: catch something...
st->op1->cond
cond(yes)->io->e
cond(no)->sub1(right)->op1
```
The [U2F]{Universal 2nd Factor} standard was developed by Yubico and Google and is published through the FIDO (Fast IDentity Online) Alliance. It aims to provide a convenient, driver-free, general-purpose authentication token, so that a user who also presents a U2F token gets strong authentication even with a short password. The authentication does not depend on any central server: it is built entirely on public-key cryptography, with a fresh key pair generated for every registration and bound to the site's AppID, so a registration made at one origin cannot be used from another.
The U2F transport can be USB HID, NFC (currently supported by the Yubikey Neo) or BTLE (when I met Yubico's sales people at a conference abroad, they said a BTLE-capable Yubikey would appear within the next two years, which would let iPhones use it).
U2F-Zero is an open-source U2F token released under the BSD license. The code is on GitHub at conorpp/u2f-zero; the documentation is in its Wiki.
Below I will cover usage first, then how U2F works, and finally the U2F-Zero hardware and its manufacturing process.
U2F-Zero has 15 slots, so it can hold 15 key pairs. (Later I will explain how the Yubikey manages an unlimited number of U2F registrations.)
Taking Debian-based systems as an example:

```bash
# udev: let the logged-in user open the U2F-Zero's hidraw node (Silabs VID 10c4, PID 8acf)
echo 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="8acf", TAG+="uaccess"' | sudo tee -a /etc/udev/rules.d/70-u2f.rules
sudo udevadm control --reload-rules && sudo udevadm trigger
sudo apt-get install libpam-u2f pamu2fcfg
# If they are not in your repositories, add the PPA first:
# sudo add-apt-repository ppa:yubico/stable
# sudo apt-get update
man pamu2fcfg
# pamu2fcfg registers the token (touch the button when prompted) and prints "<user>:<KeyHandle>,<UserKey>".
# The file holds only public keys, so it may be world-readable, but it must be owned by root.
pamu2fcfg | sudo tee -a /etc/u2f_mappings
sudo chmod 644 /etc/u2f_mappings
sudo chown root:root /etc/u2f_mappings
# Require BOTH the password and the U2F token for sudo (keep a root shell open while testing,
# so a typo in the mapping file cannot lock you out):
echo "auth required pam_u2f.so authfile=/etc/u2f_mappings cue" | sudo tee -a /etc/pam.d/sudo
# If either the password OR the token alone should be enough, put
#   auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
# at the TOP of /etc/pam.d/sudo instead: a "sufficient" line appended after the
# pam_unix / pam_deny lines of common-auth is never the deciding module.
# On Ubuntu, to use the token at login as well, put that line at the top of /etc/pam.d/common-auth:
sudo sed -i '1i auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue' /etc/pam.d/common-auth
```
If you have more than one U2F key, you cannot simply put two lines in u2f_mappings: each username gets exactly one line, and the registrations on it are separated by `:`, in this format:

```
<username1>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
<username2>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
```

For example:

```
scateu:BJkQhw,04efe995ba9361b9530e2d3572662f01da08e6f28e77cfdac8981000128c0597ee5d706b7eaee9ea3a79f572654c482daa0ef9193407a3a2b379e284c08bb95a59:axh4xfEr6o_i6z8BAXcW24Q_2AWGgfx2HiW7FURLV-Wz-hCPIh_UWS1ANASSUDsxNDklsZsf2tqQ_ECy4KdRmA,04c113c247a2233665f58c1f949f25c91f9408b7dc769e69c844e147fabc6cba73be629f2dc4a8c559aeab72ca24fcd5bce221b29ea5cd0a52131f2426625376d7
```
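Since pam_u2f wants all of a user's registrations on one line, here is an added helper (example code, not part of pam_u2f or U2F-Zero) that merges the lines several pamu2fcfg runs append to the file into that format and validates each entry's shape: the key handle must be websafe base64 and the user key a hex-encoded uncompressed P-256 point (`04` followed by 128 lowercase hex digits), which is the two-field `<KeyHandle>,<UserKey>` form shown above. The sample lines and their key material are constructed for the example, and the names `parse_line`, `merge_mappings` and `is_valid_line` are the example's own.

```python
# Added example (not pam_u2f's or U2F-Zero's code): merge several pamu2fcfg output lines
# for one user into the single line pam_u2f expects, validating each entry's shape.
import sys
import re

HANDLE_RE = re.compile(r"^[A-Za-z0-9_-]+$")    # key handle: websafe base64, no padding
PUBKEY_RE = re.compile(r"^04[0-9a-f]{128}$")   # user key: uncompressed P-256 point, 04 || X || Y, hex

def parse_line(line):
    """'user:kh1,pk1:kh2,pk2' -> ('user', [(kh1, pk1), (kh2, pk2)]); ValueError if malformed."""
    user, *entries = line.strip().split(":")
    if not user or not entries:
        raise ValueError(f"no user or no key entry: {line!r}")
    keys = []
    for entry in entries:
        kh, sep, pk = entry.partition(",")
        if not sep or not HANDLE_RE.match(kh) or not PUBKEY_RE.match(pk):
            raise ValueError(f"bad entry for {user}: {entry!r}")
        keys.append((kh, pk))
    return user, keys

def is_valid_line(line):
    try:
        parse_line(line)
        return True
    except ValueError:
        return False

def merge_mappings(lines):
    """Collapse repeated lines for the same user (one per pamu2fcfg run) into one line each."""
    merged = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # skip blanks and comments
        user, keys = parse_line(line)
        bucket = merged.setdefault(user, [])
        for key in keys:
            if key not in bucket:                     # re-registering the same token adds nothing
                bucket.append(key)
    return [user + "".join(f":{kh},{pk}" for kh, pk in keys) for user, keys in merged.items()]

# Constructed sample input: what two pamu2fcfg runs (one per token) would append to the file.
# Key handles and public keys are made up but have the right shape.
SAMPLE = [
    "scateu:AAAAAA,04" + "11" * 64,
    "scateu:BBBBBB,04" + "22" * 64,
    "bob:CCCCCC,04" + "33" * 64,
    "scateu:AAAAAA,04" + "11" * 64,   # same token registered twice
]

if __name__ == "__main__":
    # usage: python3 merge_u2f_mappings.py < /etc/u2f_mappings | sudo tee /etc/u2f_mappings.new
    print("\n".join(merge_mappings(sys.stdin)))
```

Run it over the existing file, inspect the output, and only then move it over /etc/u2f_mappings; a line that fails validation raises rather than being silently dropped, which is the behaviour you want for a file that gates sudo.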
The template can also be remote-controlled: there is a Master/Client pair plus a Token.
To take control you only need to append one GET parameter to the URL:
`?multiplex_secret=12345677898098324`
(obtained from the Token; note that a secret passed as a GET parameter ends up in browser history, server logs and Referer headers, so treat it as low-value.)

```javascript
// detach every listener from each socket.io manager, so this page
// stops reacting to remote-control messages
for (var i in io.managers) {
  io.managers[i].removeAllListeners();
}
```

In my template, appending
`?no_multiplex=true`
to the URL runs this snippet.
For example, this post's forced "not controlled" link