Overview

Key wrapping constructions are a class of Symmetric Key Cryptography encryption algorithms designed to encapsulate (encrypt) cryptographic Keying material.

Key wrapping algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks. The constructions are typically built from standard primitives such as Block Ciphers and Cryptographic Hash Functions.

U2F specification: “U2F tokens might not store Private Key material, and instead might export a wrapped Private Key as part of the key handle” (from the implementation considerations document).
What does exporting a wrapped Private Key mean? Basically this (somewhat simplified):
When a U2F device is registered, an Elliptic Curve key-pair (using the secp256r1 curve, as specified in the U2F standard) is generated on the device itself. The Private Key is then encrypted using a device master secret, forming the key handle, which is then sent together with the Public Key to be stored on the RP (WebAuthn Relying Party) server. To authenticate, the WebAuthn Relying Party sends a challenge together with the key handle, and the U2F device decrypts the wrapped Private Key to be able to produce a valid Digital Signature for the challenge.
Generally, this is a sound approach, and is secure when done correctly. It does have its drawbacks, however. One is that it feels less secure: even though the Private Key is encrypted, it does leave the device. In practice, as long as the encryption used for the Key wrapping is strong, this SHOULD NOT be a problem. Another issue is that it introduces additional complexity to the protocol, as we now have a new cryptographic primitive (encryption) in the flow, with its own possible pitfalls.
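The registration and authentication flow described above, as an added Go example that is not part of the U2F specification or any vendor's firmware. It assumes a simplified key handle construction: the device's 32-byte master secret is used directly as an AES-256-GCM wrapping key, the key handle is nonce || ciphertext || tag, and the SHA-256 of the application ID is passed as associated data so a handle only unwraps for the RP it was issued to (a design choice assumed here, not stated on the page). The tamper and wrong-device checks illustrate why the strength of the wrapping primitive carries the whole scheme: if the authenticated decryption fails, no signature is ever produced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

const scalarLen = 32 // width of a P-256 (secp256r1) private scalar in bytes

// Device models a U2F token. The master secret is the only long-term secret
// it keeps; every per-RP private key is recovered by unwrapping the key
// handle that the RP sends back at authentication time.
type Device struct {
	masterSecret []byte // 32 bytes, used as the AES-256-GCM wrapping key (assumed construction)
}

// NewDevice generates a fresh random master secret (constructed for this example).
func NewDevice() (*Device, error) {
	ms := make([]byte, 32)
	if _, err := rand.Read(ms); err != nil {
		return nil, err
	}
	return &Device{masterSecret: ms}, nil
}

// aead returns the wrapping cipher derived from the master secret.
func (d *Device) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(d.masterSecret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// appParam is SHA-256 of the RP's application ID. Using it as associated
// data binds the key handle to one RP (an assumption of this example).
func appParam(appID string) []byte {
	h := sha256.Sum256([]byte(appID))
	return h[:]
}

// Register creates a P-256 key pair, wraps the private scalar under the master
// secret and returns keyHandle = nonce || ciphertext || tag plus the public key.
// Only the handle and the public key leave the device and go to the RP.
func (d *Device) Register(appID string) (keyHandle []byte, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	aead, err := d.aead()
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	scalar := priv.D.FillBytes(make([]byte, scalarLen)) // fixed-width encoding
	keyHandle = aead.Seal(nonce, nonce, scalar, appParam(appID))
	return keyHandle, &priv.PublicKey, nil
}

// Authenticate unwraps the key handle and signs the challenge. A modified
// handle, a different device or a different appID fails the GCM tag check,
// so the device refuses to sign rather than signing with a wrong key.
func (d *Device) Authenticate(appID string, keyHandle, challenge []byte) ([]byte, error) {
	aead, err := d.aead()
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(keyHandle) < ns+scalarLen+aead.Overhead() {
		return nil, errors.New("key handle too short")
	}
	scalar, err := aead.Open(nil, keyHandle[:ns], keyHandle[ns:], appParam(appID))
	if err != nil {
		return nil, errors.New("key handle does not unwrap for this device and appID")
	}
	priv := &ecdsa.PrivateKey{D: new(big.Int).SetBytes(scalar)}
	priv.Curve = elliptic.P256()
	priv.X, priv.Y = priv.Curve.ScalarBaseMult(scalar) // rebuild the public point
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// RPVerify is the relying party's check against the public key it stored.
func RPVerify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	dev, _ := NewDevice()
	kh, pub, _ := dev.Register("https://example.com")
	challenge := []byte("constructed challenge bytes")
	sig, err := dev.Authenticate("https://example.com", kh, challenge)
	fmt.Println("unwrap+sign ok:", err == nil, "RP verify:", RPVerify(pub, challenge, sig))
	kh[len(kh)-1] ^= 1 // flip one bit of the wrapped key
	_, err = dev.Authenticate("https://example.com", kh, challenge)
	fmt.Println("tampered handle rejected:", err != nil)
}
```

The RP stores only the key handle and the public key; it never learns the master secret, so a database leak at the RP yields wrapped blobs that are useless without the physical token. Real tokens use vendor-specific wrapping (often with a per-device key derived from a hardware secret and a MAC over the handle), but the shape of the flow is the same.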