Merge pull request #2298 from w3c/issue-2285-clarify-prf-hmac-secret

pascoej · web-flow · commit a61ad90d7b22 · 2025-06-18T12:40:49.000-07:00
Generalize PRF extension processing to non-CTAP authenticators
diff --git a/index.bs b/index.bs
@@ -7440,11 +7440,23 @@ This [=client extension|client=] [=registration extension=] and [=authentication
 
 As a motivating example, PRF outputs could be used as symmetric keys to encrypt user data. Such encrypted data would be inaccessible without the ability to get assertions from the associated [=credential=]. By using the provision below to evaluate the PRF at two inputs in a single [=assertion=] operation, the encryption key could be periodically rotated during [=assertions=] by choosing a fresh, random input and reencrypting under the new output. If the evaluation inputs are unpredictable then even an attacker who could satisfy [=user verification=], and who had time-limited access to the authenticator, could not learn the encryption key without also knowing the correct PRF input.
 
-This extension is implemented on top of the [[FIDO-CTAP]] `hmac-secret` extension. It is a separate [=client extension=] because `hmac-secret` requires that inputs and outputs be encrypted in a manner that only the user agent can perform, and to provide separation between uses by WebAuthn and any uses by the underlying platform. This separation is achieved by hashing the provided PRF inputs with a context string to prevent evaluation of the PRFs for arbitrary inputs.
+This extension is modeled on top of the [[FIDO-CTAP]] `hmac-secret` extension, but can also be implemented by other means.
+It is a separate [=client extension=] because `hmac-secret` requires that inputs and outputs be encrypted
+in a manner that only the user agent can perform,
+and to provide separation between uses by WebAuthn and any uses by the underlying platform.
+This separation is achieved by hashing the provided PRF inputs with a context string
+to prevent evaluation of the PRFs for arbitrary inputs.
 
-The `hmac-secret` extension provides two PRFs per credential: one which is used for requests where [=user verification=] is performed and another for all other requests. This extension only exposes a single PRF per credential and, when implementing on top of `hmac-secret`, that PRF MUST be the one used for when [=user verification=] is performed. This overrides the {{UserVerificationRequirement}} if neccessary.
+The `hmac-secret` extension provides two PRFs per credential: one which is used for requests where [=user verification=] is performed and another for all other requests. This extension only exposes a single PRF per credential and, when implementing on top of `hmac-secret`, that PRF MUST be the one used for when [=user verification=] is performed. This overrides the {{UserVerificationRequirement}} if necessary.
+
+This extension MAY be implemented for [=authenticators=] that do not use [[FIDO-CTAP]].
+The interface for this between [=client=] and [=authenticator=],
+and the construction of the PRF by the authenticator, is only abstractly specified.
+
+Note: Implementing on top of `hmac-secret` causes [=authenticator extension outputs=] that are not present otherwise.
+These outputs are encrypted and cannot be used by the [=[RP]=],
+but also cannot be deleted by the client since the [=authenticator data=] is signed.
 
-Note: This extension may be implemented for [=authenticators=] that do not use [[FIDO-CTAP]] so long as the behavior observed by a [=[RP]=] is identical.
 
 : Extension identifier
 :: `prf`
@@ -7491,12 +7503,25 @@ Note: This extension may be implemented for [=authenticators=] that do not use [
 : Client extension processing ([=registration extension|registration=])
 ::
        1. If {{AuthenticationExtensionsPRFInputs/evalByCredential}} is present, return a {{DOMException}} whose name is “{{NotSupportedError}}”.
-       1. Set `hmac-secret` to [TRUE] in the authenticator extensions input.
-       1. If {{AuthenticationExtensionsPRFInputs/eval}} is present and a future extension to [[FIDO-CTAP]] permits evaluation of the PRF at creation time, configure `hmac-secret` inputs accordingly:
-           * Let `salt1` be the value of <code>SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || {{AuthenticationExtensionsPRFInputs/eval}}.{{AuthenticationExtensionsPRFValues/first}})</code>.
-           * If <code>{{AuthenticationExtensionsPRFInputs/eval}}.{{AuthenticationExtensionsPRFValues/second}}</code> is present, let `salt2` be the value of <code>SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || {{AuthenticationExtensionsPRFInputs/eval}}.{{AuthenticationExtensionsPRFValues/second}})</code>.
-       1. Set {{AuthenticationExtensionsPRFOutputs/enabled}} to the value of `hmac-secret` in the authenticator extensions output. If not present, set {{AuthenticationExtensionsPRFOutputs/enabled}} to [FALSE].
-       1. Set {{AuthenticationExtensionsPRFOutputs/results}} to the decrypted PRF result(s), if any.
+       1. If {{AuthenticationExtensionsPRFInputs/eval}} is present:
+            - Let |salt1| be the value of <code>SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || {{AuthenticationExtensionsPRFInputs/eval}}.{{AuthenticationExtensionsPRFValues/first}})</code>.
+            - If <code>{{AuthenticationExtensionsPRFInputs/eval}}.{{AuthenticationExtensionsPRFValues/second}}</code> is present,
+                let |salt2| be the value of <code>SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || {{AuthenticationExtensionsPRFInputs/eval}}.{{AuthenticationExtensionsPRFValues/second}})</code>.
+
+       1. If the authenticator supports the CTAP2 `hmac-secret` extension [[FIDO-CTAP]]:
+          1. Set `hmac-secret` to [TRUE] in the authenticator extensions input.
+          1. If |salt1| is defined and a future extension to [[FIDO-CTAP]] permits evaluation of the PRF at creation time,
+              configure `hmac-secret` inputs accordingly using the values of |salt1| and, if defined, |salt2|.
+          1. Set {{AuthenticationExtensionsPRFOutputs/enabled}} to the value of `hmac-secret` in the authenticator extensions output. If not present, set {{AuthenticationExtensionsPRFOutputs/enabled}} to [FALSE].
+          1. Set {{AuthenticationExtensionsPRFOutputs/results}} to the decrypted PRF result(s), if any.
+
+       1. If the authenticator does not support the CTAP2 `hmac-secret` extension [[FIDO-CTAP]],
+            but does support some other implementation compatible with the abstract authenticator processing defined below:
+          1. Set {{AuthenticationExtensionsPRFOutputs/enabled}} to [TRUE].
+          1. If |salt1| is defined, use some unspecified mechanism to convey |salt1| and,
+              if defined, |salt2| to the authenticator as PRF inputs, in that order.
+          1. Use some unspecified mechanism to receive the PRF outputs from the authenticator.
+              Set <code>{{AuthenticationExtensionsPRFOutputs/results}}</code> to the evaluation results, if any.
 
 : Client extension processing ([=authentication extension|authentication=])
 ::
@@ -7507,13 +7532,46 @@ Note: This extension may be implemented for [=authenticators=] that do not use [
           1. If {{AuthenticationExtensionsPRFInputs/evalByCredential}} is present and [=map/exists|contains=] an [=map/entry=] whose [=map/key=] is the [=base64url encoding=] of the [=credential ID=] that will be returned, let |ev| be the [=map/value=] of that entry.
           1. If |ev| is null and {{AuthenticationExtensionsPRFInputs/eval}} is present, then let |ev| be the value of {{AuthenticationExtensionsPRFInputs/eval}}.
       1. If |ev| is not null:
-          1. Let `salt1` be the value of <code>SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || |ev|.{{AuthenticationExtensionsPRFValues/first}})</code>.
-          1. If <code>|ev|.{{AuthenticationExtensionsPRFValues/second}}</code> is present, let `salt2` be the value of <code>SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || |ev|.{{AuthenticationExtensionsPRFValues/second}})</code>.
-          1. Send an `hmac-secret` extension to the [=authenticator=] using the values of `salt1` and, if set, `salt2` as the parameters of the same name in that process.
-          1. Decrypt the extension result and set {{AuthenticationExtensionsPRFOutputs/results}} to the PRF result(s), if any.
+          1. Let |salt1| be the value of <code>SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || |ev|.{{AuthenticationExtensionsPRFValues/first}})</code>.
+          1. If <code>|ev|.{{AuthenticationExtensionsPRFValues/second}}</code> is present, let |salt2| be the value of <code>SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || |ev|.{{AuthenticationExtensionsPRFValues/second}})</code>.
+          1. If the authenticator supports the CTAP2 `hmac-secret` extension [[FIDO-CTAP]]:
+              1. Send an `hmac-secret` extension to the [=authenticator=] using the values of |salt1| and, if set, |salt2| as the parameters of the same name in that process.
+              1. Decrypt the extension result and set {{AuthenticationExtensionsPRFOutputs/results}} to the PRF result(s), if any.
+          1. If the authenticator does not support the CTAP2 `hmac-secret` extension [[FIDO-CTAP]],
+              but does support some other implementation compatible with the abstract authenticator processing defined below:
+              1. Use some unspecified mechanism to convey |salt1| and, if defined, |salt2| to the authenticator as PRF inputs, in that order.
+              1. Use some unspecified mechanism to receive the PRF outputs from the authenticator as an {{AuthenticationExtensionsPRFValues}} value |results|.
+                  Set <code>{{AuthenticationExtensionsPRFOutputs/results}}</code> to |results|.
+
+: Authenticator extension input / output
+:: [=prf|This extension=] is abstract over the authenticator implementation,
+    using either the [[FIDO-CTAP]] `hmac-secret` extension or an unspecified interface for communication between the client and authenticator.
+    It thus does not specify a CBOR interface for inputs and outputs.
+
+: Authenticator extension processing
+:: [=Authenticators=] that support the [[FIDO-CTAP]] `hmac-secret` extension implement authenticator processing as defined in that extension.
+
+    [=Authenticators=] that do not support the [[FIDO-CTAP]] `hmac-secret` extension
+    MAY instead implement the following abstract procedure:
+
+    1. Let |PRF| be the pseudo-random function associated with the current [=credential=],
+        or initialize the association if uninitialized:
+
+        Let |PRF| be a pseudo-random function whose outputs are exactly 32 bytes long,
+        selected uniformly at random from a set of at least 2<sup>256</sup> such functions.
+        The choice of |PRF| MUST be independent of the state of [=user verification=].
+        The selected |PRF| SHOULD NOT be used for other purposes than implementing this extension.
+        Associate |PRF| with the current [=credential=] for the lifetime of the credential.
+
+    1. Use some unspecified mechanism to receive PRF inputs |salt1| and, optionally, |salt2| from the [=client=], in that order.
+        If none are received, let |salt1| and |salt2| be undefined.
 
-: Authenticator extension input / processing / output
-:: [=prf|This extension=] uses the [[FIDO-CTAP]] `hmac-secret` extension when communicating with the authenticator. It thus does not specify any direct authenticator interaction for [=[RPS]=].
+    1. If |salt1| is defined:
+        1. Let |results| be an {{AuthenticationExtensionsPRFValues}} structure containing the evaluations of |PRF| at the given inputs:
+            - Set <code>|results|.{{AuthenticationExtensionsPRFValues/first}}</code> to <code>PRF(|salt1|)</code>.
+            - If |salt2| is defined,
+                set <code>|results|.{{AuthenticationExtensionsPRFValues/second}}</code> to <code>PRF(|salt2|)</code>.
+        1. Use some unspecified mechanism to convey |results| to the [=client=] as the PRF outputs.
 
 : Client extension output
 :: <xmp class="idl">
