FIDO Technical Specifications Overview
2 likes•715 views
The document discusses technical specifications for device authentication provided by FIDO. It describes issues with traditional password authentication and how FIDO addresses these through standards that separate user verification from authentication. FIDO uses public key cryptography and relies on authenticators that can be integrated into devices to enable strong, passwordless authentication across multiple websites and applications.
![All Rights Reserved | FIDO Alliance | Copyright 201717
FIDO REGISTRATION
accountInfo, challenge, [cOpts]
rpId, ai, hash(clientData), cryptoP, [exts]
verify user
generate:
key kpub
key kpriv
credential c
c,kpub,clientData,ac,cdh,rpId,cntr,AAGUID[,exts],
signature(tbs)
c,kpub,clientData,ac,tbs, s
store:
key kpub
c
s
Authenticator
select Authenticator according to cOpts;
determine rpId, get tlsData;
clientData := {challenge, origin, rpId, hAlg, tlsData}
cOpts: crypto params, credential black list,
extensions
cdh
ai
tbs
ac: attestation certificate chain](https://image.slidesharecdn.com/fidotechnicalspecificationsoverviewsept2017-171005170823/85/FIDO-Technical-Specifications-Overview-17-320.jpg)
![All Rights Reserved | FIDO Alliance | Copyright 201718
FIDO AUTHENTICATION
Authenticator Relying Party
rpId, [c,] hash(clientData)
select Authenticator according to policy;
check rpId, get tlsData (i.e. channel id, etc.);
lookup key handle h;
clientData := {challenge, rpId, tlsData}
clientData,cntr,[exts],signature(cdh,cntr,exts)
clientData, cntr, exts, s
lookup kpub
from DB
check:
exts +
signature
using
key kpub
s
cdh
challenge, [aOpts]
verify user
find
key kpriv
cntr++;
process exts](https://image.slidesharecdn.com/fidotechnicalspecificationsoverviewsept2017-171005170823/85/FIDO-Technical-Specifications-Overview-18-320.jpg)
![All Rights Reserved | FIDO Alliance | Copyright 201722
RELYING PARTY APPLICATION
Browser “Application”:
A normal website - HTML, CSS,
JavaScript
Website, Inc. [US] https://www.acme.com
acme.com X](https://image.slidesharecdn.com/fidotechnicalspecificationsoverviewsept2017-171005170823/85/FIDO-Technical-Specifications-Overview-22-320.jpg)
![All Rights Reserved | FIDO Alliance | Copyright 201724
WEBAUTHN APIs: Create
User Device
Browser
Authenticator
Platform
RP AppWeb
Authentication
JS API
publicKeyCred = {
challenge, rp: {name=“Acme”},
user: { name=“john.smith@example.com”,
displayName = “John’s personal account”,
id: “1098237235409872”,
icon: "https://pics.acme.com/00/apqPb.png"
},
parameters: [ {
type: "public-key", algorithm: "ES256" }],
}
navigator.credentials.create( {publicKeyCred})
.then(function (newCredInfo) {
// Send new credential info to server for checking
// contains AuthenticatorAttestationResponse
})
);
John](https://image.slidesharecdn.com/fidotechnicalspecificationsoverviewsept2017-171005170823/85/FIDO-Technical-Specifications-Overview-24-320.jpg)
![All Rights Reserved | FIDO Alliance | Copyright 201725
WEBAUTHN APIs: Get
User Device
Browser
Authenticator
Platform
RP AppWeb
Authentication
JS API
var options = {
challenge: ValueFromServer,
timeout: 60000, // 1 minute
allowList: [{ type: "public-key" }]
};
navigator.credentials.get({ "publicKey": options })
.then(function (assertion) {
// Send assertion to server for verification
})
John](https://image.slidesharecdn.com/fidotechnicalspecificationsoverviewsept2017-171005170823/85/FIDO-Technical-Specifications-Overview-25-320.jpg)
FIDO Technical Specifications Overview
- 1. 1 TECHNICAL SPECIFICATIONS OVERVIEW REVISED SEPTEMBER 22ND 2017 All Rights Reserved | FIDO Alliance | Copyright 2017
- 2. All Rights Reserved | FIDO Alliance | Copyright 20172 HOW SECURE IS AUTHENTICATION?
- 3. All Rights Reserved | FIDO Alliance | Copyright 20173 CLOUD AUTHENTICATION DeviceSomething Authentication Risk Analytics Internet
- 4. All Rights Reserved | FIDO Alliance | Copyright 20174 PASSWORD ISSUES DeviceSomething Authentication Internet Password could be stolen from the server 1Password might be entered into untrusted App / Web- site (“phishing”) 2 Too many passwords to remember (>re-use / cart Abandonment) 3 Inconvenient to type password on phone 4
- 5. All Rights Reserved | FIDO Alliance | Copyright 20175 CLASSIFYING THREATS Attacks not focused on the client system, e.g. steal data from servers for impersonation, phishing pwds, or MITM attacks Remotely attacking lots of user devices steal data for impersonation Remotely attacking lots of user devices misuse them for impersonation Remotely attacking lots of user devices misuse authenticated sessions Physically attacking user devices steal data for impersonation Physically attacking user devices misuse them for impersonation 1 2 3 4 5 6 Physical attacks possible on lost or stolen devices (3% in the US in 2013) Scalable attacks
- 6. All Rights Reserved | FIDO Alliance | Copyright 20176 HOW DOES FIDO WORK?
- 7. All Rights Reserved | FIDO Alliance | Copyright 20177 HOW DOES FIDO WORK? DeviceUser verification FIDO Authentication Authenticator
- 8. All Rights Reserved | FIDO Alliance | Copyright 20178 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Require user gesture before private key can be used Challenge (Signed) Response Private key dedicated to one app Public key
- 9. All Rights Reserved | FIDO Alliance | Copyright 20179 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication … …SE
- 10. All Rights Reserved | FIDO Alliance | Copyright 201710 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Can recognize the user (i.e. user verification), but doesn’t know its identity attributes.
- 11. All Rights Reserved | FIDO Alliance | Copyright 201711 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Can recognize the user (i.e. user verification), but doesn’t know its identity attributes. Identity binding to be done outside FIDO: This this “John Doe with customer ID X”.
- 12. All Rights Reserved | FIDO Alliance | Copyright 201712 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication … …SE How is the key protected (TPM, SE, TEE, …)? Which user verification method is used?
- 13. All Rights Reserved | FIDO Alliance | Copyright 201713 ATTESTATION + METADATA Private attestation key Signed Attestation Object Metadata Understand Authenticator security characteristic by looking into Metadata from mds.fidoalliance.org FIDO Registration Verify using trust anchor included in Metadata
- 14. All Rights Reserved | FIDO Alliance | Copyright 201714 FIDO AUTHENTICATOR CONCEPT FIDO Authenticator User Verification / Presence Attestation Key Authentication Key(s) Injected at manufacturing, doesn’t change Generated at runtime (on Registration) Optional Components Transaction Confirmation Display
- 15. All Rights Reserved | FIDO Alliance | Copyright 201715 CLIENT SIDE BIOMETRICS Trusted Execution Environment (TEE) FIDO Authenticator as Trusted Application (TA) User Verification / Presence Attestation Key Authentication Key(s) Store at Enrollment Compare at Authentication Unlock after comparison
- 16. All Rights Reserved | FIDO Alliance | Copyright 201716 FIDO USE CASES Passwordless Experience (UAF Standards) Authenticated Online 3 Biometric User Verification* 21 ? Authentication Challenge Authenticated Online 3 Second Factor Challenge Insert Dongle* / Press Button Second Factor Experience (U2F Standards) *There are other types of authenticators 21
- 17. All Rights Reserved | FIDO Alliance | Copyright 201717 FIDO REGISTRATION accountInfo, challenge, [cOpts] rpId, ai, hash(clientData), cryptoP, [exts] verify user generate: key kpub key kpriv credential c c,kpub,clientData,ac,cdh,rpId,cntr,AAGUID[,exts], signature(tbs) c,kpub,clientData,ac,tbs, s store: key kpub c s Authenticator select Authenticator according to cOpts; determine rpId, get tlsData; clientData := {challenge, origin, rpId, hAlg, tlsData} cOpts: crypto params, credential black list, extensions cdh ai tbs ac: attestation certificate chain
- 18. All Rights Reserved | FIDO Alliance | Copyright 201718 FIDO AUTHENTICATION Authenticator Relying Party rpId, [c,] hash(clientData) select Authenticator according to policy; check rpId, get tlsData (i.e. channel id, etc.); lookup key handle h; clientData := {challenge, rpId, tlsData} clientData,cntr,[exts],signature(cdh,cntr,exts) clientData, cntr, exts, s lookup kpub from DB check: exts + signature using key kpub s cdh challenge, [aOpts] verify user find key kpriv cntr++; process exts
- 19. All Rights Reserved | FIDO Alliance | Copyright 201719 FIDO BUILDING BLOCKS (External) Authenticator FIDO USER DEVICE FIDO Client (Bound) Authenticator ASM RP App FIDO Authentication RP App Server FIDO Server Metadata
- 20. All Rights Reserved | FIDO Alliance | Copyright 201720 THE ROAD AHEAD FIDO 2 PROJECT: WEBAUTHN AND CTAP
- 21. All Rights Reserved | FIDO Alliance | Copyright 201721 WEB AUTHENTICATION Supported In: A new JavaScript API that enables FIDO Authentication in web browsers
- 22. All Rights Reserved | FIDO Alliance | Copyright 201722 RELYING PARTY APPLICATION Browser “Application”: A normal website - HTML, CSS, JavaScript Website, Inc. [US] https://www.acme.com acme.com X
- 23. All Rights Reserved | FIDO Alliance | Copyright 201723 FIDO BUILDING BLOCKS (Roaming) Authenticator User Device Browser (Bound) Authenticator Platform RP App FIDO Authentication RP App Server FIDO Server Metadata Web Authentication JS API CTAP
- 24. All Rights Reserved | FIDO Alliance | Copyright 201724 WEBAUTHN APIs: Create User Device Browser Authenticator Platform RP AppWeb Authentication JS API publicKeyCred = { challenge, rp: {name=“Acme”}, user: { name=“[email protected]”, displayName = “John’s personal account”, id: “1098237235409872”, icon: "https://pics.acme.com/00/apqPb.png" }, parameters: [ { type: "public-key", algorithm: "ES256" }], } navigator.credentials.create( {publicKeyCred}) .then(function (newCredInfo) { // Send new credential info to server for checking // contains AuthenticatorAttestationResponse }) ); John
- 25. All Rights Reserved | FIDO Alliance | Copyright 201725 WEBAUTHN APIs: Get User Device Browser Authenticator Platform RP AppWeb Authentication JS API var options = { challenge: ValueFromServer, timeout: 60000, // 1 minute allowList: [{ type: "public-key" }] }; navigator.credentials.get({ "publicKey": options }) .then(function (assertion) { // Send assertion to server for verification }) John
- 26. All Rights Reserved | FIDO Alliance | Copyright 201726 FIDO BUILDING BLOCKS (External) Authenticator User Device Browser (Bound) Authenticator Platform RP AppWeb Authentication JS API authenticaorGetInfo() authenticatorMakeCredential() authenticatorGetAssertion() authenticatorClientPIN() authenticatorCancel() Platform specific interface FIDO CTAP interface
- 27. All Rights Reserved | FIDO Alliance | Copyright 201727 FIDO AUTHENTICATION: SECURITY & CONVENIENCE
- 28. All Rights Reserved | FIDO Alliance | Copyright 201728 CONVENIENCE & SECURITY Security Convenience Password + OTP Password
- 29. All Rights Reserved | FIDO Alliance | Copyright 201729 CONVENIENCE & SECURITY Security Convenience Password + OTP Password FIDO In FIDO • Same user verification method for all servers In FIDO: Arbitrary user verification methods are supported (+ they are interoperable)
- 30. All Rights Reserved | FIDO Alliance | Copyright 201730 CONVENIENCE & SECURITY Security Convenience Password + OTP Password FIDO In FIDO: Scalable security depending on Authenticator implementation In FIDO: • Only public keys on server • Not phishable
- 31. All Rights Reserved | FIDO Alliance | Copyright 201731 CONCLUSION • Different authentication use-cases lead to different authentication requirements • FIDO separates user verification from authentication and hence supports all user verification methods • FIDO supports scalable convenience & security • User verification data is known to Authenticator only • FIDO complements federation
- 32. All Rights Reserved | FIDO Alliance | Copyright 201732
- 33. All Rights Reserved | FIDO Alliance | Copyright 201733 Please Silence All Electronic Devices