#FIDOseminar
FIDO SPECIFICATIONS TUTORIAL
Rolf Lindemann, Nok Nok Labs, 3 October 2016
All Rights Reserved. FIDO Alliance. Copyright 2016.
How Secure is Authentication?
Cloud Authentication
[Diagram: Device, "Something", Authentication and Risk Analytics, connected over the Internet]
Password Issues
[Diagram: Device, "Something", Authentication, connected over the Internet]
1. Password could be stolen from the server
2. Password might be entered into an untrusted App / Web-site ("phishing")
3. Too many passwords to remember (> re-use / cart abandonment)
4. Inconvenient to type a password on a phone
Classifying Threats
1. Remotely attacking central servers: steal data for impersonation
2. Remotely attacking lots of user devices: steal data for impersonation
3. Remotely attacking lots of user devices: misuse them for impersonation
4. Remotely attacking lots of user devices: misuse authenticated sessions
5. Physically attacking user devices: steal data for impersonation
6. Physically attacking user devices: misuse them for impersonation
Threats 1 to 4 are scalable attacks. Threats 5 and 6 are physical attacks, possible on lost or stolen devices (3% in the US in 2013).
How does FIDO work?
[Diagram: Device with an Authenticator; User verification happens on the device, FIDO Authentication runs towards the server]
• Require a user gesture before the private key can be used.
• Challenge / (Signed) Response: the private key is dedicated to one app; the server holds only the public key.
[Diagram: different Authenticator implementations, including one backed by an SE]
• The server learns: Same Authenticator as registered before? Same User as enrolled before?
• FIDO can recognize the user (i.e. user verification), but doesn't know its identity attributes.
• Identity binding is done outside FIDO: this is "John Doe with customer ID X".
• Questions for the relying party: How is the key protected (TPM, SE, TEE, …)? Which user verification method is used?
Attestation & Metadata
[Diagram: Authenticator holding a private attestation key, FIDO Registration, Signed Attestation Object, Metadata on the relying-party side]
• Verify the attestation using the trust anchor included in the Metadata.
• Understand the Authenticator's security characteristics by looking into the Metadata from mds.fidoalliance.org (or other sources).
FIDO Authenticator Concept
• User Verification / Presence
• Attestation Key: injected at manufacturing, doesn't change
• Authentication Key(s): generated at runtime (on Registration)
• Optional components: Transaction Confirmation Display
Trusted Execution Environment (TEE)
• FIDO Authenticator as Trusted Application (TA), holding User Verification / Presence, the Attestation Key and the Authentication Key(s)
Client Side Biometrics
• Store at Enrollment
• Compare at Authentication
• Unlock after comparison
Passwordless Experience (UAF Standards)
Authentication Challenge → Biometric User Verification* → Authenticated Online
Second Factor Experience (U2F Standards)
Second Factor Challenge → Insert Dongle* / Press Button → Authenticated Online
*There are other types of authenticators
All Rights Reserved | FIDO Alliance | Copyright 2016.
FIDO Registration (Authenticator, Platform, Relying Party example.com)
1. Relying Party → Platform: accountInfo (ai), challenge, [cOpts]. cOpts carries the crypto params, the credential black list and extensions.
2. Platform: select an Authenticator according to cOpts; determine rpId, get tlsData; clientData := {challenge, origin, rpId, hAlg, tlsData}.
3. Platform → Authenticator: rpId, ai, hash(clientData) (= cdh), cryptoP, [exts].
4. Authenticator: verify user; generate key pair (key kpub, key kpriv); create credential c.
5. Authenticator → Platform: c, kpub, ac (the attestation certificate chain), cdh, rpId, cntr, AAGUID [, exts], signature(tbs) (= s), where tbs labels the to-be-signed fields in the diagram.
6. Platform → Relying Party: c, kpub, clientData, ac, tbs, s.
7. Relying Party: store key kpub.

FIDO Authentication (Authenticator, Platform, Relying Party)
1. Relying Party → Platform: challenge, [aOpts].
2. Platform: select an Authenticator according to policy; check rpId, get tlsData (i.e. channel id, etc.); look up key handle h; clientData := {challenge, rpId, tlsData}.
3. Platform → Authenticator: rpId, [c,] hash(clientData) (= cdh).
4. Authenticator: verify user; find key kpriv; cntr++; process exts.
5. Authenticator → Platform: cntr, [exts], signature(cdh, cntr, exts) (= s).
6. Platform → Relying Party: clientData, cntr, exts, s.
7. Relying Party: look up kpub from the DB; check policy and the signature using key kpub.
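The authentication exchange above, as an added Go example that is not from the slides or from any FIDO implementation: P-256 ECDSA stands in for the authenticator's signature scheme, clientData is a constructed JSON object carrying challenge, origin and rpId, the to-be-signed data is reduced to hash(clientData) plus cntr (extensions and attestation are left out), and the relying-party check covers the challenge binding, the signature under kpub and the counter increment.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)
type Authenticator struct { // device side: kpriv is dedicated to one relying party, cntr is the signature counter
	Priv *ecdsa.PrivateKey
	Cntr uint32
}
type Credential struct { // relying-party side: only kpub and the last seen cntr, no secret on the server
	Pub  *ecdsa.PublicKey
	Cntr uint32
}
// Register models the registration slide's key generation: kpriv stays on the device, the RP stores kpub.
func Register() (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{Priv: priv}, &Credential{Pub: &priv.PublicKey}, nil
}
func tbsHash(clientData []byte, cntr uint32) []byte { // both sides sign/verify SHA-256(cdh || cntr); exts omitted
	cdh := sha256.Sum256(clientData) // cdh = hash(clientData), as the platform hands it to the authenticator
	h := sha256.Sum256(binary.BigEndian.AppendUint32(cdh[:], cntr))
	return h[:]
}
func (a *Authenticator) Authenticate(clientData []byte) (uint32, []byte, error) {
	a.Cntr++ // after user verification (not modelled here): cntr++, then sign with kpriv
	sig, err := ecdsa.SignASN1(rand.Reader, a.Priv, tbsHash(clientData, a.Cntr))
	return a.Cntr, sig, err
}
// Verify is the RP's "check: policy + signature using key kpub", plus a counter check against replay/cloning.
func (cr *Credential) Verify(challenge, rpId string, clientData []byte, cntr uint32, sig []byte) error {
	var cd struct{ Challenge, Origin, RpId string } // clientData := {challenge, origin, rpId, ...}
	switch {
	case json.Unmarshal(clientData, &cd) != nil || cd.Challenge != challenge || cd.RpId != rpId:
		return errors.New("clientData does not carry the issued challenge and rpId")
	case cntr <= cr.Cntr:
		return errors.New("counter did not increase: replay or cloned authenticator")
	case !ecdsa.VerifyASN1(cr.Pub, tbsHash(clientData, cntr), sig):
		return errors.New("signature does not verify under kpub")
	}
	cr.Cntr = cntr
	return nil
}
```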
Terminology
• Instead of rpId you will find AppID in some specs
• Instead of accountInfo (ai) you will find username in some specs
• Instead of cOpts.webauthn_authnSel you will find policy in some specs
• Instead of AAGUID you will find AAID in some specs
• Instead of clientData you will find FinalChallengeParam in some specs
• Instead of clientDataHash (cdh) you will find fc in some specs
• Instead of credential you will find key handle (h) in some specs
Comments
• External 2nd Factor Authenticators
  • The key handle (aka credential) is known by the relying party server before authentication.
  • It can be provided to the authenticator.
  • It can contain the wrapped private key to allow authenticator implementations without persistent writeable storage.
• First factor authenticators
  • The key handle (aka credential) is not known by the relying party server before authentication.
  • The authenticator has to store the key material itself (or securely offload its storage to the platform it is bound to); no key handle needs to be provided.
Convenience & Security
[Diagram: Security versus Convenience, plotting Password, Password + OTP and FIDO]
In FIDO:
• Same user verification method for all servers
• Arbitrary user verification methods are supported (and they are interoperable)
• Scalable security depending on Authenticator implementation
• Only public keys on the server
• Not phishable
Conclusion
• Different authentication use-cases lead to different authentication requirements
• FIDO separates user verification from authentication and hence supports all user verification methods
• FIDO supports scalable convenience & security
• User verification data is known to the Authenticator only
• FIDO complements federation
What about rubber fingers?
Protection methods in FIDO:
1. The attacker needs access to the Authenticator and has to swipe the rubber finger on it. This makes it a non-scalable attack.
2. Authenticators might implement presentation attack detection methods.
Remember: Creating hundreds of millions of rubber fingers + stealing the related authenticators is expensive. Stealing hundreds of millions of passwords from a server has a low cost per password.
But I can't revoke my finger…
Protection methods in FIDO: You don't need to revoke your finger, you can simply de-register the old (= attacked) authenticator. Then,
1. Get a new authenticator
2. Enroll your finger (or iris, …) to it
3. Register the new authenticator to the service