Page 1: FIDO Specifications Overview

#FIDOseminar

FIDO SPECIFICATIONS TUTORIAL

Rolf Lindemann, Nok Nok Labs
3 October 2016

All Rights Reserved. FIDO Alliance. Copyright 2016.

Page 2: FIDO Specifications Overview

How Secure is Authentication?

Page 3: FIDO Specifications Overview

Cloud Authentication

(Diagram labels: Device, Internet, Something Authentication, Risk Analytics)

Page 4: FIDO Specifications Overview

Password Issues

(Diagram labels: Device, Internet, Something Authentication)

1. Password could be stolen from the server
2. Password might be entered into untrusted App / Web-site (“phishing”)
3. Too many passwords to remember (> re-use / cart abandonment)
4. Inconvenient to type password on phone

Page 5: FIDO Specifications Overview

Classifying Threats

1. Remotely attacking central servers: steal data for impersonation
2. Remotely attacking lots of user devices: steal data for impersonation
3. Remotely attacking lots of user devices: misuse them for impersonation
4. Remotely attacking lots of user devices: misuse authenticated sessions
5. Physically attacking user devices: steal data for impersonation
6. Physically attacking user devices: misuse them for impersonation

Threats 1 to 4: scalable attacks.
Threats 5 and 6: physical attacks, possible on lost or stolen devices (3% in the US in 2013).

Page 6: FIDO Specifications Overview

How does FIDO work?

(Diagram labels: Device, User verification, FIDO Authentication, Authenticator)

Page 7: FIDO Specifications Overview

How does FIDO work?

(Diagram labels: Authenticator, User verification, FIDO Authentication, Challenge, (Signed) Response, Private key dedicated to one app, Public key)

Require user gesture before private key can be used.

Page 8: FIDO Specifications Overview

How does FIDO work?

(Diagram labels: Authenticator, User verification, FIDO Authentication; authenticator implementation variants …, SE)

Page 9: FIDO Specifications Overview

How does FIDO work?

(Diagram labels: Authenticator, User verification, FIDO Authentication)

• Same Authenticator as registered before?
• Same User as enrolled before?

Can recognize the user (i.e. user verification), but doesn’t know its identity attributes.

Page 10: FIDO Specifications Overview

How does FIDO work?

(Diagram labels: Authenticator, User verification, FIDO Authentication)

• Same Authenticator as registered before?
• Same User as enrolled before?

Can recognize the user (i.e. user verification), but doesn’t know its identity attributes.

Identity binding to be done outside FIDO: This is “John Doe with customer ID X”.

Page 11: FIDO Specifications Overview

How does FIDO work?

(Diagram labels: Authenticator, User verification, FIDO Authentication; authenticator implementation variants …, SE)

• How is the key protected (TPM, SE, TEE, …)?
• Which user verification method is used?

Page 12: FIDO Specifications Overview

Attestation & Metadata

(Diagram labels: Authenticator, FIDO Registration, Signed Attestation Object, Metadata, Private attestation key)

• Verify using trust anchor included in Metadata
• Understand Authenticator security characteristics by looking into Metadata from mds.fidoalliance.org (or other sources)

Page 13: FIDO Specifications Overview

FIDO Authenticator Concept

FIDO Authenticator
• User Verification / Presence
• Attestation Key: injected at manufacturing, doesn’t change
• Authentication Key(s): generated at runtime (on Registration)

Optional Components
• Transaction Confirmation Display

Page 14: FIDO Specifications Overview

Trusted Execution Environment (TEE)

FIDO Authenticator as Trusted Application (TA)
• User Verification / Presence
• Attestation Key
• Authentication Key(s)

Client Side Biometrics: store at Enrollment, compare at Authentication, unlock after comparison

Page 15: FIDO Specifications Overview

Passwordless Experience (UAF Standards)
1. Authentication Challenge
2. Biometric User Verification*
3. Authenticated Online

Second Factor Experience (U2F Standards)
1. Second Factor Challenge
2. Insert Dongle* / Press Button
3. Authenticated Online

*There are other types of authenticators

Page 16: FIDO Specifications Overview

FIDO Registration

Participants: Relying Party (example.com), Platform, Authenticator

1. Relying Party → Platform: accountInfo (ai), challenge, [cOpts]
   (cOpts: crypto params, credential black list, extensions)
2. Platform: select Authenticator according to cOpts; determine rpId, get tlsData; clientData := {challenge, origin, rpId, hAlg, tlsData}
3. Platform → Authenticator: rpId, ai, hash(clientData) (= cdh), cryptoP, [exts]
4. Authenticator: verify user; generate key pair (kpub, kpriv); credential c
5. Authenticator → Platform: c, kpub, clientData, ac, cdh, rpId, cntr, AAGUID [,exts], signature(tbs)
   (ac: attestation certificate chain; s = signature(tbs))
6. Platform → Relying Party: c, kpub, clientData, ac, tbs, s
7. Relying Party: store key kpub

Page 17: FIDO Specifications Overview

FIDO Authentication

Participants: Authenticator, Platform, Relying Party

1. Relying Party → Platform: challenge, [aOpts]
2. Platform: select Authenticator according to policy; check rpId, get tlsData (i.e. channel id, etc.); lookup key handle h; clientData := {challenge, rpId, tlsData}
3. Platform → Authenticator: rpId, [c,] hash(clientData) (= cdh)
4. Authenticator: verify user; find key kpriv; cntr++; process exts
5. Authenticator → Platform: clientData, cntr, [exts], signature(cdh, cntr, exts)
6. Platform → Relying Party: clientData, cntr, exts, s
7. Relying Party: lookup kpub from DB; check policy + signature using key kpub

Page 18: FIDO Specifications Overview

Terminology

• Instead of rpId you will find AppID in some specs
• Instead of accountInfo (ai) you will find username in some specs
• Instead of cOpts.webauthn_authnSel you will find policy in some specs
• Instead of AAGUID you will find AAID in some specs
• Instead of clientData you will find FinalChallengeParam in some specs
• Instead of clientDataHash (cdh) you will find fc in some specs
• Instead of credential you will find key handle (h) in some specs

Page 19: FIDO Specifications Overview

Comments

• External 2nd Factor Authenticators
  • The key handle (aka credential) is known by the relying party server before authentication.
  • It can be provided to the authenticator
  • It can contain the wrapped private key to allow authenticator implementations without persistent writeable storage
• First factor authenticators
  • The key handle (aka credential) is not known by the relying party server before authentication.
  • The authenticator has to store the key material itself (or securely offload its storage to the platform it is bound to) – no key handle needs to be provided

Page 20: FIDO Specifications Overview

Convenience & Security

(Chart: Security vs Convenience; points plotted: Password, Password + OTP)

Page 21: FIDO Specifications Overview

Convenience & Security

(Chart: Security vs Convenience; points plotted: Password, Password + OTP, FIDO)

In FIDO:
• Same user verification method for all servers
• Arbitrary user verification methods are supported (+ they are interoperable)

Page 22: FIDO Specifications Overview

Convenience & Security

(Chart: Security vs Convenience; points plotted: Password, Password + OTP, FIDO)

In FIDO: Scalable security depending on Authenticator implementation

In FIDO:
• Only public keys on server
• Not phishable

Page 23: FIDO Specifications Overview

Conclusion

• Different authentication use-cases lead to different authentication requirements
• FIDO separates user verification from authentication and hence supports all user verification methods
• FIDO supports scalable convenience & security
• User verification data is known to Authenticator only
• FIDO complements federation

Page 24: FIDO Specifications Overview

What about rubber fingers?

Protection methods in FIDO
1. The attacker needs access to the Authenticator and must swipe the rubber finger on it. This makes it a non-scalable attack.
2. Authenticators might implement presentation attack detection methods.

Remember: Creating hundreds of millions of rubber fingers + stealing the related authenticators is expensive. Stealing hundreds of millions of passwords from a server has low cost per password.

Page 25: FIDO Specifications Overview

But I can’t revoke my finger…

• Protection methods in FIDO: You don’t need to revoke your finger, you can simply de-register the old (= attacked) authenticator. Then,
1. Get a new authenticator
2. Enroll your finger (or iris, …) to it
3. Register the new authenticator to the service