#2 - U2F Case Study
Transcript of #2 - U2F Case Study
![Page 1: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/1.jpg)
![Page 2: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/2.jpg)
U2F Case Study: Examining the U2F paradox
![Page 3: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/3.jpg)
What is Universal 2nd Factor (U2F)?
![Page 4: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/4.jpg)
Simple, Secure, Scalable 2FA
![Page 5: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/5.jpg)
Didn’t We Solve This Already?
• SMS – Coverage, Delay, Cost, Battery, Policy
• OTP Devices – One per site, Provisioning costs, Battery
• Smart Cards – Readers/drivers, Middleware, Cost
![Page 6: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/6.jpg)
And...
• Bad user experience – Users find it hard to use
• Still phishable – Successful attacks carried out today
• MitM – Successful attacks carried out today
![Page 7: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/7.jpg)
Why U2F?
• Simple
– To register and authenticate -- a simple touch!
– No drivers or client software to install
• Secure
– Public key cryptography
– Protects against phishing and man-in-the-middle
• Scalable
– One U2F device, many services
• Protects Privacy
– No secrets shared between service providers
![Page 8: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/8.jpg)
Google Login With U2F
1. Enter username/pwd 2. Insert U2F Key 3. Touch device
![Page 9: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/9.jpg)
Dropbox Login With U2F
1. Enter username/pwd 2. Insert U2F Key 3. Touch device
![Page 10: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/10.jpg)
GitHub Login With U2F
1. Enter username/pwd 2. Insert U2F Key 3. Touch device
![Page 11: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/11.jpg)
Your Login With U2F
1. Enter username/pwd 2. Insert U2F Key 3. Touch device
![Page 14: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/14.jpg)
Protocol Overview
![Page 15: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/15.jpg)
Participants: Individual with U2F Device, Relying Party

Registration
1. Server sends challenge
2. Device generates key pair
3. Device creates key handle
4. Device signs challenge + client info
5. Server receives and verifies device signature using attestation cert
6. Key handle and public key are stored in database

Authentication
1. Server sends challenge + key handle
2. Device unwraps/derives private key from key handle
3. Device signs challenge + client info
4. Server receives and verifies using stored public key
![Page 16: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/16.jpg)
Protocol Design: Step-By-Step
![Page 17: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/17.jpg)
Authentication (U2F Device, Client, Relying Party)
1. Relying Party -> Client: challenge
2. Client -> U2F Device: challenge
3. U2F Device: sign with kpriv, s = signature(challenge)
4. U2F Device -> Client: s
5. Client -> Relying Party: s
6. Relying Party: look up kpub; check signature s using kpub
![Page 18: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/18.jpg)
Phishing/MitM Protection (U2F Device, Client, Relying Party)
1. Relying Party -> Client: challenge
2. Client -> U2F Device: c = challenge, origin, channel id
3. U2F Device: sign with kpriv, s = signature(c)
4. U2F Device -> Client: s
5. Client -> Relying Party: c, s
6. Relying Party: look up kpub; check s using kpub; verify origin & channel id
![Page 19: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/19.jpg)
Application-Specific Keys (U2F Device, Client, Relying Party)
1. Relying Party -> Client: handle h, app id a, challenge
2. Client -> U2F Device: h, a; c = challenge, origin, channel id, etc.
3. U2F Device: check app id a; look up the kpriv associated with h; sign with kpriv, s = signature(a, c)
4. U2F Device -> Client: s
5. Client -> Relying Party: c, s
6. Relying Party: look up the kpub associated with h; check s using kpub; verify origin & channel id
![Page 20: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/20.jpg)
Device Cloning (U2F Device, Client, Relying Party)
1. Relying Party -> Client: handle h, app id a, challenge
2. Client -> U2F Device: h, a; c = challenge, origin, channel id, etc.
3. U2F Device: check app id a; look up the kpriv associated with h; counter++; sign with kpriv, s = signature(a, c, counter)
4. U2F Device -> Client: counter, s
5. Client -> Relying Party: counter, c, s
6. Relying Party: look up the kpub associated with h; check s using kpub; verify origin, channel id & counter
![Page 21: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/21.jpg)
Registration + Device Attestation (U2F Device, Client, Relying Party)
1. Relying Party -> Client: app id a, challenge
2. Client -> U2F Device: a; c = challenge, origin, channel id, etc.
3. U2F Device: check app id a; generate kpub, kpriv and handle h; s = signature(a, c, kpub, h)
4. U2F Device -> Client: kpub, h, attestation cert, s
5. Client -> Relying Party: c, kpub, h, attestation cert, s
6. Relying Party: verify s using the attestation cert; associate kpub with handle h for user
![Page 22: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/22.jpg)
So How Did We Do? (all three crossed out)
• Bad User Experience – x
• Still Phishable – x
• MitM – x
![Page 23: #2 - U2F Case Study](https://reader034.fdocuments.us/reader034/viewer/2022042619/584c2eb81a28ab85738e4df1/html5/thumbnails/23.jpg)
Resources
• Strengthen 2 step verification with Security Key – Google security blog
• Yubico Security Key – yubico.com/security-key
• Yubico Libraries, Plugins, Sample Code, Documentation – developers.yubico.com
• FIDO U2F Protocol Specification – fidoalliance.org/specifications
• Yubico Demo Server - Test U2F – demo.yubico.com/u2f
• Yubico Demo Server - Test Yubico OTP – demo.yubico.com