Transcript of FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Alliance -Tokyo Seminar -Gomi
Copyright (C) 2016 Yahoo Japan Corporation. All Rights Reserved. FIDO Seminar in Tokyo #3 12/08/2016
FIDO AUTHENTICATION: ITS EVOLUTION AND OPPORTUNITIES IN YOUR BUSINESS
Hidehito Gomi, Senior Chief Researcher, Yahoo! JAPAN Research
• Recap: FIDO Authentication Model
• Web Authentication & CTAP
• Solutions using FIDO Authentication
• Summary
Recap: FIDO Authentication Model
Trend of Authentication
Accurate, real-time user context can now be captured, and this is changing the nature of authentication.
High-reliability sensors and secure storage enable the following types of authentication:
• Local authn: user verification is performed on the user's own device, with which the user can interact easily.
• Continuous authn: user behavior is monitored continuously for authentication.
• Implicit authn: the user is authenticated without an explicit gesture or ceremony.
• Context-aware authn: data on the context the user is in is used for user authentication.
[Figure: data on user context (geolocation, orientation, temperature, sound, acceleration, steps, walking distance, etc.) is captured from the user's device and held in secure storage.]
Authentication Models: local vs. remote
[Figure: two authentication models. Traditional authn model (e.g. password) for web applications: the user inputs a password, the ID and password are sent to the server, and the server performs both verification and identification before answering OK. FIDO authn model: the user is verified locally by the authenticator using the credential; the FIDO client passes the verification result to the FIDO server, which performs identification. Verification and identification are separated.]
Concept: Pluggable Authentication (Recap)
[Figure: pluggable authentication. FIDO Authenticators (fingerprint, iris, face, USB key, smart card, new method) plug into the FIDO Client, which exchanges FIDO standard messages with the FIDO Server serving Service 1, Service 2, Service 3 ... Service N.]
Pluggable authenticators give you scalability of authentication methods. The updated specs, UAF & U2F 1.1, have been released.
Web Authentication & CTAP
*CTAP (Client To Authenticator Protocol)
Scoped Credential in Web Authentication
“Cryptographic” credential for web applications
[Figure: scoped credential. The credential is a private key held by the authenticator, particular to that authenticator and RP, with a static link to the public key held by the Relying Party (RP). The public key has a static link to the user's ID, which is particular to the user; the link from the credential to the user is what is verified. Together these form a trust chain. Another user or another RP is outside the scope of the credential.]
cf. Anthony Nadalin’s slides for more detail.
Web Authentication API
[Figure: the Web Authn API sits in the browser on the user side, between the Relying Party (RP) on the server side and the authenticator holding the credential on the user's devices. The API calls are makeCredential() and getAssertion().]
Abstract API for the browser to access credentials using JavaScript.
Authenticator Registration
[Figure: authenticator registration among the Relying Party (RP), the browser (Web Authn API), the authenticator and the user.]
1. makeCredential() request from the RP through the browser
2. User verification by the authenticator
3. Creation of private/public keys (the private key for authentication stays in the authenticator)
4. Producing the following data: credential info, attestation, public key, signature
5. Response with signed data about the credential
6. Registering the public key for FIDO authentication under the user's ID at the RP
* A pair of keys for attestation is omitted in this picture.
Web Authentication using Authenticator
[Figure: web authentication using the authenticator, among the Relying Party (RP), the browser (Web Authn API), the authenticator and the user.]
1. getAssertion() request from the RP through the browser
2. Verification of the user by the authenticator using a particular method
3. Producing the following data: credential info, assertion, signature (made with the private key)
4. Response with signed data about the assertion
5. Verifying the signature at the RP with the registered public key
6. Discovering the user ID
* A pair of keys for attestation is omitted in this picture.
Mobile Phone as Authenticator
[Figure: authenticators (fingerprint, iris, face, USB key, smart card, mobile phone, smart watch) reach the FIDO Server through the Web Authn API, serving Service 1, Service 2, Service 3 ... Service N.]
A “mobile phone authenticator” advances the scalability of authentication even further.
Authenticator Variation
[Figure: authenticator variation. An authenticator is either an embedded authenticator inside the user device or an external authenticator, which is of wireless communication type or removable type. The client on the user device exposes the Web Authn API and talks to an external authenticator over CTAP (Client To Authenticator Protocol).]
Solutions using FIDO Authentication
Authentication: Foundation of trusted applications
[Figure: traditional identity and access management system. The user authenticates (with single sign-on) to a server, which maps the user to an ID; each access request is answered (OK/NG) after verifying the user's privileges (access control). User activities after authentication include personal attributes sharing and personal service provisioning on another server.]
Authentication is the first step required for various online activities.
Semantics for Assertion
• User verification: the user is who he/she claims to be
• User presence: the user is near the authenticator
• User confirmation: the user consents to his/her identity, transaction or context
[Figure: the authenticator holds the credential and the user context; the Relying Party (RP) sends a challenge and the authenticator returns the signed challenge (assertion) as proofing.]
FIDO authentication is a mechanism for proofing the user’s identity and context.
Authenticator Adoption
Authenticator implementing existing/legacy/new authentication methods/devices:
• Biometrics
• Behavioral characteristics
• Wearable devices
Authenticator implementing certificate-based authentication (KICA’s case study); cf. Jae Jung Kim’s slides for more detail.
[Figure: the authenticator contains a PKI module holding the certificate and an encrypted private key, with fingerprint and iris sensors behind a biometric API. The Certificate Authority (CA) issues the certificate over the legacy protocol, and the Relying Party (RP) checks certificate status with the CA via the Online Certificate Status Protocol (OCSP), while FIDO Authentication between authenticator and RP runs without any modification.]
FIDO Authentication and Federation
[Figure: FIDO authentication and federation. The user authenticates through the FIDO Client and authenticator to the FIDO Server at the RP/IdP (Identity Provider), which issues an authentication assertion; the identity service then federates to a Federated RP. The AuthnContext is carried along, giving simpler and stronger authentication and a more seamless and secure service.]
The authn context transits from the authenticator to the federated RP. cf. https://fidoalliance.org/assets/images/general/FIDOTokyoSeminar101014_gomi.pdf
Proof Information Transition
[Figure: proof information transition. Proof generated by the authenticator from the user's credential and user context (identity, context, transaction) passes to the RP/IdP and on to the Federated RP.]
User proof generated by the authenticator can be used to provide the user with trusted applications at Internet scale.
Transaction Confirmation
Protecting against MITM (Man-in-the-Middle) attacks by detecting falsified transaction data (already in the UAF spec and deployed by several banks).
[Figure: the user device runs a client and an authenticator. Malware on the device replaces the original transaction data (Bank for transfer: AAA Bank; Recipient Account #: 1234567; Amount: 10000 yen) with falsified transaction data (Bank for transfer: XXX Bank; Recipient Account #: 7654321; Amount: 1000000 yen) sent to the RP (bank). The transaction data presented to the user is signed using the private key, so the RP receives the signature of the original transaction data.]
The RP can prevent an illegal money transfer by verifying the signature over the transaction data, even if the data has been falsified.
Identity Proofing Offline
[Figure: e-ticket use case. Online, the user performs FIDO authentication with the FIDO Server, which keeps an authn log, and the E-Ticket Server issues e-tickets against the user ID. Offline, at the entrance gate of an event, the user presents an identity proof together with the e-ticket for proof verification; the gate has to verify that this is the same person, protecting against impersonation by a malicious user.]
Real-time biometric FIDO authentication enables “identity proofing” when accessing a physical service. (Visit Yahoo Japan’s demo booth.)
[Sample identity certificate shown on the slide, translated from Japanese:]
Identity certificate
Name: Taro Yamada
Address: 9-7-1 Akasaka, Minato-ku, Tokyo
Age: 30
Sex: Male
Certificate issuer: Yahoo Japan Corporation
Certificate recipient: ABC Service Co., Ltd.
Certificate issued: 10 August 2013, 13:00
Certificate valid until: 10 August 2014, 13:00
Certificate ID: s8e3d5y9z0g3
Photo of holder (taken 10 January 2013)
User Verification Caching Spec (New)
A new spec is being developed to fulfill use cases provided by EMVCo. Supporting CDCVM enables consumers to conveniently use on-device authenticators.
[Figure: the user performs FIDO authentication online with the server; the authenticator in the user device holds the private key and serves App1 and App2. User verification is performed for App1; user verification for App2 is skipped (X) under the policy.]
Policy example: do not ask the user for verification to authorize a payment for App2 if the user completed verification within the last 5 minutes.
The user verification process can be simplified offline by the authenticator referring to previous verification results, depending on the user’s policy.
*CDCVM: Consumer Device Cardholder Verification Method
Summary
• FIDO authentication model
  • Local authentication using pluggable authenticators
  • Consistent in specifications
• Web authentication & CTAP
  • Scoped cryptographic credential
  • Abstract API for various types of authenticators via browsers
• Solutions using FIDO authentication
  • Authenticator adoption
  • Enhancement of identity federated systems
  • Identity/context proofing offline as well as online
Adopting FIDO authentication is recommended for developing secure and trusted systems both online and offline.
All Rights Reserved. FIDO Alliance. Copyright 2016.