FIDO Specifications Tutorial
Uploaded by fido-alliance (Category: Technology)
Transcript of FIDO Specifications Tutorial
FIDO SPECIFICATION TUTORIAL
Jerrod Chong, Yubico
All Rights Reserved | FIDO Alliance | Copyright 2016
How Secure is Authentication?
• Passwords: broken
• Phishing: widespread
• Existing options: inadequate
Online Authentication
[Diagram: a device presents "something" over the Internet to the authentication service, which is backed by risk analytics]
Password Issues
[Diagram: the device sends the password over the Internet to the authentication service]
1. Password could be stolen from the server
2. Password might be entered into an untrusted app / website ("phishing")
3. Too many passwords to remember (leads to re-use / cart abandonment)
4. Inconvenient to type a password on a phone
Classifying Threats
1. Remotely attacking central servers: steal data for impersonation
2. Remotely attacking lots of user devices: steal data for impersonation
3. Remotely attacking lots of user devices: misuse them for impersonation
4. Remotely attacking lots of user devices: misuse authenticated sessions
5. Physically attacking user devices: steal data for impersonation
6. Physically attacking user devices: misuse them for impersonation
Classes 1 to 4 are scalable: one remote campaign reaches many accounts. 63% of confirmed data breaches involved leveraging weak/default/stolen passwords.*
* 2016 Verizon Data Breach Investigations Report
How does FIDO work?
[Diagram: User verification → Authenticator → FIDO Authentication → Relying party; the authenticator holds the private key, the relying party the public key]
• Challenge from the relying party, (signed) response from the authenticator
• Require a user gesture before the private key can be used
• Private key dedicated to one app; only the public key goes to the server
• The private key may live in a secure element (SE)
Two questions the relying party needs answered:
• Same authenticator as registered before?
• Same user as enrolled before?
Two questions about the authenticator itself:
• How is the key protected (TPM, SE, TEE, …)?
• Which user verification method is used?
Attestation & Metadata
[Diagram: FIDO Authenticator → Signed Attestation Object → FIDO Server; FIDO Server ← Metadata]
• Verify trust anchor (available from the Metadata Service or another source)
• Understand authenticator characteristics (using information from metadata or another source)
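An added example (not code from the slides) of the two server-side steps on this slide, in Go: chain the attestation certificate from a registration response to a trust anchor that metadata publishes for that authenticator model, then read the model's characteristics from the matching entry and apply policy. The vendor names, certificates and the MetadataEntry structure are constructed for the example; real metadata statements are the FIDO Alliance's JSON documents and carry many more fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// MetadataEntry is a constructed stand-in for one metadata statement: the
// trust anchor for an authenticator model plus the characteristics the server
// wants to know before it accepts a registration.
type MetadataEntry struct {
	Description   string
	KeyProtection string // e.g. "secure_element", "tee", "software"
	UserVerify    string // e.g. "presence", "fingerprint"
	TrustAnchors  *x509.CertPool
}

// issueCert creates a certificate signed by parent; with parent == nil it is a
// self-signed root. All names and keys are generated for this example.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := parent, parentKey
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyAttestationCert chains the attestation certificate from a registration
// response to a trust anchor published in metadata and returns the matching
// entry, which tells the server what it is talking to.
func VerifyAttestationCert(att *x509.Certificate, metadata []MetadataEntry) (*MetadataEntry, error) {
	for i := range metadata {
		opts := x509.VerifyOptions{Roots: metadata[i].TrustAnchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := att.Verify(opts); err == nil {
			return &metadata[i], nil
		}
	}
	return nil, errors.New("attestation certificate does not chain to any trust anchor in metadata")
}

// PolicyAllows is the relying party's policy: accept the model only if its key
// protection is one of the allowed kinds.
func PolicyAllows(entry *MetadataEntry, allowedKeyProtection ...string) bool {
	for _, kp := range allowedKeyProtection {
		if entry.KeyProtection == kp {
			return true
		}
	}
	return false
}

// BuildScenario constructs one vendor whose root is in metadata and one vendor
// the relying party has never heard of; both leaves are the kind an
// authenticator returns during registration.
func BuildScenario() (metadata []MetadataEntry, known, unknown *x509.Certificate, err error) {
	root, rootKey, err := issueCert("Example Vendor Attestation Root", true, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	if known, _, err = issueCert("Example Vendor U2F Attestation", false, root, rootKey); err != nil {
		return nil, nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	metadata = []MetadataEntry{{"Example Vendor Security Key (constructed)", "secure_element", "presence", pool}}
	unknown, _, err = issueCert("Unknown Vendor Attestation", false, nil, nil)
	return metadata, known, unknown, err
}
```

The order matters: the chain check establishes which model produced the registration, and only then is it meaningful to read KeyProtection or UserVerify and decide whether the policy accepts it. A self-signed certificate from a vendor without a metadata entry fails the first step and never reaches the policy.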
Single Factor Experience (UAF Standards): 1. Authentication challenge → 2. Biometric user verification* → 3. Authenticated online
Second Factor Experience (U2F Standards): 1. Authentication challenge → 2. Second factor challenge: insert dongle* / press button → 3. Authenticated online
*There are other types of authenticators
U2F Authentication
[Diagram: U2F Device, Client, Relying Party]
• Relying Party → Client → Device: challenge
• Device: sign challenge with kpriv → signature s
• Device → Client → Relying Party: s
• Relying Party: look up kpub; check signature s using kpub

U2F Phishing/MitM Protection
• Relying Party → Client: challenge
• Client → Device: c = (challenge, origin, channel id)
• Device: sign c with kpriv → s
• Device → Client → Relying Party: c, s
• Relying Party: look up kpub; check s using kpub; verify origin & channel id in c

U2F Application-Specific Keys
• Relying Party → Client: handle h, app id a, challenge
• Client → Device: h, a; c = (challenge, origin, channel id, etc.)
• Device: check app id a; look up the kpriv associated with h; sign (a, c) with kpriv → s
• Device → Client → Relying Party: c, s
• Relying Party: look up the kpub associated with h; check s using kpub; verify origin & channel id

U2F Registration + Device Attestation
• Relying Party → Client: app id a, challenge
• Client → Device: a; c = (challenge, origin, channel id, etc.)
• Device: check app id a; generate kpub, kpriv and handle h
• Device → Client → Relying Party: kpub, h, attestation cert, s = signature(a, c, kpub, h); the client forwards c as well
• Relying Party: verify s using the attestation cert; associate kpub with handle h for the user
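The four U2F exchanges above, worked through in Go as an added example (not code from the slides or from Yubico): the client binds the challenge to the origin it actually loaded the page from, the device only signs with the key belonging to the (handle, app id) pair it registered, and the relying party verifies the attestation signature at registration and the origin and challenge at authentication. App ids, origins and challenge strings are constructed; the signed byte strings are simplified from the U2F raw message format, which also carries a reserved byte, a user-presence flag and a signature counter; and the trust anchor is handed to the relying party as a bare public key rather than taken from metadata.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// ClientData is the slides' "c": the challenge plus the origin the client really loaded the page from (channel id omitted).
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Hash is the challenge parameter; only this digest reaches the device.
func (c ClientData) Hash() [32]byte {
	raw, _ := json.Marshal(c)
	return sha256.Sum256(raw)
}

func appParam(appID string) [32]byte { return sha256.Sum256([]byte(appID)) }

// regData is the string the attestation key signs: appParam | challengeParam | handle | pubkey.
// (Simplified: the real U2F raw format adds a reserved byte, a user-presence flag and a counter.)
func regData(app, chal [32]byte, handle []byte, pub *ecdsa.PublicKey) []byte {
	point := elliptic.Marshal(elliptic.P256(), pub.X, pub.Y)
	return append(append(append(app[:], chal[:]...), handle...), point...)
}

// Device: one attestation key per model, one fresh key pair per registration, indexed by (handle, app id).
type Device struct {
	AttKey *ecdsa.PrivateKey
	keys   map[string]*ecdsa.PrivateKey
}

func NewDevice() *Device {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{AttKey: k, keys: map[string]*ecdsa.PrivateKey{}}
}

func (d *Device) Register(app, chal [32]byte) (pub *ecdsa.PublicKey, handle, sig []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	handle = make([]byte, 32)
	rand.Read(handle)
	d.keys[string(handle)+string(app[:])] = priv
	h := sha256.Sum256(regData(app, chal, handle, &priv.PublicKey))
	sig, _ = ecdsa.SignASN1(rand.Reader, d.AttKey, h[:])
	return &priv.PublicKey, handle, sig
}

// Authenticate finds no key when a handle is presented under another app id, so a phishing site's own app id gets nothing.
func (d *Device) Authenticate(app, chal [32]byte, handle []byte) ([]byte, error) {
	priv, ok := d.keys[string(handle)+string(app[:])]
	if !ok {
		return nil, errors.New("device: key handle not valid for this app id")
	}
	h := sha256.Sum256(append(app[:], chal[:]...))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// RelyingParty stores only public keys, by handle. AttPub is the model's trust anchor (from metadata in a real server).
type RelyingParty struct {
	AppID  string
	AttPub *ecdsa.PublicKey
	Keys   map[string]*ecdsa.PublicKey
}

func NewRelyingParty(appID string, attPub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{AppID: appID, AttPub: attPub, Keys: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) FinishRegistration(challenge string, cd ClientData, pub *ecdsa.PublicKey, handle, sig []byte) error {
	if cd.Origin != rp.AppID || cd.Challenge != challenge {
		return errors.New("rp: origin or challenge mismatch")
	}
	h := sha256.Sum256(regData(appParam(rp.AppID), cd.Hash(), handle, pub))
	if !ecdsa.VerifyASN1(rp.AttPub, h[:], sig) {
		return errors.New("rp: attestation signature invalid")
	}
	rp.Keys[string(handle)] = pub
	return nil
}

// FinishAuthentication is the phishing/MitM check of the slides: the origin the client signed must be the
// relying party's own and the challenge the one it issued; then s is checked with the kpub looked up by h.
func (rp *RelyingParty) FinishAuthentication(challenge string, cd ClientData, handle, sig []byte) error {
	if cd.Origin != rp.AppID || cd.Challenge != challenge {
		return errors.New("rp: origin or challenge mismatch (phishing?)")
	}
	app, chal := appParam(rp.AppID), cd.Hash()
	h := sha256.Sum256(append(app[:], chal[:]...))
	if pub, ok := rp.Keys[string(handle)]; !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("rp: unknown handle or invalid signature")
	}
	return nil
}
```

Two layers stop a relayed challenge: a phishing page that presents the genuine app id still ends up with client data naming its own origin, which the relying party rejects, and a phishing page that uses its own app id hashes to a different app parameter, for which the device has no key under that handle.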
Registration Overview
Perform legacy authentication first, in order to bind the authenticator to an electronic identity, then perform FIDO registration.
FIDO SERVER → FIDO CLIENT: Send Registration Request
• Policy
• Random Challenge
FIDO CLIENT → FIDO AUTHENTICATOR: Start registration
FIDO AUTHENTICATOR: Verify user; generate key pair; sign attestation object containing
• Public key
• AAID
• Hash(FinalChallenge)
• Name of relying party
(signed by the attestation key)
FIDO SERVER: Verify signature; check AAID against policy; store public key
AAID = Authenticator Attestation ID, i.e. model ID
FinalChallenge = AppID | FacetID | channelBinding | serverChallenge
Authentication Overview
FIDO SERVER → FIDO CLIENT: Send Authentication Request
• Policy
• Random Challenge
• Opt: TransactionText
FIDO CLIENT → FIDO AUTHENTICATOR: Start authentication
FIDO AUTHENTICATOR: Verify user; opt: display TransactionText; sign signData object containing
• Signature alg
• Hash(FinalChallenge)
• Opt: Hash(TransactionText)
• Signature counter
• Authenticator random
(signature with the Uauth key)
FIDO SERVER: Verify signature; check AAID against policy
FinalChallenge = AppID | FacetID | channelBinding | serverChallenge
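The two UAF overviews above, as an added Go example that is not code from the slides: the client derives Hash(FinalChallenge) from AppID, serverChallenge, FacetID and channelBinding, the authenticator signs it together with Hash(TransactionText) and a signature counter, and the server checks the signature, the AAID against its policy, the facet, the transaction text it actually sent, and that the counter increased. AAIDs, app ids, facets and transaction texts are constructed; the channel binding is a constant stand-in; the registration-time attestation signature is taken as already verified; and the authenticator random of the slide is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// FinalChallengeHash is the slide's Hash(FinalChallenge). UAF encodes appID, the server challenge, facetID and
// channelBinding as JSON (FinalChallengeParams); the client computes the hash, the server recomputes it.
// The channel binding is a constructed constant here; real clients use TLS binding data.
func FinalChallengeHash(appID, challenge, facetID string) [32]byte {
	raw, _ := json.Marshal(map[string]string{"appID": appID, "challenge": challenge, "facetID": facetID, "channelBinding": "constructed"})
	return sha256.Sum256(raw)
}

// SignedData is the slide's signData object; the authenticator signs its digest with the Uauth key.
type SignedData struct {
	AAID           string
	FinalChallenge [32]byte // Hash(FinalChallenge)
	Transaction    [32]byte // Hash(TransactionText) as displayed to the user; hash of "" when there is none
	Counter        uint32   // signature counter
}

func (s SignedData) digest() []byte {
	raw, _ := json.Marshal(s)
	h := sha256.Sum256(raw)
	return h[:]
}

// Authenticator keeps one Uauth key per app id; user verification is assumed to have passed before each call.
type Authenticator struct {
	AAID    string
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func (a *Authenticator) Register(appID string) *ecdsa.PublicKey {
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[appID] = k
	return &k.PublicKey
}

// Authenticate signs the final challenge hash, the hash of the text it displayed, and a fresh counter value.
func (a *Authenticator) Authenticate(appID string, fc [32]byte, displayedText string) (SignedData, []byte, error) {
	k, ok := a.keys[appID]
	if !ok {
		return SignedData{}, nil, errors.New("authenticator: no key for this app id")
	}
	a.counter++
	sd := SignedData{a.AAID, fc, sha256.Sum256([]byte(displayedText)), a.counter}
	sig, err := ecdsa.SignASN1(rand.Reader, k, sd.digest())
	return sd, sig, err
}

type Server struct {
	AppID    string
	Facets   map[string]bool // trusted facets
	Accepted map[string]bool // AAIDs allowed by policy
	keys     map[string]*ecdsa.PublicKey
	counters map[string]uint32
}

// Register stores the Uauth public key once the AAID passes policy (the attestation signature is taken as already checked).
func (s *Server) Register(user, aaid string, pub *ecdsa.PublicKey) error {
	if !s.Accepted[aaid] {
		return errors.New("server: AAID not allowed by policy")
	}
	if s.keys == nil {
		s.keys, s.counters = map[string]*ecdsa.PublicKey{}, map[string]uint32{}
	}
	s.keys[user] = pub
	return nil
}

// Verify follows the authentication slide: signature, AAID against policy, then facet, final challenge,
// the transaction text the server actually sent, and a strictly increasing counter.
func (s *Server) Verify(user, challenge, facetID, sentText string, sd SignedData, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok || !ecdsa.VerifyASN1(pub, sd.digest(), sig) {
		return errors.New("server: unknown user or invalid signature")
	}
	if !s.Accepted[sd.AAID] || !s.Facets[facetID] {
		return errors.New("server: AAID rejected by policy or untrusted facet")
	}
	if sd.FinalChallenge != FinalChallengeHash(s.AppID, challenge, facetID) || sd.Transaction != sha256.Sum256([]byte(sentText)) {
		return errors.New("server: final challenge or transaction text does not match what was sent")
	}
	if sd.Counter <= s.counters[user] {
		return errors.New("server: signature counter did not increase")
	}
	s.counters[user] = sd.Counter
	return nil
}
```

The transaction hash is what makes the optional TransactionText worth displaying: the authenticator signs the hash of what the user actually saw, so a man in the middle who changes "Pay 10 EUR to Alice" into a different instruction produces an assertion the server cannot match against the text it sent. The counter check catches a replayed assertion even though its signature is still valid.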
Convenience & Security
[Chart: Security (vertical) vs. Convenience (horizontal), plotting Password and Password + OTP]

Common Authentication Stack
[Chart: the same axes with FIDO added]
• In FIDO: same user verification method for all servers
• In FIDO: arbitrary user verification methods are supported and interoperable

Scalable
[Chart: the same axes with FIDO added]
• In FIDO: scalable security depending on authenticator implementation
• In FIDO: only public keys on the server; one authenticator to many services; not phishable
Conclusion
• Different authentication use-cases lead to different authentication requirements
• FIDO separates user verification from authentication and hence supports all user verification methods
• Simple, single-gesture authentication
• FIDO supports scalable convenience & security
• User verification data is known to the authenticator only
• FIDO complements federation