UAF Tutorial
Transcript of UAF Tutorial
FIDO Registration
[Diagram: registration flow between the user's device and the relying party, four numbered steps. Labels: Registration begins; User approval; New key created; Key registered; Registration complete. Caption: Using public key cryptography.]
FIDO Login
[Diagram: login flow between the user's device and the relying party, four numbered steps. Labels: Login; User approval; Login challenge; Login response; Key selected; Login complete. Caption: Using public key cryptography.]
Decouple User Verification Method from Authentication Protocol
[Diagram: the login flow again (Login; User approval; Registration complete; Key selected; Login challenge; Login response), split into two layers. Verifying the user locally is the pluggable local auth layer; the exchange with the relying party is the online security protocol, which leverages public key cryptography.]
Focus on User Privacy
• Biometric data never leaves user’s device
• No linkability between RPs
• No linkability between RP accounts
[Diagram: UAF architecture.
User Device: User Agent and Mobile Apps sit on top of the FIDO UAF Client, which reaches the Authenticators through an Authenticator Abstraction layer. The UAF Authenticators hold the private keys: the Authentication Keys and the Attestation Key.
Relying Party: the Web Application is backed by the FIDO UAF Server, which holds the corresponding public keys: the Authentication Keys and the Attestation Key.
FIDO UAF Client and FIDO UAF Server exchange Registration, Authentication & Transaction Confirmation messages over the UAF Protocol.]
UAF Protocol
• Discovery of authenticators on the client
• Registration
• Authentication
• Transaction Confirmation
• Deregistration
Registration
[Diagram: registration message flow. Device side: Browser or Native App, FIDO Authenticator. Relying Party side (example.com): Web App, FIDO Server.]
1 Initiate Registration
2 Registration Request + Policy
3 Verify User & Generate New Key Pair (specific to RP Webapp)
4 Registration Response + Attestation + User's Public Key
5 Validate Response & Attestation, Store User's Public Key

UAF Registration
[Sequence diagram with three parties: Relying Party; ASM + FIDO Client + Browser; 1stF IAuthnr (first-factor internal authenticator). In the messages, a denotes the AppID, fc = hash(fcp), and s the signature.]
Relying Party -> Client: username, policy, AppID, challenge
Client: select Authenticator according to policy; check AppID, get tlsData (i.e. channel id, etc.); generate APIKey random, compute access key ak := hash(a|APIKey|PersonaID|CallerID); fcp := {a, challenge, facetID, tlsData}
Client -> Authenticator: username, ak; hash(fcp)
Authenticator: generate key kpub, key kpriv, kh
Authenticator -> Client: aaid, kpub, fc, kh, attestation cert, cntr, signature(aaid, fc, reg-cntr, cntr, kpub)
Client -> Relying Party: aaid, kpub, fc, attestation cert, cntr, s
Relying Party: store key kpub
Note: This represents using a FIDO First-Factor Internal Authenticator -- it makes the differences to U2F more clear.
Attestation
[Diagram: two FIDO Authenticator models, each with its own AAID and its own attestation key.]
FIDO Authenticator, AAID 1: using HW based crypto, based on FP Sensor X, Attestation Key 1
FIDO Authenticator, AAID 2: pure SW based implementation, based on Face Recognition alg. Y, Attestation Key 2
Authentication
[Diagram: authentication message flow. Device side: Browser or Native App, FIDO Authenticator. Relying Party side: Web App, FIDO Server.]
1 Initiate Authentication
2 Authentication Request + Challenge + Policy
3 Verify User & Exercise Private Key (specific to User + RP)
4 Authentication Response signed by User's private key
5 Validate Response using User's Public Key
UAF Authentication
[Sequence diagram with the same three parties: Relying Party; ASM + FIDO Client + Browser; 1stF IAuthnr. As before, a denotes the AppID, fc = hash(fcp), and s the signature.]
Relying Party -> Client: policy, AppID, challenge
Client: select Authenticator according to policy; check AppID, get tlsData (i.e. channel id, etc.); lookup key handle kh and access key ak; fcp := {a, challenge, facetID, tlsData}
Client -> Authenticator: kh, ak; hash(fcp)
Authenticator: check ak; retrieve key kpriv from kh; cntr++; generate Authnr Nonce n
Authenticator -> Client: fc, n, cntr, signature(fc, n, cntr)
Client -> Relying Party: fcp, n, cntr, s
Relying Party: lookup kpub from DB; check policy + signature using key kpub
Note: NO username+Password login required before this sequence. Click on FIDO Button (or similar trigger) is sufficient.
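The authentication signature and the server-side checks from the two sequences above, as an added example that is not from the tutorial or from any FIDO implementation. It assumes ECDSA P-256 over SHA-256 and uses a constructed encoding for fcp and for the signed fields (fc, n, cntr), since the slides do not fix either.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

type Authenticator struct { // authenticator side
	priv *ecdsa.PrivateKey // RP-specific kpriv, created at registration, never leaves the device
	cntr uint32            // signature counter, incremented on every authentication
}
type Registration struct { // relying-party side
	kpub *ecdsa.PublicKey // user's public key stored at registration
	cntr uint32           // last accepted counter; detects replays and cloned authenticators
}
// finalChallenge models fc = hash(fcp), fcp := {a, challenge, facetID, tlsData}; the "|" join is a constructed encoding.
func finalChallenge(appID, challenge, facetID, tlsData string) []byte {
	h := sha256.Sum256([]byte(appID + "|" + challenge + "|" + facetID + "|" + tlsData))
	return h[:]
}
// signedData is what the authentication signature covers: fc, n, cntr (cntr big-endian).
func signedData(fc, n []byte, cntr uint32) []byte {
	c := []byte{byte(cntr >> 24), byte(cntr >> 16), byte(cntr >> 8), byte(cntr)}
	return append(append(append([]byte{}, fc...), n...), c...)
}
// Register generates the key pair; kpub goes to the server, kpriv stays in the authenticator.
func Register() (*Authenticator, *Registration) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, &Registration{kpub: &priv.PublicKey}
}
// Authenticate: cntr++, fresh authenticator nonce n, signature(fc, n, cntr).
func (a *Authenticator) Authenticate(fc []byte) (n []byte, cntr uint32, sig []byte) {
	a.cntr++
	n = make([]byte, 16)
	rand.Read(n)
	d := sha256.Sum256(signedData(fc, n, a.cntr))
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, d[:])
	return n, a.cntr, sig
}
// Verify checks the signature with the stored kpub and requires a strictly increasing cntr.
func (r *Registration) Verify(fc, n []byte, cntr uint32, sig []byte) bool {
	d := sha256.Sum256(signedData(fc, n, cntr))
	if cntr <= r.cntr || !ecdsa.VerifyASN1(r.kpub, d[:], sig) {
		return false
	}
	r.cntr = cntr
	return true
}
```

The server recomputes fc from the fcp the client forwards, so a response signed over a different AppID, challenge or TLS channel fails verification, and a non-increasing cntr rejects a replayed response.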
Transaction Confirmation
[Diagram: transaction confirmation message flow. Device side: Browser or Native App, FIDO Authenticator. Relying Party side: Web App, FIDO Server.]
1 Initiate Transaction
2 Authentication Request + Transaction Text
3 Display Text, Verify User & Exercise Private Key (specific to User + RP)
4 Authentication Response + Text Hash, signed by User's private key
5 Validate Response & Text Hash using User's Public Key
UAF Authenticator
• Bound Authenticator
• Roaming Authenticator
• Other metadata (verification method, key protection, secure display, …)
FIDO Authenticator
[Diagram: components of a FIDO Authenticator and its interface to the User.]
• User Verification
• Secure Display (optional)
• Attestation Key: injected at manufacturing, doesn’t change
• Authentication Key(s): generated at runtime (on Registration)