Technical Principles of FIDO Authentication
1 like2,546 views
The document discusses technical principles of FIDO authentication. It provides an overview of how FIDO works, including the FIDO ecosystem with authenticators, clients, servers and relying parties. It also summarizes the FIDO registration and authentication processes, which separate user verification from authentication through the use of public and private keys.
![All Rights Reserved | FIDO Alliance | Copyright 201925
FIDO REGISTRATION
accountInfo, challenge, [cOpts]
rpId, ai, hash(clientData), cryptoP, [exts]
verify user
generate:
key kpub
key kpriv
credential c
c,kpub,clientData,ac,cdh,rpId,cntr,AAGUID[,exts],
signature(tbs)
c,kpub,clientData,ac,tbs, s
store:
key kpub
c
s
Authenticator
select Authenticator according to cOpts;
determine rpId, get tlsData;
clientData := {challenge, origin, rpId, hAlg, tlsData}
cOpts: crypto params, credential black list,
extensions
cdh
ai
tbs
ac: attestation certificate chain](https://image.slidesharecdn.com/technical-principles-of-fido-authentication-190129201829/85/Technical-Principles-of-FIDO-Authentication-25-320.jpg)
![All Rights Reserved | FIDO Alliance | Copyright 201926
FIDO AUTHENTICATION
Authenticator Relying Party
rpId, [c,] hash(clientData)
select Authenticator according to policy;
check rpId, get tlsData (i.e. channel id, etc.);
lookup key handle h;
clientData := {challenge, rpId, tlsData}
clientData,cntr,[exts],signature(cdh,cntr,exts)
clientData, cntr, exts, s
lookup kpub
from DB
check:
exts +
signature
using
key kpub
s
cdh
challenge, [aOpts]
verify user
find
key kpriv
cntr++;
process exts](https://image.slidesharecdn.com/technical-principles-of-fido-authentication-190129201829/85/Technical-Principles-of-FIDO-Authentication-26-320.jpg)
Technical Principles of FIDO Authentication
- 1. 1 TECHNICAL PRINCIPLES OF FIDO AUTHENTICATION Rolf Lindemann, Nok Nok Labs All Rights Reserved | FIDO Alliance | Copyright 2019
- 2. 2 HOW SECURE IS AUTHENTICATION? All Rights Reserved | FIDO Alliance | Copyright 2019
- 3. All Rights Reserved | FIDO Alliance | Copyright 20193 HOW SECURE IS AUTHENTICATION? Attacks require physical action โ not scalable Things are never 100% secure, so focus on adequate security. Focus on the scalable attacks first. Scalable Attacks
- 4. All Rights Reserved | FIDO Alliance | Copyright 20194 CLOUD AUTHENTICATION DeviceSomething Authentication Risk Analytics Internet
- 5. All Rights Reserved | FIDO Alliance | Copyright 20195 HOW DOES FIDO WORK?
- 6. All Rights Reserved | FIDO Alliance | Copyright 20196 HOW DOES FIDO WORK? DeviceUser verification FIDO Authentication Authenticator
- 7. All Rights Reserved | FIDO Alliance | Copyright 20197 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Require user gesture before private key can be used Challenge (Signed) Response Private key dedicated to one app Public key
- 8. All Rights Reserved | FIDO Alliance | Copyright 20198 FIDO ECOSYSTEM AuthenticatorUser verification FIDO Authentication โฆ โฆSE
- 9. All Rights Reserved | FIDO Alliance | Copyright 20199 FIDO ECOSYSTEM AuthenticatorUser verification FIDO Authentication โฆ โฆSE How is the key protected (TPM, SE, TEE, โฆ)? Which user verification method is used?
- 10. All Rights Reserved | FIDO Alliance | Copyright 201910 ATTESTATION + METADATA Private attestation key Signed Attestation Object Metadata Understand Authenticator security characteristic by looking into Metadata from mds.fidoalliance.org FIDO Registration Verify using trust anchor included in Metadata Relying parties can store this for auditing purposes
- 11. All Rights Reserved | FIDO Alliance | Copyright 201911 FIDO AUTHENTICATORS We see โBoundโ Authenticators, i.e. authenticators that are an integral part of a smartphone or laptop. We see โRoamingโ Authenticators, i.e. authenticators that can be connected to different smartphones or laptops using CTAP. In both categories you find support for different modalities Verify User Verify User Presence
- 12. All Rights Reserved | FIDO Alliance | Copyright 201912 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Can recognize the user (i.e. user verification), but doesnโt know its identity attributes.
- 13. All Rights Reserved | FIDO Alliance | Copyright 201913 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Can recognize the user (i.e. user verification), but doesnโt know its identity attributes. Identity binding to be done outside FIDO: This this โJohn Doe with customer ID Xโ.
- 14. All Rights Reserved | FIDO Alliance | Copyright 201914 FIDO BUILDING BLOCKS (Roaming) Authenticator USER DEVICE FIDO Client (Bound) Authenticator ASM RP App FIDO Authentication RP App Server FIDO Server Metadata
- 15. All Rights Reserved | FIDO Alliance | Copyright 201915 FIDO BUILDING BLOCKS (Roaming) Authenticator User Device Browser (Bound) Authenticator Platform RP App FIDO Authentication RP App Server FIDO Server Metadata Web Authentication JS API CTAP
- 16. FIDO USER DEVICE FIDO CLIENT IdP FIDO SERVER FIDO AUTHENTICATOR FEDERATION SERVERBROWSER / APP FIDO Protocol Service Provider Federation Id DB Knows details about the Authentication strength Knows details about the Identity and its verification strength. First Mile Second Mile 16 FIDO & FEDERATION All Rights Reserved | FIDO Alliance | Copyright 2019
- 17. All Rights Reserved | FIDO Alliance | Copyright 201917 WEB AUTHENTICATION Supported In: JavaScript API that enables FIDO Authentication directly in web browsers
- 18. All Rights Reserved | FIDO Alliance | Copyright 201918 FIDO AUTHENTICATION: SECURITY & CONVENIENCE
- 19. All Rights Reserved | FIDO Alliance | Copyright 201919 CONVENIENCE & SECURITY Security Convenience Password
- 20. All Rights Reserved | FIDO Alliance | Copyright 201920 CONVENIENCE & SECURITY Security Convenience Password + OTP Password
- 21. All Rights Reserved | FIDO Alliance | Copyright 201921 CONVENIENCE & SECURITY Security Convenience Password + OTP Password FIDO In FIDO โข Same user verification method for all servers In FIDO: Arbitrary user verification methods are supported (+ they are interoperable)
- 22. All Rights Reserved | FIDO Alliance | Copyright 201922 CONVENIENCE & SECURITY Security Convenience Password + OTP Password FIDO In FIDO: Scalable security depending on Authenticator implementation In FIDO: โข Only public keys on server โข Not phishable
- 23. All Rights Reserved | FIDO Alliance | Copyright 201923 CONCLUSION โข Different authentication use-cases lead to different authentication requirements โข FIDO separates user verification from authentication and hence supports all user verification methods โข FIDO supports scalable convenience & security โข User verification data is known to Authenticator only โข FIDO complements federation
- 24. 24 FIDO TECHNICAL OVERVIEW Rolf Lindemann, Nok Nok Labs Thank You All Rights Reserved | FIDO Alliance | Copyright 2019
- 25. All Rights Reserved | FIDO Alliance | Copyright 201925 FIDO REGISTRATION accountInfo, challenge, [cOpts] rpId, ai, hash(clientData), cryptoP, [exts] verify user generate: key kpub key kpriv credential c c,kpub,clientData,ac,cdh,rpId,cntr,AAGUID[,exts], signature(tbs) c,kpub,clientData,ac,tbs, s store: key kpub c s Authenticator select Authenticator according to cOpts; determine rpId, get tlsData; clientData := {challenge, origin, rpId, hAlg, tlsData} cOpts: crypto params, credential black list, extensions cdh ai tbs ac: attestation certificate chain
- 26. All Rights Reserved | FIDO Alliance | Copyright 201926 FIDO AUTHENTICATION Authenticator Relying Party rpId, [c,] hash(clientData) select Authenticator according to policy; check rpId, get tlsData (i.e. channel id, etc.); lookup key handle h; clientData := {challenge, rpId, tlsData} clientData,cntr,[exts],signature(cdh,cntr,exts) clientData, cntr, exts, s lookup kpub from DB check: exts + signature using key kpub s cdh challenge, [aOpts] verify user find key kpriv cntr++; process exts