SlideShare ist ein Scribd-Unternehmen logo

U2F/FIDO2 implementation of YubiKey

Als PPTX, PDF herunterladen
H
Haniyama Wataru

発表する場所が無かったので供養… 個人の調査に基づいたものであり、Yubicoの見解ではありません。

Software
1 von 77
YubiKey の U2F, FIDO2 実装のナカミ U2F/FIDO2 implementation of YubiKey
Wataru Haniyama @watahani 3 years ago… I worked at book store
マニアックな 話します https://developers.yubico.com/U2F/Protocol_details/Key_generation.html
Implementation of U2F Host Library It’s interesting looking FIDO2 overall from U2F (^^)/
TODAY I talk about U2F
TODAY I talk about U2F and FIDO2
using publicKey
CTAP1 Security Points Check App ID in Authenticator, Client, Server Make Private Key for Each Applications
Yubico’s Implementation U2F https://developers.yubico.com/U2F/Protocol_details/Key_generation.html
rpId, challengerpId, clientData CredID, Public key CredID, Public key AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId RP Hash of ClientData { type: “webauthn.create” origin: “example.com”, challenge: “xxxxxxxxx”, tokenBinding: { status: …} }
Registration Generate Random Nonce RNG Device Secret App ID Challenge HMAC 0 0 0 0 https://developers.yubico.com/U2F/Protocol_details/Key_generation.html Response Attestation Certificate Attestation Secret
Registration Generate Random Nonce RNG Nonce App ID App ID Challenge Generate Application Private Key HMAC 0 0 0 0 https://developers.yubico.com/U2F/Protocol_details/Key_generation.html Response Device Secret
Registration Generate Random Nonce RNG Nonce Application Private Key Application Public Key App ID App ID Challenge Generate Application Private Key HMAC 0 0 0 0 https://developers.yubico.com/U2F/Protocol_details/Key_generation.html ECDSA P-256 Response Device Secret
Yubico’s Implementation U2F Generate Credential ID Application Private Key Application Public Key Nonce App ID Challenge HMAC 0 0 0 0 Response Device Secret
Yubico’s Implementation U2F Generate Credential ID HASH MAC Application Private Key Nonce App ID Challenge HMAC 0 0 0 0 Response Device Secret Application Public Key
Yubico’s Implementation U2F Generate Credential ID HASH MAC Application Private Key Nonce App ID Challenge HMAC 0 0 0 0 Nonce Response Device Secret Application Public Key
Yubico’s Implementation U2F Generate Credential ID HASH MAC Application Private Key Credential ID Nonce App ID Challenge HMAC 0 0 0 0 Nonce Response Device Secret Application Public Key
Yubico’s Implementation U2F Generate Credential ID HASH MAC Application Private Key Credential ID Nonce App ID Challenge HMAC 0 0 0 0 Nonce Response Device Secret Application Public Key U2F protocol KeyHandle
Attestation Statement fido-u2f Attestation Certificate Credential ID ECDSAP256 App ID Challenge 0 0 0 0 Response Attestation Secret Application Public Key
Attestation Statement fido-u2f Attestation Certificate Credential ID ECDSAP256 App ID App ID Challenge 0 0 0 0 Challenge Client Data Response Attestation Secret Application Public Key
Attestation Statement fido-u2f Credential ID ECDSAP256 Application Public Key Credential ID App ID Challenge App ID Challenge Client Data 0 0 0 0 Response Application Public Key Attestation Certificate Attestation Secret
Attestation Statement fido-u2f Signing by Device Secret Attestation Certificate Credential ID Attestation Signature Application Private Key Application Public Key ECDSAP256 Application Public Key Credential ID App ID Challenge App ID Challenge Client Data https://www.w3.org/TR/webauthn/#fido-u2f-attestation 0 0 0 0Attestation Secret
Attestation Statement fido-u2f Signing by Device Secret Attestation Certificate Credential ID Attestation Signature Application Private Key Application Public Key ECDSAP256 Application Public Key Credential ID App ID Challenge App ID Challenge Client Data https://www.w3.org/TR/webauthn/#fido-u2f-attestation 0 0 0 0 Certificate: Data: Version: 3 (0x2) Serial Number: 305582463 (0x1236d17f) Signature Algorithm: sha256WithRSAEncryption Issuer: CN = Yubico U2F Root CA Serial 457200631 Validity Not Before: Aug 1 00:00:00 2014 GMT Not After : Sep 4 00:00:00 2050 GMT Subject: CN = Yubico U2F EE Serial 23925734103241087 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:d3:65:a9:1e:5e:99:e0:d5:b4:39:c0:d9:af:bb: 87:f4:05:8e:47:dd:12:b1:44:ed:b1:4d:2b:33:f8: d3:5c:15:13:e4:0d:79:f0:f9:99:ab:e2:36:71:95: 93:81:c9:dc:2b:07:85:8b:82:ac:63:47:62:04:cc: f7:34:d6:ae:21 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: 1.3.6.1.4.1.41482.2: 1.3.6.1.4.1.41482.1.5 1.3.6.1.4.1.45724.2.1.1: ... Signature Algorithm: sha256WithRSAEncryption 22:1b:9b:b3:b2:72:24:f1:3e:be:a3:22:… SHA1 Fingerprint=5C:5C:14:02:D0:9B:7D:3D:FE:C3:79:3F:C9:E6:33:49:57:81:46:C0 Attestation Secret Signed by Yubico Root CA
Attestation Statement fido-u2f Signing by Device Secret Attestation Certificate Credential ID Attestation Signature ECDSAP256 Application Public Key Credential ID App ID Challenge App ID Challenge Client Data 0 0 0 0 Attestation Certificate Response Attestation Secret Application Public Key
Attestation Statement fido-u2f Signing by Device Secret Attestation Certificate Credential ID ECDSAP256 Application Public Key Credential ID App ID Challenge App ID Challenge Client Data 0 0 0 0 Response Attestation Secret Application Public Key Attestation Signature Attestation Certificate
rpId, challenge, CredIDrpId, clientData CredID, sign CredID, clientData Authentication CredID CredID sign Kpriv RP Hash of ClientData { type: “webauthn.get” origin: “example.com”, challenge: “xxxxxxxxx”, tokenBinding: { status: …} }
Authentication re-generate private key Generate Private Key from Credential ID Credential ID Attestation Certificate App ID Challenge Credential ID HASH MACNonce App ID HMAC 0 0 0 0Device Secret Attestation Secret
Authentication re-generate private key Generate Private Key from Credential ID Credential ID Attestation Certificate App ID Challenge Credential ID HASH MACNonce Nonce App ID HMAC 0 0 0 0Device Secret Attestation Secret
Authentication re-generate private key Generate Private Key from Credential ID Credential ID Attestation Certificate App ID Challenge Credential ID HASH MACNonce Nonce App ID Application Private Key HMAC 0 0 0 0Device Secret Attestation Secret
Authentication verify private key Credential ID Attestation Certificate App ID Challenge Credential ID Nonce Application Private Key HMAC HASH MACNonce 0 0 0 0 Application Private Key Device Secret Attestation Secret
Authentication verify private key Credential ID Attestation Certificate App ID Challenge Credential ID Nonce Application Private Key HASH MAC HMAC HASH MACNonce 0 0 0 0Device Secret Attestation Secret
Authentication verify private key Check HMAC Credential ID Attestation Certificate App ID Challenge Credential ID Nonce Application Private Key HASH MAC HMAC HASH MACNonce 0 0 0 0Device Secret Attestation Secret
Authentication signature Attestation Certificate App ID Challenge Credential ID Application Private Key ECDSA App ID Challenge 0 0 0 1 Attestation Secret
Authentication signature Attestation Certificate App ID Challenge Credential ID Application Private Key ECDSA App ID Challenge 0 0 0 1 0 0 0 1 Attestation Secret
Authentication signature Attestation Certificate App ID Challenge Credential ID Application Private Key ECDSA App ID Challenge 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 1 UP Attestation Secret
Authentication signature Attestation Certificate App ID Challenge Credential ID Application Private Key ECDSA App ID Challenge 0 0 0 1 Signature 0 0 0 1 Attestation Secret
Authentication signature Attestation Certificate App ID Challenge Credential ID Application Private Key ECDSA App ID Challenge 0 0 0 1 Signature 0 0 0 1 0 0 0 1 Attestation Secret
using publicKey Credential ID
What’s difference
Extensions Resident Space Space New Security Key (FIDO2 Spec) Attestation CertificateAAGUID 0 0 0 0 ****** PIN Support Device Secret Attestation Secret
Extensions Resident Space Space PIN Support Attestation CertificateAAGUID 0 0 0 0 ****** PIN Support Device Secret Attestation Secret
Extensions Resident Space Space Resident Key Attestation CertificateAAGUID 0 0 0 0 ****** PIN Support Device Secret Attestation Secret
Extensions Resident Space Space AAGUID Attestation CertificateAAGUID 0 0 0 0 ****** PIN Support Device Secret Attestation Secret
Attestation Secret Device SecretExtensions Resident Space Space Support CTAP2 Extensions (hmac-secret) Attestation CertificateAAGUID 0 0 0 0 ****** PIN Support https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#sctn-hmac-secret-extension
Resident Key (FIDO2 Spec) Attestation Certificate Credential IDApp ID User Info Handle AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret
rpId, challengerpId, clientData CredID, Public key CredID, Public key AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId RP Hash of ClientData { type: “webauthn.create” origin: “example.com”, challenge: “xxxxxxxxx”, tokenBinding: { status: …} }
rpId, challengerpId, clientData CredID, Public key CredID, Public key AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info RP
rpId, challengerpId, clientData CredID, Public key CredID, Public key authenticatorSelection: { userVerification: “required“, requireResidentKey: true, authenticatorAttachment: “cross-platform” } AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info CTAP RP
rpId, challengerpId, clientData CredID, Public key CredID, Public key authenticatorSelection: { userVerification: “required“, requireResidentKey: true, authenticatorAttachment: “cross-platform” } AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info CTAP RP
rpId, challengerpId, clientData CredID, Public key CredID, Public key authenticatorSelection: { userVerification: “required“, requireResidentKey: true, authenticatorAttachment: “cross-platform” } AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info ****** PIN CTAP RP
rpId, challengerpId, clientData CredID, Public key CredID, Public key authenticatorSelection: { userVerification: “required“, requireResidentKey: true, authenticatorAttachment: “cross-platform” } AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info rpId User Info CredID ****** PIN CTAP ****** PIN Store Credential of www.example.com ? RP
rpId, challengerpId, clientData CredID, Public key CredID, Public key authenticatorSelection: { userVerification: “required“, requireResidentKey: true, authenticatorAttachment: “cross-platform” } AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info rpId User Info CredID ****** PIN CTAP ****** PIN Store Credential of www.example.com ? RP
Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info WebAuthn spec!
Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info App ID Challenge RNG Nonce
Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info Credential ID Application Public Key App ID Challenge RNG Nonce
Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info Credential ID Application Public Key Credential ID App ID User Info
Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info Credential ID App ID User Info 必須なのは User Handle のみ
Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info Credential ID App ID User Info 必須なのは User Handle のみ
rpId, challenge, CredIDrpId, clientData CredID, sign CredID, clientData Hash { origin: “example.com”, challenge: “xxxxxxxxx” } Authentication CredID CredID sign Kpriv RP Check rpId
CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN rpId RP rpId, challenge, CredID Resident Key PIN Support rpId, clientData CredID Optional
rpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN rpId RP rpId, challenge, CredID [空にする]
rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN rpId RP CTAP
rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN rpId RP CTAP
rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN rpId RP CTAP User Info
rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN User Info User Info login rpId RP ユーザ情報が複数ある場合 はリスト表示される
rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN user.id userHandleUser Info User Info login rpId RP
rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN user.id userHandleUser Info User Info login rpId RP userHandle Kpub
Authentication Attestation Certificate App ID Challenge AAGUID 0 0 0 0Extensions Device Secret Attestation Secret RP doesn’t send Credential ID when id-less authentication Credential ID Resident Space Space Credential ID App ID User Info
Authentication Attestation Certificate App ID AAGUID 0 0 0 0Extensions Device Secret Attestation Secret Authenticator list credentials for specific AppID after User Info Verification(or User Info Presence) Challenge Resident Space Space Credential ID App ID User Info ******
Origin bound Stored Credentials
Authenticate Attestation Certificate App ID Challenge AAGUID 0 0 0 0Extensions Device Secret Attestation Secret Credential ID Application Private Key Resident Space Space Credential ID App ID User Info
Authenticate Attestation Certificate App ID Challenge AAGUID 0 0 0 0Extensions Device Secret Attestation Secret Credential ID Application Private Key Resident Space Space Credential ID App ID User Info
FIDO2 • Single factor Authentication Credential Management API Support PublicKey Crypto • 2nd Factor Authentication WebAuthn Support both CTAP1 and CTAP2 • Multi-Factor: Passwordless + PIN or Biometric CTAP2 Support User Info Verification
Thank you

Empfohlen

FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
FIDO Alliance
 
Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication
FIDO Alliance
 
Google & FIDO Authentication
Google & FIDO AuthenticationGoogle & FIDO Authentication
Google & FIDO Authentication
FIDO Alliance
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security Keys
FIDO Alliance
 
Fido Technical Overview
Fido Technical OverviewFido Technical Overview
Fido Technical Overview
FIDO Alliance
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for All
FIDO Alliance
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
FIDO Alliance
 

Empfohlen

FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
FIDO Alliance
 
Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication
FIDO Alliance
 
Google & FIDO Authentication
Google & FIDO AuthenticationGoogle & FIDO Authentication
Google & FIDO Authentication
FIDO Alliance
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security Keys
FIDO Alliance
 
Fido Technical Overview
Fido Technical OverviewFido Technical Overview
Fido Technical Overview
FIDO Alliance
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for All
FIDO Alliance
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
FIDO Alliance
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
FIDO Alliance
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装
Haniyama Wataru
 
Web Authentication API
Web Authentication APIWeb Authentication API
Web Authentication API
FIDO Alliance
 
FIDO and the Future of User Authentication
FIDO and the Future of User AuthenticationFIDO and the Future of User Authentication
FIDO and the Future of User Authentication
FIDO Alliance
 
WebAuthn - The End of the Password As We Know It?
WebAuthn - The End of the Password As We Know It?WebAuthn - The End of the Password As We Know It?
WebAuthn - The End of the Password As We Know It?
Thomas Konrad
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
FIDO Alliance
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?
GlobalLogic Ukraine
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
Red Hat Developers
 
Integrating FIDO Authentication & Federation Protocols
Integrating FIDO Authentication & Federation ProtocolsIntegrating FIDO Authentication & Federation Protocols
Integrating FIDO Authentication & Federation Protocols
FIDO Alliance
 
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in EuropeFIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
FIDO Alliance
 
FIDO2 & Microsoft
FIDO2 & MicrosoftFIDO2 & Microsoft
FIDO2 & Microsoft
FIDO Alliance
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
FIDO Alliance
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
FIDO Alliance
 
Android Vulnerability: Fake ID
Android Vulnerability: Fake ID Android Vulnerability: Fake ID
Android Vulnerability: Fake ID
Blueboxer2014
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
FIDO Alliance
 

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装
 
Web Authentication API
Web Authentication APIWeb Authentication API
Web Authentication API
 
FIDO and the Future of User Authentication
FIDO and the Future of User AuthenticationFIDO and the Future of User Authentication
FIDO and the Future of User Authentication
 
WebAuthn - The End of the Password As We Know It?
WebAuthn - The End of the Password As We Know It?WebAuthn - The End of the Password As We Know It?
WebAuthn - The End of the Password As We Know It?
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
 
Integrating FIDO Authentication & Federation Protocols
Integrating FIDO Authentication & Federation ProtocolsIntegrating FIDO Authentication & Federation Protocols
Integrating FIDO Authentication & Federation Protocols
 
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in EuropeFIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
 
FIDO2 & Microsoft
FIDO2 & MicrosoftFIDO2 & Microsoft
FIDO2 & Microsoft
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
 

Ähnlich wie U2F/FIDO2 implementation of YubiKey

Android Vulnerability: Fake ID
Android Vulnerability: Fake ID Android Vulnerability: Fake ID
Android Vulnerability: Fake ID
Blueboxer2014
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
Brian Spector
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications Overview
FIDO Alliance
 
Multifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docxMultifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docx
gilpinleeanna
 

Ähnlich wie U2F/FIDO2 implementation of YubiKey (20)

Android Vulnerability: Fake ID
Android Vulnerability: Fake ID Android Vulnerability: Fake ID
Android Vulnerability: Fake ID
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
 
Fast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standardsFast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standards
 
W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24
 
Catching Pitfalls in Authentication Implementations (Yuchen Zhou)
Catching Pitfalls in Authentication Implementations (Yuchen Zhou)Catching Pitfalls in Authentication Implementations (Yuchen Zhou)
Catching Pitfalls in Authentication Implementations (Yuchen Zhou)
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 
Steam Learn: HTTPS and certificates explained
Steam Learn: HTTPS and certificates explainedSteam Learn: HTTPS and certificates explained
Steam Learn: HTTPS and certificates explained
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2F
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinNew FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
 
ASP.NET Single Sign On
ASP.NET Single Sign OnASP.NET Single Sign On
ASP.NET Single Sign On
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
 
Mobile Cloud Identity
Mobile Cloud IdentityMobile Cloud Identity
Mobile Cloud Identity
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAlliance
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications Overview
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
Multifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docxMultifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docx
 

Kürzlich hochgeladen

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 

Kürzlich hochgeladen (20)

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 

U2F/FIDO2 implementation of YubiKey

  • 1. YubiKey の U2F, FIDO2 実装のナカミ U2F/FIDO2 implementation of YubiKey
  • 2. Wataru Haniyama @watahani 3 years ago… I worked at book store
  • 4. Implementation of U2F Host Library It’s interesting looking FIDO2 overall from U2F (^^)/
  • 5. TODAY I talk about U2F
  • 6. TODAY I talk about U2F and FIDO2
  • 8. CTAP1 Security Points Check App ID in Authenticator, Client, Server Make Private Key for Each Applications
  • 10. rpId, challengerpId, clientData CredID, Public key CredID, Public key AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId RP Hash of ClientData { type: “webauthn.create” origin: “example.com”, challenge: “xxxxxxxxx”, tokenBinding: { status: …} }
  • 11. Registration Generate Random Nonce RNG Device Secret App ID Challenge HMAC 0 0 0 0 https://developers.yubico.com/U2F/Protocol_details/Key_generation.html Response Attestation Certificate Attestation Secret
  • 12. Registration Generate Random Nonce RNG Nonce App ID App ID Challenge Generate Application Private Key HMAC 0 0 0 0 https://developers.yubico.com/U2F/Protocol_details/Key_generation.html Response Device Secret
  • 13. Registration Generate Random Nonce RNG Nonce Application Private Key Application Public Key App ID App ID Challenge Generate Application Private Key HMAC 0 0 0 0 https://developers.yubico.com/U2F/Protocol_details/Key_generation.html ECDSA P-256 Response Device Secret
  • 14. Yubico’s Implementation U2F Generate Credential ID Application Private Key Application Public Key Nonce App ID Challenge HMAC 0 0 0 0 Response Device Secret
  • 15. Yubico’s Implementation U2F Generate Credential ID HASH MAC Application Private Key Nonce App ID Challenge HMAC 0 0 0 0 Response Device Secret Application Public Key
  • 16. Yubico’s Implementation U2F Generate Credential ID HASH MAC Application Private Key Nonce App ID Challenge HMAC 0 0 0 0 Nonce Response Device Secret Application Public Key
  • 17. Yubico’s Implementation U2F Generate Credential ID HASH MAC Application Private Key Credential ID Nonce App ID Challenge HMAC 0 0 0 0 Nonce Response Device Secret Application Public Key
  • 18. Yubico’s Implementation U2F Generate Credential ID HASH MAC Application Private Key Credential ID Nonce App ID Challenge HMAC 0 0 0 0 Nonce Response Device Secret Application Public Key U2F protocol KeyHandle
  • 19. Attestation Statement fido-u2f Attestation Certificate Credential ID ECDSAP256 App ID Challenge 0 0 0 0 Response Attestation Secret Application Public Key
  • 20. Attestation Statement fido-u2f Attestation Certificate Credential ID ECDSAP256 App ID App ID Challenge 0 0 0 0 Challenge Client Data Response Attestation Secret Application Public Key
  • 21. Attestation Statement fido-u2f Credential ID ECDSAP256 Application Public Key Credential ID App ID Challenge App ID Challenge Client Data 0 0 0 0 Response Application Public Key Attestation Certificate Attestation Secret
  • 22. Attestation Statement fido-u2f Signing by Device Secret Attestation Certificate Credential ID Attestation Signature Application Private Key Application Public Key ECDSAP256 Application Public Key Credential ID App ID Challenge App ID Challenge Client Data https://www.w3.org/TR/webauthn/#fido-u2f-attestation 0 0 0 0Attestation Secret
  • 23. Attestation Statement fido-u2f Signing by Device Secret Attestation Certificate Credential ID Attestation Signature Application Private Key Application Public Key ECDSAP256 Application Public Key Credential ID App ID Challenge App ID Challenge Client Data https://www.w3.org/TR/webauthn/#fido-u2f-attestation 0 0 0 0 Certificate: Data: Version: 3 (0x2) Serial Number: 305582463 (0x1236d17f) Signature Algorithm: sha256WithRSAEncryption Issuer: CN = Yubico U2F Root CA Serial 457200631 Validity Not Before: Aug 1 00:00:00 2014 GMT Not After : Sep 4 00:00:00 2050 GMT Subject: CN = Yubico U2F EE Serial 23925734103241087 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:d3:65:a9:1e:5e:99:e0:d5:b4:39:c0:d9:af:bb: 87:f4:05:8e:47:dd:12:b1:44:ed:b1:4d:2b:33:f8: d3:5c:15:13:e4:0d:79:f0:f9:99:ab:e2:36:71:95: 93:81:c9:dc:2b:07:85:8b:82:ac:63:47:62:04:cc: f7:34:d6:ae:21 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: 1.3.6.1.4.1.41482.2: 1.3.6.1.4.1.41482.1.5 1.3.6.1.4.1.45724.2.1.1: ... Signature Algorithm: sha256WithRSAEncryption 22:1b:9b:b3:b2:72:24:f1:3e:be:a3:22:… SHA1 Fingerprint=5C:5C:14:02:D0:9B:7D:3D:FE:C3:79:3F:C9:E6:33:49:57:81:46:C0 Attestation Secret Signed by Yubico Root CA
  • 24. Attestation Statement fido-u2f Signing by Device Secret Attestation Certificate Credential ID Attestation Signature ECDSAP256 Application Public Key Credential ID App ID Challenge App ID Challenge Client Data 0 0 0 0 Attestation Certificate Response Attestation Secret Application Public Key
  • 25. Attestation Statement fido-u2f Signing by Device Secret Attestation Certificate Credential ID ECDSAP256 Application Public Key Credential ID App ID Challenge App ID Challenge Client Data 0 0 0 0 Response Attestation Secret Application Public Key Attestation Signature Attestation Certificate
  • 26. rpId, challenge, CredIDrpId, clientData CredID, sign CredID, clientData Authentication CredID CredID sign Kpriv RP Hash of ClientData { type: “webauthn.get” origin: “example.com”, challenge: “xxxxxxxxx”, tokenBinding: { status: …} }
  • 27. Authentication re-generate private key Generate Private Key from Credential ID Credential ID Attestation Certificate App ID Challenge Credential ID HASH MACNonce App ID HMAC 0 0 0 0Device Secret Attestation Secret
  • 28. Authentication re-generate private key Generate Private Key from Credential ID Credential ID Attestation Certificate App ID Challenge Credential ID HASH MACNonce Nonce App ID HMAC 0 0 0 0Device Secret Attestation Secret
  • 29. Authentication re-generate private key Generate Private Key from Credential ID Credential ID Attestation Certificate App ID Challenge Credential ID HASH MACNonce Nonce App ID Application Private Key HMAC 0 0 0 0Device Secret Attestation Secret
  • 30. Authentication verify private key Credential ID Attestation Certificate App ID Challenge Credential ID Nonce Application Private Key HMAC HASH MACNonce 0 0 0 0 Application Private Key Device Secret Attestation Secret
  • 31. Authentication verify private key Credential ID Attestation Certificate App ID Challenge Credential ID Nonce Application Private Key HASH MAC HMAC HASH MACNonce 0 0 0 0Device Secret Attestation Secret
  • 32. Authentication verify private key Check HMAC Credential ID Attestation Certificate App ID Challenge Credential ID Nonce Application Private Key HASH MAC HMAC HASH MACNonce 0 0 0 0Device Secret Attestation Secret
  • 33. Authentication signature Attestation Certificate App ID Challenge Credential ID Application Private Key ECDSA App ID Challenge 0 0 0 1 Attestation Secret
  • 34. Authentication signature Attestation Certificate App ID Challenge Credential ID Application Private Key ECDSA App ID Challenge 0 0 0 1 0 0 0 1 Attestation Secret
  • 35. Authentication signature Attestation Certificate App ID Challenge Credential ID Application Private Key ECDSA App ID Challenge 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 1 UP Attestation Secret
  • 36. Authentication signature Attestation Certificate App ID Challenge Credential ID Application Private Key ECDSA App ID Challenge 0 0 0 1 Signature 0 0 0 1 Attestation Secret
  • 37. Authentication signature Attestation Certificate App ID Challenge Credential ID Application Private Key ECDSA App ID Challenge 0 0 0 1 Signature 0 0 0 1 0 0 0 1 Attestation Secret
  • 40.
  • 41. Extensions Resident Space Space New Security Key (FIDO2 Spec) Attestation CertificateAAGUID 0 0 0 0 ****** PIN Support Device Secret Attestation Secret
  • 42. Extensions Resident Space Space PIN Support Attestation CertificateAAGUID 0 0 0 0 ****** PIN Support Device Secret Attestation Secret
  • 43. Extensions Resident Space Space Resident Key Attestation CertificateAAGUID 0 0 0 0 ****** PIN Support Device Secret Attestation Secret
  • 44. Extensions Resident Space Space AAGUID Attestation CertificateAAGUID 0 0 0 0 ****** PIN Support Device Secret Attestation Secret
  • 45. Attestation Secret Device SecretExtensions Resident Space Space Support CTAP2 Extensions (hmac-secret) Attestation CertificateAAGUID 0 0 0 0 ****** PIN Support https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#sctn-hmac-secret-extension
  • 46. Resident Key (FIDO2 Spec) Attestation Certificate Credential IDApp ID User Info Handle AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret
  • 47. rpId, challengerpId, clientData CredID, Public key CredID, Public key AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId RP Hash of ClientData { type: “webauthn.create” origin: “example.com”, challenge: “xxxxxxxxx”, tokenBinding: { status: …} }
  • 48. rpId, challengerpId, clientData CredID, Public key CredID, Public key AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info RP
  • 49. rpId, challengerpId, clientData CredID, Public key CredID, Public key authenticatorSelection: { userVerification: “required“, requireResidentKey: true, authenticatorAttachment: “cross-platform” } AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info CTAP RP
  • 50. rpId, challengerpId, clientData CredID, Public key CredID, Public key authenticatorSelection: { userVerification: “required“, requireResidentKey: true, authenticatorAttachment: “cross-platform” } AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info CTAP RP
  • 51. rpId, challengerpId, clientData CredID, Public key CredID, Public key authenticatorSelection: { userVerification: “required“, requireResidentKey: true, authenticatorAttachment: “cross-platform” } AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info ****** PIN CTAP RP
  • 52. rpId, challengerpId, clientData CredID, Public key CredID, Public key authenticatorSelection: { userVerification: “required“, requireResidentKey: true, authenticatorAttachment: “cross-platform” } AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info rpId User Info CredID ****** PIN CTAP ****** PIN Store Credential of www.example.com ? RP
  • 53. rpId, challengerpId, clientData CredID, Public key CredID, Public key authenticatorSelection: { userVerification: “required“, requireResidentKey: true, authenticatorAttachment: “cross-platform” } AttestationAttestation Registration clientData Check rpId Generate Key-pair for rpId User Info,User Info rpId User Info CredID ****** PIN CTAP ****** PIN Store Credential of www.example.com ? RP
  • 54. Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info WebAuthn spec!
  • 55. Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info App ID Challenge RNG Nonce
  • 56. Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info Credential ID Application Public Key App ID Challenge RNG Nonce
  • 57. Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info Credential ID Application Public Key Credential ID App ID User Info
  • 58. Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info Credential ID App ID User Info 必須なのは User Handle のみ
  • 59. Registration with Resident Key Attestation Certificate App ID Challenge AAGUID 0 0 0 0 Resident Space Space Extensions Device Secret Attestation Secret User Info Credential ID App ID User Info 必須なのは User Handle のみ
  • 60. rpId, challenge, CredIDrpId, clientData CredID, sign CredID, clientData Hash { origin: “example.com”, challenge: “xxxxxxxxx” } Authentication CredID CredID sign Kpriv RP Check rpId
  • 61. CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN rpId RP rpId, challenge, CredID Resident Key PIN Support rpId, clientData CredID Optional
  • 62. rpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN rpId RP rpId, challenge, CredID [空にする]
  • 63. rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN rpId RP CTAP
  • 64. rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN rpId RP CTAP
  • 65. rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN rpId RP CTAP User Info
  • 66. rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN User Info User Info login rpId RP ユーザ情報が複数ある場合 はリスト表示される
  • 67. rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN user.id userHandleUser Info User Info login rpId RP
  • 68. rpId, challengerpId, clientData CredID, sign CredID, clientData Authentication CredID sign Kpriv User Info CredID ****** PIN user.id userHandleUser Info User Info login rpId RP userHandle Kpub
  • 69. Authentication Attestation Certificate App ID Challenge AAGUID 0 0 0 0Extensions Device Secret Attestation Secret RP doesn’t send Credential ID when id-less authentication Credential ID Resident Space Space Credential ID App ID User Info
  • 70. Authentication Attestation Certificate App ID AAGUID 0 0 0 0Extensions Device Secret Attestation Secret Authenticator list credentials for specific AppID after User Info Verification(or User Info Presence) Challenge Resident Space Space Credential ID App ID User Info ******
  • 71.
  • 72.
  • 74. Authenticate Attestation Certificate App ID Challenge AAGUID 0 0 0 0Extensions Device Secret Attestation Secret Credential ID Application Private Key Resident Space Space Credential ID App ID User Info
  • 75. Authenticate Attestation Certificate App ID Challenge AAGUID 0 0 0 0Extensions Device Secret Attestation Secret Credential ID Application Private Key Resident Space Space Credential ID App ID User Info
  • 76. FIDO2 • Single factor Authentication Credential Management API Support PublicKey Crypto • 2nd Factor Authentication WebAuthn Support both CTAP1 and CTAP2 • Multi-Factor: Passwordless + PIN or Biometric CTAP2 Support User Info Verification

Hinweis der Redaktion

  1. RP provide AppID and challenge (appID has been verified by client) YubiKey Generate Random Nonce and calculate HMAC from AppID and Nonce using Device Secret. Generated HMAC is Application Private Key Generate public key from private key (ECDSA P-256)
  2. RP provide AppID and challenge (appID has been verified by client) YubiKey Generate Random Nonce and calculate HMAC from AppID and Nonce using Device Secret. Generated HMAC is Application Private Key Generate public key from private key (ECDSA P-256)
  3. RP provide AppID and challenge (appID has been verified by client) YubiKey Generate Random Nonce and calculate HMAC from AppID and Nonce using Device Secret. Generated HMAC is Application Private Key Generate public key from private key (ECDSA P-256)
  4. Calculate HMAC from Application Private Key and Nonce Concat HMAC and Nonce. It is Credential ID
  5. Calculate HMAC from Application Private Key and Nonce Concat HMAC and Nonce. It is Credential ID
  6. Calculate HMAC from Application Private Key and Nonce Concat HMAC and Nonce. It is Credential ID
  7. Calculate HMAC from Application Private Key and Nonce Concat HMAC and Nonce. It is Credential ID
  8. Credential ID is called “KeyHandle” in U2F protocol
  9. Attestation Statement FIDO U2F statement is defined in W3C WebAuthentication API FIDO U2F statement include signature and certificate YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret Attestation Certificate (Attestation Certificate) is pair of Device secret. Attestation Certificate is signed by Yubico Root CA.
  10. Attestation Statement FIDO U2F statement is defined in W3C WebAuthentication API FIDO U2F statement include signature and certificate YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret Attestation Certificate (Attestation Certificate) is pair of Device secret. Attestation Certificate is signed by Yubico Root CA.
  11. Attestation Statement FIDO U2F statement is defined in W3C WebAuthentication API FIDO U2F statement include signature and certificate YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret Attestation Certificate (Attestation Certificate) is pair of Device secret. Attestation Certificate is signed by Yubico Root CA.
  12. Attestation Statement FIDO U2F statement is defined in W3C WebAuthentication API FIDO U2F statement include signature and certificate YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret Attestation Certificate (Attestation Certificate) is pair of Device secret. Attestation Certificate is signed by Yubico Root CA.
  13. Attestation Statement FIDO U2F statement is defined in W3C WebAuthentication API FIDO U2F statement include signature and certificate YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret Attestation Certificate (Attestation Certificate) is pair of Device secret. Attestation Certificate is signed by Yubico Root CA.
  14. Attestation Statement FIDO U2F statement is defined in W3C WebAuthentication API FIDO U2F statement include signature and certificate YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret Attestation Certificate (Attestation Certificate) is pair of Device secret. Attestation Certificate is signed by Yubico Root CA.
  15. Authentication Credential ID include Nonce and HMAC Calculate HMAC from AppID and Nonce using Device Secret. It is Application Private Key
  16. Authentication Credential ID include Nonce and HMAC Calculate HMAC from AppID and Nonce using Device Secret. It is Application Private Key
  17. Authentication Credential ID include Nonce and HMAC Calculate HMAC from AppID and Nonce using Device Secret. It is Application Private Key
  18. Verify Private Key is generated on this device Calculate HMAC form Application Private Key and Nonce. If generated HMAC equals to HMAC from RP, It has been verified the private key was generated on this device.
  19. Verify Private Key is generated on this device Calculate HMAC form Application Private Key and Nonce. If generated HMAC equals to HMAC from RP, It has been verified the private key was generated on this device.
  20. Verify Private Key is generated on this device Calculate HMAC form Application Private Key and Nonce. If generated HMAC equals to HMAC from RP, It has been verified the private key was generated on this device. And AppID is correct!
  21. Calculate a
  22. U2F support only UP flag. UP: User Info Presence
  23. I don’t know about it...
  24. - Resident Key store AppID
  25. - Resident Key store AppID
  26. - Resident Key store AppID
  27. - Resident Key store AppID
  28. - Resident Key store AppID
  29. - Resident Key store AppID
  30. - Resident Key store AppID
  31. - Authenticate
  32. - Authenticate
  33. DEMO https://youtu.be/XjfR9cVmqJE
  34. Application Private Key can be re-generate from credential ID. Authenticator return signature and “User Info Handle” which identifier the RP’s User Info.
  35. Application Private Key can be re-generate from credential ID. Authenticator return signature and “User Info Handle” which identifier the RP’s User Info.