
UAF Technical Overview

Davit Baghdasaryan – Nok Nok Labs

UAF

http://www.fidoalliance.org/specifications

How does UAF work?

(diagram: Relying Party, FIDO Authenticators, Verification)

FIDO Registration (diagram)

1. Registration begins
2. User approval
3. New key created, key registered
4. Registration complete

Using public key cryptography

FIDO Login (diagram)

1. Login challenge
2. User approval
3. Key selected, login response
4. Login complete

Login using public key cryptography

UAF Design Considerations

Decouple User Verification Method from Authentication Protocol

(login diagram: login challenge, user approval, key selected, login response, complete)

Leverage public key cryptography

ONLINE SECURITY PROTOCOL

PLUGGABLE LOCAL AUTH

No 3rd Party in the Protocol

No secrets on Server side

Focus on User Privacy

• Biometric data never leaves user’s device

• No linkability between RPs

• No linkability between RP accounts

Embrace all kinds of Authenticators

software, proprietary hardware, certified hardware, ...

Risk Based Authentication (scale from Low to High)

• Login to online account (Low)

• Change shipping address

• Transfer $10.000 (High)

UAF Architecture (diagram)

User Device:

• User Agent / Mobile Apps

• FIDO UAF Client

• Authenticator Abstraction

• Authenticators (UAF Authenticators holding the private keys: Authentication Keys, Attestation Key)

Relying Party:

• Web Application

• FIDO UAF Server (holds the public keys: Authentication Keys, Attestation Key; handles Registration, Authentication & Transaction Confirmation)

The UAF Protocol runs between the FIDO UAF Client and the FIDO UAF Server.

UAF Protocol

• Discovery of authenticators on the client

• Registration

• Authentication

• Transaction Confirmation

• Deregistration

Registration (diagram; Device: Browser or Native App, FIDO Authenticator; Relying Party: Web App, FIDO Server)

1. Initiate Registration
2. Registration Request + Policy
3. Verify User & Generate New Key Pair (specific to RP Webapp)
4. Registration Response + Attestation + User's Public Key
5. Validate Response & Attestation, Store User's Public Key

UAF Registration (sequence; participants: Relying Party (example.com), ASM + FIDO Client + Browser, 1stF IAuthnr)

• Relying Party -> FIDO Client: username, policy, AppID (a), challenge

• FIDO Client: select Authenticator according to policy; check AppID, get tlsData (i.e. channel id, etc.); generate APIKey random, compute access key ak := hash(a|APIKey|PersonaID|CallerID); fcp := {a, challenge, facetID, tlsData}; fc := hash(fcp)

• FIDO Client -> Authenticator: username, ak, hash(fcp)

• Authenticator: generate key kpub, key kpriv, key handle kh

• Authenticator -> FIDO Client: aaid, kpub, fc, kh, attestation cert, cntr, signature(aaid, fc, reg-cntr, cntr, kpub)

• FIDO Client -> Relying Party: aaid, kpub, fc, attestation cert, cntr, s

• Relying Party: store key kpub

Note: This represents using a FIDO First-Factor Internal Authenticator -- it makes the differences to U2F more clear.

Attestation

FIDO Authenticator (AAID 1, Attestation Key 1): using HW based crypto, based on FP Sensor X

FIDO Authenticator (AAID 2, Attestation Key 2): pure SW based implementation, based on Face Recognition alg. Y

Authentication (diagram; Device: Browser or Native App, FIDO Authenticator; Relying Party: Web App, FIDO Server)

1. Initiate Authentication
2. Authentication Request + Challenge + Policy
3. Verify User & Exercise Private Key (specific to User + RP)
4. Authentication Response signed by User's private key
5. Validate Response using User's Public Key

UAF Authentication (sequence; participants: Relying Party, ASM + FIDO Client + Browser, 1stF IAuthnr)

• Relying Party -> FIDO Client: policy, AppID (a), challenge

• FIDO Client: select Authenticator according to policy; check AppID, get tlsData (i.e. channel id, etc.); lookup key handle kh and access key ak; fcp := {a, challenge, facetID, tlsData}; fc := hash(fcp)

• FIDO Client -> Authenticator: kh, ak, hash(fcp)

• Authenticator: check ak; retrieve key kpriv from kh; cntr++; generate Authnr Nonce n

• Authenticator -> FIDO Client: fc, n, cntr, signature(fc, n, cntr)

• FIDO Client -> Relying Party: fcp, n, cntr, s

• Relying Party: lookup kpub from DB; check policy + signature using key kpub

Note: NO username+Password login required before this sequence. Click on FIDO Button (or similar trigger) is sufficient.
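The following Go program is an added example (not FIDO's or Nok Nok's code) that models the registration and authentication slides above: the authenticator generates an RP-specific P-256 key pair at registration, each login returns a fresh nonce n, an incremented cntr and signature(fc, n, cntr), and the server holds only kpub plus the last counter, so a forged, replayed or wrong-challenge response fails verification. The byte layout of the signed data and the fc input (hash(fcp), computed by the caller) are assumptions, not the UAF wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// tbs is the digest signed as signature(fc, n, cntr) on the slide; the byte layout is a hypothetical stand-in, not the UAF assertion TLV.
func tbs(fc, n []byte, cntr uint32) []byte {
	b := append(append([]byte{}, fc...), n...)
	b = append(b, byte(cntr>>24), byte(cntr>>16), byte(cntr>>8), byte(cntr))
	h := sha256.Sum256(b)
	return h[:]
}

// Authenticator keeps kpriv (generated at registration, specific to user + RP) and a signature counter.
type Authenticator struct {
	kpriv *ecdsa.PrivateKey
	cntr  uint32
}

// Register generates the key pair; only kpub leaves the device, so the RP stores no secret.
func (a *Authenticator) Register() (pub *ecdsa.PublicKey, err error) {
	if a.kpriv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, err
	}
	return &a.kpriv.PublicKey, nil
}

// Authenticate does cntr++, draws a fresh nonce n and signs (fc, n, cntr) with kpriv.
func (a *Authenticator) Authenticate(fc []byte) (n []byte, cntr uint32, sig []byte, err error) {
	a.cntr++
	n = make([]byte, 16)
	if _, err = rand.Read(n); err != nil {
		return nil, 0, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, a.kpriv, tbs(fc, n, a.cntr))
	return n, a.cntr, sig, err
}

// Server holds kpub and the last accepted counter; a bad signature or a non-increasing counter (replay, cloned key) is rejected.
type Server struct {
	kpub *ecdsa.PublicKey
	cntr uint32
}

func (s *Server) Verify(fc, n []byte, cntr uint32, sig []byte) bool {
	if !ecdsa.VerifyASN1(s.kpub, tbs(fc, n, cntr), sig) || cntr <= s.cntr {
		return false
	}
	s.cntr = cntr
	return true
}
```

The counter check is what lets the RP notice a cloned authenticator: a copy that signs with an older counter value is rejected even though its signature is mathematically valid.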

Transaction Confirmation (diagram; Device: Browser or Native App, FIDO Authenticator; Relying Party: Web App, FIDO Server)

1. Initiate Transaction
2. Authentication Request + Transaction Text
3. Display Text, Verify User & Exercise Private Key (specific to User + RP)
4. Authentication Response + Text Hash, signed by User's private key
5. Validate Response & Text Hash using User's Public Key

UAF Authenticator

• Bound Authenticator

• Roaming Authenticator

• Other metadata (verification method, key protection, secure display, …)

FIDO Authenticator (diagram)

• User Verification (of the User)

• Secure Display (optional)

• Attestation Key (injected at manufacturing, doesn't change)

• Authentication Key(s) (generated at runtime, on Registration)

Thank you

