
Idcon25: An overview of FIDO2 and the YubiKey implementation


An overview of FIDO2 and the new authentication methods that FIDO2-capable devices such as the YubiKey make possible. #idcon #fidcon

There was an error in the Authentication part for ResidentKey.
PublicKeyCredentialRequestOptions has no authenticatorSelection option.

Published in: Technology


  1. An overview of FIDO2 and the YubiKey implementation: What's the difference between U2F and FIDO2?
  2. Agenda
     • Self-introduction
     • Overview of the FIDO2 Project
     • Characteristics of FIDO and the WebAuthn implementation
     • Introduction to new YubiKey features
  3. Self-introduction: Haniyama Wataru (埴山 遂), @watahani. Occupation: third-year engineer at Motohonya (もとほんや).
  4. I won't go deep into the protocol here. https://developers.yubico.com/U2F/Protocol_details/Key_generation.html
  5. I'm writing the protocol up in depth! https://techbookfest.org/event/tbf05/circle/28720014 October 8, Gijutsu Shoten (技術書典), booth け35, circle: Motohonya. Please buy it!
  6. What is the FIDO2 Project? (architecture diagram; components: RP, Client, Platform API, Platform, Internal Authenticator, External Authenticator, Web Authentication API, HTTPS, CTAP, NFC)
  7. FIDO2 Project (same diagram, annotated): Client = browsers etc.; Platform = the OS; Platform API = the OS's API; Internal Authenticator = the security chip built into the device, etc.; External Authenticator = YubiKey; Web Authentication API = an extension of the W3C Credential Management API.
  8. FIDO2 Project (same diagram, annotated with Google Play Services).
  9. Today I'll talk about this area (diagram: RP, Browser, Platform API, Platform, Internal Authenticator, External Authenticator, Web Authentication API, HTTPS, CTAP, NFC). There are CTAP1 and CTAP2.
  10. FIDO2-capable keys: Security Key by Yubico, YubiKey 5 Series.
  11. Authentication methods a FIDO2-capable key makes possible:
     • Single factor Authentication: used in place of conventional password authentication. With a FIDO2-capable key, ID/password-less authentication is also possible.
     • 2nd Factor Authentication: used as a two-step verification key, just like U2F.
     • Multi-Factor: Password-less + PIN or Biometric: multi-factor authentication with the key alone, using a PIN or biometrics. ID/password-less authentication is also possible.
  12. Review
  13. FIDO is public-key authentication (diagram): the server sends a Challenge; the user signs it with the private key and returns the Signature; the server looks up the user's PublicKey in its table (UserID hani, PublicKey Efdsddgc..) and verifies the signature.
  14. Registering an authenticator (some parameters omitted; diagram)
     Generate key pair for rpId. rpId vs. origin check:
       rpId           origin          OK/NG
       sgk.co.jp      sgk.co.jp       OK
       sgk.co.jp      api.sgk.co.jp   OK
       api.sgk.co.jp  sgk.co.jp       NG
       co.jp          sgk.co.jp       NG
     (also: for rpId sgk.co.jp, origin sgk.co.jp OK, origin api.sgk.co.jp OK, origin sgk.com NG)
     Flow: the RP sends the rpId and a challenge; the client builds clientData and passes the rpId and clientData to the authenticator; the authenticator checks the rpId, generates a key pair for the rpId, and returns credId, Kpub and an Attestation over the hash of clientData and the rpId; the RP checks the rpId and stores the credId and public key.
     clientData: { type: "webauthn.create", origin: "example.com", challenge: "xxxxxxxxx", tokenBinding: { status: … } }
     Authenticator table (credId, rpId, Key Pair): cred1, sgk.co.jp, K1; cred2, example.com, K2
     RP table (user, credId, Public Key): hani, cred1, K1pub
  15. Generating the attestation (diagram): the authenticator generates a key pair for the rpId, hashes clientData, and signs rpId, the clientData hash, credId and Kpub with the attestation private key Apriv; the attestation certificate Acert chains up to a Root CA; credId, Kpub, rpId and the Attestation go to the RP for registration.
     clientData: { type: "webauthn.get", origin: "example.com", challenge: "xxxxxxxxx" }
  16. Verifying the attestation (diagram): the RP receives credId, Kpub, clientData, rpId and the Attestation (Attestation Signature plus Acert); it checks the rpId and then computes Verify((rpId || clientData || credId || Kpub), Attestation Signature, Acert).
  17. Authentication by the authenticator (diagram)
     rpId vs. origin check:
       rpId           origin          OK/NG
       sgk.co.jp      sgk.co.jp       OK
       sgk.co.jp      api.sgk.co.jp   OK
       api.sgk.co.jp  sgk.co.jp       NG
       co.jp          sg0k.co.jp      NG
     Flow: the RP sends rpId, challenge and credId, with allowedCredentials = [ { id: credentialId, type: "public-key", transports: ["usb", "nfc", "ble"] } ]; the client passes rpId, clientData and credId to the authenticator; the authenticator checks the rpId, restores the rpId and key pair from the credId, signs with Kpriv and returns credId and the signature; the RP checks credId & rpId, verifies the signature and verifies the Counter.
     Authenticator table (credId, rpId, Key Pair): cred1, sgk.co.jp, K1; cred2, example.com, K2
     RP table (user, credId, Public Key): hani, cred1, K1pub
  18. Key points
  19. Key points of FIDO authentication
     • The private key is stored inside the authenticator
     • A unique credentialId/key pair is newly generated for each RP every time
     • Both the client and the authenticator verify the validity of the RP ID
     • The key pair's trustworthiness is guaranteed by attestation* (*not verified by default; intended for enterprise use)
  20. Key points of FIDO authentication (same bullets as slide 19)
  21. Protecting the private key in the authenticator
  22. FIDO2 Project (same diagram as slide 6, with the labels cross-platform and platform)
  23. The private key is stored inside the authenticator (diagram): between the RP and the authenticator, public-key cryptography (Challenge and Signature; the RP verifies against its UserID/PublicKey table); between the authenticator and the user, local user authentication. The user need not be aware of the key pair at all.
  24. Key points of FIDO authentication (same bullets as slide 19)
  25. A key pair is generated per RP: the authenticator creates a key pair for each RP and manages them by credentialId; inside the authenticator it remembers the combination of credentialId, rpId and key pair. Registering with RP1 (sgk.co.jp) yields credId1, K1PUB; registering with RP2 (example.com) yields credId2, K2PUB.
     Authenticator table (credId, rpId, Key Pair): cred1, sgk.co.jp, K1; cred2, example.com, K2
     RP1 table (user, credId, Public Key): hani, cred1, K1pub; RP2 table: hani, cred2, K2pub
  26. A key pair per RP: at authentication, the RP sends the Challenge together with the rpId and credentialId (RP1 sends credId1, rpId1, Challenge).
  27. A key pair per RP: the authenticator identifies the rpId and key pair (rpId1, K1priv) from the credentialId.
  28. A key pair per RP: if the rpId check passes, the authenticator signs the challenge with the private key and returns the signature.
  29. Authentication: whether the rpId is correct is verified by both the client and the authenticator (RP verification; same rpId/origin table and flow as slide 17: the RP sends rpId, challenge and credId; the client passes rpId, clientData and credId; the authenticator checks the rpId, restores the rpId and key pair from the credId and signs with Kpriv; the client returns credId, the signature and clientData; the RP checks credId & rpId and verifies).
  30. A key pair per RP: the authenticator creates a key pair per RP and manages them by credentialId, remembering the combination of credentialId, rpId and key pair (xxxxxx, sgk.co.jp, KeyPair1; yyyyy, example.com, KeyPair2; …). What is the storage limit…?
  31. Yubico's Implementation (U2F) https://developers.yubico.com/U2F/Protocol_details/Key_generation.html: since the key pair can be derived from the credential ID sent by the server, no storage area is needed.
  32. What's the difference?
  33. Authentication methods a FIDO2-capable key makes possible (same three methods as slide 11, now labelled with the FIDO2 features they rely on: Resident Key and User Verification)
  34. DEMO: Origin bound / Stored Credentials
  35. Registration (diagram): the RP sends rpId and challenge; the client passes rpId and clientData to the authenticator; the authenticator checks the rpId, generates a key pair for the rpId and returns credId, public key and Attestation, which the client forwards to the RP.
     Hash of clientData: { type: "webauthn.get", origin: "example.com", challenge: "xxxxxxxxx", tokenBinding: { status: … } }
  36. Registration (same, with User Info now passed from the RP through the client to the authenticator)
  37. Registration with authenticatorSelection: { userVerification: "required", requireResidentKey: true, authenticatorAttachment: "cross-platform" }; the client talks to the key over CTAP.
  38. Registration (same as slide 37)
  39. Registration (same, with the PIN prompt: ****** PIN)
  40. Registration (same; after the PIN, the key asks "Store Credential of www.example.com ?" and stores rpId, credId and User Info in its resident table: rp1, cred1, hani)
  41. Registration (same as slide 40)
  42. Authentication (diagram): the RP sends rpId, challenge and credId; the client passes rpId, clientData and credId to the authenticator; the authenticator checks the rpId, signs with Kpriv and returns credId and the signature; the client sends credId, the signature and clientData to the RP.
  43. Authentication with PIN support: credId is optional; after the PIN, the authenticator looks up User Info and credId in its resident table (rp1, cred1, hani).
  44. Authentication (the slide shows authenticatorSelection: { userVerification: "required", requireResidentKey: true, authenticatorAttachment: "cross-platform" } on the request; see the author's correction above: PublicKeyCredentialRequestOptions has no authenticatorSelection option)
  45. Authentication (same, with the client talking to the key over CTAP)
  46. Authentication (same as slide 45)
  47. Authentication (same, with User Info returned from the authenticator)
  48. Authentication (same; the RP logs the user in using the returned User Info)
  49. Authentication (same; the user.id set at registration comes back as the userHandle)
  50. Authentication (same; the RP uses the userHandle to look up Kpub)
  51. Resident Space (diagram of the key's storage): Device Secret, Apriv, Acert, Counter (0 0 0 1), AAGUID, Extensions, RNG. From clientData, the rpId and a nonce the key produces K1pub, credentialId and K1priv; the resident table stores user, rpId and credentialId; authentication is by credentialId.
  52. Resident Space (same): the credentialId is built from the nonce and an HMAC, and K1priv is recomputed from the nonce and rpId with an HMAC under the Device Secret.
  53. Summary
     • Single factor Authentication: used in place of conventional password authentication. With a FIDO2-capable key, ID/password-less authentication is also possible.
     • 2nd Factor Authentication: used as a two-step verification key, just like U2F.
     • Multi-Factor: Password-less + PIN or Biometric: multi-factor authentication with the key alone, using a PIN or biometrics. ID/password-less authentication is also possible.
  54. Thank you
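The rpId/origin check from slides 14, 17 and 29, together with the RP-side clientData checks of slides 14 to 16, as an added Python example that is not part of the original slides. It assumes a constructed stand-in for the Public Suffix List (PUBLIC_SUFFIXES) and takes the origin as the full URL a browser writes into clientDataJSON.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real RP must consult the full list.
PUBLIC_SUFFIXES = {"com", "jp", "co.jp"}

# Constructed clientDataJSON as a browser would produce it for a registration on api.sgk.co.jp.
SAMPLE_CLIENT_DATA = (b'{"type":"webauthn.create","origin":"https://api.sgk.co.jp",'
                      b'"challenge":"xxxxxxxxx"}')


def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """The OK/NG table from the slides: rp_id must be the origin's host or a
    label-aligned parent of it, and must not be a public suffix such as co.jp."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False                      # WebAuthn only works in a secure context
    host = parts.hostname.lower()
    rp_id = rp_id.lower().rstrip(".")
    if not rp_id or rp_id in PUBLIC_SUFFIXES:
        return False                      # rpId co.jp would cover every *.co.jp site
    return host == rp_id or host.endswith("." + rp_id)


def verify_client_data(client_data_json: bytes, expected_type: str,
                       expected_challenge: str, rp_id: str) -> bool:
    """RP-side checks on clientDataJSON: the ceremony type (webauthn.create or
    webauthn.get), the challenge this RP issued, and an origin the rpId may serve."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False
    return (data.get("type") == expected_type
            and data.get("challenge") == expected_challenge
            and rp_id_matches_origin(rp_id, str(data.get("origin", ""))))
```

The browser applies the same rpId rule on the client side and the authenticator only sees the rpId hash, so this RP-side check is what catches a mismatched origin on the server.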

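The storage-free credential ID of slide 31 and the nonce/HMAC derivation of slides 51 and 52, as an added Python model that is not Yubico's firmware code: the private key is an HMAC under the device secret over the rpId and a nonce, and the credentialId carries the nonce plus a MAC, so the key can be restored (or rejected) without any per-RP storage. DEVICE_SECRET is a constructed placeholder, and the derived bytes stand in for the EC private key a real YubiKey would produce from them.

```python
import hashlib
import hmac
import os

# Constructed placeholder; a real authenticator holds a per-device random secret
# that never leaves the key.
DEVICE_SECRET = bytes.fromhex("00" * 32)
NONCE_LEN = 32
MAC_LEN = 32


def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def make_credential(device_secret: bytes, rp_id: str, nonce: bytes = b""):
    """Registration: derive a fresh per-RP private key and a credentialId that
    encodes the nonce plus a MAC binding it to this rpId and this device."""
    nonce = nonce or os.urandom(NONCE_LEN)
    rp = rp_id.encode()
    priv = _prf(device_secret, rp, nonce)      # K1priv = HMAC(secret, rpId || nonce)
    mac = _prf(device_secret, rp, priv)        # MAC = HMAC(secret, rpId || K1priv)
    return nonce + mac, priv                   # credentialId = nonce || MAC


def restore_private_key(device_secret: bytes, rp_id: str, credential_id: bytes):
    """Authentication: recompute K1priv from the credentialId the RP sent; returns
    None when the id was not issued by this device for this rpId (wrong RP,
    tampered or forged credentialId), so nothing is signed."""
    if len(credential_id) != NONCE_LEN + MAC_LEN:
        return None
    nonce, mac = credential_id[:NONCE_LEN], credential_id[NONCE_LEN:]
    rp = rp_id.encode()
    priv = _prf(device_secret, rp, nonce)
    if not hmac.compare_digest(mac, _prf(device_secret, rp, priv)):
        return None
    return priv
```

Because every check runs under the device secret, a credentialId presented for a different rpId fails the MAC and the key never signs, which is the "restore rpId and key pair from credId" step on slides 17 and 27 done without a lookup table.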