Gates predicted the death of passwords at the RSA conference in 2003, so why are we still in the era of passwords more than a decade later? How can FIDO help us go password-less using public key cryptography standards? How are FIDO and Aadhaar inherently different even though both are based on public key cryptography?
2. PAGE 2 | GRACE HOPPER CELEBRATION INDIA 17
Presented by AnitaB.org and Association for Computing Machinery India (ACM) India
#GHCI17
Password
3. PAGE 3 | GRACE HOPPER CELEBRATION INDIA 17
Password Challenge
Yet Another password
Complex
Rotate your passwords
Reuse
Write it down
Vulnerable
4. PAGE 4 | GRACE HOPPER CELEBRATION INDIA 17
Password Maturity
5. PAGE 5 | GRACE HOPPER CELEBRATION INDIA 17
Passwordless
6. PAGE 6 | GRACE HOPPER CELEBRATION INDIA 17
Authentication
What I KNOW
What I HAVE
What I AM
(Illustration: a username/password sign-in form and an OTP entry form)
7. PAGE 7 | GRACE HOPPER CELEBRATION INDIA 17
What I Am
• Universal
• Unique
• Permanent
• Record once and match later
Physical Biometrics
Behavioral Biometrics
8. PAGE 8 | GRACE HOPPER CELEBRATION INDIA 17
Biometric Challenges
• Specialized device/hardware
• Reliability can change over time
• Match is not an exact match
• Can’t be stored as hash values
• Can’t be changed if forged or stolen
9. PAGE 9 | GRACE HOPPER CELEBRATION INDIA 17
FIDO
10. PAGE 10 | GRACE HOPPER CELEBRATION INDIA 17
What is FIDO
• Fast IDentity Online
• Industry consortium formed in July 2012
• Two protocol specs
  • Universal Authentication Framework - UAF
  • Universal Second Factor - U2F
• Based on public key cryptography
11. PAGE 11 | GRACE HOPPER CELEBRATION INDIA 17
UAF
12. PAGE 12 | GRACE HOPPER CELEBRATION INDIA 17
UAF – Universal Authentication Framework
• Passwordless
• Any Device, Any Application, Any Authenticator
• No secrets on Server
• Biometric data never leaves the device
13. PAGE 13 | GRACE HOPPER CELEBRATION INDIA 17
UAF – User Device
(Diagram: Browser/Mobile App → FIDO UAF Client → Authenticator Abstraction → FIDO Authenticators)
14. PAGE 14 | GRACE HOPPER CELEBRATION INDIA 17
UAF – User Device
(Diagram: Browser/Mobile App → FIDO UAF Client → Authenticator Abstraction → FIDO Authenticators)
FIDO Authenticator holds the private keys: the Attestation Key and the Authentication Keys
15. PAGE 15 | GRACE HOPPER CELEBRATION INDIA 17
UAF – Relying Party
Web Server
FIDO Server
FIDO Metadata Service
Public Keys
• Attestation Keys
• Authentication Keys
16. PAGE 16 | GRACE HOPPER CELEBRATION INDIA 17
UAF – Architecture
Relying Party: Web Server → FIDO Server → FIDO Metadata Service
User Device: Browser/App → FIDO UAF Client → Authenticator Abstraction → FIDO Authenticators
UAF Protocol (between User Device and Relying Party)
1. Registration
2. Authentication
3. Tx Confirmation
4. Deregistration
17. PAGE 17 | GRACE HOPPER CELEBRATION INDIA 17
UAF – Registration
Participants: User Device (FIDO Authenticator, FIDO UAF Client, User Agent) and Relying Party (Web Server, FIDO Server, FIDO Metadata Service)
1. Initiate Registration
2. Registration Request + Policy
3. Verify User; Create Private Key Per User and App
4. Registration Response + Attestation + User’s Public Key
5. Validate response and attestation, Store User’s Public Key
18. PAGE 18 | GRACE HOPPER CELEBRATION INDIA 17
UAF – Authentication
Participants: User Device (FIDO Authenticator, FIDO UAF Client, User Agent) and Relying Party (Web Server, FIDO Server, FIDO Metadata Service)
1. Initiate Authentication
2. Authentication Request + Challenge + Policy
3. Verify User and unlock Private Key
4. Authentication Response signed by User’s Private Key
5. Validate response using User’s Public Key
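The registration flow (slide 17) and the authentication flow above, simulated end to end in Go. This is an added example, not code from this deck or from the FIDO Alliance: both sides run in one process with ECDSA P-256 keys. Everything beyond the slides' step names is an assumption of the example: the AAID string, the UserVerified flag standing in for the local biometric match, the Metadata map standing in for the FIDO Metadata Service lookup, and the exact bytes that get signed (challenge, AppID and, at registration, the new public key).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator: one attestation key per model (AAID), a fresh key per user and app, private keys never leave it.
type Authenticator struct {
	AAID           string
	UserVerified   bool // constructed stand-in for the local biometric match
	attestationKey *ecdsa.PrivateKey
	authKeys       map[string]*ecdsa.PrivateKey // KeyID -> private key
}

// RelyingParty: the FIDO server with trusted attestation keys, registered user keys and single-use challenges.
type RelyingParty struct {
	AppID      string
	Metadata   map[string]*ecdsa.PublicKey // AAID -> attestation public key (stand-in for the Metadata Service)
	registered map[string]*ecdsa.PublicKey // user/KeyID -> user's public key
	challenges map[string][]byte           // user -> outstanding challenge
}

func NewAuthenticator(aaid string) (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{AAID: aaid, attestationKey: k, authKeys: map[string]*ecdsa.PrivateKey{}}, err
}

func (a *Authenticator) AttestationPublicKey() *ecdsa.PublicKey { return &a.attestationKey.PublicKey }

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{appID, map[string]*ecdsa.PublicKey{}, map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
}

// digest hashes the parts; %q quotes each one, so the signed message cannot be re-split.
func digest(parts ...[]byte) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%q", parts)))
	return h[:]
}

// Register is steps 3-4 of registration: verify the user, create a per-user, per-app key pair, attest its public key.
func (a *Authenticator) Register(challenge []byte, appID string) (keyID string, pub *ecdsa.PublicKey, attestation []byte, err error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if !a.UserVerified || err != nil {
		return "", nil, nil, errors.New("user verification failed or key generation error")
	}
	keyID, pub = fmt.Sprint(len(a.authKeys)+1), &k.PublicKey
	a.authKeys[keyID] = k
	attestation, err = ecdsa.SignASN1(rand.Reader, a.attestationKey, digest(challenge, []byte(appID), pub.X.Bytes(), pub.Y.Bytes()))
	return keyID, pub, attestation, err
}

// Authenticate is steps 3-4 of authentication: without user verification the private key stays locked.
func (a *Authenticator) Authenticate(challenge []byte, appID, keyID string) ([]byte, error) {
	k, ok := a.authKeys[keyID]
	if !a.UserVerified || !ok {
		return nil, errors.New("private key stays locked: user not verified or unknown KeyID")
	}
	return ecdsa.SignASN1(rand.Reader, k, digest(challenge, []byte(appID)))
}

// NewChallenge is step 2: a fresh random challenge, kept for exactly one response.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	rp.challenges[user] = make([]byte, 32)
	rand.Read(rp.challenges[user])
	return rp.challenges[user]
}

// checkResponse consumes the outstanding challenge (a replay finds none) and verifies sig with pub (nil = unknown key).
func (rp *RelyingParty) checkResponse(user string, pub *ecdsa.PublicKey, sig []byte, extra ...[]byte) error {
	c, ok := rp.challenges[user]
	delete(rp.challenges, user)
	if !ok {
		return errors.New("no outstanding challenge: replayed or unsolicited response")
	}
	if pub == nil || !ecdsa.VerifyASN1(pub, digest(append([][]byte{c, []byte(rp.AppID)}, extra...)...), sig) {
		return errors.New("rejected: unknown key or bad signature")
	}
	return nil
}

// CompleteRegistration is step 5 of registration: validate the attestation for the AAID, then store the public key.
func (rp *RelyingParty) CompleteRegistration(user, aaid, keyID string, pub *ecdsa.PublicKey, attestation []byte) error {
	if err := rp.checkResponse(user, rp.Metadata[aaid], attestation, pub.X.Bytes(), pub.Y.Bytes()); err != nil {
		return err
	}
	rp.registered[user+"/"+keyID] = pub
	return nil
}

// CompleteAuthentication is step 5 of authentication: verify with the stored public key.
func (rp *RelyingParty) CompleteAuthentication(user, keyID string, signature []byte) error {
	return rp.checkResponse(user, rp.registered[user+"/"+keyID], signature)
}
```

Driving this from a test or a small main of your own: publish the authenticator's attestation public key into rp.Metadata, set UserVerified, call Register with rp.NewChallenge(user) and pass the result to CompleteRegistration, then repeat with Authenticate and CompleteAuthentication. Three checks are worth running: a response submitted twice fails because the challenge is consumed on first use, an authenticator with UserVerified false refuses to sign, and a registration from an AAID absent from Metadata is rejected. Nothing biometric ever reaches the relying party; it stores and verifies only public keys.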
19. PAGE 19 | GRACE HOPPER CELEBRATION INDIA 17
FIDO helps with biometric challenges
• Specialized device/hardware - Standardization
• Reliability can change over time – Multi Modal
• Match is not an exact match – Per Authenticator & Risk Based
• Can’t be stored as hash values – Store on client
• Can’t be changed if forged or stolen – Deregister
20. PAGE 20 | GRACE HOPPER CELEBRATION INDIA 17
Adopting Organizations
21. PAGE 21 | GRACE HOPPER CELEBRATION INDIA 17
Participants: Aadhaar Biometric Capture Device or Application, AUA Server, ASA Server, UIDAI Server
1. Provide biometrics
2. Create Pid XML block, D
3. Generate Session Key, SK
4. Base64(Encrypt(D, SK))
5. Encrypt(SK, UPbK) : RSA
6. HMAC : Base64 of Encrypt(SHA-256(D), SK)
7. (unlabelled arrow in the slide: request passed to the AUA Server)
8. Add License Key
9. Sign using Private Key
10. (unlabelled arrow in the slide: request forwarded via the ASA Server to the UIDAI Server)
11. Verify signature
12. Decrypt SK
13. Validate Pid
14. Y/N
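The flow above as an added Go example, not UIDAI's code: it builds the request on the device/AUA side (steps 2-9) and checks it on the UIDAI side (steps 11-14). The slide fixes the operations but not the primitives or encodings, so these are the example's assumptions: AES-256-GCM for Encrypt(·, SK), RSA-OAEP for Encrypt(SK, UPbK), RSA-PSS for the AUA signature, a '|'-joined string as the signed input, a licence-key map in place of the CA-certificate checks, an in-memory map in place of the enrolled-template registry, and a plain byte string in place of the real Pid XML.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// AuthRequest is what travels from the capture device through AUA and ASA to UIDAI (steps 2-9 of the slide).
type AuthRequest struct {
	UID, LicenseKey     string
	EncPid, EncSK, Hmac string // Base64, as on the slide: AES(Pid,SK), RSA(SK,UPbK), AES(SHA-256(Pid),SK)
	Signature           []byte // RSA-PSS by the AUA signing key over the five fields above
}

// UIDAI holds its RSA decryption key, the AUA signing keys it trusts (by licence key) and enrolled templates.
type UIDAI struct {
	key      *rsa.PrivateKey
	AUAKeys  map[string]*rsa.PublicKey
	Enrolled map[string][]byte // UID -> biometric template (constructed stand-in for the real registry)
}

func NewUIDAI() (*UIDAI, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &UIDAI{k, map[string]*rsa.PublicKey{}, map[string][]byte{}}, err
}

func (u *UIDAI) PublicKey() *rsa.PublicKey { return &u.key.PublicKey }

// NewSigningKey makes an AUA signing key; in production it sits behind a CA-issued certificate.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// signedDigest is what the AUA signs in step 9 and UIDAI verifies in step 11.
func signedDigest(uid, license, encPid, encSK, hmacField string) [32]byte {
	return sha256.Sum256([]byte(uid + "|" + license + "|" + encPid + "|" + encSK + "|" + hmacField))
}

// seal and open implement the slide's Encrypt(x, SK) as AES-256-GCM with the nonce prepended (this example's choice).
func seal(sk, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(sk)
	if err != nil {
		return "", err
	}
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

func open(sk []byte, b64 string) ([]byte, error) {
	data, err := base64.StdEncoding.DecodeString(b64)
	block, err2 := aes.NewCipher(sk)
	if err != nil || err2 != nil || len(data) < 12 { // 12 = standard GCM nonce size
		return nil, errors.New("bad ciphertext encoding, session key or length")
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, data[:12], data[12:], nil)
}

// BuildRequest is the device/AUA side, steps 2-9 of the slide; pid stands in for the Pid XML block D.
func BuildRequest(uid string, pid []byte, uidaiPub *rsa.PublicKey, license string, auaKey *rsa.PrivateKey) (*AuthRequest, error) {
	sk := make([]byte, 32) // step 3: a fresh session key per request
	rand.Read(sk)
	encPid, e1 := seal(sk, pid)                                                 // step 4
	encSK, e2 := rsa.EncryptOAEP(sha256.New(), rand.Reader, uidaiPub, sk, nil) // step 5
	d := sha256.Sum256(pid)
	hmacField, e3 := seal(sk, d[:]) // step 6: the slide's "HMAC" is the encrypted SHA-256 of D
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("encryption failed")
	}
	encSK64 := base64.StdEncoding.EncodeToString(encSK)
	h := signedDigest(uid, license, encPid, encSK64, hmacField)            // step 8: licence key is part of the signed request
	sig, err := rsa.SignPSS(rand.Reader, auaKey, crypto.SHA256, h[:], nil) // step 9
	return &AuthRequest{uid, license, encPid, encSK64, hmacField, sig}, err
}

// Authenticate is the UIDAI side, steps 11-14: verify the signature, decrypt SK, check the Pid digest, answer Y/N.
func (u *UIDAI) Authenticate(r *AuthRequest) (bool, error) {
	pub, ok := u.AUAKeys[r.LicenseKey]
	h := signedDigest(r.UID, r.LicenseKey, r.EncPid, r.EncSK, r.Hmac)
	if !ok || rsa.VerifyPSS(pub, crypto.SHA256, h[:], r.Signature, nil) != nil {
		return false, errors.New("step 11: unknown licence key or bad signature")
	}
	encSK, _ := base64.StdEncoding.DecodeString(r.EncSK)
	sk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, u.key, encSK, nil) // step 12: only UIDAI can recover SK
	pid, e1 := open(sk, r.EncPid)
	digest, e2 := open(sk, r.Hmac)
	expected := sha256.Sum256(pid)
	if err != nil || e1 != nil || e2 != nil || !bytes.Equal(digest, expected[:]) {
		return false, errors.New("step 12-13: session key, Pid decryption or digest check failed")
	}
	return bytes.Equal(u.Enrolled[r.UID], pid), nil // step 14: Y/N against the enrolled template
}
```

Two points the code makes visible. First, the biometric data in D does cross the network, which is the contrast the next slide draws with FIDO; what protects it in transit is the session key, and the session key is recoverable only with UIDAI's private key. Second, the field the slide calls HMAC is an encrypted hash rather than a keyed MAC, so the integrity of D rests on the encryption mode and on the AUA signature over the whole request; the example therefore uses an authenticated mode and verifies the signature before decrypting anything.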
22. PAGE 22 | GRACE HOPPER CELEBRATION INDIA 17
FIDO vs Aadhaar
FIDO                              Aadhaar
Biometrics on Client              Biometrics on Server
Biometrics never leave client     Biometrics travel over network
No Symmetric Key Crypto           AES to encrypt data
Public key not by CA              Public Key Cert by CA
24. PAGE 24 | GRACE HOPPER CELEBRATION INDIA 17
Appendix
25. PAGE 25 | GRACE HOPPER CELEBRATION INDIA 17
UAF - Registration
Taken From - https://www.ietf.org/proceedings/92/slides/slides-92-tokbind-3.pdf
26. PAGE 26 | GRACE HOPPER CELEBRATION INDIA 17
UAF - Authentication
Taken From - https://www.ietf.org/proceedings/92/slides/slides-92-tokbind-3.pdf
27. PAGE 27 | GRACE HOPPER CELEBRATION INDIA 17
References
• https://fidoalliance.org/specs/
• https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-uaf-protocol-v1.1-id-20170202.html
• https://www.ietf.org/proceedings/92/slides/slides-92-tokbind-3.pdf
• https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-security-ref-v1.0-ps-20141208.html
• http://zeropasswords.com/pdfs/WHATisWRONG_FIDO.pdf
• https://authportal.uidai.gov.in/static/aadhaar_authentication_api_1_6.pdf
Editor's Notes
If not password, then what?
Challenges in going passwordless?
Universal – Everyone has it
Unique - There are about 30 minutiae in a fingerprint scan obtained by a live fingerprint reader. The US Federal Bureau of Investigation (FBI) has evidenced that no two individuals can have more than 8 common minutiae.
Permanent – There could be minor changes over time, but it is largely permanent
Record once and match later - the recorded value to match later for authentication
FIDO authenticators perform the actual biometric authentication
Private attestation key
Corresponding public key is shared with the FIDO Server out of band (OOB)
First time use - register the biometric with the authenticator
Attestation Key – AAID (Authenticator Attestation ID)
Authentication Key – KeyID
AAID and KeyID Tuple uniquely identifies an authenticator's registration for a relying party
User provides the biometrics to the authenticator
Compared locally with the registered data
Biometric verified => unlock authentication private key
Authn response sent to the FIDO server, signed by the private authentication key and attested with the attestation key
FIDO Server verifies the authentication message using User’s Public key
FIDO Server verifies the authenticator attestation assertions using authenticator’s attestation public certificate.