
W3C Web Authentication - #idcon vol.24


  1. W3C Web Authentication (a.k.a. FIDO 2.0) @nov
  2. #idcon vol.20 - also known as #fidcon https://idcon.org
  3. Overview (diagram): End-User Device with User Agent (FIDO Client) and FIDO Authenticator; Relying Party with Web Apps and FIDO Server, which consults FIDO Authenticator Metadata.
  4. The basic FIDO flow
     ❖ Two phases: Registration and Authentication
     ❖ Registration
       ❖ A key pair is generated inside the FIDO Authenticator and the public key is registered with the FIDO Server
     ❖ Authentication
       ❖ Local authentication on the FIDO Authenticator that holds the registered key
       ❖ The FIDO Assertion is sent to the FIDO Server for remote authentication
  5-13. Registration (diagram built up over slides 5-13, same components as slide 3): Init Reg. Request (Web Apps to FIDO Server, then the Register Request reaches the User Agent) → Select Authenticator & Authenticate (on the End-User Device) → Key Generation (in the FIDO Authenticator) → Attestation → Reg. Response (back to the Relying Party) → Verify Authenticator (FIDO Server, using the FIDO Authenticator Metadata).
  14-19. Authentication (diagram built up over slides 14-19): Init Auth Request (Web Apps to FIDO Server, then to the User Agent) → Fetch Key (the FIDO Authenticator locates the registered key) → Assertion → Auth Response (back to the Relying Party) → Authenticate (FIDO Server verifies the assertion).
  20. (comparison of two approaches)
     ❖ The Web AuthN spec appears to take it (partly) into account, but there is no implementation yet.
     ❖ Apparently some issues still remain to be solved.
     ❖ Details in Sekimizu-san's talk later.
     ❖ Chrome, Firefox and Edge have already implemented it.
     ❖ There are also signs that WebKit has started an implementation.
     ❖ This talk covers this one.
  21. W3C Web Authentication
  22. https://www.w3.org/TR/webauthn
  23. W3C Web Authentication
     ❖ Scope: Browser, FIDO Authenticator, FIDO Server
     ❖ The FIDO Server side will be covered later by Kurabayashi-kun
     ❖ This talk focuses mainly on the JS API
     ❖ Anyone building a Browser and/or FIDO Authenticator is on their own (!?)
     ❖ The JS API interface is based on the W3C Credential Management API (*1)
     ❖ It additionally defines the Credential Type "public-key"
     (*1) For the Credential Management API see #idcon vol.23
  24. https://web-authn.self-issued.app/u2f.js
  25. https://web-authn.self-issued.app/u2f.js
  26. https://web-authn.self-issued.app/u2f.js
     Note: at present the key to use has to be specified explicitly.
  27. allowCredentials is required = equivalent to U2F (chrome v68.0.3432.3)
  28. open "Google Chrome (dev).app" --args --enable-features=WebAuthenticationCtap2
  29. CTAP2 Authenticators?
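The following is an added example, not part of the slides or of the u2f.js demo linked above: front-end JavaScript around navigator.credentials.create()/get() using the "public-key" credential type that slide 23 describes, the allowCredentials list that slide 27 says Chrome 68 still requires, and the base64url conversions that turn the credential's ArrayBuffer fields into the JSON the relying party's server expects. The function names, the choice of ES256, and the shape of the options the server sends are assumptions of this example.

```javascript
// Added example (not from the slides): the relying-party front end around the
// Credential Management API with the "public-key" credential type.
// Assumes the server hands the browser a base64url challenge, the rpId and,
// for authentication, the base64url credential IDs it registered earlier.

function base64urlToBytes(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob((s + pad).replace(/-/g, '+').replace(/_/g, '/'));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function bytesToBase64url(bytes) {
  const bin = Array.from(new Uint8Array(bytes), (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Registration (slides 5-13): options for navigator.credentials.create().
function buildCreationOptions({ challenge, rpId, rpName, userId, userName }) {
  return {
    publicKey: {
      challenge: base64urlToBytes(challenge),            // server nonce, echoed back in clientDataJSON
      rp: { id: rpId, name: rpName },
      user: { id: base64urlToBytes(userId), name: userName, displayName: userName },
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // -7 = ES256 (COSEAlgorithmIdentifier)
      timeout: 60000,
      attestation: 'direct',                              // ask for the attestation object (slide 31)
    },
  };
}

// Authentication (slides 14-19): options for navigator.credentials.get().
// Slide 27: with Chrome 68 allowCredentials is mandatory, so the RP must
// already know which credential IDs belong to this user (U2F-style flow).
function buildRequestOptions({ challenge, rpId, credentialIds }) {
  if (!credentialIds || credentialIds.length === 0) {
    throw new Error('allowCredentials must list at least one registered credential');
  }
  return {
    publicKey: {
      challenge: base64urlToBytes(challenge),
      rpId,
      allowCredentials: credentialIds.map((id) => ({ type: 'public-key', id: base64urlToBytes(id) })),
      userVerification: 'preferred',
      timeout: 60000,
    },
  };
}

// The PublicKeyCredential the browser returns carries ArrayBuffers; the
// server expects base64url strings (slide 32: clientDataJSON as base64url
// JSON, attestationObject as base64url CBOR). The response is either an
// AuthenticatorAttestationResponse or an AuthenticatorAssertionResponse.
function serializeCredential(cred) {
  const r = cred.response;
  const out = {
    id: cred.id,
    type: cred.type,
    rawId: bytesToBase64url(cred.rawId),
    response: { clientDataJSON: bytesToBase64url(r.clientDataJSON) },
  };
  if (r.attestationObject) out.response.attestationObject = bytesToBase64url(r.attestationObject);
  if (r.authenticatorData) {
    out.response.authenticatorData = bytesToBase64url(r.authenticatorData);
    out.response.signature = bytesToBase64url(r.signature);
    out.response.userHandle = r.userHandle ? bytesToBase64url(r.userHandle) : null;
  }
  return out;
}

// Browser-only entry points (navigator.credentials does not exist in Node.js).
async function register(serverOptions) {
  const cred = await navigator.credentials.create(buildCreationOptions(serverOptions));
  return serializeCredential(cred);
}

async function authenticate(serverOptions) {
  const cred = await navigator.credentials.get(buildRequestOptions(serverOptions));
  return serializeCredential(cred);
}
```

The challenge is decoded from base64url into bytes because the API takes a BufferSource, and the same bytes come back inside clientDataJSON, which is how the server later ties the response to the request it issued. The serialized object is what the server-side parsing on the following slides works on.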
  30. FIDO Attestation & Assertion
  31. FIDO Attestation (Registration Response)
  32. URL-safe Base64 encoded JSON / URL-safe Base64 encoded CBOR object
     Note: CBOR will be covered by @ritou.
  33. Decoded Attestation Object
  34. authData contains:
     rpIdHash (32 bytes): SHA-256 hash of the RP ID associated with the credential.
     flags (1 byte): Flags (bit 0 is the least significant bit):
       Bit 0: User Present (UP) result.
       Bit 1: Reserved for future use (RFU1).
       Bit 2: User Verified (UV) result.
       Bits 3-5: Reserved for future use (RFU2).
       Bit 6: Attested credential data included (AT).
       Bit 7: Extension data included (ED).
     signCount (4 bytes): Signature counter, 32-bit unsigned big-endian integer.
     attestedCredentialData (variable, if present): Attested credential data. See §6.3.1 Attested credential data for details. Its length depends on the length of the credential ID and credential public key being attested.
     extensions (variable, if present): Extension-defined authenticator data. This is a CBOR [RFC7049] map with extension identifiers as keys and authenticator extension outputs as values. See §9 WebAuthn Extensions for details.
  35. attestedCredentialData contains:
     aaguid (16 bytes): The AAGUID of the authenticator.
     credentialIdLength (2 bytes): Byte length L of the Credential ID, 16-bit unsigned big-endian integer.
     credentialId (L bytes): Credential ID.
     credentialPublicKey (variable): The credential public key encoded in COSE_Key format, as defined in Section 7 of [RFC8152], using the CTAP2 canonical CBOR encoding form. The COSE_Key-encoded credential public key MUST contain the optional "alg" parameter and MUST NOT contain any other optional parameters. The "alg" parameter MUST contain a COSEAlgorithmIdentifier value. The encoded credential public key MUST also contain any additional required parameters stipulated by the relevant key type specification, i.e., required for the key type "kty" and algorithm "alg" (see Section 8 of [RFC8152]).
  36. Credential Public Key
     Note: in practice this is in COSE Key format.
  37. Decoded Client Data JSON
  38. FIDO Assertion (Authentication Response)
  39. Decoded Client Data JSON
  40. authData contains the same fields as on slide 34: rpIdHash (32 bytes), flags (1 byte: UP, RFU1, UV, RFU2, AT, ED), signCount (4 bytes, 32-bit unsigned big-endian), attestedCredentialData (variable, if present) and extensions (variable, if present; CBOR map, see §9 WebAuthn Extensions).
  41. Android OS as FIDO Authenticator
  42. What's new in Android security (Google I/O '18)
  43. iOS as FIDO Authenticator?
  44. https://github.com/WebKit/webkit/blob/master/Source/WebCore/Modules/webauthn/cocoa/LocalAuthenticator.mm
