Download as PDF, PPTX
![User Presence API
u2f.register({
‘challenge’: ‘KSDJsdASAS-AIS_AsS’,
‘app_id’: ‘https://www.google.com/facets.json’
}, callback);
callback = function(response) {
sendToServer(
response[‘clientData’],
response[‘tokenData’]);
};](https://image.slidesharecdn.com/u2f-fido-balfanz-16x9-140806083406-phpapp02/85/CIS14-An-Overview-of-FIDO-s-Universal-2nd-Factor-U2F-Specification-17-320.jpg)
![u2f..handleRegistrationRequest({
‘challenge’: ‘KSDJsdASAS-AIS_AsS’,
‘app_id’: ‘https://www.google.com/facets.json’
}, callback);
callback = function(response) {
sendToServer(
response[‘clientData’],
response[‘tokenData’]);
};
User Presence API{
"typ":"register",
"challenge":"KSDJsdASAS-AIS_AsS",
"cid_pubkey": {
"kty":"EC",
"crv":"P-256",
"x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8",
"y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4"
},
"origin":"https://accounts.google.com"
}](https://image.slidesharecdn.com/u2f-fido-balfanz-16x9-140806083406-phpapp02/85/CIS14-An-Overview-of-FIDO-s-Universal-2nd-Factor-U2F-Specification-18-320.jpg)
![User Presence API
u2f.sign({
‘challenge’: ‘KSDJsdASAS-AIS_AsS’,
‘app_id’: ‘https://www.google.com/facets.json’,
‘key_handle’: ‘JkjhdsfkjSDFKJ_ld-sadsAJDKLSAD’
}, callback);
callback = function(response) {
sendToServer(
response[‘clientData’],
response[‘tokenData’]);
};](https://image.slidesharecdn.com/u2f-fido-balfanz-16x9-140806083406-phpapp02/85/CIS14-An-Overview-of-FIDO-s-Universal-2nd-Factor-U2F-Specification-19-320.jpg)
![User Presence API
u2f.sign({
‘challenge’: ‘KSDJsdASAS-AIS_AsS’,
‘app_id’: ‘https://www.google.com/facets.json’,
‘key_handle’: ‘JkjhdsfkjSDFKJ_ld-sadsAJDKLSAD’
}, callback);
callback = function(response) {
sendToServer(
response[‘clientData’],
response[‘tokenData’]);
};
{
"typ":"authenticate",
"challenge":"KSDJsdASAS-AIS_AsS",
"cid_pubkey": {
"kty":"EC",
"crv":"P-256",
"x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8",
"y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4"
},
"origin":"https://accounts.google.com"
}](https://image.slidesharecdn.com/u2f-fido-balfanz-16x9-140806083406-phpapp02/85/CIS14-An-Overview-of-FIDO-s-Universal-2nd-Factor-U2F-Specification-20-320.jpg)
Uploaded byCloudIDSummit
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
The document outlines the Universal 2nd Factor (U2F) authentication protocol developed by Google, emphasizing its security against phishing through the use of a single device for multiple services and unique public key cryptography. It describes how U2F works, including device registration, key generation, and user verification processes. Additionally, it discusses implementation considerations for servers and service providers, as well as future developments in compatibility with various platforms and token types.
More Related Content
Similar to CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
- 1. U2F - Universal2nd Factor Dirk Balfanz (Google)
- 3. password == bearertoken
- 4.
- 5. Today's solution: Onetime codes: SMS or Device SMS USABILITY Coverage Issues - Delay - User Cost DEVICE USABILITY One Per Site - Expensive - Fragile USER EXPERIENCE Users find it hard PHISHABLE German Police re: iTan: ".. we still lose money"
- 6. The U2F solution:How it works ● One device, many services ● Easy: Insert and press button ● Safe: Un-phishable Security
- 7. U2F Protocol Core idea:Standard public key cryptography: ● User's device mints new key pair, gives public key to server ● Server asks user's device to sign data to verify the user. ● One device, many services, "bring your own device" enabled Lots of refinement for this to be consumer facing: ● Privacy: Site Specific Keys, No unique ID per device ● Security: No phishing, man-in-the-middles ● Trust: Verify who made the device ● Pragmatics: Affordable today, ride hardware cost curve down ● Speed for user: Fast crypto in device (Elliptic Curve) Think "Smartcard re-designed for modern consumer web"
- 8.
- 10.
- 11.
- 12. proofThatUserIsThere “I promise auser is here”, “the server challenge was: 337423”, “the origin was: accounts.google.com”, “the TLS connection state was: 342384” Signed
- 13. proofThatUserIsThere “I promise auser is here”, “the server challenge was: 337423”, “the origin was: accounts.google.com”, “the TLS connection state was: 342384” Signed this is where the key is this guy knows the key
- 14. Relying Party FIDO Client 1.Setup 2. Processing 3. Verification
- 15. U2F Token FIDO Client/ Browser Relying Party appid, challenge a; challenge, origin, channel id, etc. c a check app id generate: key kpub key kpriv handle h kpub , h, attestation cert, signature(a,c,kpub ,h) c, kpub , h, attestation cert, s store: key kpub handle h s Registration cookie
- 16. U2F Token FIDO Client/ Browser Relying Party handle,app id, challenge h, a; challenge, origin, channel id, etc. c a check app id retrieve: key kpriv from handle h; counter++ counter, signature(a,c,counter) counter, c, s check: signature using key kpub s h retrieve: key kpub from handle h Authentication set cookie
- 17. User Presence API u2f.register({ ‘challenge’:‘KSDJsdASAS-AIS_AsS’, ‘app_id’: ‘https://www.google.com/facets.json’ }, callback); callback = function(response) { sendToServer( response[‘clientData’], response[‘tokenData’]); };
- 18. u2f..handleRegistrationRequest({ ‘challenge’: ‘KSDJsdASAS-AIS_AsS’, ‘app_id’: ‘https://www.google.com/facets.json’ },callback); callback = function(response) { sendToServer( response[‘clientData’], response[‘tokenData’]); }; User Presence API{ "typ":"register", "challenge":"KSDJsdASAS-AIS_AsS", "cid_pubkey": { "kty":"EC", "crv":"P-256", "x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8", "y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4" }, "origin":"https://accounts.google.com" }
- 19. User Presence API u2f.sign({ ‘challenge’:‘KSDJsdASAS-AIS_AsS’, ‘app_id’: ‘https://www.google.com/facets.json’, ‘key_handle’: ‘JkjhdsfkjSDFKJ_ld-sadsAJDKLSAD’ }, callback); callback = function(response) { sendToServer( response[‘clientData’], response[‘tokenData’]); };
- 20. User Presence API u2f.sign({ ‘challenge’:‘KSDJsdASAS-AIS_AsS’, ‘app_id’: ‘https://www.google.com/facets.json’, ‘key_handle’: ‘JkjhdsfkjSDFKJ_ld-sadsAJDKLSAD’ }, callback); callback = function(response) { sendToServer( response[‘clientData’], response[‘tokenData’]); }; { "typ":"authenticate", "challenge":"KSDJsdASAS-AIS_AsS", "cid_pubkey": { "kty":"EC", "crv":"P-256", "x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8", "y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4" }, "origin":"https://accounts.google.com" }
- 21. What if… ...I wantto accept U2F logins? ● Browser: Call JS APIs ○ (simulated today with browser extension) ● Server: Implement registration flow ○ decide how to handle attestation certificates ○ verify registration response ○ store public key, key handle with user account ● Server: Implement login flow ○ check username/password, look up key handle ○ verify authentication response (origin, signature, counter, …) ● Check your account recovery flow
- 22. What if… ...I wantto offer a USB U2F token? ● Implement ECDSA P-256 ● Implement counter ● Decide on key handle strategy ○ must recover private key, app id ● Implement USB framing spec ● No responses without user presence! ○ (with one exception) ○ check that app id matches
- 23. What if… ...I wantto offer a NFC/BLE/... token? ● Come join FIDO!
- 24. What if… ...I havea different token form factor? ● Come join FIDO!
- 25. Next Steps ● Otherplatforms: browsers on Android, etc. ● Other platforms: native apps on Android, etc. ● Other message framing: BLE, NFC, etc. ● Other plugin mechanisms: ASM
- 26.