Inside YubiKey's U2F and FIDO2 implementation
U2F/FIDO2 implementation of YubiKey
Wataru Haniyama
@watahani
3 years ago…
I worked at a bookstore
I'm going to get into the nerdy details
https://developers.yubico.com/U2F/Protocol_details/Key_generation.html
Implementation of U2F Host Library
It's interesting to look at FIDO2 overall
from U2F (^^)/
Today I talk about U2F
and FIDO2
using publicKey
CTAP1 Security Points
Check App ID in
Authenticator, Client, Server
Make a Private Key for Each Application
Yubico’s Implementation U2F
https://developers.yubico.com/U2F/Protocol_details/Key_generation.html
Registration
[Diagram: message flow with the RP. Message labels: "rpId, challenge"; "rpId, clientData" (hash of ClientData); "CredID, Public key"; "Attestation". Steps shown: check rpId; generate key pair for rpId.]
ClientData:
{ type: "webauthn.create",
  origin: "example.com",
  challenge: "xxxxxxxxx",
  tokenBinding: { status: … } }
Registration: Generate Random Nonce, Generate Application Private Key
[Diagram, shown in three builds: the RNG generates a random Nonce. App ID and Nonce are fed to HMAC, keyed with the Device Secret; the output is the Application Private Key, from which the Application Public Key is derived (ECDSA P-256). Also shown: App ID, Challenge, 0 0 0 0, Response, Attestation Certificate, Attestation Secret.]
https://developers.yubico.com/U2F/Protocol_details/Key_generation.html
Yubico's Implementation U2F: Generate Credential ID
[Diagram, shown in five builds: HMAC over the Application Private Key and the Nonce produces a MAC ("HASH MAC"); the MAC together with the Nonce forms the Credential ID. Also shown: App ID, Challenge, 0 0 0 0, Response, Device Secret, Application Public Key.]
In the U2F protocol the Credential ID is called the KeyHandle.
Attestation Statement fido-u2f
Signing by Device Secret
[Diagram, shown in five builds: an ECDSA P-256 signature is computed over App ID, Challenge (Client Data), Credential ID and Application Public Key, giving the Attestation Signature, shown together with the Attestation Certificate. Also shown: Application Private Key, 0 0 0 0, Response, Attestation Secret.]
https://www.w3.org/TR/webauthn/#fido-u2f-attestation
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 305582463 (0x1236d17f)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Yubico U2F Root CA Serial 457200631
        Validity
            Not Before: Aug 1 00:00:00 2014 GMT
            Not After : Sep 4 00:00:00 2050 GMT
        Subject: CN = Yubico U2F EE Serial 23925734103241087
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d3:65:a9:1e:5e:99:e0:d5:b4:39:c0:d9:af:bb:
                    87:f4:05:8e:47:dd:12:b1:44:ed:b1:4d:2b:33:f8:
                    d3:5c:15:13:e4:0d:79:f0:f9:99:ab:e2:36:71:95:
                    93:81:c9:dc:2b:07:85:8b:82:ac:63:47:62:04:cc:
                    f7:34:d6:ae:21
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            1.3.6.1.4.1.41482.2:
                1.3.6.1.4.1.41482.1.5
            1.3.6.1.4.1.45724.2.1.1:
                ...
    Signature Algorithm: sha256WithRSAEncryption
         22:1b:9b:b3:b2:72:24:f1:3e:be:a3:22:…
SHA1 Fingerprint=5C:5C:14:02:D0:9B:7D:3D:FE:C3:79:3F:C9:E6:33:49:57:81:46:C0
Attestation Secret
Signed by Yubico Root CA
Attestation Statement fido-u2f
Signing by Device Secret
[Diagram, final two builds: the Attestation Signature and the Attestation Certificate are placed in the Response next to the Application Public Key. Also shown: Credential ID, ECDSA P-256, App ID, Challenge (Client Data), 0 0 0 0, Attestation Secret.]
Authentication
[Diagram: message flow with the RP. Message labels: "rpId, challenge, CredID"; "rpId, clientData" (hash of ClientData); "CredID, sign"; "CredID, clientData". Steps shown: CredID is used to sign with Kpriv.]
ClientData:
{ type: "webauthn.get",
  origin: "example.com",
  challenge: "xxxxxxxxx",
  tokenBinding: { status: … } }
Authentication: re-generate private key
Generate Private Key from Credential ID
[Diagram, shown in three builds: the Credential ID contains the MAC ("HASH MAC") and the Nonce. HMAC over App ID and Nonce, keyed with the Device Secret, re-generates the Application Private Key. Also shown: Challenge, 0 0 0 0, Attestation Certificate, Attestation Secret.]
Authentication: verify private key
Check HMAC
[Diagram, shown in three builds: HMAC over the re-generated Application Private Key and the Nonce gives a MAC, which is checked against the MAC from the Credential ID. Also shown: App ID, Challenge, 0 0 0 0, Device Secret, Attestation Certificate, Attestation Secret.]
Authentication: signature
[Diagram, shown in five builds: ECDSA with the Application Private Key. Inputs shown: App ID, Challenge, 0 0 0 1, and 0 0 0 0 0 0 0 1 (UP). Output: Signature, shown with 0 0 0 1. Also shown: Credential ID, Attestation Certificate, Attestation Secret.]
using publicKey
Credential ID
What's the difference?
New Security Key (FIDO2 Spec)
[Diagram, shown in several builds: the security key now contains Extensions, Resident Space, AAGUID, PIN (******), Attestation Certificate, 0 0 0 0, Device Secret and Attestation Secret. Each build highlights one item:]
• PIN Support
• Resident Key
• AAGUID
• Support CTAP2 Extensions (hmac-secret)
https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#sctn-hmac-secret-extension
Resident Key (FIDO2 Spec)
[Diagram: the Resident Space holds Credential ID, App ID and User Info (Handle).]
Registration
[Diagram, shown in several builds: the registration flow with the RP again. Message labels: "rpId, challenge"; "rpId, clientData" (hash of ClientData); "CredID, Public key"; "Attestation". Steps shown: check rpId; generate key pair for rpId. ClientData: { type: "webauthn.create", origin: "example.com", challenge: "xxxxxxxxx", tokenBinding: { status: … } }. New in these builds: User Info is sent along, the link to the authenticator is labelled CTAP, and the request carries:]
authenticatorSelection: {
  userVerification: "required",
  requireResidentKey: true,
  authenticatorAttachment: "cross-platform"
}
[Later builds: PIN entry (******); prompt "Store Credential of www.example.com ?"; rpId, User Info and CredID are stored.]
Registration with Resident Key
[Diagram, shown in six builds: the security key with Attestation Certificate, AAGUID, 0 0 0 0, Resident Space, Extensions, Device Secret and Attestation Secret. User Info is annotated "WebAuthn spec!". Inputs: App ID, Challenge, User Info. The RNG generates the Nonce; the Credential ID and Application Public Key are produced; Credential ID, App ID and User Info are stored in the Resident Space.]
Only the User Handle is required.
Authentication
[Diagram: message flow with the RP. Message labels: "rpId, challenge, CredID"; "rpId, clientData"; "CredID, sign"; "CredID, clientData". Hash of { origin: "example.com", challenge: "xxxxxxxxx" }. Steps shown: check rpId; CredID is used to sign with Kpriv.]
Resident Key, PIN Support
[Diagram: the authenticator holds rpId, User Info and CredID and is protected by a PIN (******). The CredID in "rpId, challenge, CredID" is marked Optional: leave it empty. The authenticator then receives only "rpId, clientData".]
[Later builds: the link to the authenticator is labelled CTAP; PIN entry (******); User Info is returned; login.]
If there are multiple user entries, they are shown as a list.
[Final builds: user.id is returned as userHandle; the RP is shown with userHandle and Kpub.]
Authentication
The RP doesn't send a Credential ID for ID-less authentication.
The authenticator lists the credentials for the specific App ID after User Verification (or User Presence).
Origin-bound stored credentials
[Diagram: the security key with Attestation Certificate, AAGUID, 0 0 0 0, Extensions, Device Secret, Attestation Secret and PIN (******). Inputs: App ID, Challenge. The Resident Space holds Credential ID, App ID and User Info.]
Authenticate
[Diagram, shown in two builds: the stored Credential ID leads to the Application Private Key.]
FIDO2
• Single-factor authentication: Credential Management API supports public-key crypto
• 2nd-factor authentication: WebAuthn supports both CTAP1 and CTAP2
• Multi-factor (passwordless + PIN or biometric): CTAP2 supports User Verification
Thank you


Editor's Notes

  • #12–#14 The RP provides the App ID and challenge (the App ID has been verified by the client). The YubiKey generates a random Nonce and calculates an HMAC from the App ID and Nonce using the Device Secret. The generated HMAC is the Application Private Key. The public key is generated from the private key (ECDSA P-256).
  • #15–#18 Calculate an HMAC from the Application Private Key and the Nonce. Concatenate the HMAC and the Nonce. The result is the Credential ID.
  • #19 The Credential ID is called "KeyHandle" in the U2F protocol.
  • #21–#26 Attestation Statement. The FIDO U2F statement is defined in the W3C Web Authentication API. The FIDO U2F statement includes a signature and a certificate. The YubiKey signs the App ID, Challenge (ClientData), Credential ID and Application Public Key with the Device Secret. The Attestation Certificate is the pair of the Device Secret. The Attestation Certificate is signed by the Yubico Root CA.
  • #28–#30 Authentication. The Credential ID includes the Nonce and the HMAC. Calculate an HMAC from the App ID and Nonce using the Device Secret. The result is the Application Private Key.
  • #31–#33 Verify that the private key was generated on this device. Calculate an HMAC from the Application Private Key and the Nonce. If the generated HMAC equals the HMAC from the RP, it has been verified that the private key was generated on this device. And the App ID is correct!
  • #35 Calculate a
  • #36 U2F supports only the UP flag. UP: User Presence
  • #46 I don’t know about it...
  • #47, #55–#60 The Resident Key stores the App ID
  • #70–#71 Authenticate
  • #72 DEMO https://youtu.be/XjfR9cVmqJE
  • #75–#76 The Application Private Key can be re-generated from the Credential ID. The authenticator returns the signature and the "User Handle", which identifies the RP's user.
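
The stateless key wrapping described in notes #12 to #18 (registration) and #28 to #33 (authentication), as an added Python sketch; it is not Yubico's code and not part of the original slides. Assumptions: HMAC-SHA256 throughout, a 32-byte nonce, the App ID passed as its SHA-256 hash, the credential MAC keyed with the Device Secret, and the byte order of the concatenations; deriving the P-256 public key from the private scalar is left out.

```python
import hashlib
import hmac
import secrets

# Order n of the NIST P-256 group; a usable private scalar d satisfies 0 < d < n.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
NONCE_LEN = 32  # assumption: the slides do not state the nonce length
MAC_LEN = 32    # HMAC-SHA256 output size


class InvalidCredential(Exception):
    """The Credential ID was not issued by this device for this App ID."""


def _derive_private_key(device_secret: bytes, app_id_hash: bytes, nonce: bytes) -> bytes:
    # Notes #12-#14: HMAC over App ID and Nonce, keyed with the Device Secret.
    return hmac.new(device_secret, app_id_hash + nonce, hashlib.sha256).digest()


def _credential_mac(device_secret: bytes, private_key: bytes, nonce: bytes) -> bytes:
    # Notes #15-#18: HMAC over Application Private Key and Nonce.
    # Assumption: this MAC is keyed with the Device Secret as well.
    return hmac.new(device_secret, private_key + nonce, hashlib.sha256).digest()


def register(device_secret: bytes, app_id_hash: bytes) -> tuple[bytes, bytes]:
    """Return (credential_id, private_key); nothing is stored on the device."""
    while True:
        nonce = secrets.token_bytes(NONCE_LEN)
        private_key = _derive_private_key(device_secret, app_id_hash, nonce)
        # Retry in the (astronomically rare) case the HMAC output is not a
        # valid P-256 scalar.
        if 0 < int.from_bytes(private_key, "big") < P256_ORDER:
            break
    credential_id = _credential_mac(device_secret, private_key, nonce) + nonce
    return credential_id, private_key


def authenticate(device_secret: bytes, app_id_hash: bytes, credential_id: bytes) -> bytes:
    """Re-generate the private key from a Credential ID and verify its MAC."""
    if len(credential_id) != MAC_LEN + NONCE_LEN:
        raise InvalidCredential("unexpected Credential ID length")
    mac, nonce = credential_id[:MAC_LEN], credential_id[MAC_LEN:]
    # Notes #28-#30: same derivation as at registration.
    private_key = _derive_private_key(device_secret, app_id_hash, nonce)
    # Notes #31-#33: a wrong device or a wrong App ID derives a different key,
    # so the recomputed MAC no longer matches. Compare in constant time.
    expected = _credential_mac(device_secret, private_key, nonce)
    if not hmac.compare_digest(mac, expected):
        raise InvalidCredential("MAC mismatch: wrong device or wrong App ID")
    return private_key


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    device_secret = secrets.token_bytes(32)
    app_id_hash = hashlib.sha256(b"https://example.com").digest()
    phishing_hash = hashlib.sha256(b"https://examp1e.com").digest()

    credential_id, private_key = register(device_secret, app_id_hash)
    assert authenticate(device_secret, app_id_hash, credential_id) == private_key
    try:
        authenticate(device_secret, phishing_hash, credential_id)
    except InvalidCredential as exc:
        print("rejected for other App ID:", exc)
```

Because the MAC check fails for any App ID other than the one used at registration, a Credential ID replayed by a look-alike origin is rejected before any signature is produced.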