This document discusses Yubico's implementation of the U2F and FIDO2 authentication protocols. It covers key topics like key generation during registration, signature generation during authentication using an application private key, and the use of attestation certificates to verify the authenticator. Resident keys, PIN support, and extensions are also mentioned as differences between U2F and FIDO2.
W3C - Web Authentication API by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Technical Seminar on July 16th, 2018
W3C - Web Authentication API by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Technical Seminar on July 16th, 2018
WebAuthn - The End of the Password As We Know It?Thomas Konrad
WebAuthn has been around for some time now, and it has quite some potential to shape the future of authentication. In this Meetup, we'll explore how it works and walk through a sample implementation. Questions we'll answer in this Meetup:
- What is WebAuthn?
- How exactly does it work?
- How is WebAuthn better than traditional password authentication?
- How can I implement WebAuthn for my web application?
- Is WebAuthn multi-factor authentication?
- What are the weaknesses and practical pitfalls?
- What about user and public key enumeration?
- Is WebAuthn also usable for computer logins and on smartphones?
- Does it have the potential to superseed password authentication?
OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.
Presented at GSMA Mobile Connect + FIDO Alliance: The Future of Strong Authentication
By: Rolf Lindemann, Senior Director of Technology and Products, Nok Nok Labs
FIDO U2F (Universal Authentication Framework) Specifications: Overview & Tutorial
by Jerrod Chong, Yubico
Explore how FIDO U2F works and how it is used in the world today.
The FIDO Alliance invites you to learn how simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
A tutorial on how the process of writing an application using a browser’s WebAuthn API, plus how to install a server, how to generate authentication challenges & responses, and how to integrate with related IAM infrastructure.
Code: https://github.com/fido-alliance/webauthn-demo
Live slides: http://slides.com/herrjemand/jan-2018-fido-seminar-webauthn-tutorial#/
The Shift from Federated to Decentralized IdentityEvernym
Up until recently, the majority of digital identity systems have been federated, where a small group of “identity providers” supply individuals with a digital identity that can be used to access other websites and services within the federation. Now we’re seeing the shift to decentralized identity solutions and open ecosystems based on verifiable credentials, where anyone can participate, issue, and verify.
In the first of a new series on digital identity and government, we invited leading experts from Accenture and Evernym to discuss the state of digital identity systems within the public sector and the reasons why government interest in decentralized models continues to increase.
We covered:
- The key differences between federated and decentralized identity systems
- An analysis of a few notable government-led projects, such as Aadhaar (India), Verify (UK), eIDAS (EU), and the Ontario Digital Identity Program (Canada)
- What decentralization means for portability, scalability, flexibility, and privacy
- How governments and commercial organizations can enhance existing federated identity systems with verifiable credentials
Introduction to FIDO2 (Korean Language)FIDO Alliance
Introduction to FIDO2 by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Korea Working Group Technical Seminar on July 16th, 2018
Every Android application has its own unique identity, typically inherited from the corporate developer’s identity. In July 2014, the Bluebox Security research team, Bluebox Labs, released the details of a new vulnerability discovered in Android, which allows these identities to be copied and used for nefarious purposes.
Dubbed “Fake ID,” the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.
This year at Black Hat USA, Jeff Forristal, CTO of Bluebox, presented on Fake ID. His presentation explains the technical details of how the vulnerability works.
Watch a demo of the vulnerability here:
http://offers.bluebox.com/resource-video-fakeID-recording.html?aliId=903578
WebAuthn and Security Keys = Unlocking the key to authentication by John Fontana, Yubico on behalf of Christiaan Brand at Google
- Presented at FIDO Seoul Public Seminar on December 5th, 2018
WebAuthn - The End of the Password As We Know It?Thomas Konrad
WebAuthn has been around for some time now, and it has quite some potential to shape the future of authentication. In this Meetup, we'll explore how it works and walk through a sample implementation. Questions we'll answer in this Meetup:
- What is WebAuthn?
- How exactly does it work?
- How is WebAuthn better than traditional password authentication?
- How can I implement WebAuthn for my web application?
- Is WebAuthn multi-factor authentication?
- What are the weaknesses and practical pitfalls?
- What about user and public key enumeration?
- Is WebAuthn also usable for computer logins and on smartphones?
- Does it have the potential to superseed password authentication?
OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.
Presented at GSMA Mobile Connect + FIDO Alliance: The Future of Strong Authentication
By: Rolf Lindemann, Senior Director of Technology and Products, Nok Nok Labs
FIDO U2F (Universal Authentication Framework) Specifications: Overview & Tutorial
by Jerrod Chong, Yubico
Explore how FIDO U2F works and how it is used in the world today.
The FIDO Alliance invites you to learn how simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
A tutorial on how the process of writing an application using a browser’s WebAuthn API, plus how to install a server, how to generate authentication challenges & responses, and how to integrate with related IAM infrastructure.
Code: https://github.com/fido-alliance/webauthn-demo
Live slides: http://slides.com/herrjemand/jan-2018-fido-seminar-webauthn-tutorial#/
The Shift from Federated to Decentralized IdentityEvernym
Up until recently, the majority of digital identity systems have been federated, where a small group of “identity providers” supply individuals with a digital identity that can be used to access other websites and services within the federation. Now we’re seeing the shift to decentralized identity solutions and open ecosystems based on verifiable credentials, where anyone can participate, issue, and verify.
In the first of a new series on digital identity and government, we invited leading experts from Accenture and Evernym to discuss the state of digital identity systems within the public sector and the reasons why government interest in decentralized models continues to increase.
We covered:
- The key differences between federated and decentralized identity systems
- An analysis of a few notable government-led projects, such as Aadhaar (India), Verify (UK), eIDAS (EU), and the Ontario Digital Identity Program (Canada)
- What decentralization means for portability, scalability, flexibility, and privacy
- How governments and commercial organizations can enhance existing federated identity systems with verifiable credentials
Introduction to FIDO2 (Korean Language)FIDO Alliance
Introduction to FIDO2 by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Korea Working Group Technical Seminar on July 16th, 2018
Every Android application has its own unique identity, typically inherited from the corporate developer’s identity. In July 2014, the Bluebox Security research team, Bluebox Labs, released the details of a new vulnerability discovered in Android, which allows these identities to be copied and used for nefarious purposes.
Dubbed “Fake ID,” the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.
This year at Black Hat USA, Jeff Forristal, CTO of Bluebox, presented on Fake ID. His presentation explains the technical details of how the vulnerability works.
Watch a demo of the vulnerability here:
http://offers.bluebox.com/resource-video-fakeID-recording.html?aliId=903578
WebAuthn and Security Keys = Unlocking the key to authentication by John Fontana, Yubico on behalf of Christiaan Brand at Google
- Presented at FIDO Seoul Public Seminar on December 5th, 2018
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
Explore how FIDO UAF works, how to perform FIDO registration, and how FIDO is used in the world today, as well as the process from start to finish of UAF authentication.
From FIDO Alliance Seminar in Washington, D.C., October, 2015.
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)CloudIDSummit
Rajiv Dholakia, Nok Nok Labs
Basics of how FIDO protocols work, how they fit into the broader identity ecosystem, the benefits of the design and the state of implementation/deployment in the market; appropriate for both technical and non-technical individuals, giving orientation before diving into the details of the specific FIDO protocols.
Steam Learn: HTTPS and certificates explainedinovia
You've seen it somewhere, you already know about it, maybe without even knowing it... that's embarrassing, it is. If you don't understand what I'm saying, it doesn't matter, have a look at the presentation and you'll understand how credit card information is secured.
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCloudIDSummit
Rolf Lindemann,
Nok Nok Labs
Introduction to the UAF protocol, which is designed to provide a “passwordless” experience, discussing potential use cases and implementation models, with a real-world example shown via the FIDO client on the Samsung Galaxy S5.
Apache Milagro Presentation at ApacheCon Europe 2016Brian Spector
Apache Milagro (incubating) establishes a new internet security framework purpose-built for cloud-connected app-centric software and IoT devices that require Internet scale. Milagro's purpose is to provide a secure, free, and positive open source alternative to centralised and proprietary monolithic trust providers such as commercial certificate authorities and the certificate backed cryptosystems that rely on them.
Milagro is an open source, pairing-based cryptographic platform that delivers solutions for device and end user authentication, secure communications and fintech / blockchain security; issues challenging Cloud Providers and their customers. It does this without the need for certificate authorities, putting into place a new category of service providers called Distributed Trust Authorities (D-TA®).
Milagro's M-Pin® protocol, and its existing open-source MIRACL® implementation on which MILAGRO is built, is already in use by Experian, NTT, Ingram Micro, and Gov.UK and rolled out to perform at Internet scale for Zero Password® multi-factor authentication and certificate-less HTTPS / secure channel.
What if we could replace passwords with authentication that is stronger and simpler? Web service providers and enterprises worldwide are looking for a solution to move beyond the frustrating user experience and less-than-stellar security of single-factor password authentication systems. Today FIDO is that solution, providing a rich set of specifications and certifications for an emerging and interoperable ecosystem of hardware, mobile and biometrics-based devices. This ecosystem enables enterprises and web service providers to easily deploy strong authentication solutions that reduce password dependencies and provide a superior, simpler and trusted user experience.
- Learn the ins and outs of FIDO’s specifications, including their applicability to both passwordless (UAF) and second factor (U2F) authentication use cases.
- Learn how FIDO separates user verification from authentication along with other details on the FIDO registration and login process.
- Learn how FIDO authentication protects user privacy and prevents phishing and man-in-the-middle attacks.
Multifactor authenticationMultifactor authentication or MFA .docxgilpinleeanna
Multifactor authentication
Multifactor authentication or MFA is a security system that requires more than on method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.
Multifactor authentication combines two or more independent credentials: what the user knows like a password, what the user has the security token and what the user is like biometric verification. The goal of multifactor authentication is to create a layer of defense and make it more difficult for an unauthorized person to access a some like a physical location, network or database, or a computing device. If one of the factor is compromised, an attacker still needs at least one more barrier to breach before successfully breaking into the target.
Multifactor authentication cont…
Typical MFA scenarios include:
Swiping a card and entering a PIN.
Logging into a website and being requested to enter an additional one-time password OTP that the website’s authentication server sends to the requester’s phone, email address, or any other form.
Downloading a VPN client with a valid digital certificate and logging into the VPN before being granted access to a network.
Swiping a card, scanning a fingerprint and answering a security question
Attaching a USB hardware token to a Desktop that generates a one-time passcode and using the one-time passcode to log into a VPN client.
RSA Token/Symantec VIP Access
RSA token or security token is a two-factor authentication technology that is used to protect network resources. The authentication is based on two factors. The two factors are first something you know like your password or pin and the second factor is something you have the authenticator (RSA Token). The code that RSA Token produces changes every 60 seconds as an added form of security.
Symantec VIP Access is a software that protects your online accounts and transactions. The VIP credential provides a dynamic security code that you can use in addition to your user name and password for safe and secure account access. The code that VIP Access produces changes every 30 seconds as an added form of security.
How RSA Token/VIP software work
The way RSA Token and the VIP software work is when a user attempts to access a protected resource, he or she is prompted for a unique code. The code is a combination of their user’s password or pin and the code that is displayed on the authenticator token or VIP application at the time of logging in.
The user ID and pass code are intercepted by the RSA Authentication Agent and presented to the RSA Authentication Manager software which validates the pass code. The RSA SecurID system computes what number the token is supposed to be showing at that moment in time, checks it against what the user entered, and makes the decision to allow or deny access. This is also the case with the VIP software.
Reference
http://www.webopedia.com/TERM/R/rsa_secure_id.html
https://idprote ...
The FIDO Alliance invites you to learn how simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience. From FIDO Alliance Seminar in Tokyo, Japan, November, 2015.
Similar to U2F/FIDO2 implementation of YubiKey (20)
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
Worried about document security while sharing them in Salesforce? Fret no more! Here are the top-notch security standards XfilesPro upholds to ensure strong security for your Salesforce documents while sharing with internal or external people.
To learn more, read the blog: https://www.xfilespro.com/how-does-xfilespro-make-document-sharing-secure-and-seamless-in-salesforce/
Modern design is crucial in today's digital environment, and this is especially true for SharePoint intranets. The design of these digital hubs is critical to user engagement and productivity enhancement. They are the cornerstone of internal collaboration and interaction within enterprises.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Your Digital Assistant.
Making complex approach simple. Straightforward process saves time. No more waiting to connect with people that matter to you. Safety first is not a cliché - Securely protect information in cloud storage to prevent any third party from accessing data.
Would you rather make your visitors feel burdened by making them wait? Or choose VizMan for a stress-free experience? VizMan is an automated visitor management system that works for any industries not limited to factories, societies, government institutes, and warehouses. A new age contactless way of logging information of visitors, employees, packages, and vehicles. VizMan is a digital logbook so it deters unnecessary use of paper or space since there is no requirement of bundles of registers that is left to collect dust in a corner of a room. Visitor’s essential details, helps in scheduling meetings for visitors and employees, and assists in supervising the attendance of the employees. With VizMan, visitors don’t need to wait for hours in long queues. VizMan handles visitors with the value they deserve because we know time is important to you.
Feasible Features
One Subscription, Four Modules – Admin, Employee, Receptionist, and Gatekeeper ensures confidentiality and prevents data from being manipulated
User Friendly – can be easily used on Android, iOS, and Web Interface
Multiple Accessibility – Log in through any device from any place at any time
One app for all industries – a Visitor Management System that works for any organisation.
Stress-free Sign-up
Visitor is registered and checked-in by the Receptionist
Host gets a notification, where they opt to Approve the meeting
Host notifies the Receptionist of the end of the meeting
Visitor is checked-out by the Receptionist
Host enters notes and remarks of the meeting
Customizable Components
Scheduling Meetings – Host can invite visitors for meetings and also approve, reject and reschedule meetings
Single/Bulk invites – Invitations can be sent individually to a visitor or collectively to many visitors
VIP Visitors – Additional security of data for VIP visitors to avoid misuse of information
Courier Management – Keeps a check on deliveries like commodities being delivered in and out of establishments
Alerts & Notifications – Get notified on SMS, email, and application
Parking Management – Manage availability of parking space
Individual log-in – Every user has their own log-in id
Visitor/Meeting Analytics – Evaluate notes and remarks of the meeting stored in the system
Visitor Management System is a secure and user friendly database manager that records, filters, tracks the visitors to your organization.
"Secure Your Premises with VizMan (VMS) – Get It Now"
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Strategies for Successful Data Migration Tools.pptxvarshanayak241
Data migration is a complex but essential task for organizations aiming to modernize their IT infrastructure and leverage new technologies. By understanding common challenges and implementing these strategies, businesses can achieve a successful migration with minimal disruption. Data Migration Tool like Ask On Data play a pivotal role in this journey, offering features that streamline the process, ensure data integrity, and maintain security. With the right approach and tools, organizations can turn the challenge of data migration into an opportunity for growth and innovation.
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
20. Attestation Statement fido-u2f
Attestation Certificate
Credential ID
ECDSAP256
App ID
App ID Challenge
0 0 0 0
Challenge
Client Data
Response
Attestation Secret
Application Public Key
21. Attestation Statement fido-u2f
Credential ID
ECDSAP256
Application Public Key
Credential ID
App ID
Challenge
App ID Challenge
Client Data
0 0 0 0
Response
Application Public Key
Attestation Certificate
Attestation Secret
22. Attestation Statement fido-u2f
Signing by Device Secret
Attestation Certificate
Credential ID
Attestation Signature
Application Private Key Application Public Key
ECDSAP256
Application Public Key
Credential ID
App ID
Challenge
App ID Challenge
Client Data
https://www.w3.org/TR/webauthn/#fido-u2f-attestation
0 0 0 0Attestation Secret
23. Attestation Statement fido-u2f
Signing by Device Secret
Attestation Certificate
Credential ID
Attestation Signature
Application Private Key Application Public Key
ECDSAP256
Application Public Key
Credential ID
App ID
Challenge
App ID Challenge
Client Data
https://www.w3.org/TR/webauthn/#fido-u2f-attestation
0 0 0 0
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 305582463 (0x1236d17f)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Yubico U2F Root CA Serial 457200631
Validity
Not Before: Aug 1 00:00:00 2014 GMT
Not After : Sep 4 00:00:00 2050 GMT
Subject: CN = Yubico U2F EE Serial 23925734103241087
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d3:65:a9:1e:5e:99:e0:d5:b4:39:c0:d9:af:bb:
87:f4:05:8e:47:dd:12:b1:44:ed:b1:4d:2b:33:f8:
d3:5c:15:13:e4:0d:79:f0:f9:99:ab:e2:36:71:95:
93:81:c9:dc:2b:07:85:8b:82:ac:63:47:62:04:cc:
f7:34:d6:ae:21
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
1.3.6.1.4.1.41482.2:
1.3.6.1.4.1.41482.1.5
1.3.6.1.4.1.45724.2.1.1:
...
Signature Algorithm: sha256WithRSAEncryption
22:1b:9b:b3:b2:72:24:f1:3e:be:a3:22:…
SHA1 Fingerprint=5C:5C:14:02:D0:9B:7D:3D:FE:C3:79:3F:C9:E6:33:49:57:81:46:C0
Attestation Secret
Signed by Yubico Root CA
24. Attestation Statement fido-u2f
Signing by Device Secret
Attestation Certificate
Credential ID
Attestation Signature
ECDSAP256
Application Public Key
Credential ID
App ID
Challenge
App ID Challenge
Client Data
0 0 0 0
Attestation Certificate
Response
Attestation Secret
Application Public Key
25. Attestation Statement fido-u2f
Signing by Device Secret
Attestation Certificate
Credential ID
ECDSAP256
Application Public Key
Credential ID
App ID
Challenge
App ID Challenge
Client Data
0 0 0 0
Response
Attestation Secret
Application Public Key
Attestation Signature Attestation Certificate
45. Attestation Secret
Device SecretExtensions
Resident Space Space
Support CTAP2 Extensions
(hmac-secret)
Attestation CertificateAAGUID 0 0 0 0
******
PIN Support
https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#sctn-hmac-secret-extension
46. Resident Key (FIDO2 Spec)
Attestation Certificate
Credential IDApp ID
User Info
Handle
AAGUID 0 0 0 0
Resident Space Space
Extensions Device Secret
Attestation Secret
47. rpId, challengerpId, clientData
CredID, Public key CredID, Public key
AttestationAttestation
Registration
clientData
Check rpId
Generate Key-pair
for rpId
RP
Hash of ClientData
{ type: “webauthn.create”
origin: “example.com”,
challenge: “xxxxxxxxx”,
tokenBinding: { status: …} }
48. rpId, challengerpId, clientData
CredID, Public key CredID, Public key
AttestationAttestation
Registration
clientData
Check rpId
Generate Key-pair
for rpId
User Info,User Info RP
49. rpId, challengerpId, clientData
CredID, Public key CredID, Public key
authenticatorSelection: {
userVerification: “required“,
requireResidentKey: true,
authenticatorAttachment: “cross-platform”
}
AttestationAttestation
Registration
clientData
Check rpId
Generate Key-pair
for rpId
User Info,User Info
CTAP
RP
50. rpId, challengerpId, clientData
CredID, Public key CredID, Public key
authenticatorSelection: {
userVerification: “required“,
requireResidentKey: true,
authenticatorAttachment: “cross-platform”
}
AttestationAttestation
Registration
clientData
Check rpId
Generate Key-pair
for rpId
User Info,User Info
CTAP
RP
51. rpId, challengerpId, clientData
CredID, Public key CredID, Public key
authenticatorSelection: {
userVerification: “required“,
requireResidentKey: true,
authenticatorAttachment: “cross-platform”
}
AttestationAttestation
Registration
clientData
Check rpId
Generate Key-pair
for rpId
User Info,User Info
******
PIN
CTAP
RP
52. rpId, challengerpId, clientData
CredID, Public key CredID, Public key
authenticatorSelection: {
userVerification: “required“,
requireResidentKey: true,
authenticatorAttachment: “cross-platform”
}
AttestationAttestation
Registration
clientData
Check rpId
Generate Key-pair
for rpId
User Info,User Info
rpId
User Info
CredID
******
PIN
CTAP ******
PIN
Store Credential of
www.example.com ?
RP
53. rpId, challengerpId, clientData
CredID, Public key CredID, Public key
authenticatorSelection: {
userVerification: “required“,
requireResidentKey: true,
authenticatorAttachment: “cross-platform”
}
AttestationAttestation
Registration
clientData
Check rpId
Generate Key-pair
for rpId
User Info,User Info
rpId
User Info
CredID
******
PIN
CTAP ******
PIN
Store Credential of
www.example.com ?
RP
54. Registration with Resident Key
Attestation Certificate
App ID Challenge
AAGUID 0 0 0 0
Resident Space Space
Extensions Device Secret
Attestation Secret
User Info WebAuthn spec!
55. Registration with Resident Key
Attestation Certificate
App ID Challenge
AAGUID 0 0 0 0
Resident Space Space
Extensions Device Secret
Attestation Secret
User Info
App ID
Challenge
RNG
Nonce
56. Registration with Resident Key
Attestation Certificate
App ID Challenge
AAGUID 0 0 0 0
Resident Space Space
Extensions Device Secret
Attestation Secret
User Info
Credential ID
Application Public Key
App ID
Challenge
RNG
Nonce
57. Registration with Resident Key
Attestation Certificate
App ID Challenge
AAGUID 0 0 0 0
Resident Space Space
Extensions Device Secret
Attestation Secret
User Info
Credential ID
Application Public Key
Credential ID
App ID User Info
58. Registration with Resident Key
Attestation Certificate
App ID Challenge
AAGUID 0 0 0 0
Resident Space Space
Extensions Device Secret
Attestation Secret
User Info
Credential ID
App ID User Info
必須なのは User Handle のみ
59. Registration with Resident Key
Attestation Certificate
App ID Challenge
AAGUID 0 0 0 0
Resident Space Space
Extensions Device Secret
Attestation Secret
User Info
Credential ID
App ID User Info
必須なのは User Handle のみ
66. rpId, challengerpId, clientData
CredID, sign CredID, clientData
Authentication
CredID
sign
Kpriv
User Info
CredID
******
PIN
User Info
User Info
login
rpId
RP
ユーザ情報が複数ある場合
はリスト表示される
67. rpId, challengerpId, clientData
CredID, sign CredID, clientData
Authentication
CredID
sign
Kpriv
User Info
CredID
******
PIN
user.id
userHandleUser Info
User Info
login
rpId
RP
68. rpId, challengerpId, clientData
CredID, sign CredID, clientData
Authentication
CredID
sign
Kpriv
User Info
CredID
******
PIN
user.id
userHandleUser Info
User Info
login
rpId
RP
userHandle
Kpub
69. Authentication
Attestation Certificate
App ID Challenge
AAGUID 0 0 0 0Extensions Device Secret
Attestation Secret
RP doesn’t send Credential ID
when id-less authentication
Credential ID
Resident Space Space
Credential ID
App ID User Info
70. Authentication
Attestation Certificate
App ID
AAGUID 0 0 0 0Extensions Device Secret
Attestation Secret
Authenticator list credentials for specific
AppID after User Info Verification(or
User Info Presence)
Challenge
Resident Space Space
Credential ID
App ID User Info
******
74. Authenticate
Attestation Certificate
App ID Challenge
AAGUID 0 0 0 0Extensions Device Secret
Attestation Secret
Credential ID Application Private Key
Resident Space Space
Credential ID
App ID User Info
75. Authenticate
Attestation Certificate
App ID Challenge
AAGUID 0 0 0 0Extensions Device Secret
Attestation Secret
Credential ID Application Private Key
Resident Space Space
Credential ID
App ID User Info
76. FIDO2
• Single factor Authentication
Credential Management API Support PublicKey Crypto
• 2nd Factor Authentication
WebAuthn Support both CTAP1 and CTAP2
• Multi-Factor: Passwordless + PIN or Biometric
CTAP2 Support User Info Verification
RP provide AppID and challenge (appID has been verified by client)
YubiKey Generate Random Nonce and calculate HMAC from AppID and Nonce using Device Secret.
Generated HMAC is Application Private Key
Generate public key from private key (ECDSA P-256)
RP provide AppID and challenge (appID has been verified by client)
YubiKey Generate Random Nonce and calculate HMAC from AppID and Nonce using Device Secret.
Generated HMAC is Application Private Key
Generate public key from private key (ECDSA P-256)
RP provide AppID and challenge (appID has been verified by client)
YubiKey Generate Random Nonce and calculate HMAC from AppID and Nonce using Device Secret.
Generated HMAC is Application Private Key
Generate public key from private key (ECDSA P-256)
Calculate HMAC from Application Private Key and Nonce
Concat HMAC and Nonce. It is Credential ID
Calculate HMAC from Application Private Key and Nonce
Concat HMAC and Nonce. It is Credential ID
Calculate HMAC from Application Private Key and Nonce
Concat HMAC and Nonce. It is Credential ID
Calculate HMAC from Application Private Key and Nonce
Concat HMAC and Nonce. It is Credential ID
Credential ID is called “KeyHandle” in U2F protocol
Attestation Statement
FIDO U2F statement is defined in W3C WebAuthentication API
FIDO U2F statement include signature and certificate
YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret
Attestation Certificate (Attestation Certificate) is pair of Device secret.
Attestation Certificate is signed by Yubico Root CA.
Attestation Statement
FIDO U2F statement is defined in W3C WebAuthentication API
FIDO U2F statement include signature and certificate
YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret
Attestation Certificate (Attestation Certificate) is pair of Device secret.
Attestation Certificate is signed by Yubico Root CA.
Attestation Statement
FIDO U2F statement is defined in W3C WebAuthentication API
FIDO U2F statement include signature and certificate
YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret
Attestation Certificate (Attestation Certificate) is pair of Device secret.
Attestation Certificate is signed by Yubico Root CA.
Attestation Statement
FIDO U2F statement is defined in W3C WebAuthentication API
FIDO U2F statement include signature and certificate
YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret
Attestation Certificate (Attestation Certificate) is pair of Device secret.
Attestation Certificate is signed by Yubico Root CA.
Attestation Statement
FIDO U2F statement is defined in W3C WebAuthentication API
FIDO U2F statement include signature and certificate
YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret
Attestation Certificate (Attestation Certificate) is pair of Device secret.
Attestation Certificate is signed by Yubico Root CA.
Attestation Statement
FIDO U2F statement is defined in W3C WebAuthentication API
FIDO U2F statement include signature and certificate
YubiKey sign to App ID, Challenge(ClientData), Credential ID, Application public Key with Device Secret
Attestation Certificate (Attestation Certificate) is pair of Device secret.
Attestation Certificate is signed by Yubico Root CA.
Authentication
Credential ID include Nonce and HMAC
Calculate HMAC from AppID and Nonce using Device Secret. It is Application Private Key
Authentication
Credential ID include Nonce and HMAC
Calculate HMAC from AppID and Nonce using Device Secret. It is Application Private Key
Authentication
Credential ID include Nonce and HMAC
Calculate HMAC from AppID and Nonce using Device Secret. It is Application Private Key
Verify Private Key is generated on this device
Calculate HMAC form Application Private Key and Nonce.
If generated HMAC equals to HMAC from RP, It has been verified the private key was generated on this device.
Verify Private Key is generated on this device
Calculate HMAC form Application Private Key and Nonce.
If generated HMAC equals to HMAC from RP, It has been verified the private key was generated on this device.
Verify Private Key is generated on this device
Calculate HMAC form Application Private Key and Nonce.
If generated HMAC equals to HMAC from RP, It has been verified the private key was generated on this device.
And AppID is correct!
Calculate a
U2F support only UP flag.
UP: User Info Presence
I don’t know about it...
- Resident Key store AppID
- Resident Key store AppID
- Resident Key store AppID
- Resident Key store AppID
- Resident Key store AppID
- Resident Key store AppID
- Resident Key store AppID
- Authenticate
- Authenticate
DEMO
https://youtu.be/XjfR9cVmqJE
Application Private Key can be re-generate from credential ID.
Authenticator return signature and “User Info Handle” which identifier the RP’s User Info.
Application Private Key can be re-generate from credential ID.
Authenticator return signature and “User Info Handle” which identifier the RP’s User Info.