U2F & UAF Tutorial
How Secure is Authentication?
Figure: recent large credential breaches by date (2014: 1.2bn?; 2013: 397m; Dec. 2013: 145m; Oct. 2013: 130m; May 2013: 22m; April 2013: 50m; March 2013: 50m)
Cloud Authentication
Password Issues
1. Password might be entered into untrusted App / Web-site ("phishing")
2. Password could be stolen from the server
3. Too many passwords to remember → re-use / cart abandonment
4. Inconvenient to type password on phone
OTP Issues
1. OTP vulnerable to real-time MITM and MITB attacks
2. SMS security questionable, especially when the Device is the phone
3. OTP HW tokens are expensive and people don't want another device
4. Inconvenient to type OTP on phone
Implementation Challenge
A Plumbing Problem
Figure: user verification methods reach applications and organizations through separate silos (Silo 1 … Silo N feeding App 1, App 2); a new app raises the question of which silo it has to plug into.
Authentication Needs
Do you want to login?
Do you want to transfer $100 to Frank?
Do you want to ship to a new address?
Do you want to delete all of your emails?
Do you want to share your dental record?
Authentication today:
Ask user for a password
(and perhaps a one time code)
Authentication & Risk Engines
Figure: the server's authentication risk engine combines the purpose of the request, geolocation (from IP address) and further signals with the result of the explicit authentication.
Summary
1. Passwords are insecure and inconvenient, especially on mobile devices
2. Alternative authentication methods are silos and hence don't scale to large-scale user populations
3. The required security level of the authentication depends on the use
4. Risk engines need information about the explicit authentication security to make good decisions
How does FIDO work?
Figure: the user's device (with its authenticator) talks to the relying party.
FIDO Experiences
Columns: online auth request → local user verification → success
• Passwordless experience (UAF standards): transaction detail → show a biometric or PIN → done
• Second factor experience (U2F standards): login & password → insert dongle, press button → done
FIDO Universal 2nd Factor (U2F)
How does FIDO U2F work?
Figure (three builds): the U2F authenticator can verify user presence and answers "Is a user present?"; the relying party asks "Same authenticator as registered before?". The last build asks how the key is protected inside the authenticator.
How does FIDO UAF work?
Figure: the UAF authenticator answers "Same user as enrolled before?" – it can recognize the user (i.e. user verification), but doesn't have an identity proof of the user. The server asks "Same authenticator as registered before?". Identity binding is done outside FIDO: "This is 'John Doe with customer ID X'".
U2F Protocol
• Core idea: Standard public key cryptography:
o User's device mints new key pair, gives public key to server
o Server asks user's device to sign data to verify the user.
o One device, many services, "bring your own device" enabled
• Lots of refinement for this to be consumer facing:
o Privacy: Site specific keys, No unique ID per device
o Security: No phishing, man-in-the-middles
o Trust: Verify who made the device
o Pragmatics: Affordable today, ride hardware cost curve down
o Speed for user: Fast crypto in device (Elliptic Curve)
Think "Smartcard re-designed for modern consumer web"
U2F Registration
Parties: U2F Authenticator – FIDO Client / Browser – Relying Party
1. Relying Party → Browser: AppID, challenge
2. Browser checks the AppID, derives the application parameter a from it and builds the client data fc (challenge, origin, channel id, etc.)
3. Browser → Authenticator: a, fc
4. Authenticator generates a new key pair (key kpub, key kpriv) and a key handle h, and produces s = signature(a, fc, kpub, h) with its attestation key
5. Authenticator → Browser: kpub, h, attestation cert, s
6. Browser → Relying Party: fc, kpub, h, attestation cert, s
7. Relying Party stores key kpub and handle h for the user (session cookie set)
U2F Authentication
1. Relying Party → Browser: handle h, AppID, challenge
2. Browser checks the AppID, derives a, builds fc (challenge, origin, channel id, etc.)
3. Browser → Authenticator: h, a, fc
4. Authenticator retrieves key kpriv from handle h, increments its counter (cntr++) and produces s = signature(a, fc, cntr)
5. Authenticator → Browser: cntr, s
6. Browser → Relying Party: cntr, fc, s
7. Relying Party retrieves key kpub from handle h, checks the signature using kpub and sets the session cookie
User Presence API: Registration
Client data (clientData) as assembled by the browser:
{"typ":"register",
 "challenge":"KSDJsdASAS-AIS_AsS",
 "cid_pubkey":
 {
  "kty":"EC",
  "crv":"P-256",
  "x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8",
  "y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4"
 },
 "origin":"https://accounts.google.com"
}
Web page call (the callback is defined before it is passed):
var callback = function(response) {
  // forward client data and the authenticator's token data to the server
  sendToServer(response['clientData'], response['tokenData']);
};
navigator.handleRegistrationRequest({
  'challenge': 'KSDJsdASAS-AIS_AsS',
  'app_id': 'https://www.google.com/facets.json'
}, callback);
User Presence API: Auth.
Client data (clientData) as assembled by the browser:
{"typ":"authenticate",
 "challenge":"KSDJsdASAS-AIS_AsS",
 "cid_pubkey":
 {
  "kty":"EC",
  "crv":"P-256",
  "x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8",
  "y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4"
 },
 "origin":"https://accounts.google.com"
}
Web page call (the callback is defined before it is passed):
var callback = function(response) {
  // forward client data and the signed token data to the server
  sendToServer(response['clientData'], response['tokenData']);
};
navigator.handleAuthenticationRequest({
  'challenge': 'KSDJsdASAS-AIS_AsS',
  'app_id': 'https://www.google.com/facets.json',
  'key_handle': 'JkjhdsfkjSDFKJ_ld-sadsAJDKLSAD'
}, callback);
Authentication Example (screenshots)
FIDO Universal Authentication Framework (UAF)
How does FIDO UAF work?
Figure (several builds): the UAF authenticator (e.g. backed by a SE) verifies the user locally and proves to the server that it is the same authenticator as registered before.
• Authenticator side: "Same user as enrolled before?" – it can recognize the user (i.e. user verification), but doesn't have an identity proof of the user.
• Server side: "Same authenticator as registered before?"
• Identity binding is done outside FIDO: "This is 'John Doe with customer ID X'".
• What the server needs to know about the authenticator: How is the key protected (TPM, SE, TEE, …)? What user verification method is used?
Attestation & Metadata
FIDO Authenticator → FIDO Server: signed attestation object
FIDO Server: verify it using the trust anchor included in the Metadata; understand the authenticator's security characteristics by looking into the Metadata (and potentially other sources)
UAF Registration
Participants – Device: FIDO Authenticator, FIDO App; Relying Party: Web App, FIDO Server
0. Prepare
1. Legacy authentication + initiate registration (user Pat Johnson, [email protected]; web app prompt: "Link your fingerprint")
2. Registration request + policy (FIDO Server → FIDO App)
3. Authenticator: verify user & generate new key pair (specific to RP web app)
4. Registration response (FIDO App → FIDO Server)
5. Success
Key Registration Data:
• Hash(FinalChallenge)
• AAID
• Public key
• KeyID
• Registration Counter
• Signature Counter
• Signature (attestation key)
FinalChallenge = Hash(AppID | FacetID | tlsData | challenge)
FIDO Building Blocks
FIDO User Device: Browser / App → FIDO Client → ASM → FIDO Authenticator (authentication keys, attestation key)
Relying Party: Web Server (TLS server key) → FIDO Server (cryptographic authentication key reference DB)
The UAF protocol runs between Browser / App and Web Server; the Metadata Service updates the FIDO Server's authenticator metadata & attestation trust store.
AAID & Attestation
• FIDO Authenticator using HW based crypto, based on FP sensor X: AAID 1, Attestation Key 1
• FIDO Authenticator with a pure SW based implementation, based on face recognition alg. Y: AAID 2, Attestation Key 2
AAID: Authenticator Attestation ID (= model name)
Privacy & Attestation
Figure: Bob's FIDO Authenticator (Model A, serial #, using HW based crypto, based on FP sensor X) registers with two relying parties. FIDO Server RP1 learns only "Model A" and FIDO Server RP2 learns only "Model A"; the serial number stays on the device, so there is no unique ID per device for the RPs to correlate.
Facet ID / AppID
UAF Authentication
Participants – Device: FIDO Authenticator, FIDO App; Relying Party: Web App, FIDO Server
0. Prepare
1. Initiate authentication (web app: "Just a sec – our secure payment technology is working its magic.")
2. Authentication request with challenge (FIDO Server → FIDO App)
3. Authenticator: verify user (Pat Johnson, [email protected]) & sign challenge (key specific to RP web app)
4. Authentication response (FIDO App → FIDO Server); the screenshot shows the shipping address Pat Johnson, 650 Castro Street, Mountain View, CA 94041, United States
5. Success (web app: "Payment complete! Return to the merchant's web site to continue shopping")
SignedData:
• SignatureAlg
• Hash(FinalChallenge)
• Authenticator random
• Signature Counter
• Signature
FinalChallenge = Hash(AppID | FacetID | tlsData | challenge)
Transaction Confirmation
Participants – Device: FIDO Authenticator, FIDO Browser or Native App; Relying Party: Web App, FIDO Server
1. Initiate transaction
2. Authentication request + transaction text
3. Authenticator: display text, verify user & unlock private key (specific to user + RP web app)
4. Authentication response + text hash, signed by user's private key
5. FIDO Server: validate response & text hash using user's public key
SignedData:
• SignatureAlg
• Hash(FinalChallenge)
• Authenticator random
• Signature Counter
• Hash(Transaction Text)
• Signature
FinalChallenge = Hash(AppID | FacetID | tlsData | challenge)
The FIDO Authenticator Concept
FIDO Authenticator components:
• Attestation Key: injected at manufacturing, doesn't change
• Authentication Key(s): generated at runtime (on registration)
• User verification / presence
• Optional components: transaction confirmation display
Using Secure Hardware
FIDO Authenticator in SIM Card
• SIM card holds: user verification (PIN), attestation key, authentication key(s)
Client Side Biometrics
• Trusted Execution Environment (TEE) running the FIDO Authenticator as Trusted Application (TA): user verification / presence, attestation key, authentication key(s)
• Biometric reference: store at enrollment, compare at authentication, unlock the key after comparison
Combining TEE and SE
• TEE running the FIDO Authenticator as Trusted Application (TA): user verification / presence, transaction confirmation display (e.g. GlobalPlatform Trusted UI)
• Secure Element: attestation key, authentication key(s)
UAF Specifications
FIDO & Federation
Source: Paul Madsen, FIDO Seminar, May 2014
Complementary
• FIDO
o Insulates authentication server from specific authenticators
o Focused solely on primary authentication
o Does not support attribute sharing
o Can communicate details of authentication to server
• Federation
o Insulates applications from identity providers
o Does not address primary authentication
o Does enable secondary authentication & attribute sharing
o Can communicate details of authentication from IdP to SP
Source: Paul Madsen, FIDO Seminar, May 2014
FIDO & Federation
First mile (FIDO user device ↔ IdP): Browser / App, FIDO Client and FIDO Authenticator run the UAF protocol against the IdP's FIDO Server, which knows details about the authentication strength.
Second mile (IdP ↔ Service Provider): the federation server (with its Id DB) federates the identity to the service provider and knows details about the identity and its verification strength.
FIDO & Federation
Figure (three builds): assurance (low to high) plotted against frequency of login (high to low). Labelled regions: "status quo"; "federation" along the "SSO slide"; "FIDO" with the "No more 'Password123'" bump and the "FIDO Continuum"; and "FIDO + federation".
Source: Paul Madsen, FIDO Seminar, May 2014
FIDO at Industry Event – Readiness
Demonstrated form factors: SIM as Secure Element; fingerprint, TEE, mobile; speaker recognition; mobile via NFC; PIN + MicroSD; USB
FIDO Ready™ Products Shipping today
• OEM enabled: Samsung Galaxy S5 smartphone & Galaxy Tab S tablets
• OEM enabled: Lenovo ThinkPads with fingerprint sensors
• Clients available for these operating systems (logos)
• Software authenticator examples: speaker/face recognition, PIN, QR code, etc.
• Aftermarket hardware authenticator examples: USB fingerprint scanner, MicroSD Secure Element
FIDO is used Today
Conclusion
• Different authentication use-cases lead to different authentication requirements
• Today, we have authentication silos
• FIDO separates user verification from the authentication protocol and hence supports all user verification methods
• FIDO supports scalable security and convenience
• User verification data is known to the Authenticator only
• FIDO complements federation
→ Consider developing or piloting FIDO-based authentication solutions
Dr. Rolf Lindemann, Nok Nok Labs, [email protected]