New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
Page 1: New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin

All Rights Reserved. FIDO Alliance. Copyright 2016

NEW FIDO SPECIFICATIONS OVERVIEW - STRONG WEB AUTHENTICATION - 12/8/2016

Anthony J Nadalin
Chief Security Architect, Microsoft
FIDO 2.0 TWG Co-Chair

Page 2:

FIDO for platforms in ubiquitous environments

Page 3:

What is missing in FIDO today...

• Universal distribution of the FIDO technology
• Ideally, every major platform delivers the FIDO API and technology
  • Web platforms, OS platforms

Page 4:

How will platform support help?

• Accelerate mass FIDO adoption
• For RPs: it is available on all devices, so there is an incentive to adopt
  • A PC may have an embedded authenticator (TPM)
• For authenticator vendors: RPs are adopting, so all devices want authenticators
• Think way back to TCP/IP: it took off when Win95/MacOS integrated it, and compatible browsers appeared on all platforms

Page 5:

So what is FIDO doing NOW?

• Crafting standards which in future will come built in to all platforms.
• The web platform is special, and the future API needs to be standardized in W3C, hence the FIDO liaison with W3C.
• The Web API is the first one we standardize; we use it to drive the other platform-specific (native) APIs.

Page 6:

Goals: Support for Major Platforms (Browsers, OSs)

[Diagram: Web Authentication Server on one side, Web Authentication Clients/Authenticators on the other]
• Browsers: Chrome, IE/Edge, Firefox, Safari, etc.
• OSs: Windows, Android, MacOS, iOS, etc.

Page 7:

Specifications

Web Platform API specs (abstract API calls (in/out) and messages):
• Web API
• Key Attestation Format
• Signature Format
These are submitted to W3C, the international standards organization for the World Wide Web.

Client to Authenticator Protocol (communication between client and external authenticator):
• CTAP (Client to Authenticator Protocol)

*API: Application Programming Interface

Page 8:

Overview

[Diagram: User Device containing the OS/Browser (FIDO Client), the OS Platform API and the Authenticator(s); RP Server containing the RP App and the FIDO Server. Labeled interfaces: the W3C Web API between RP App and FIDO Client, the Client to Authenticator Protocol between FIDO Client and Authenticator, and the Formats (Signature, Key Attestation) consumed by the FIDO Server.]

*RP: Relying Party

Page 9:

Web API for Accessing FIDO 2.0 Technology

Specifies an API that enables web pages to access FIDO 2.0 compliant strong cryptographic technology through JavaScript.

[Diagram: User, Browser, Authenticator, Server]
(1) Service request
(2) Authentication request; JavaScript calls the credential API
(3) Request for cryptographic operation
(4) User gesture allows cryptographic operations
(5) Response with cryptographic proof

Scoped Credential: the information required for authentication (the private key), used instead of a password.

Page 10:

Use Case for Web API (1): Registration of authenticator

[Diagram: User, Browser, Authenticator (holds the private key), Server (holds the public key)]
(1) Service request
(2) Registration request; JavaScript calls the credential API
(3) Request for Scoped Credential creation
(4) Scoped Credential creation. User gesture: "Do you want to register this device (authenticator) with the server?" - authorize creating a key pair
(5) Response with Scoped Credential information (public key, attestation, client data (with signature), etc.)

Page 11:

Use Case for Web API (2): Authentication using registered authenticator

[Diagram: User, Browser, Authenticator (holds the private key), Server (holds the public key)]
(1) Service request
(2) Authentication request; JavaScript calls the credential API
(3) Request for authentication
(4) Credential discovery. User gesture: "Do you want to authenticate using this device (authenticator)?" - authorize using an existing credential
(5) Response with assertion (signed challenge + other data)

Page 12:

Browser Responsibilities
• Compose messages for operations
• Provide origin and RP IDs
• Compute client data hashes
• Process extensions
• Provide UI for authenticators that lack the ability
• Error handling / housekeeping

Page 13:

Authenticator Responsibilities
• Perform operations
• Obtain user gesture if needed: consent button, password, PIN, a biometric...
• Process extensions
  • e.g. show and sign message for transaction auth
• Provide Attestation(s)

Page 14:

API Details
• makeCredential: key generation with attestation
  • used to register a new key pair with the RP
• getAssertion: authentication
  • mixes in state like facet ID, token-binding ID
  • also: key discovery (for "typeless" authentication)

Page 15:

Key Attestation Format
• Defines generic data structures that cover the semantics of the various FIDO authenticator attestation formats.
• The authenticator asserts the trust of a private key that it maintains.
• Provides profiles such as TPM, Android, etc.

Page 16:

Signature Format
• Proves possession of a private key of a FIDO 2.0 credential and asserts contextual information about the client and authenticator that generated it.
• Client data allows other information to be bound to the signature.

Page 17:

High Level Operations

Page 18:

High Level Operations

Page 19:

Web Authentication API Example

```javascript
// Capability check. The slide shows only the comment and the closing brace;
// the condition is reconstructed from the call to window.webauthnAPI below.
if (!window.webauthnAPI) { /* Verify platform is capable. Handle error if not. */ }

var userAccountInformation = {
  rpDisplayName: "Acme",
  displayName: "John P. Smith",
  name: "[email protected]", // e-mail address redacted by the hosting page
  id: "1098237235409872",
  imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
};

// Accept an ES256 or an RS256 credential, in order of preference.
var cryptoParams = [
  { type: "ScopedCred", algorithm: "ES256" },
  { type: "ScopedCred", algorithm: "RS256" }
];

var challenge = "Y2xpbWIgYSBtb3VudGFpbg"; // server-issued, base64url; must be fresh per request
var timeoutSeconds = 300; // 5 minutes
var blacklist = []; // No blacklist
var extensions = {}; // No extensions

// Note: The following call will cause the authenticator to display UI.
window.webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge,
                                  timeoutSeconds, blacklist, extensions)
  .then(function (newCredentialInfo) {
    // Send new credential info to server for verification and registration.
  })
  .catch(function (err) {
    // No acceptable authenticator or user refused consent. Handle appropriately.
  });
```

This is the API of the September 2016 working draft cited on the references slide. The API that shipped in browsers is navigator.credentials.create({ publicKey: ... }) for registration and navigator.credentials.get({ publicKey: ... }) for authentication, with the credential type "public-key" in place of "ScopedCred" and COSE algorithm identifiers in place of the algorithm name strings, so the names above are not what current browsers expose.

Page 20:

Browser Operations

Page 21:

Authenticator Operations

Page 22:

Authenticator Operations

Page 23:

CTAP (Client to Authenticator Protocol)

• Describes an application layer protocol for communication between an external authenticator and another client/platform.
• Can be run over a variety of transport protocols using different physical media.

[Diagram: User; User device with browser (JavaScript calls for credential); External Authenticator holding the private key, located outside of the user device]
(3) Request for cryptographic operation, browser to external authenticator over a transport binding for USB/BLE/NFC
(4) Credential creation/discovery on the external authenticator

Page 24:

Use Case for CTAP

Example: Authentication for an application on a PC using a smartphone

[Diagram: User; Smartphone (external authenticator, holds the private key) connected over BLE to the PC (client); the PC performs FIDO Authentication against the Server (holds the public key)]

The user can choose an external authenticator that is used to authenticate them for applications running on their multiple clients across devices.

Page 25:

Current Timeline
• W3C Web Authentication Specification: Candidate Recommendation 1Q2017
• FIDO Client to Authenticator Protocol: Implementation draft 1Q2017

Page 26:

Summary
• FIDO authentication
  • Authenticators are pluggable, using public key cryptography.
  • FIDO 1.X deployments have enabled the FIDO ecosystem in the market.
• FIDO 2.0: for platforms (Web Platform and OS Platforms) natively supporting FIDO
  • Web Platform APIs: submitted to W3C
  • CTAP enables client authentication using an external authenticator.

FIDO continues to expand its ecosystem to support authentication in ubiquitous computing with FIDO 2.0.

Page 27:

Specification References
• W3C Web Authentication Specification, Latest Draft: http://www.w3.org/TR/2016/WD-webauthn-20160902/
• FIDO Client to Authenticator Protocol: https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.pdf

Page 28:

Thank you for your attention!

Page 29:

Acknowledgement
• Thanks to FIDO Alliance members, especially FIDO 2.0 Technology Working Group members.
• Thanks to W3C for the collaboration.
• Thanks to Dr. Gomi and his presentation for FIDO Tokyo Seminar 2015.

Page 30:

Page 31:

Please Silence All Electronic Devices