All Rights Reserved. FIDO Alliance. Copyright 2016
NEW FIDO SPECIFICATIONS OVERVIEW - STRONG WEB AUTHENTICATION - 12/8/2016
Anthony J Nadalin
Chief Security Architect, Microsoft; FIDO 2.0 TWG Co-Chair
FIDO for platforms in ubiquitous environments
What is missing in FIDO today...
• Universal distribution of the FIDO technology
• Ideally
  • Every major platform delivers the FIDO API and technology
  • Web platforms, OS platforms
How will platform support help?
• Accelerate mass FIDO adoption
• For RPs
  • It's available on all devices, so there is an incentive to adopt
  • A PC may have an embedded authenticator (TPM)
• For the authenticator vendors
  • RPs are adopting, all devices want authenticators
• Think way back to TCP/IP
  • Took off when Win95/MacOS integrated it
  • Compatible browsers appeared on all platforms
So what is FIDO doing NOW?
• Crafting standards which in the future will come built in to all platforms.
• The web platform is special, and the future API needs to be standardized in W3C, hence the FIDO liaison with W3C.
• The Web API is the first one we standardize; we use it to drive the other platform-specific (native) APIs.
Goals: Support for Major Platforms (Browsers, OSs)
(Figure: Web Authentication Server on one side, Web Authentication Clients/Authenticators on the other)
• Browsers: Chrome, IE/Edge, Firefox, Safari, etc.
• OSs: Windows, Android, MacOS, iOS, etc.
Specifications
• Web API
• Key Attestation Format
• Signature Format
These are submitted to W3C, the international standards organization for the World Wide Web.
• CTAP (Client to Authenticator Protocol)

Web Platform API specs: abstract API calls (in/out) and messages
Client to Authenticator Protocol: communication between client and external authenticator
*API: Application Programming Interface
Overview
(Architecture diagram) User Device: RP App, OS/Browser (FIDO Client), and Authenticators reached through the OS Platform API. RP Server: FIDO Server. The W3C Web API sits between the RP App and the FIDO Client; the Client to Authenticator Protocol sits between the FIDO Client and an external Authenticator; the Formats (Signature, Key Attestation) define what the Server verifies.
*RP: Relying Party
Web API for Accessing FIDO 2.0 Technology
Specifies an API that enables web pages to access FIDO 2.0 compliant strong cryptographic technology through JavaScript.
(Flow diagram: User, Browser, Authenticator, Server)
(1) service request
(2) authentication request; JavaScript calls credential API
(3) Request for cryptographic operation
(4) User gesture allows cryptographic operations
(5) Response with cryptographic proof
Scoped Credential: the information required for authentication (private key), used instead of a password
Use Case for Web API (1): Registration of authenticator
(Flow diagram: User, Browser, Authenticator (holds private key), Server (holds public key))
(1) service request
(2) registration request; JavaScript calls credential API
(3) Request for Scoped Credential creation
(4) Scoped Credential creation: "Do you want to register this device (authenticator) with server?" - User gesture - Authorize creating a key pair
(5) Response with Scoped Credential information (public key, attestation, client data (with signature), etc.)
Use Case for Web API (2): Authentication using registered authenticator
(Flow diagram: User, Browser, Authenticator (holds private key), Server (holds public key))
(1) service request
(2) authentication request; JavaScript calls credential API
(3) Request for authentication
(4) Credential discovery (private key): "Do you want to authenticate using this device (authenticator)?" - User gesture - Authorize using an existing credential
(5) Response with assertion (signed challenge + other data)
Browser Responsibilities
• Compose messages for operations
• Provide origin and RP IDs
• Compute client data hashes
• Process extensions
• Provide UI for authenticators that lack the ability
• Error handling / housekeeping
Authenticator Responsibilities
• Perform operations
• Obtain user gesture if needed: consent button, password, PIN, a biometric...
• Process extensions
  • e.g. show and sign message for transaction auth
• Provide Attestation(s)
API Details
• makeCredential: key generation with attestation
  • used to register a new keypair with the RP
• getAssertion: authentication
  • mixes in state like facet id, token-binding id
  • also: key discovery (for "typeless" authentication)
Key Attestation Format
• Defines generic data structures that cover the semantics of the various FIDO authenticator attestation formats.
• The authenticator asserts the trustworthiness of a private key that it maintains.
• Provides profiles such as TPM, Android, etc.
Signature Format
• Proves possession of a private key of a FIDO 2.0 credential and asserts contextual information about the client and authenticator that generated it.
• Client data allows other information to be bound to the signature.
High Level Operations
Web Authentication API Example

    /* Verify platform is capable. Handle error if not. */
    var userAccountInformation = {
      rpDisplayName: "Acme",
      displayName: "John P. Smith",
      name: "[email protected]",
      id: "1098237235409872",
      imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
    };
    var cryptoParams = [{ type: "ScopedCred", algorithm: "ES256" },
                        { type: "ScopedCred", algorithm: "RS256" }];
    var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
    var timeoutSeconds = 300; // 5 minutes
    var blacklist = [];       // No blacklist
    var extensions = {};      // No extensions
    // Note: The following call will cause the authenticator to display UI.
    window.webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge,
                                      timeoutSeconds, blacklist, extensions)
      .then(function (newCredentialInfo) {
        // Send new credential info to server for verification and registration.
      })
      .catch(function (err) {
        // No acceptable authenticator or user refused consent. Handle appropriately.
      });
Browser Operations
Authenticator Operations
Authenticator Operations
CTAP (Client to Authenticator Protocol)
• Describes an application layer protocol for communication between an external authenticator and another client/platform.
• Can be run over a variety of transport protocols using different physical media.
(Flow diagram: User, User device running the browser, External Authenticator located outside of the user device and holding the private key)
JavaScript calls for credential
(3) Request for cryptographic operation
(4) credential creation/discovery
Transport binding for USB/BLE/NFC
Use Case for CTAP
Example) Authentication for an application on a PC using a smartphone
(Diagram: Server (public key) - FIDO Authentication - PC (Client) - BLE - Smartphone (external authenticator, private key) - User)
User can choose an external authenticator that is used to authenticate himself for applications running on his multiple clients across devices.
Current Timeline
• W3C Web Authentication Specification
  • Candidate Recommendation 1Q2017
• FIDO Client to Authenticator Protocol
  • Implementation draft 1Q2017
Summary
• FIDO authentication
  • Authenticators are pluggable, using public key cryptography.
  • FIDO 1.X deployments have enabled the FIDO ecosystem in the market.
• FIDO 2.0: for platforms (Web Platform and OS Platforms) natively supporting FIDO
  • Web Platform APIs: submitted to W3C
  • CTAP enables client authentication using an external authenticator.
FIDO continues to expand its ecosystem to support authentication in ubiquitous computing with FIDO 2.0.
Specification References
• W3C Web Authentication Specification Latest Draft: http://www.w3.org/TR/2016/WD-webauthn-20160902/
• FIDO Client to Authenticator Protocol: https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.pdf
Thank you for your attention!
Acknowledgement
• Thanks to FIDO Alliance members, especially the FIDO 2.0 Technology Working Group members.
• Thanks to W3C for the collaboration.
• Thanks to Dr. Gomi and his presentation for FIDO Tokyo Seminar 2015.