FIDO2 Technology

 

According to a Verizon survey, the major cyber attacks in the US in 2017 are mostly conventional and are categorized in the table below. In conclusion, more than 80% of cyber attacks are “password leaks”.

Furthermore, it has been concluded that if two-factor authentication is used instead of passwords, 99% of cyber attacks can be prevented. It can be seen that the FIDO method, which aims to login without a password, is an important proposal. In fact, the main browser, SNS, announced plans for introducing FIDO / WebAuthn in 2019.

The World Wide Web Consortium (W3C) is setting an international standard for user authentication on the Web, with the FIDO (Fast IDentity Online) Association aiming to realize a new authentication protocol without a password. The latest protocol is called FIDO2, CTAP (Client to Authenticator Protocol) that determines the method between the authenticator (Authenticator) built in the external device and the Web browser, and the browser and FIDO authentication server in March 2019 It consists of WebAuthn that determines the method between. The latter, WebAuthn, was examined by the World Wide Web Consortium (W3C), and an official recommendation was announced in March 2019.

Attacks Description
Phishing Phishing is a type of social engineering usually employed to steal user data such as credit card numbers and login credentials. It happens when an attacker, posing as a trusted individual, tricks the victim to open a text message, email, or instant message.
Malware Malware is a code that is made to stealthily affect a compromised computer system without the consent of the user. This broad definition includes many particular types of malevolent software (malware) such as spyware, ransomware, command, and control.
Web SQL injection is a kind of attack that employs malicious code to manipulate backend databases to access information that was not intended for display. Cross-site scripting (XSS) is a kind of injection breach where the attacker sends malicious scripts into content from otherwise reputable websites.
Others Distributed Denial-of-Service (DDoS) , password, snooping or sniffing, Brute-Force and Dictionary Network, Man-in-the-Middle (MITM)
FIDO2
Here is a brief explanation of how FIDO2 works. FIDO2 consists of fingerprint authentication and public key infrastructure (PKI). Fingerprint authentication is a technology that determines whether an input fingerprint is a registered fingerprint by reading the fingerprint with a fingerprint sensor and comparing its feature points with registered data. On the other hand, the public key cryptographic infrastructure allows the device side to digitally sign the document created on the server side (which is called a challenge because it is a different document for each authentication) using the private key on the device side. A technology that verifies using a public key and determines whether a signature is created on the device side. The purpose is to verify the identity of the server, so fingerprint authentication and electronic signature on the device side must be linked. For this reason, these two operations are performed in a secure area called a secure element (SE) in the device, and a digital signature is executed only when fingerprint authentication is successful. FIDO2 protocol From these principles, FIDO2 is executed as shown above. (The numbers in the figure and the following numbers match)

  1. Challenge sent from server to device
  2. Perform fingerprint authentication in the device
  3. Electronic signature with user's private key on sent challenge only if authentication is successful
  4. Send signed challenge to server
  5. The server verifies the electronic signature using the user's public key. The identity verification ends only when the verification is successful.

It will be the procedure.Since the challenge is a randomly generated random number, the data passing through the communication path is different for each authentication. As a premise, (1) a registered fingerprint is stored in the device. (2) The user's private key / public key pair is secretly generated in the device, the private key is stored in the device, and the public key that may be disclosed is sent to the server side for storage. (3) Other user names are also stored on the server side. These conditions are necessary. Therefore, before starting authentication for the first time, you will need to perform a "user registration" task. (important point) 1. The challenge includes a server name and user ID in addition to a random number. Browsers and devices check them.2. Attestation is a method by which an authentication server authenticates a device. The device creates a signature based on the Attestation private / public key pair and signature creation data, sends the public key and signature to the server, verifies the signature using the public key, and device Authenticate

Public Key Infrastructure (PKI)

The public key infrastructure uses a public / private key pair. Since the public key can be generated from the private key, it is called a public key because it does not need to be kept secret. The private key cannot be generated from the public key, so it must be kept secret. Consider a situation where you create this pair in your device during login registration, store the private key in the device, and send the public key to the server during registration.

The plaintext is sent from the server to the device, and the device encrypts the plaintext using the private key to create the ciphertext. This ciphertext is sent to the server. The server can decrypt to plaintext using the public key. Therefore, if the decrypted plaintext is the same as the plaintext created by the server, the ciphertext can be verified as encrypted by the device that owns the private key.

The server uses a random number called a challenge as plain text. Use the digest version of the challenge. The digest version is converted into a short numeric string of a certain size by applying a predetermined function called a hash function to the challenge. Encrypt it with a private key. The encrypted ciphertext is called the challenge's digital signature. You can send this challenge and electronic signature to the server to verify that the electronic signature was generated with the device's private key.

A server that receives a challenge and an electronic signature can create a digest version of the challenge with the same hash function. Also, decrypting the received electronic signature with the public key can verify that it is identical to the created digest version. In other words, you can verify that the electronic signature was created using the device's private key.

(Note) Electronic certificates are not used. When the e-certifier sends the device public key to the server, the third party (certification authority) ensures that the device public key corresponds to the device private key. The one sent with the device's public key with a digital signature is called an electronic certificate. Not used in FIDO2.

Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). SAML is also:

  • A set of XML-based protocol messages
  • A set of protocol message bindings
  • A set of profiles (utilizing all of the above)

The single most important use case that SAML addresses is web-browser single sign-on (SSO). Single sign-on is relatively easy to accomplish within a security domain (using cookies, for example) but extending SSO across security domains is more difficult and resulted in the proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability.[2] (For comparison, the more recent OpenID Connect protocol[3] is an alternative approach to web browser SSO.)