Deep Dive to "com.google.android.gms.fido.fido2"

Deep Dive to FIDO.FIDO2 2018/11/4 @ken5scal

1. Motivation 2. Overview of FIDO 3. Implementing FIDO2 in
Android 4. Attestation in Android 5. Assertion in Android Outline

Motivation

ʮಥવͰ͕͢…ʯΈ͍ͨͳ ஫ҙऒ͖͚͍ͭͨͱ͖࢖͏

8FC"VUIO CFDPNFT XDQSPQPTFE SFDDFPNFOEBUJPO HNTpEPpEP 'FC 'FC +BO 8FC"VUIO CFDPNFT
XDQSPQPTFE SFDDFPNFOEBUJPO .BSDI .BZ 8FC"VUIO XDDBOEJEBUF SFDDFPNFOEBUJPO 8FC"VUIO XDQSPQPTFE SFDDFPNFOEBUJPO +VOF

'FC 'FC +BO 8FC"VUIO CFDPNFT XDQSPQPTFE SFDDFPNFOEBUJPO 8FC"VUIO CFDPNFT XDQSPQPTFE
SFDDFPNFOEBUJPO .BSDI .BZ 8FC"VUIO XDDBOEJEBUF SFDDFPNFOEBUJPO 8FC"VUIO XDQSPQPTFE SFDDFPNFOEBUJPO HNTpEPpEP +VOF HNTpEPpEP

- Understand general idea of FIDO - Understand FIDO v2
in Android The Goal

Overview of FIDO

- Fast IDentity Online - Alliance - Authentication Protocol What
is FIDO

- Scalable - Inter-Operable - anti-Phishing - Secure User Privacy
What FIDO is trying to achieve?

- Scalable - Inter-Operable - Kill Phishing - Protect User
Privacy - Elimination Password as Credential What FIDO is trying to achieve?

Why eliminating Password

IUUQTXXXEBSLSFBEJOHDPNJOGPSNBUJPOXFFLIPNFQBTTXPSESFVTFBCPVOETOFXTVSWFZTIPXTEEJE

*%1BTT *%1BTT Where does ﬁre come from? 4UPSF
7FSJGZ *EFOUJGZ

*%1BTT *%1BTT Physhing

*%1BTT *%1BTT Interception

3FVTFE1BTT *%1BTT *%1BTT Credential re-used

3FQMBZ Even 2FA is not entirely safe 1BTT 5051 1VTI/PUJpDBUJPO

IUUQTNFEJVNDPNNFUBDFSUDSZQUPDVSSFODZTDBNNFSTUBSHFUCJOBODFVTFSTTFFLJOHHPPHMFBVUIFOUJDBUPSCBDLVQDPEFTBCDCC

IUUQTXXXHSPPWZQPTUDPNVOQMVHHFEQIJTIFSIBDLFEHNBJMGBDUPSBVUIFOUJDBUJPO

As long as human involves, There is a vulnerability.

- Break down AuthN responsibility - bounding credentials to origin
- customize challenge-response to make 2FA by default How FIDO2 addresses problems?

General FIDO Model

*%1BTT *%1BTT Current Authentication Model WFSJGZ JEFOUJGZ
TUPSF

"VUIFOUJDBUPS $MJFOU 3FMZJOH 1BSUZ 3FMZJOH 1BSUZ $SFEFOUJBM,FZ ,FZ1BJS ,FZ1BJS
$SFEFOUJBM,FZ ,FZ1BJS

7FSJGZ6TFS 4UPSF$SFET $MJFOU ,FZ1BJS 7FSJGZ3FVTMU

"VUIFOUJDBUPS $MJFOU 3FMZJOH 1BSUZ 3FMZJOH 1BSUZ $SFEFOUJBM,FZ ,FZ1BJS ,FZ1BJS
$SFEFOUJBM,FZ ,FZ1BJS 5IJTLFZJTCPVOEUP0SJHJO *UBDUVBMMIBTBOJE

Registration

Registration Attestation

ᶄ3FRVFTU $SFEFOUJBM ᶃ4FOEDIBMMFOHFX DSFEFOUJBMPQUJPOT

ᶄ1BTT $SFEFOUJBM ᶅ$SFBUF $SFEFOUJBM $SFEFOUJBM ,FZ1BJS "TTFSUJPO,FZT

ᶆ4FOEQVCLFZ XDIBMMFOHFSFTQPOTF 4UPSF1SJWBUF ,FZJO4FDVSF4UPSBHF

ᶇ 7FSJGZ$SFE*OGP 4UPSF1VC,FZ

Authentication

Authentication Attestation

ᶄ3FRVFTU $SFEFOUJBM ᶃ4FOEDIBMMFOHFX BVUI/PQUJPOT

ᶄ1BTT $SFEFOUJBM ᶅ7FSJGZ $SFEFOUJBM

ᶆ4JHO3FTVMUT X$SFEFOUJBM*OGP CZ1SJW,FZ

ᶇ$IFDL4JHOBUVSF BOE7FSJGZ"VUI/ 3FTVMU

But there is more

)PXXPVME*LOPX UIFBTTFSUJPOLFZJT UIFl$PSSFDUPOFz

- “attestation is a statement serving to bear witness, conﬁrm,
or authenticate” - “attest to the provenance of an authenticator and the data it emits; including, for example: credential IDs, credential key pairs, signature counters, etc. An attestation statement is conveyed in an attestation object during registration What is Attestation? https://www.w3.org/TR/webauthn

Android Key Attestation (FOFSBUF "UUFTUBUJPO,FZ1BJS ᶅ4IJQ #VSOLFZTUP EFWJDFEVSJOH NBOVGBDUVSJOH 4JHO
BTTFSUJPOQVCLFZ CZ"UUTUQSJWLFZ

val params = KeyGenParameterSpec .Builder(storeAlias,KeyProperties.PURPOSE_SIGN) .setAlgorithmParameterSpec(ECGenParameterSpec(“secp256r1")) .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA384, KeyProperties.DIGEST_SHA512) .setAttestationChallenge(challenge.toByteArray())
val keyPairGenerator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, provider) keyPairGenerator.initialize(params) val pair : KeyPair = keyPairGenerator.generateKeyPair()

val certs = keyStore.getCertificateChain(keyStoreAlias) val x509Certs: Array<ByteArray?> = arrayOfNulls(certs.size) certs.forEachIndexed
{ index, certificate -> x509Certs[index] = certificate.encoded } // key attestation -> x509Certs[0]

Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature
Algorithm: ecdsa-with-SHA256 Issuer: serialNumber=0fccf0d5489ba04c/title=TEE Validity Not Before: Jan 1 00:00:00 1970 GMT Not After : Feb 7 06:28:15 2106 GMT Subject: CN=Android Keystore Key X509v3 extensions: X509v3 Key Usage: critical Digital Signature 1.3.6.1.4.1.11129.2.1.17:

- Check device integrity by collecting from HW/SW and testing
against Android Compatibility Test Suite (CTS) - Send result in JWS - contains pub key SafetyNet Attestation API

type AndroidSafetyNetAttestationResponse struct { Nonce string `json:"nonce"` TimestampMs int64 `json:"timestampMs"`
ApkPackageName string `json:"apkPackageName"` ApkCertificateDigestSha256 []string `json:"apkCertificateDigestSha256"` ApkDigestSha256 string `json:"apkDigestSha256"` CtsProfileMatch bool `json:”ctsProfileMatch”` BasicIntegrity bool `json:"basicIntegrity"` Error string `json:"error"` }

- It only checks Device Integrity - So not really
Attesting it - Requires unnecessary(?) access to Google Backend - Logic verifying device proﬁle completely up to Google - Device Proﬁle requires out of scope contects - FIDO cares about privacy - FIDO is authN protocol, so if it does not need it, then it is desire to not collect unnecessary data - 10,000 requests per day for each API key Drawback in SafetyNet Attestation API

Better use Android Key Attestation over SafetyNet Attesation

Implementing FIDO2 in Android

- .ﬁdo - .common - .u2f (out of scope) -
.ﬁdo2 - .api.common. - .ui (internal) - .AuthenticateActivity - .Fido2FullScreenActivity - .PolluxActivity - .GenericActivity - .pollux (internal) - .GcmReceiverService - .CableAuthenticatorService com.google.android.gms packages "QQ "DUJWJUZ pEP "DUJWJ UZ 3FTVMU *OUFSOBM VJ QPMMV Y

Attestation in Android

- Params to create credential Get Option "QQ "DUJWJUZ pEP
"DUJWJUZ 3FTVMU *OUFSOBM VJ QPMMVY

Generate Credential "QQ "DUJWJUZ pEP "DUJWJUZ 3FTVMU *OUFSOBM VJ QPMMVY

Register "QQ "DUJWJUZ pEP "DUJWJUZ 3FTVMU *OUFSOBM VJ QPMMVY

How to see slides

EJDUJPOBSZ4FSWFS1VCMJD,FZ$SFEFOUJBM$SFBUJPO0QUJPOT3FRVFTU\ SFRVJSFE%0.4USJOHVTFSOBNF SFRVJSFE%0.4USJOHEJTQMBZ/BNF "VUIFOUJDBUPS4FMFDUJPO$SJUFSJBBVUIFOUJDBUPS4FMFDUJPO "UUFTUBUJPO$POWFZBODF1SFGFSFODFBUUFTUBUJPOOPOF ^ data class ServerPublicKeyCredentialCreationOptionsRequest( val
username: String, val displayName: String, val authenticatorSelection: AuthenticatorSelectionCriter val attestation: AttestationConveyancePreference) Specs(FIDO2, Webauthn) Android Implementation

- Params to create credential Get Option "QQ "DUJWJUZ pEP

data class ServerPublicKeyCredentialCreationOptionsRequest( val username: String, val displayName: String, val
authenticatorSelection: AuthenticatorSelectionCriter val attestation: AttestationConveyancePreference) EJDUJPOBSZ4FSWFS1VCMJD,FZ$SFEFOUJBM$SFBUJPO0QUJPOT3FRVFTU\ SFRVJSFE%0.4USJOHVTFSOBNF SFRVJSFE%0.4USJOHEJTQMBZ/BNF "VUIFOUJDBUPS4FMFDUJPO$SJUFSJBBVUIFOUJDBUPS4FMFDUJPO "UUFTUBUJPO$POWFZBODF1SFGFSFODFBUUFTUBUJPOOPOF ^ https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0- rd-20180702.html#serverpublickeycredentialcreationoptionsrequest

val criteria = AuthenticatorSelectionCriteria.Builder() .setAttachment(Attachment.PLATFORM) //or .CROSS-PLATFORM //.setResidentKey(true) // No
method exists //.setUserVerification() // No method exists .build() EJDUJPOBSZ"VUIFOUJDBUPS4FMFDUJPO$SJUFSJB\ "VUIFOUJDBUPS"UUBDINFOUBVUIFOUJDBUPS"UUBDINFOU CPPMFBOSFRVJSF3FTJEFOU,FZGBMTF 6TFS7FSJpDBUJPO3FRVJSFNFOUVTFS7FSJpDBUJPOQSFGFSSFE ^ https://w3c.github.io/webauthn/#authenticatorSelection

FOVN"UUFTUBUJPO$POWFZBODF1SFGFSFODF\ OPOF %POPUSFRVJSFBVUIFOUJDBUPSUPSFUVSO"UUFTUBUJPOTUNU JOEJSFDU $MJFOUDBODPOUSPMT'PSFYBNQMF DMJFOUDBOTFMGEFpOFTUNU EJSFDU3FRVJSFUPQBTTBUUFTUBUJPOTUNUBT"VUIFOUJDBUPSHFOFSBUFE ^ https://w3c.github.io/webauthn/#attestation-conveyance AttestationConveryancePreference.NONE
//Direct //Indirect

EJDUJPOBSZ4FSWFS1VCMJD,FZ$SFEFOUJBM$SFBUJPO0QUJPOT3FRVFTU\ SFRVJSFE%0.4USJOHVTFSOBNF SFRVJSFE%0.4USJOHEJTQMBZ/BNF "VUIFOUJDBUPS4FMFDUJPO$SJUFSJBBVUIFOUJDBUPS4FMFDUJPO "UUFTUBUJPO$POWFZBODF1SFGFSFODFBUUFTUBUJPOOPOF ^ https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0- rd-20180702.html#serverpublickeycredentialcreationoptionsrequest data class
ServerPublicKeyCredentialCreationOptionsRequest( val username: String, val displayName: String, val authenticatorSelection: AuthenticatorSelectionCriter val attestation: AttestationConveyancePreference)

Generate Credential "QQ "DUJWJUZ pEP "DUJWJUZ 3FTVMU *OUFSOBM VJ QPMMVY

EJDUJPOBSZ4FSWFS1VCMJD,FZ$SFEFOUJBM$SFBUJPO0QUJPOT3FTQPOTF\ SFRVJSFE4UBUVTTUBUVT SFRVJSFE%0.4USJOHFSSPS.FTTBHFl SFRVJSFE1VCMJD,FZ$SFEFOUJBM3Q&OUJUZSQ SFRVJSFE4FSWFS1VCMJD,FZ$SFEFOUJBM6TFS&OUJUZVTFS SFRVJSFE%0.4USJOHDIBMMFOHF SFRVJSFETFRVFODF1VCMJD,FZ$SFEFOUJBM1BSBNFUFSTQVC,FZ$SFE1BSBNT VOTJHOFEMPOHUJNFPVU TFRVFODF4FSWFS1VCMJD,FZ$SFEFOUJBM%FTDSJQUPSFYDMVEF$SFEFOUJBMT<> "VUIFOUJDBUPS4FMFDUJPO$SJUFSJBBVUIFOUJDBUPS4FMFDUJPO
"UUFTUBUJPO$POWFZBODF1SFGFSFODFBUUFTUBUJPOOPOF "VUIFOUJDBUJPO&YUFOTJPOT$MJFOU*OQVUTFYUFOTJPOT ^ https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd- 20180702.html#serverpublickeycredentialcreationoptionsresponse

val options = PublicKeyCredentialCreationOptions.Builder() .setRp(rp) .setUser(user) .setChallenge("challenge".toByteArray()) .setParameters(pubKeyParams) .setTimeoutSeconds(3600.toDouble()) .setExcludeList(exclusionList)
.setAuthenticatorSelection(criteria) .setAttestationConveyancePreference(AttestationConveyancePreference.DIR .build() val client = Fido.getFido2ApiClient(this.applicationContext) val clientTask = client.getRegisterIntent(options) clientTask.addOnSuccessListener { it.launchPendingIntent(this, REGISTER_RESULT_CODE) }

val options = PublicKeyCredentialCreationOptions.Builder() .setRp(rp) // required .setUser(user) // required
.setChallenge("challenge".toByteArray()) // required .setParameters(pubKeyParams) // required .setTimeoutSeconds(3600.toDouble()) .setExcludeList(exclusionList) .setAuthenticatorSelection(criteria) .setAttestationConveyancePreference(AttestationConveyancePreference.DIR .build() val client = Fido.getFido2ApiClient(this.applicationContext) val clientTask = client.getRegisterIntent(options) clientTask.addOnSuccessListener { it.launchPendingIntent(this, REGISTER_RESULT_CODE) }

val rp = PublicKeyCredentialRpEntity( "login.example.com", "Example Company", “https://ex.com/icon.svg“) EJDUJPOBSZ1VCMJD,FZ$SFEFOUJBM3Q&OUJUZ1VCMJD,FZ$SFEFOUJBM&OUJUZ\ %0.4USJOHJE
^ EJDUJPOBSZ1VCMJD,FZ$SFEFOUJBM&OUJUZ\ SFRVJSFE%0.4USJOHOBNF 6474USJOHJDPO ^ https://w3c.github.io/webauthn/#sctn-rp-credential-params

val options = PublicKeyCredentialCreationOptions.Builder() .setRp(rp) .setUser(user) .setChallenge(“challenge".toByteArray()) .setTimeoutSeconds(3600.toDouble()) .setParameters(pubKeyParams) .setExcludeList(exclusionList)

val user = PublicKeyCredentialUserEntity( "user-id-like-uuid".toByteArray(), "ken5scal", "https://gravata.com/ken5scal", "Kengo Suzuki") EJDUJPOBSZ1VCMJD,FZ$SFEFOUJBM6TFS&OUJUZ1VCMJD,FZ$SFEFOUJBM&OUJUZ\
SFRVJSFE#V⒎FS4PVSDFJE SFRVJSFE%0.4USJOHEJTQMBZ/BNF ^ EJDUJPOBSZ1VCMJD,FZ$SFEFOUJBM&OUJUZ\ SFRVJSFE%0.4USJOHOBNF 6474USJOHJDPO ^ https://w3c.github.io/webauthn/#sctn-user-credential-params

.setAuthenticatorSelection(criteria) .setAttestationConveyancePreference(AttestationConveyancePreference .DIRECT) .build() val client = Fido.getFido2ApiClient(this.applicationContext) val clientTask = client.getRegisterIntent(options) clientTask.addOnSuccessListener { it.launchPendingIntent(this, REGISTER_RESULT_CODE) }

val pubKeyParam = PublicKeyCredentialParameters( // Essentially, only “public-key” can be
chosen PublicKeyCredentialType.PUBLIC_KEY.toString(), //“public-key EC2Algorithm.ES512.algoValue ɹɹɹ// Recommended // EC2Algorithm.ES256.algoValue // Recommended // RSAAlgorithm.PS*.algoValue // RSAAlgorithm.RS*.algoValue ) EJDUJPOBSZ1VCMJD,FZ$SFEFOUJBM1BSBNFUFST\ SFRVJSFE1VCMJD,FZ$SFEFOUJBM5ZQFUZQF SFRVJSFE$04&"MHPSJUIN*EFOUJpFSBMH ^ https://w3c.github.io/webauthn/#credential-params

val excludedCredOne = PublicKeyCredentialDescriptor( PublicKeyCredentialType.PUBLIC_KEY.toString(),//“public-key” "base64url-credential-id".toByteArray()) val exclusionList = listOf(excludedCredOne)
//, excludedCredTwo EJDUJPOBSZ4FSWFS1VCMJD,FZ$SFEFOUJBM%FTDSJQUPS\ SFRVJSFE1VCMJD,FZ$SFEFOUJBM5ZQFUZQF SFRVJSFE%0.4USJOHJE TFRVFODF"VUIFOUJDBUPS5SBOTQPSUUSBOTQPSUT ^ https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#serverpublickeycredentialdescriptor

val criteria = AuthenticatorSelectionCriteria.Builder() .setAttachment(Attachment.PLATFORM) //.setResidentKey(true) // No method exists
//.setUserVerification() // No method exists .build() EJDUJPOBSZ"VUIFOUJDBUPS4FMFDUJPO$SJUFSJB\ "VUIFOUJDBUPS"UUBDINFOUBVUIFOUJDBUPS"UUBDINFOU CPPMFBOSFRVJSF3FTJEFOU,FZGBMTF 6TFS7FSJpDBUJPO3FRVJSFNFOUVTFS7FSJpDBUJPOQSFGFSSFE ^ https://w3c.github.io/webauthn/#authenticatorSelection

.setAuthenticatorSelection(criteria) .setAttestationConveyancePreference( AttestationConveyancePreference.DIRECT) .build() val client = Fido.getFido2ApiClient(this.applicationContext) val clientTask = client.getRegisterIntent(options) clientTask.addOnSuccessListener { it.launchPendingIntent(this, REGISTER_RESULT_CODE) }

"QQ "DUJWJUZ pEP "DUJWJUZ 3FTVMU *OUFSOBM VJ QPMMVY - .ﬁdo
- .common - .u2f (out of scope) - .ﬁdo2 - .api.common. - .ui (internal) - .AuthenticateActivity - .Fido2FullScreenActivity - .PolluxActivity - .GenericActivity - .pollux (internal) - .GcmReceiverService - .CableAuthenticatorService

.setAuthenticatorSelection(criteria) .setAttestationConveyancePreference(AttestationConveyancePreference. DIRECT) .build() val client = Fido.getFido2ApiClient(this.Context) val clientTask = client.getRegisterIntent(options) clientTask.addOnSuccessListener { it.launchPendingIntent(this, REGISTER_RESULT_CODE)} }

Register "QQ "DUJWJUZ pEP "DUJWJUZ 3FTVMU *OUFSOBM VJ QPMMVY

val attestedResponse = intent? .getParcelableExtra<AuthenticatorAttestationResponse>( Fido.FIDO2_KEY_RESPONSE_EXTRA)

val clientDataJSON = Base64.getUrlEncoder().encodeToString(attestedData?.clientDataJSON) val ao = Cbor.plain.dumps(AttestationObject(attestedData?.attestationObject)) val attstObject
= Base64.getUrlEncoder.encode(ao.toByteArray()) EJDUJPOBSZ4FSWFS"VUIFOUJDBUPS"UUFTUBUJPO3FTQPOTF 4FSWFS"VUIFOUJDBUPS3FTQPOTF\ SFRVJSFE%0.4USJOHDMJFOU%BUB+40/ SFRVJSFE%0.4USJOHBUUFTUBUJPO0CKFDU ^ https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#serverauthenticatorattestationresponse

EJDUJPOBSZ4FSWFS"VUIFOUJDBUPS"UUFTUBUJPO3FTQPOTF 4FSWFS"VUIFOUJDBUPS3FTQPOTF\ SFRVJSFE%0.4USJOHDMJFOU%BUB+40/ SFRVJSFE%0.4USJOHBUUFTUBUJPO0CKFDU ^ https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#serverauthenticatorattestationresponse val clientDataJSON = Base64.getUrlEncoder().encodeToString(attestedData?.clientDataJSON)
val ao = Cbor.plain.dumps(AttestationObject(attestedData?.attestationObject)) val attstObject = Base64.getUrlEncoder.encode(ao.toByteArray())

EJDUJPOBSZ$PMMFDUFE$MJFOU%BUB\ SFRVJSFE%0.4USJOHUZQF SFRVJSFE%0.4USJOHDIBMMFOHF SFRVJSFE%0.4USJOHPSJHJO 5PLFO#JOEJOHUPLFO#JOEJOH ^ https://w3c.github.io/webauthn/#sec-client-data val clientDataJSON =
Base64.getUrlEncoder().encodeToString(attestedData?.clientDataJSON) val ao = Cbor.plain.dumps(AttestationObject(attestedData?.attestationObject)) val attstObject = Base64.getUrlEncoder.encode(ao.toByteArray())

EJDUJPOBSZ4FSWFS"VUIFOUJDBUPS"UUFTUBUJPO3FTQPOTF 4FSWFS"VUIFOUJDBUPS3FTQPOTF\ SFRVJSFE%0.4USJOHDMJFOU%BUB+40/ SFRVJSFE%0.4USJOHBUUFTUBUJPO0CKFDU ^ https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#serverauthenticatorattestationresponse val clientDataJSON = Base64.getUrlEncoder().encodeToString(attestedData?.clientDataJSON)
val ao = Cbor.plain.dumps(AttestationObject(attestedData?.attestationObject)) val attstObject = Base64.getUrlEncoder.encode(ao.toByteArray())

Assertion in Android

- Params for identify credential Get Option "QQ "DUJWJUZ pEP

"QQ "DUJWJUZ pEP "DUJWJUZ 3FTVMU *OUFSOBM VJ QPMMVY Authenticate

Send Result "QQ "DUJWJUZ pEP "DUJWJUZ 3FTVMU *OUFSOBM VJ QPMMVY

Flow "QQ "DUJWJUZ pEP "DUJWJUZ 3FTVMU *OUFSOBM VJ QPMMVY

- Params for identify credential Get Option "QQ "DUJWJUZ pEP

EJDUJPOBSZ4FSWFS1VCMJD,FZ$SFEFOUJBM(FU0QUJPOT3FRVFTU\ SFRVJSFE%0.4USJOHVTFSOBNF 6TFS7FSJpDBUJPO3FRVJSFNFOUVTFS7FSJpDBUJPOQSFGFSSFE ^ https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0- rd-20180702.html#serverpublickeycredentialgetoptionsrequest data class ServerPublicKeyCredentialGetOptionsRequest( val
username: String, val userVerificationRequirement: bool)

Get Credential "QQ "DUJWJUZ pEP "DUJWJUZ 3FTVMU *OUFSOBM VJ QPMMVY

EJDUJPOBSZ4FSWFS1VCMJD,FZ$SFEFOUJBM(FU0QUJPOT3FTQPOTF4FSWFS3FTQPOTF SFRVJSFE4UBUVTTUBUVT SFRVJSFE%0.4USJOHFSSPS.FTTBHFl SFRVJSFE%0.4USJOHDIBMMFOHF VOTJHOFEMPOHUJNFPVU 6474USJOHSQ*E TFRVFODF4FSWFS1VCMJD,FZ$SFEFOUJBM%FTDSJQUPSBMMPX$SFEFOUJBMT<> 6TFS7FSJpDBUJPO3FRVJSFNFOUVTFS7FSJpDBUJPOQSFGFSSFE "VUIFOUJDBUJPO&YUFOTJPOT$MJFOU*OQVUTFYUFOTJPOT ^
https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd- 20180702.html#serverpublickeycredentialcreationoptionsresponse

val getOptions = PublicKeyCredentialRequestOptions.Builder() .setChallenge(“challenge".toByteArray()) //required .setTimeoutSeconds(3600.toDouble()) .setRpId("login.example.com") .setAllowList(allowList) .setAuthenticationExtensions(extensions)
.build() val client = Fido.getFido2ApiClient(this.applicationContext) val clientTask = client.getRegisterIntent(options) clientTask.addOnSuccessListener { if (it.hasPendingIntent()) { it.launchPendingIntent(this, AUTHN_RESULT_CODE)} }

val getOptions = PublicKeyCredentialRequestOptions.Builder() .setChallenge(“challenge".toByteArray()) .setTimeoutSeconds(3600.toDouble()) .setRpId("login.example.com") .setAllowList(allowList) .setAuthenticationExtensions(extensions) .build()
val client = Fido.getFido2ApiClient(this.applicationContext) val clientTask = client.getRegisterIntent(options) clientTask.addOnSuccessListener { if (it.hasPendingIntent()) { it.launchPendingIntent(this, AUTHN_RESULT_CODE)} }

val getOptions = PublicKeyCredentialRequestOptions.Builder() .setChallenge("challenge".toByteArray()) .setTimeoutSeconds(3600.toDouble()) .setRpId("login.example.com") .setAllowList(allowList) .setAuthenticationExtensions(extensions) .build()
val client = Fido.getFido2ApiClient(this.applicationCont val clientTask = client.getRegisterIntent(options) clientTask.addOnSuccessListener { if (it.hasPendingIntent()) { it.launchPendingIntent(this, AUTHN_RESULT_CODE)} }

val allowedCred = PublicKeyCredentialDescriptor( PublicKeyCredentialType.PUBLIC_KEY.toString(), "base64url-credential-id".toByteArray()) val allowList = listOf(allowedCred)
EJDUJPOBSZ4FSWFS1VCMJD,FZ$SFEFOUJBM%FTDSJQUPS\ SFRVJSFE1VCMJD,FZ$SFEFOUJBM5ZQFUZQF SFRVJSFE%0.4USJOHJE TFRVFODF"VUIFOUJDBUPS5SBOTQPSUUSBOTQPSUT ^ https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#serverpublickeycredentialdescriptor

EJDUJPOBSZ4FSWFS1VCMJD,FZ$SFEFOUJBM(FU0QUJPOT3FTQPOTF4FSWFS3FTQPOTF SFRVJSFE4UBUVTTUBUVT SFRVJSFE%0.4USJOHFSSPS.FTTBHFl SFRVJSFE%0.4USJOHDIBMMFOHF VOTJHOFEMPOHUJNFPVU 6474USJOHSQ*E TFRVFODF4FSWFS1VCMJD,FZ$SFEFOUJBM%FTDSJQUPSBMMPX$SFEFOUJBMT<> 6TFS7FSJpDBUJPO3FRVJSFNFOUVTFS7FSJpDBUJPOQSFGFSSFE "VUIFOUJDBUJPO&YUFOTJPOT$MJFOU*OQVUTFYUFOTJPOT ^
https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd- 20180702.html#serverpublickeycredentialcreationoptionsresponse 5IJTpFMEJTNJTTJOHGSPN'*%0QBDLBHF :PVDBOOPUDIPPTFUPSFRVJSFVTFSWFSJpDBUJPO 67

Send Result "QQ "DUJWJUZ pEP "DUJWJUZ 3FTVMU *OUFSOBM VJ QPMMVY

val signedData = data?.getParcelableExtra<AuthenticatorAssertionResponse> (Fido.FIDO2_KEY_RESPONSE_EXTRA)

EJDUJPOBSZ4FSWFS"VUIFOUJDBUPS"TTFSUJPO3FTQPOTF 4FSWFS"VUIFOUJDBUPS3FTQPOTF\ SFRVJSFE%0.4USJOHDMJFOU%BUB+40/ SFRVJSFE%0.4USJOHBVUIFOUJDBUPS%BUB SFRVJSFE%0.4USJOHTJHOBUVSF SFRVJSFE%0.4USJOHVTFS)BOEMF ^ https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#serverauthenticatorattestationresponse val cd
= Base64.getUrlEncoder().encodeToString(signedData?.clientDataJ SON) val ad = Base64.getUrlEncoder().encodeToString(signedData?.authenticat orData) // Do same for signature and userHandle (got too lazy)

https://w3c.github.io/webauthn/#attestation-object

EJDUJPOBSZ4FSWFS"VUIFOUJDBUPS"UUFTUBUJPO3FTQPOTF 4FSWFS"VUIFOUJDBUPS3FTQPOTF\ SFRVJSFE%0.4USJOHDMJFOU%BUB+40/ SFRVJSFE%0.4USJOHBVUIFOUJDBUPS%BUB SFRVJSFE%0.4USJOHTJHOBUVSF SFRVJSFE%0.4USJOHVTFS)BOEMF ^ https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#serverauthenticatorattestationresponse val cd
= Base64.getUrlEncoder().encodeToString(signedData?.clientDataJ SON) val ad = Base64.getUrlEncoder().encodeToString(signedData?.authenticat orData) // Do same for signature and userHandle (got too lazy)

function LiftUp (someone) { alert("Hello" + someone) } LiftUp("Me");

That’s it

Android 4. Attestation in Android 5. Assertion in Android What we have covered

Future of FIDO2 (for developers)

- Avoid reinventing the wheel - Instead focus on each
params and patters - Be prepared to communicate with other departments - For example, you should cooperate with CS in case of device lose Things we should care

Conclusion

- FIDO2 may solve current pain in Password-centric Authentication -
Android has nice and thorough package - Be prepared to inconvenient environment without password Conclusion

@ken5scal Thank you!

Deep Dive to "com.google.android.gms.fido.fido2"

Deep Dive to "com.google.android.gms.fido.fido2"

More Decks by Kengo Suzuki

Other Decks in Technology

Featured

Transcript