Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ChromeからMacBookのTouchIDでWebAuthenticationする

kg0r0
July 01, 2021
26

 ChromeからMacBookのTouchIDでWebAuthenticationする

#iddance Lesson 1. 技術書典とDigital Identity技術の資料です
※ slideshareからSpeaker Deckに移行しました
https://www.slideshare.net/KentoGoro/idance-vol1-148260910

kg0r0

July 01, 2021
Tweet

Transcript

  1. Registration navigator.credentials.create({ publicKey: { rp: { id: "example.com”, name: "Acme"

    }, user: { id: new Uint8Array(16), name: "[email protected]", displayName: "John P. Smith " }, pubKeyCredParams: [{ type: "public-key", alg: -7 }], attestation: "direct", timeout: 60000, // must be a cryptographically random number sent from a server challenge: new Uint8Array([ 0x8C, 0x0A, 0x26, 0xFF, 0x22, 0x91, 0xC1, 0xE9, ... ]).buffer } })
  2. AuthenticatorAttestationResponse { "rawId": "imCIoe8U_N9M1rTGeCqJ96TAu5uqSPa7YUzd ... ", "id": ” imCIoe8U_N9M1rTGeCqJ96TAu5uqSPa7YUzdh7qq ...

    ", "response": { "clientDataJSON": ”eyJjaGFsbGVuZ2UiOiJJSFdtWjFPa1MydDZLaH ... ”, "attestationObject": ”o2NmbXRoZmlkby11MmZnYXR0U3RtdKJjc2 ... " }, "getClientExtensionResults": {}, "type": "public-key” }
  3. AuthenticatorAttestationResponse { "rawId": "imCIoe8U_N9M1rTGeCqJ96TAu5uqSPa7YUzd ... ", "id": ” imCIoe8U_N9M1rTGeCqJ96TAu5uqSPa7YUzdh7qq ...

    ", "response": { "clientDataJSON": ”eyJjaGFsbGVuZ2UiOiJJSFdtWjFPa1MydDZLaH ... ”, "attestationObject": ”o2NmbXRoZmlkby11MmZnYXR0U3RtdKJjc2 ... " }, "getClientExtensionResults": {}, "type": "public-key” }
  4. { fmt: 'packed', attStmt: { alg: -7, sig: <Buffer 30

    46 02 21 00 f3 c8 07 b7 2d ce 45 7d 45 94 30 44 89 2c 85 36 c8 e1 1e 20 64 a2 6b 4d cc 74 ab 86 16 cd 53 c3 02 21 00 c1 77 e6 45 96 c9 ff 55 12 1c ... 22 more bytes> }, authData: <Buffer 49 96 0d e5 88 0e 8c 68 74 34 17 0f 64 76 60 5b 8f e4 ae b9 a2 86 32 c7 99 5c f3 ba 83 1d 97 63 45 5c 7d 17 d1 ad ce 00 02 35 bc c6 0a 64 8b 0b 25 f1 ... 150 more bytes> } Attestation Object CBORΤϯίʔυ͞Εͨެ։伴ͳͲΛؚΉσʔλ .BD#PPL5PVDI*%
  5. { fmt: 'packed', attStmt: { alg: -7, sig: <Buffer 30

    46 02 21 00 be 80 1a 66 cb 2b 11 d3 ba c6 94 10 17 05 56 ee 72 e1 75 ff 0d ec c1 46 17 96 7d 11 10 5f 1d 5c 02 21 00 fe e4 f7 09 64 97 4d f5 bd 3d ... 22 more bytes>, x5c: [ <Buffer 30 82 02 be 30 82 01 a6 a0 03 02 01 02 02 04 74 86 fd c2 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 2e 31 2c 30 2a 06 03 55 04 03 13 23 59 75 62 ... 656 more bytes> ] }, authData: <Buffer 49 96 0d e5 88 0e 8c 68 74 34 17 0f 64 76 60 5b 8f e4 ae b9 a2 86 32 c7 99 5c f3 ba 83 1d 97 63 41 00 00 01 58 f8 a0 11 f3 8c 0a 4d 15 80 06 17 11 1f ... 146 more bytes> } Attestation Statement Attestationͷݕূʹඞཁͳ৘ใͳͲ :VCJDP4FDVSJUZ,FZ
  6. { fmt: 'packed', attStmt: { alg: -7, sig: <Buffer 30

    46 02 21 00 f3 c8 07 b7 2d ce 45 7d 45 94 30 44 89 2c 85 36 c8 e1 1e 20 64 a2 6b 4d cc 74 ab 86 16 cd 53 c3 02 21 00 c1 77 e6 45 96 c9 ff 55 12 1c ... 22 more bytes> }, authData: <Buffer 49 96 0d e5 88 0e 8c 68 74 34 17 0f 64 76 60 5b 8f e4 ae b9 a2 86 32 c7 99 5c f3 ba 83 1d 97 63 45 5c 7d 17 d1 ad ce 00 02 35 bc c6 0a 64 8b 0b 25 f1 ... 150 more bytes> } Attestation Statement Attestationͷݕূʹඞཁͳ৘ใͳͲ .BD#PPL5PVDI*%
  7. ·ͱΊ • Touch IDΛೝূثͱͨ͠৔߹ͷAttestation Format͸ packed SELF Attestation • ূ໌ॻ͔Βऔಘͨ͠ެ։伴Ͱ͸ͳ͘Authenticator

    Data ͔Βऔಘͨ͠ެ։伴Ͱݕূ • ೝূ࣌͸ͦͷଞϑΥʔϚοτͱಉ͡ (transportsͷࢦఆ ͸஫ҙ)
  8. Authentication navigator.credentials.get({ publicKey: { timeout: 60000, challenge: new Uint8Array([ 0x79,

    0x50, 0x68, 0x71, 0xDA, 0xEE, 0xEE, 0xB9, 0x94, 0xC3, 0xC2, ... ]).buffer, allowCredentials: [{ id: cred.rawId, type: "public-key" }] }, }) USBOTQPSUT ௨৴खஈ ͷࢦఆʹ஫ҙ
  9. AuthenticatorAssertionResponse { "rawId": "imCIoe8U_N9M1rTGeCqJ96TAu5uqSPa7YUzd ... " , "id": "imCIoe8U_N9M1rTGeCqJ96TAu5uqSPa7YUzdh7qq ...

    ", "response": { "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MBAAAALQ", "signature": "MEUCIQCFOqnsAFZLQmcPt2qSjnCb403SisGEASSjT3fOPuD5JgIgF ...", "userHandle": "", "clientDataJSON": "eyJjaGFsbGVuZ2UiOiJDUXF5aUlrQ00yWEtvaHVSdlNqTEFoN ...” }, "getClientExtensionResults": {}, "type": "public-key” }
  10. AuthenticatorAssertionResponse { "rawId": "imCIoe8U_N9M1rTGeCqJ96TAu5uqSPa7YUzd ... " , "id": "imCIoe8U_N9M1rTGeCqJ96TAu5uqSPa7YUzdh7qq ...

    ", "response": { "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MBAAAALQ", "signature": "MEUCIQCFOqnsAFZLQmcPt2qSjnCb403SisGEASSjT3fOPuD5JgIgF ...", "userHandle": "", "clientDataJSON": "eyJjaGFsbGVuZ2UiOiJDUXF5aUlrQ00yWEtvaHVSdlNqTEFoN ...” }, "getClientExtensionResults": {}, "type": "public-key” }
  11. It can be longer than 37 bytes if extensions are

    sent (in which case the extensions bit is set in the authenticatorData flags). You are correct though, that the authenticator should not send attestedCredentialData for a GetAssertion operation. Ҿ༻ݩIUUQTCVHTDISPNJVNPSHQDISPNJVNJTTVFTEFUBJM JE
  12. Should be in Chrome 75. If you assume that we

    hit our six week cadence then Chrome 75 would be ~mid June. Ҿ༻ݩIUUQTCVHTDISPNJVNPSHQDISPNJVNJTTVFTEFUBJM JE
  13. ࢀߟ • Web Authentication: An API for accessing Public Key

    Credentials https://www.w3.org/TR/webauthn/ • FIDO2 attestation formatͷ঺հ https://techblog.yahoo.co.jp/advent-calendar-2018/webauthn-attestation-packed/ • FIDO2ʹΑΔChromeͱMacBook Proͷtouch idΛར༻ͨ͠ύεϫʔυϨεϩάΠϯͷ࣮૷ https://qiita.com/ifsec_56/items/0cc5f1d73e7d2e3029ad • Issue 946993: Touch ID authenticator returns attestedCredentialData in GetAssertion response http://kent056-n.hatenablog.com/entry/2019/03/31/140910 • WebAuthn/FIDO2: Verifying Packed Attestation ɹhttps://medium.com/@herrjemand/verifying-fido2-packed-attestation-a067a9b2facd