
Selecting the Authenticators an RP Accepts ~iddance lesson 2~

kg0r0
July 01, 2021


#iddance Lesson 2. Slides for the Digital Identity Autumn session.
Note: migrated from Slideshare to Speaker Deck.
https://www.slideshare.net/KentoGoro/idance-lesson-2


Transcript

  1. Selecting the authenticators an RP accepts #iddance Lesson 2. Digital Identity Autumn @kg0r0

  2. Agenda
     • Introduction
     • FIDO2 registration overview
     • Identifying the authenticator model/product
     • Using MDS
     • WebAuthn extensions
     • Closing
  3. Introduction

  4. About me
     • Kento Goro (合路 健人)
     • Third year as a working professional
     • Working on authentication
     • Twitter: @kg0r0
  5. Motivation for selecting authenticators
     • From a security policy perspective
       – Do not accept vulnerable authenticators
       – Do not accept authenticators that were not intended
       – Keep the security level of the authenticators in use consistent

  6. What would be useful at registration time
     • Identify the authenticator's product/model
     • Obtain information about the authenticator
     • Determine the factors used for authentication

  7. FIDO2 registration overview

  8. Registration (Overview)
     Participants: Authenticator, Client, Relying Party
     [1] user info
     [2] challenge, user info, relying party info
     [3] navigator.credentials.create()
     [4] relying party id, user info, relying party info, clientDataHash
     [5] user verification, new keypair, attestation
     [6] new public key, credential id, attestation
     [7] clientDataJSON, attestationObject
     [8] server validation
     [9] result
  17. Attestation Object. Source: https://www.w3.org/TR/webauthn/


  20. AUTHENTICATOR DATA
     • RP ID HASH – hash of the RP ID
     • FLAGS – results of User Verification (UV) and User Presence (UP)
     • COUNTER – number of authentications performed on the authenticator
     • ATTESTED CRED DATA – data containing information about the authenticator and its public key
  24. ATTESTED CRED DATA
     • AAGUID – identifier for each authenticator model/product
     • L – length of the CREDENTIAL ID
     • CREDENTIAL ID – identifier unique to each public key
     • CREDENTIAL PUBLIC KEY – public key encoded in COSE_Key format
  25. Identifying the authenticator model/product

  26. AAGUID
     • 16 bytes of data contained in ATTESTED CRED DATA
     • Unique per model or product
     • Note that it is 0 for FIDO U2F attestation – the model must then be identified by other means
     • RFC 4122 – https://tools.ietf.org/html/rfc4122
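The parsing that slides 20, 24 and 26 describe, as an added example that is not code from the deck: it splits authenticatorData into RP ID HASH, FLAGS, COUNTER and ATTESTED CRED DATA, renders the AAGUID in RFC 4122 form, flags the all-zero AAGUID of a FIDO U2F attestation, and applies a registration policy on the FLAGS. The sample bytes and the RP ID "rp.example" are constructed for the example.

```python
import hashlib
import struct
import uuid

# Bits of the FLAGS byte (WebAuthn Level 1, authenticator data layout).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_AT = 0x40  # Attested credential data follows the counter


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticatorData into RP ID HASH, FLAGS, COUNTER and ATTESTED CRED DATA."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed part")
    flags = auth_data[32]
    (counter,) = struct.unpack(">I", auth_data[33:37])
    parsed = {"rp_id_hash": auth_data[:32], "user_present": bool(flags & FLAG_UP),
              "user_verified": bool(flags & FLAG_UV), "counter": counter,
              "aaguid": None, "aaguid_is_zero": False, "credential_id": None, "cose_key": None}
    if flags & FLAG_AT:
        if len(auth_data) < 37 + 16 + 2:
            raise ValueError("attested credential data truncated")
        aaguid_bytes = auth_data[37:53]
        (cred_len,) = struct.unpack(">H", auth_data[53:55])   # L: length of CREDENTIAL ID
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        parsed["aaguid"] = str(uuid.UUID(bytes=aaguid_bytes))    # RFC 4122 text form
        # FIDO U2F attestation reports an all-zero AAGUID: the model must be identified another way.
        parsed["aaguid_is_zero"] = aaguid_bytes == bytes(16)
        parsed["credential_id"] = cred_id
        parsed["cose_key"] = auth_data[55 + cred_len:]            # CBOR COSE_Key, left undecoded
    return parsed


def registration_flags_ok(parsed: dict) -> bool:
    """RP policy for registration: user present, user verified, and a credential actually attested."""
    return parsed["user_present"] and parsed["user_verified"] and parsed["credential_id"] is not None


def build_sample_authenticator_data(aaguid: str, flags: int = FLAG_UP | FLAG_UV | FLAG_AT) -> bytes:
    """Constructed sample authenticatorData (not captured from a real authenticator)."""
    rp_id_hash = hashlib.sha256(b"rp.example").digest()
    cred_id = b"\xaa" * 20
    cose_key = b"\xa5\x01\x02\x03\x26"   # first bytes of a COSE EC2 key map, as a placeholder
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", 7)
            + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id + cose_key)
```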
  27. Identifying the authenticator model – example: Yubico products. Source: https://demo.yubico.com/webauthn-technical/registration

  28. Obtaining detailed authenticator information
     • Retrieve further information about the authenticator
     • Use the FIDO MDS (Metadata Service)
     • Look up the metadata by AAGUID
  29. Using MDS

  30. MDS (Metadata Service) – provides information about authenticators. Source: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-service-v2.0-rd-20180702.html

  31. MDS usage flow
     • Obtain an access token
     • Obtain the Metadata TOC (Table of Contents)
       – URLs of the metadata statements
       – data for verifying the metadata statements
     • Obtain the Metadata Statement
       – information about the authenticator
  32. Obtaining an access token. Source: https://mds2.fidoalliance.org/tokens/

  33. Obtaining and verifying the Metadata TOC
     • Obtain the Metadata TOC (JWT)
       – https://mds2.fidoalliance.org/?token=your-access-token-string
     • Obtain the root certificate from the FIDO Alliance
     • Verify the root certificate
     • Verify the TOC
     Reference: https://fidoalliance.org/metadata/
  34. Metadata TOC Payload dictionary
     dictionary MetadataTOCPayload {
         DOMString legalHeader;
         required Number no;
         required DOMString nextUpdate;
         required MetadataTOCPayloadEntry[] entries;
     };
     Source: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-service-v2.0-rd-20180702.html
  35. MetadataTOCPayloadEntry
     dictionary MetadataTOCPayloadEntry {
         AAID aaid;
         AAGUID aaguid;                                      // AAGUID corresponding to the authenticator
         DOMString[] attestationCertificateKeyIdentifiers;
         DOMString hash;
         DOMString url;                                      // URL of the metadata statement
         BiometricStatusReport[] biometricStatusReports;
         required StatusReport[] statusReports;
         required DOMString timeOfLastStatusChange;
         DOMString rogueListURL;
         DOMString rogueListHash;
     };
     Source: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-service-v2.0-rd-20180702.html
  36. MetadataTOCPayloadEntry (excerpt)
     • biometricStatusReports – FIDO Biometric Certification status of the authenticator's biometric components
     • statusReports – status of the authenticator
       – e.g. NOT_FIDO_CERTIFIED, FIDO_CERTIFIED, REVOKED, USER_VERIFICATION_BYPASS
     • timeOfLastStatusChange – date on which the status report value was set
     • rogueListURL – URL of the list of untrusted authenticators
  37. Obtaining the Metadata Statement
     • Obtain the Metadata Statement
       https://mds2.fidoalliance.org/metadata/4e4e%234005/?token=your-access-token-string
     • Base64-decode the Metadata Statement
     Reference: https://fidoalliance.org/metadata/
  38. Metadata Statement
     dictionary MetadataStatement {
         DOMString legalHeader;
         AAID aaid;
         AAGUID aaguid;                                      // AAGUID corresponding to the authenticator
         DOMString[] attestationCertificateKeyIdentifiers;
         required DOMString description;
         AlternativeDescriptions alternativeDescriptions;
         required unsigned short authenticatorVersion;
         DOMString protocolFamily;
         required Version[] upv;
         required DOMString assertionScheme;
         required unsigned short authenticationAlgorithm;
         unsigned short[] authenticationAlgorithms;
         required unsigned short publicKeyAlgAndEncoding;
         unsigned short[] publicKeyAlgAndEncodings;
         required unsigned short[] attestationTypes;
         required VerificationMethodANDCombinations[] userVerificationDetails;
         required unsigned short keyProtection;
         boolean isKeyRestricted;
         boolean isFreshUserVerificationRequired;
         required unsigned short matcherProtection;
         unsigned short cryptoStrength;
         DOMString operatingEnv;
         required unsigned long attachmentHint;
         required boolean isSecondFactorOnly;
         required unsigned short tcDisplay;
         DOMString tcDisplayContentType;
         DisplayPNGCharacteristicsDescriptor[] tcDisplayPNGCharacteristics;
         required DOMString[] attestationRootCertificates;
         EcdaaTrustAnchor[] ecdaaTrustAnchors;
         DOMString icon;
         ExtensionDescriptor supportedExtensions[];
     };
     Source: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-metadata-statement-v2.0-id-20180227.html
  40. Metadata Statement (excerpt)
     • Key Protection: how the private key is protected
       – KEY_PROTECTION_SOFTWARE 0x0001
       – KEY_PROTECTION_HARDWARE 0x0002
       – KEY_PROTECTION_TEE 0x0004
       – KEY_PROTECTION_SECURE_ELEMENT 0x0008
       – KEY_PROTECTION_REMOTE_HANDLE 0x0010
     • Matcher Protection Types: how the matcher that performs user verification is protected
       – MATCHER_PROTECTION_SOFTWARE 0x0001
       – MATCHER_PROTECTION_TEE 0x0002
       – MATCHER_PROTECTION_ON_CHIP 0x0004
     • AttachmentHint: how the authenticator is attached
       – ATTACHMENT_HINT_INTERNAL 0x0001
       – ATTACHMENT_HINT_EXTERNAL 0x0002
       – ATTACHMENT_HINT_WIRED 0x0004
       – ATTACHMENT_HINT_WIRELESS 0x0008
       – ATTACHMENT_HINT_NFC 0x0010
       – ATTACHMENT_HINT_BLUETOOTH 0x0020
       – ATTACHMENT_HINT_NETWORK 0x0040
       – ATTACHMENT_HINT_READY 0x0080
     Source: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html
  41. Metadata Statement (excerpt)
     • Transaction Confirmation Display Types: capabilities for transaction confirmation
       – TRANSACTION_CONFIRMATION_DISPLAY_ANY 0x0001
       – TRANSACTION_CONFIRMATION_DISPLAY_PRIVILEGED_SOFTWARE 0x0002
       – TRANSACTION_CONFIRMATION_DISPLAY_TEE 0x0004
       – TRANSACTION_CONFIRMATION_DISPLAY_HARDWARE 0x0008
       – TRANSACTION_CONFIRMATION_DISPLAY_REMOTE 0x0010
     • User Verification Methods: how the user is verified
       – USER_VERIFY_PRESENCE 0x00000001
       – USER_VERIFY_FINGERPRINT 0x00000002
       – USER_VERIFY_PASSCODE 0x00000004
       – USER_VERIFY_VOICEPRINT 0x00000008
       – USER_VERIFY_FACEPRINT 0x00000010
       – USER_VERIFY_LOCATION 0x00000020
       – USER_VERIFY_EYEPRINT 0x00000040
       – USER_VERIFY_PATTERN 0x00000080
       – USER_VERIFY_HANDPRINT 0x00000100
       – USER_VERIFY_NONE 0x00000200
       – USER_VERIFY_ALL 0x00000400
     Source: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html
  42. Registration (Overview)
     Participants: Authenticator, Client, Relying Party, MDS
     [1] access token
     [2] metadata TOC
     [3] access token
     [4] metadata statement
     [5] user info
     [6] challenge, user info, relying party info
     [7] relying party id, user info, relying party info, clientDataHash
     [8] user verification, new keypair, attestation
     [9] new public key, credential id, attestation
     [10] clientDataJSON, attestationObject (AAGUID)
     [11] server validation (check AAGUID)
     [12] result
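The "check AAGUID" step of this flow, as an added example that is not code from the deck: the AAGUID taken from attested credential data is matched against the Metadata TOC entries (slides 34 to 36), entries whose statusReports carry REVOKED or USER_VERIFICATION_BYPASS are refused, and the keyProtection and matcherProtection bit values from the registry (slides 40 and 41) are checked against an example RP policy. The TOC, statement contents and mds.example URLs are constructed; token retrieval, TOC signature verification and statement fetching are assumed to have already happened.

```python
import uuid

# Bit values from the FIDO Registry of Predefined Values listed on the slides.
KEY_PROTECTION_HARDWARE = 0x0002
KEY_PROTECTION_TEE = 0x0004
KEY_PROTECTION_SECURE_ELEMENT = 0x0008
MATCHER_PROTECTION_SOFTWARE = 0x0001
MATCHER_PROTECTION_ON_CHIP = 0x0004
# Example RP policy: keys kept in hardware, a TEE or a secure element; no software-only matcher;
# either of these statusReports values in the TOC entry disqualifies the model outright.
ACCEPTED_KEY_PROTECTION = KEY_PROTECTION_HARDWARE | KEY_PROTECTION_TEE | KEY_PROTECTION_SECURE_ELEMENT
BLOCKING_STATUSES = {"REVOKED", "USER_VERIFICATION_BYPASS"}

def find_toc_entry(toc_payload: dict, aaguid: str):
    """Find the MetadataTOCPayloadEntry whose aaguid matches (compared as canonical UUIDs)."""
    wanted = uuid.UUID(aaguid)
    for entry in toc_payload.get("entries", []):
        if "aaguid" in entry and uuid.UUID(entry["aaguid"]) == wanted:
            return entry
    return None

def evaluate_authenticator(toc_payload: dict, statements: dict, aaguid: str) -> tuple:
    """Return (accepted, reason) for an AAGUID from attested credential data; `statements` maps a
    TOC entry's url to its already fetched and base64-decoded MetadataStatement dictionary."""
    entry = find_toc_entry(toc_payload, aaguid)
    if entry is None:
        return False, "AAGUID not in metadata TOC"
    blocked = {r.get("status") for r in entry.get("statusReports", [])} & BLOCKING_STATUSES
    if blocked:
        return False, "status " + ", ".join(sorted(blocked))
    statement = statements.get(entry.get("url"))
    if statement is None:
        return False, "metadata statement not available"
    if not statement["keyProtection"] & ACCEPTED_KEY_PROTECTION:
        return False, "software-only key protection"
    if statement["matcherProtection"] == MATCHER_PROTECTION_SOFTWARE:
        return False, "software-only matcher protection"
    return True, statement["description"]

# Constructed sample data in the shape of the TOC / statement dictionaries on the slides (not real MDS content).
SAMPLE_TOC = {"no": 1, "nextUpdate": "2021-08-01", "entries": [
    {"aaguid": "01020304-0506-0708-090a-0b0c0d0e0f10", "url": "https://mds.example/metadata/1",
     "statusReports": [{"status": "FIDO_CERTIFIED"}], "timeOfLastStatusChange": "2021-06-01"},
    {"aaguid": "ffffffff-0000-0000-0000-000000000001", "url": "https://mds.example/metadata/2",
     "statusReports": [{"status": "FIDO_CERTIFIED"}, {"status": "USER_VERIFICATION_BYPASS"}],
     "timeOfLastStatusChange": "2021-06-15"}]}
SAMPLE_STATEMENTS = {
    "https://mds.example/metadata/1": {"description": "Example SE key", "keyProtection": KEY_PROTECTION_HARDWARE | KEY_PROTECTION_SECURE_ELEMENT, "matcherProtection": MATCHER_PROTECTION_ON_CHIP},
    "https://mds.example/metadata/2": {"description": "Example bypassed key", "keyProtection": KEY_PROTECTION_HARDWARE, "matcherProtection": MATCHER_PROTECTION_ON_CHIP}}
```

In a real deployment the same check runs against the TOC and statements obtained through the token, TOC and statement steps on slides 32 to 37, after the TOC's signature has been verified.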
  43. WebAuthn extensions

  44. Web Authentication extensions
     • The Web Authentication specification defines several extensions that look usable for deciding which authenticators to accept
     • However, most of them are probably not yet implemented in browsers
     • I have not actually used them, so part of this is speculation
     • They may become usable in the future?

  45. Defined Extensions
     • FIDO AppID Extension (appid)
     • Simple Transaction Authorization Extension (txAuthSimple)
     • Generic Transaction Authorization Extension (txAuthGeneric)
     • Authenticator Selection Extension (authnSel)
     • Supported Extensions Extension (exts)
     • User Verification Index Extension (uvi)
     • Location Extension (loc)
     • User Verification Method Extension (uvm)
     • Biometric Authenticator Performance Bounds Extension (biometricPerfBounds)
     Source: https://www.w3.org/TR/webauthn/#sctn-defined-extensions
  46. Operation applicability (Registration)
     • FIDO AppID Extension (appid)
     • Simple Transaction Authorization Extension (txAuthSimple)
     • Generic Transaction Authorization Extension (txAuthGeneric)
     • Authenticator Selection Extension (authnSel)
     • Supported Extensions Extension (exts)
     • User Verification Index Extension (uvi)
     • Location Extension (loc)
     • User Verification Method Extension (uvm)
     • Biometric Authenticator Performance Bounds Extension (biometricPerfBounds)
     Source: https://www.w3.org/TR/webauthn/#sctn-defined-extensions
  47. Authenticator Selection Extension (authnSel)
     Used to select the authenticators the RP can accept
     IN : list of AAGUIDs
     OUT : whether the extension was used
  48. Location Extension (loc)
     Used to obtain location information at registration and authentication
     IN : whether the RP requested use of the extension
     OUT : a location object (as defined by the Geolocation API)

  49. User Verification Method Extension (uvm)
     Used to learn the verification method at registration and authentication
     IN : whether the RP requested use of the extension
     OUT : a JSON array containing information about the verification methods
  50. Biometric Authenticator Performance Bounds Extension (biometricPerfBounds)
     Performance bounds for the biometric authenticators accepted at registration
     IN : performance limits of the biometric verification
       • FAR (maximum false acceptance rate)
       • FRR (maximum false rejection rate)
  51. Closing

  52. What the RP can do
     • Confirm that the authenticator is usable with FIDO2 – verify the attestation
     • Confirm that authentication was performed – verify the FLAGS
     • Confirm the authenticator's model/product – match the AAGUID – use MDS
  53. References
     • Web Authentication: An API for accessing Public Key Credentials Level 1 https://www.w3.org/TR/webauthn/
     • FIDO Registry of Predefined Values https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html
     • Test your YubiKey with WebAuthn https://demo.yubico.com/webauthn-technical/registration
     • FIDO Metadata Service https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-service-v2.0-rd-20180702.html
     • FIDO Metadata Statements https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-metadata-statement-v2.0-id-20180227.html