
Open source contribution Starting with LINE FIDO2 Server

November 11, 2021



  1. None
  2. Who Am I?
     - Security Engineer
     - Working on FIDO2 and UAF since 2015
  3. Agenda
     - What's FIDO?
     - History of FIDO works and activities
     - Details of LINE FIDO2 Server
     - How to contribute?
     - Future works
  4. What’s FIDO? 

  5. Fast IDentity Online 

  6. Passwords are Risky!
     - Rainbow table
     - Key logging
     - Phishing
     - Social engineering
  7. FIDO is the Future of Logins More Secure Easier Safer

  8. How does FIDO work? It's based on public key cryptography.
     - Server sends a challenge (random number) over the FIDO protocol
     - Client prompts the user gesture; user verification unlocks the private key
     - Authenticator returns a response (signature over the challenge)
     - Server verifies the signature with the registered public key
     - Result: success or fail
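The challenge/response flow on the slide above, as an added Go example that is not LINE's code (the LINE FIDO2 Server on this page is a Java/Spring Boot project). It assumes a toy relying party keeping challenges and registered public keys in memory, P-256 ECDSA keys, and a challenge lifetime of 180 seconds (the `session-ttl-millis: 180000` value shown later on this deck). It signs the raw challenge for simplicity; a real WebAuthn authenticator signs over authenticator data plus the hash of the client data, and the server also checks RP ID and origin. The points it demonstrates are the ones that matter for the server side: the challenge is random, bound to one user, single use, and expires, and nothing is unlocked on the authenticator without a user gesture.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// RelyingParty is the server side: it issues challenges, remembers who they
// were issued to and until when, and verifies responses with the public key
// registered for the user. Assumption: in-memory maps stand in for the
// MySQL/Redis storage mentioned on the slides.
type RelyingParty struct {
	ttl        time.Duration
	challenges map[string]challengeRecord  // hex(challenge) -> record
	pubKeys    map[string]*ecdsa.PublicKey // user -> registered public key
}

type challengeRecord struct {
	user    string
	expires time.Time
}

func NewRelyingParty(ttl time.Duration) *RelyingParty {
	return &RelyingParty{
		ttl:        ttl,
		challenges: make(map[string]challengeRecord),
		pubKeys:    make(map[string]*ecdsa.PublicKey),
	}
}

// Register stores the public key produced at registration time; the private
// half never leaves the authenticator.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.pubKeys[user] = pub
}

// NewChallenge is the "Challenge (random number)" step: 32 CSPRNG bytes,
// bound to the user and to an expiry so it cannot be reused or kept forever.
func (rp *RelyingParty) NewChallenge(user string, now time.Time) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("no credential registered for user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[hex.EncodeToString(c)] = challengeRecord{user: user, expires: now.Add(rp.ttl)}
	return c, nil
}

// Verify is the "Verify signature (w/ public key)" step; nil means success.
// The challenge is consumed on first use, so a replayed response fails even
// though its signature is still mathematically valid.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte, now time.Time) error {
	key := hex.EncodeToString(challenge)
	rec, ok := rp.challenges[key]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.challenges, key) // single use
	if rec.user != user {
		return errors.New("challenge was issued to a different user")
	}
	if now.After(rec.expires) {
		return errors.New("challenge expired")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(rp.pubKeys[user], digest[:], sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

// Authenticator is the client side: the private key is only used after a
// user gesture (fingerprint, PIN, ...) has been verified.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign is "Prompt user gesture -> User verification -> Unlock private key ->
// Response (signature)"; gestureOK stands in for the verification result.
func (a *Authenticator) Sign(challenge []byte, gestureOK bool) ([]byte, error) {
	if !gestureOK {
		return nil, errors.New("user verification failed: private key stays locked")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty(180 * time.Second)
	rp.Register("alice", auth.PublicKey()) // registration (constructed user name)
	now := time.Now()
	ch, _ := rp.NewChallenge("alice", now)
	sig, _ := auth.Sign(ch, true)
	fmt.Println("first response:", rp.Verify("alice", ch, sig, now))   // <nil>
	fmt.Println("replayed response:", rp.Verify("alice", ch, sig, now)) // error
}
```

Running `main` shows the first response accepted and the identical replay rejected; the expiry and the missing-gesture cases behave the same way and are the checks a server-side reviewer should look for in any RP implementation.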
  9. History of FIDO works and activities 

  10. Our Journey with FIDO
     - 2017: FIDO Alliance Board member
     - 2018: FIDO Universal Server Certification
     - 2019: FIDO Hackathon, LINE Pay
     - 2020: LINE BK, LINE Passwordless
     - 2021: FIDO Developer Challenge, Open source release
  11. Board Member  May, 2017

  12. FIDO Working Group
     - Korea Working Group
     - Japan Working Group
     - APAC Marketing Forum
     - Vice Chair  2017 - 2021
  13. Universal Server Certification  Dec, 2018

  14. FIDO Hackathon in Korea https://fidoalliance.org/fido-authentication-developer-support-program-fido-hackathon-in-korea/  April - Dec, 2019

  15. FIDO Hackathon in Korea  April - Dec, 2019

  16. LINE Pay X FIDO  Sep, 2019

  17. LINE BK X FIDO  Oct, 2020

  18. Passwordless LINE X FIDO  Nov, 2020
     - Login on a secondary LINE app (iPad, Mac, Windows) sends a push to the primary LINE app (iOS, Android)
     - Authentication on the primary app completes the login (Success)
  19. FIDO Developer Challenge Judgement https://fidoalliance.org/fido-developer-challenge/  Jul - Oct, 2021

  20. Release to Open source  Aug, 2021

  21. LINE DEVELOPER DAY 2019  Strong Customer Authentication & Biometrics Using FIDO  https://linedevday.linecorp.com/jp/2019/sessions/D1-1
  22. LINE DEVELOPER DAY 2020  Secure LINE login with biometrics key replacing password  https://linedevday.linecorp.com/2020/en/sessions/7365
  23. LINE DEVELOPER DAY 2020  Cross-platform Mobile Security at  https://linedevday.linecorp.com/2020/en/sessions/8802

  24. LINE Engineering Blog
     - https://engineering.linecorp.com/en/blog/fido-at-line/
     - https://engineering.linecorp.com/en/blog/fido-at-line-fido2-server-opensource/

  25. Details of LINE FIDO2 Server 

  26. Three Standards of FIDO
     - UAF (since 2014): Mobile, supports Android/iOS; Passwordless Login
     - U2F (since 2014): Using a hardware key; 2FA
     - FIDO2 (since 2018): Mobile/Desktop/Web support; Passwordless Login + 2FA
  27. Features of FIDO2 Standard
     - Consists of two specifications (CTAP + WebAuthn)
  28. FIDO2 is the Newest set of Specifications
     - W3C WebAuthn: between the Server and the Client (browser/platform)
     - FIDO2 CTAP: between the Client and an External Authenticator over USB/NFC/Bluetooth
     - Platform Authenticator: reached through a platform-proprietary interface
  29. Features of FIDO2 Standard
     - Major browser support
     - Consists of two specifications (CTAP + WebAuthn)
  30. Platform/Browser Support (updated Jun, 2020)  https://fidoalliance.org/fido2/fido2-web-authentication-webauthn

  31. Features of FIDO2 Standard
     - Major browser support
     - Native API support: Windows 10, Android
     - Backward compatibility for U2F
     - Consists of two specifications (CTAP + WebAuthn)
  32. LINE FIDO2 Server & Client Overview
     - Client: LINE FIDO2 Combo (Android, iOS)
     - Relying Party Server
     - LINE FIDO2 Server
  33. LINE FIDO2 Server & Client Overview (Open source part)
     - Client: LINE FIDO2 Combo (Android, iOS)
     - Relying Party Server
     - LINE FIDO2 Server (open source)
  34. Open sourced Server Modules
     - server: FIDO2 Server application
     - spring-boot-starter: FIDO2 Server wrapped in a Spring Boot starter
     - rp-server: Simple RP implementation with a web page for testing
     - common: FIDO2 common message classes
  35. Server stack: LINE FIDO2 Server is built on top of Spring Boot
     - Spring Boot: Data-Jpa, Data-Redis, Web, Logging, Validation, JDBC, Test
     - Crypto/Security: COSE, JWT, BouncyCastle, X.509
     - Storage: MySQL, Redis, H2
     - Utilities/Helpers: Jackson, Lombok, Swagger, CBOR, Retrofit2
     - Services: Challenge, Response, Attestation, Metadata, UserKey, Session, Mds v2
  36. Attestation features
     - Attestation types: Basic, Self Attestation, Attestation CA, None, Anonymization CA
     - Attestation formats: Packed, TPM, Android Key Attestation, Android SafetyNet, FIDO U2F, None, Apple Anonymous
  38. Quickstart Guide
     - Run rpserver and server, or line-fido2-spring-boot-demo
     - Connect to http://localhost:8080/
  39. Quickstart Guide
     - You can Register, Authenticate and check the result.
     - Username and display name are required when starting registration.
     - You can also test various additional functions by selecting several options.
  40. Quickstart Guide External Properties - rpserver

     rpserver/../resources/application.yaml

         spring:
           profiles:
             active: local
           config:
             use-legacy-processing: true
         server:
           port: 8080
         logbook:
           write:
             level: INFO
           obfuscate:
             headers:
               - host
               - origin
               - referer
               - user-agent
               - accept-encoding
           exclude:
             - /health
         fido2-server:
           scheme: http
           host: localhost
           port: 8081
           endpoint:
             get-reg-challenge: /fido2/reg/challenge
             get-auth-challenge: /fido2/auth/challenge
             send-reg-response: /fido2/reg/response
             send-auth-response: /fido2/auth/response
             get-delete-credentials: /fido2/credentials

     rpserver/../resources/application-local.yaml

         spring:
           profiles:
             active: local
           resources:
             chain:
               cache: false
         fido2:
           rp:
             id: localhost
             origin: localhost
             port: 8080
           conformance:
             url: http://localhost:8080
         logging:
           level:
             org.springframework.web: DEBUG
             org.hibernate: DEBUG
             com.linecorp.line: DEBUG
  41. Quickstart Guide External Properties - FIDO2 server

     server/../resources/application.yaml

         …
         server:
           port: 8081
         fido:
           …
         fido2:
           session-ttl-millis: 180000
           accept-unregistered-authenticators: true
         logbook:
           write:
             level: INFO
             category: http.wire-log
           obfuscate:
             headers:
               …
           exclude:
             - /health
         mds:
           enable-mds: false
           sources:
             # if you want to use mds service please see below
             # https://fidoalliance.org/metadata/
             - name: fido-mds-v2
               enabled: true
               endpoint: https://mds2.fidoalliance.org/
               access-token: xxx
               root-certificates:
                 - xxx

     server/../resources/application-local.yaml

         spring:
           profiles:
             active: local
         server:
           port: 8081
         redis:
           host: localhost
           port: 6379
           password:
         logging:
           level:
             com.linecorp.line: DEBUG
             org.springframework.web: DEBUG
             org.hibernate: DEBUG
         h2:
           console:
             enabled: true
             settings:
               web-allow-others: true
  42. Quickstart Guide data.sql

     server/../resources/data.sql

         -- test rp
         insert into rp (id, name, description) values ('localhost', 'example1', 'example1');
  43. Demo  Registration

  45. Demo  Authentication

  47. Client architecture
     - Single API entry point (CTAP2) for the RP App (Activity / View)
     - LINE FIDO2 Glue Layer (Abstraction): abstraction layer supporting both the Android native authenticator and the LINE authenticator
     - LINE FIDO2 Combo (FIDO2 Client, Authenticator Logic)
     - Android: FIDO2 GMS Core (FIDO Play service), Native Authenticator, External Authenticator, LINE Authenticator
     - iOS: uses Touch ID and Face ID as UV and leverages WBC (Whitebox cryptography) for attestation
     - LTSM (LINE Trusted Security Module) with KAL (KeyChain Abstraction Layer) and WAL (Whitebox Abstraction Layer)
  48. How to contribute? 

  49. https://github.com/line/line-fido2-server 


  51. Wiki 

  52. Find or create an issue to contribute 

  53. Sign CLA 

  54. PR Review and Merge 

  55. Future Works 

  56. Roadmap: As an open source project
     - More features
     - Tech documents
     - Library distribution
  57. Roadmap: Inside LINE
     - More LINE services
     - Other platforms
     - Sharing