Open source contribution Starting with LINE FIDO2 Server

Transcript

1. None

2. Who Am I? - Working on FIDO2, UAF since 2015

    - Security Engineer

3. Agenda - What’s FIDO? - History of FIDO works and

   activities - Details of LINE FIDO2 Server - How to contribute? - Future works 

4. What’s FIDO? 

5. Fast IDentity Online 

6. Passwords are Risky!  Rainbow table Key logging Phishing Social

   engineering A A

7. FIDO is the Future of Logins More Secure Easier Safer

   

8. How does FIDO work? It’s based on the public key

   cryptography It’s based on the public key cryptography  Challenge (random number) Response (signature) Success or fail User gesture Prompt user gesture User verification FIDO Protocol Unlock private key Verify signature(/w public key)

9. History of FIDO works and activities 

10. FIDO Alliance Board member Our Journey with FIDO 2020 LINE

    BK LINE Passwordless 2018 FIDO Universal Server Certification 2021 FIDO Developer Challenge Open source release 2019 FIDO Hackathon LINE Pay 2017 

11. Board Member X  May, 2017

12. FIDO Working Group Korea Working Group Japan Working Group -

    Vice Chair  2017 - 2021 APAC Marketing Forum

13. Universal Server Certification  Dec, 2018

14. FIDO Hackathon in Korea https://fidoalliance.org/fido-authentication-developer-support-program-fido-hackathon-in-korea/  April - Dec, 2019

15. FIDO Hackathon in Korea  April - Dec, 2019

16. LINE Pay X FIDO  Sep, 2019

17. LINE BK X FIDO  Oct, 2020

18. Passwordless LINE X FIDO Login Push Success Authentication iOS Android

    Primary LINE App Secondary LINE App iPad Mac Windows  Nov, 2020

19. FIDO Developer Challenge Judgement https://fidoalliance.org/fido-developer-challenge/  Jul - Oct, 2021

20. Release to Open source  Aug, 2021

21. LINE DEVELOPER DAY 2019  https://linedevday.linecorp.com/jp/2019/sessions/D1-1 Strong Customer Authentication &

    Biometrics Using FIDO

22. LINE DEVELOPER DAY 2020  Secure LINE login with biometrics

    key replacing password https://linedevday.linecorp.com/2020/en/sessions/7365

23. LINE DEVELOPER DAY 2020  https://linedevday.linecorp.com/2020/en/sessions/8802 Cross-platform Mobile Security at

    LINE

24. LINE Engineering Blog  https://engineering.linecorp.com/en/blog/fido-at-line/ https://engineering.linecorp.com/en/blog/fido-at-line-fido2-server-opensource/

25. Details of LINE FIDO2 Server 

26. Three Standards of FIDO UAF (Since 2014 - ) Mobile

    Support Android/iOS U2F (2014 - ) Using Hardware Key FIDO2 (2018 - ) Mobile/Desktop/Web Support  Passwordless Login 2FA Passwordless Login + 2FA

27. Features of FIDO2 Standard  - Consists of two specifications

    (CTAP + WebAuthn)

28. FIDO2 is the Newest set of Specifications FIDO2 FIDO2 CTAP

    W3C WebAuthn Platform proprietary Server Client Platform Authenticator External Authenticator USB/NFC/Bluetooth

29. Features of FIDO2 Standard - Major browser support  -

    Consists of two specifications (CTAP + WebAuthn)

30.  https://fidoalliance.org/fido2/fido2-web-authentication-webauthn Platform/Browser Support Updated Jun, 2020

31. Features of FIDO2 Standard - Major browser support - Native

    API support - Windows10, Android  - Backward compatibility for U2F - Consists of two specifications (CTAP + WebAuthn)

32. LINE FIDO2 Server & Client Overview LINE FIDO2 Combo (Android,iOS)

    Relying Party LINE FIDO2 Server Client Server

33. LINE FIDO2 Server & Client Overview Open source LINE FIDO2

    Combo (Android,iOS) Relying Party LINE FIDO2 Server Client Server

34. Open sourced Server Modules server FIDO2 Server application  spring-boot-starter

    FIDO2 Server wrapped in a Spring boot starter rp-server Simple RP Implementation with Web page for Test common FIDO2 Common Message classes

35. Server stack LINE FIDO2 Server is built on top of

    Spring Boot Crypto COSE JWT BouncyCastle Security Storage MySQL Redis H2 Jackson Lombok Swagger Utilities/Helpers CBOR Retrofit2 Services Spring Boot Data-Jpa Data-Redis Web Logging Validation JDBC Test Challenge Response Attestation Metadata UserKey Session Mds v2 X.509

36. Attestation features Attestation types Basic Self Attestation CA None Anonymization

    CA Attestation formats Packed TPM Android Key Attestation Android SafetyNet FIDO U2F None Apple Anonymous 

37. Attestation features Attestation types Basic Self Attestation CA None Anonymization

    CA Attestation formats Packed TPM Android Key Attestation Android SafetyNet FIDO U2F None Apple Anonymous 

38. Quickstart Guide - Run rpserver and server or line-fido2-spring-boot-demo -

    Connect to http://localhost:8080/ 

39. Quickstart Guide - You can Register, Authenticate and check the

    result. - Username and display name are required when starting registration - You can also test various additional functions by selecting several options. 

40. Quickstart Guide External Properties - rpserver spring: profiles: active: local

    config: use-legacy-processing: true server: port: 8080 logbook: write: level: INFO obfuscate: headers: - host - origin - referer - user-agent - accept-encoding exclude: - /health fido2-server: scheme: http host: localhost port: 8081 endpoint: get-reg-challenge: /fido2/reg/challenge get-auth-challenge: /fido2/auth/challenge send-reg-response: /fido2/reg/response send-auth-response: /fido2/auth/response get-delete-credentials: /fido2/credentials spring: profiles: active: local resources: chain: cache: false fido2: rp: id: localhost origin: localhost port: 8080 conformance: url: http://localhost:8080 logging: level: org.springframework.web: DEBUG org.hibernate: DEBUG com.linecorp.line: DEBUG  rpserver/../resources/application.yaml rpserver/../resources/application-local.yaml

41. Quickstart Guide External Properties - FIDO2 server … server: port:

    8081 fido: … fido2: session-ttl-millis: 180000 accept-unregistered-authenticators: true logbook: write: level: INFO category: http.wire-log obfuscate: headers: … exclude: - /health mds: enable-mds : false sources: # if you want to use mds service please see below # https://fidoalliance.org/metadata/ - name: fido-mds-v2 enabled: true endpoint: https://mds2.fidoalliance.org/ access-token: xxx root-certificates: - xxx spring: profiles: active: local server: port: 8081 redis: host: localhost port: 6379 password: logging: level: com.linecorp.line: DEBUG org.springframework.web: DEBUG org.hibernate: DEBUG h2: console: enabled: true settings: web-allow-others: true  server/../resources/application.yaml server/../resources/application-local.yaml

42. Quickstart Guide data.sql -- test rp insert into rp (id,

    name, description) values('localhost', 'example1', 'example1');  server/../resources/data.sql

43. Demo  Registration

44. Demo  Registration

45. Demo  Authentication

46. Demo  Authentication

47. FIDO Play service Client architecture  FIDO2 GMS Core LINE

    Authenticator LTSM Native Authenticator External Authenticator LINE FIDO2 Glue Layer (Abstraction) RP App (Activity) RP App (View) LINE FIDO2 Combo (FIDO2 Client, Authenticator Logic) LTSM (LINE Trusted Security Module) KAL (KeyChain Abstraction Layer) WAL (Whitebox Abstraction Layer) Abstraction layer supporting both Android native authenticator and LINE authenticator Uses Touch ID and Face ID as UV and leverages WBC (Whitebox cryptography) for attestation CTAP2 Single API entry point iOS Android

48. How to contribute? 

49. https://github.com/line/line-fido2-server 

50. README & CONTRIBUTING 

51. Wiki 

52. Find or Create an issues to contribute 

53. Sign CLA 

54. PR Review and Merge 

55. Future Works 

56. Roadmap As an open source project More Features Tech documents

     Library Distribution

57. Roadmap Inside LINE More LINE services Other Platforms  Sharing

    knowledge

58. TRY OUR OPEN SOURCE! WELCOME YOUR STAR AND LOVE!