
Building FIDO2 server in Go

mururu
May 18, 2019


FIDO2 (WebAuthn) is an authentication standard which enables passwordless authentication. I’ll introduce the mechanism of FIDO2 and how we can implement its server-side processing, especially the signature algorithm, in Go. I’ll also mention its integration with existing API servers written in Go.



Transcript

  1. Building FIDO2 server in Go. Go Conference 2019 Spring, Kanmu, Inc., Yuki Ito
  2. me • Yuki Ito • CTO at Kanmu, Inc. • GitHub: @mururu • Twitter: @mururururu
  3. Agenda • What is FIDO2 (WebAuthn) • Implementing FIDO2 in Go • Integrate FIDO2 with your existing API server
  4. What is FIDO2 (WebAuthn)

  5. What is FIDO2 • Hardware-based authentication built on public key cryptography. Diagram (registration): Device (Authenticator) and Server (RP); the server sends a Challenge, the device creates a Key Pair and returns Public Key + Challenge, the server stores the Public Key.
  6. What is FIDO2 • Hardware-based authentication built on public key cryptography. Diagram (authentication): Private Key in device (Authenticator), Public Key in server (RP); the server sends a Challenge, the device signs it and returns a Response, the server verifies the Response.
  7. Implementing FIDO2 server in Go

  8. Registration Flow (User, Client, Server, Authenticator): 1. Start Registration 2. Challenge, Options 3. Challenge 4. Create Key Pair 5. PubKey + Challenge 6. PubKey + Challenge (7. Verify attestation) 8. Store PubKey
  9. Authentication Flow (User, Client, Server, Authenticator): 1. Start Authentication 2. Challenge, Options 3. Challenge + Options 4. Create Key Pair 5. Signature 6. Signature 7. Verify Signature
  10. Attestation • How can we trust the authenticator? • The authenticator can send its attestationObject • We can verify an attestation by verifying the attestationObject • There are various attestationObject formats
  11. How public keys are encoded • Public keys are encoded in the COSE_Key format • COSE is the CBOR version of JOSE • CBOR is like a binary version of JSON
  12. How to decode public keys • Public keys can be of various types (RSA, EC2 …), so decoding needs 2 steps • We can use "github.com/ugorji/go/codec"
  13. How to verify signatures • We already have the attributes of ecdsa.PublicKey, so we just need to compose an ecdsa.PublicKey and verify the signature with it
  14. How to verify attestations • There are many attestation formats • Packed, TPM, Android Key, Android SafetyNet… • We have to implement each attestation format
  15. How to verify attestations

  16. Integration of FIDO2 and your Go API server

  17. Situation • SPA + Go API Server + DB. Diagram: SPA (React, Vue…), API Server written in Go, DB
  18. Authentication Flow (User, Client, Server, Authenticator): 1. Start Authentication 2. Challenge, Options 3. Challenge + Options 4. Create Key Pair 5. Signature + Counter 6. Signature + Counter 7. Verify Signature
  19. Tasks of RP server: the same Authentication Flow diagram (User, Client, Server, Authenticator; 1. Start Authentication 2. Challenge, Options 3. Challenge + Options 4. Create Key Pair 5. Signature + Counter 6. Signature + Counter 7. Verify Signature), annotated with RP and Challenge
  20. Tasks of RP server • Endpoint for option parameters • Endpoint for registration/assertion • Verification of credentials • Challenge management • User management
  21. Tasks of library • Endpoint for option parameters • Endpoint for registration/assertion • Verification of credentials • Challenge management • User management
  22. Tasks of Application • Endpoint for option parameters • Endpoint for registration/assertion • Verification of credentials • Challenge management • User management
  23. Tasks of Application: the same Authentication Flow diagram (User, Client, Server, Authenticator; 1. Start Authentication 2. Challenge, Options 3. Challenge + Options 4. Create Key Pair 5. Signature + Counter 6. Signature + Counter 7. Verify Signature), annotated with RP and Challenge
  24. If we have a full stack web framework in Go…

  25. Tasks of Library (maybe) • Endpoint for option parameters (partial) • Endpoint for registration/assertion (partial) • Verification of credentials • Challenge management • User management (partial)
  26. Sample Implementation • github.com/duo-labs/webauthn • WebAuthn (FIDO2) server library written in Go
  27. Server

  28. Registration 1

  29. Registration 2

  30. Assertion 1

  31. Assertion 2

  32. Summary • I introduced the basic concept of FIDO2 • I described how we integrate FIDO2 with an API server written in Go • We should use a trusted implementation
  33. Building FIDO2 server in Go. Go Conference 2019 Spring, Kanmu, Inc., Yuki Ito