Building FIDO2 server in Go

Building FIDO2 server in Go Go Conference 2019 Spring Kanmu,
Inc Yuki Ito

me • Yuki Ito • CTO at Kanmu, Inc. •
GitHub: @mururu • Twitter: @mururururu

Agenda • What is FIDO2 (WebAuthn) • Implementing FIDO2 in
Go • Integrate FIDO2 with your existing API server

What is FIDO2(WebAuthn)

What is FIDO2 Hardware-based authentication built on public key cryptography
Device (Authenticator) Server (RP) Challenge Challenge Public Key, Challenge Public Key. Challenge Create  Key Pair Store

What is FIDO2 Hardware-based authentication built on public key cryptography
Private Key in device (Authenticator) Public Key in server (RP) Challenge Challenge Response Response Sign Verify

Implementing FIDO2 server in Go

Registration Flow User Client Server Authenticator 1. Start Registration 2.
Challenge, Options 3. Challenge 6. PubKey + Challenge 5. PubKey +  Challenge 4. Create Key Pair (7. Verify attestation) 8. Store PubKey

Authentication Flow User Client Server Authenticator 1. Start Authentication 2.
Challenge, Options 3. Challenge  + Options 6. Signature 5. Signature 4. Create Key Pair 7. Verify Signature

Attestation • How can we trust authenticator? • Authenticator can
send its attestationObject • We can verify an attestation via veriﬁcation attestationObject • There are various attestationObject formats

How public keys are encoded • Pulic Keys are encoded
as COSE_Key format • COSE is CBOR version JOSE • CBOR is like binary version of JSON

How to decode public keys • Public keys can be
various types (RSA, EC2 …), so decoding needs 2-step • We can use "github.com/ugorji/go/codec"

How to verify signatures • We already have attributes of
ecdsa.PublicKey, so we just need to compose ecdsa.PublicKey and verify signature with it

How to verify attestations • There are many attestation formats
• Packed, TPM, Android Key, Android SafetyNet… • We have to implement each attestation formats

How to verify attestations

Integration of FIDO2  and your Go API server

Situation • SPA + Go API Server + DB SPA 
(React, Vue…) API Server  written in Go DB

Authentication Flow User Client Server Authenticator 1. Start Authentication 2.
Challenge, Options 3. Challenge  + Options 6. Signature + Counter 5. Signature +  Counter 4. Create Key Pair 7. Verify Signature

User Client Server Authenticator 1. Start Authentication 2. Challenge, Options
3. Challenge  + Options 6. Signature + Counter 5. Signature +  Counter 4. Create Key Pair 7. Verify Signature RP Challenge Tasks of RP server

Tasks of RP server • Endpoint for option parameters •
Endpoint for registration/assertion • Veriﬁcation of credentials • Challenge management • User management

Tasks of library • Endpoint for option parameters • Endpoint
for registration/assertion • Veriﬁcation of credentials • Challenge management • User management

Tasks of Application • Endpoint for option parameters • Endpoint
for registration/assertion • Veriﬁcation of credentials • Challenge management • User management

User Client Server Authenticator 1. Start Authentication 2. Challenge, Options
3. Challenge  + Options 6. Signature + Counter 5. Signature +  Counter 4. Create Key Pair 7. Verify Signature RP Tasks of Application Challenge

If we have a full stack web framework in Go…

Tasks of Library (maybe) • Endpoint for option parameters (partial)
• Endpoint for registration/assertion (partial) • Veriﬁcation of credentials • Challenge management • User management (partial)

Sample Implementation • github.com/duo-labs/webauthn • WebAuthn (FIDO2) server library written
in Go

Server

Registration 1

Registration 2

Assertion 1

Assertion 2

Summary • I introduced the basic concept of FIDO2 •
I described how we integrate FIDO2 with API server written in Go • We should use a trusted implementation

Building FIDO2 server in Go Go Conference 2019 Spring Kanmu,
Inc Yuki Ito

Building FIDO2 server in Go

Building FIDO2 server in Go

mururu

More Decks by mururu

Other Decks in Technology

Featured

Transcript