
Building FIDO2 server in Go

mururu
May 18, 2019


FIDO2 (WebAuthn) is an authentication standard which enables passwordless authentication. I’ll introduce the mechanism of FIDO2 and how we can implement its server-side processing, especially the signature algorithm, in Go. I’ll also mention its integration with existing API servers written in Go.


Transcript

  1. Building FIDO2 server
    in Go
    Go Conference 2019 Spring

    Kanmu, Inc Yuki Ito


  2. me
    • Yuki Ito

    • CTO at Kanmu, Inc.

    • GitHub: @mururu

    • Twitter: @mururururu


  3. Agenda
    • What is FIDO2 (WebAuthn)

    • Implementing FIDO2 in Go

    • Integrate FIDO2 with your existing API server


  4. What is FIDO2 (WebAuthn)

  5. What is FIDO2
    Hardware-based authentication built on public key cryptography
    [Diagram: Device (Authenticator) and Server (RP). Server sends Challenge; device does "Create Key Pair" and returns Public Key + Challenge; server does "Store".]

  6. What is FIDO2
    Hardware-based authentication built on public key cryptography
    [Diagram: Private Key in device (Authenticator), Public Key in server (RP). Server sends Challenge; device does "Sign" and returns Response; server does "Verify".]

  7. Implementing FIDO2 server
    in Go


  8. Registration Flow
    [Sequence diagram with participants User, Client, Server and Authenticator]
    1. Start Registration
    2. Challenge, Options
    3. Challenge
    4. Create Key Pair
    5. PubKey + Challenge
    6. PubKey + Challenge
    (7. Verify attestation)
    8. Store PubKey

  9. Authentication Flow
    [Sequence diagram with participants User, Client, Server and Authenticator]
    1. Start Authentication
    2. Challenge, Options
    3. Challenge + Options
    4. Create Key Pair
    5. Signature
    6. Signature
    7. Verify Signature

  10. Attestation
    • How can we trust the authenticator?

    • The authenticator can send its attestationObject

    • We can verify the authenticator by verifying its attestationObject

    • There are various attestationObject formats

  11. How public keys are encoded
    • Public keys are encoded in the COSE_Key format

    • COSE is the CBOR version of JOSE

    • CBOR is like a binary version of JSON

  12. How to decode public keys
    • Public keys can be of various types (RSA, EC2 …), so decoding takes two steps

    • We can use "github.com/ugorji/go/codec"
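The two-step decode described on this slide, worked through as an added example (editorial code, not code from the talk or from the library it names): a minimal CBOR reader, assumed here as a stand-in for github.com/ugorji/go/codec, decodes the COSE_Key into a generic map; step one reads kty (label 1) to learn the key type, step two reads the EC2 labels alg, crv, x and y and checks them. SampleCOSEKey and its dummy coordinates are constructed for the demo and are not a real credential.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// cborDecoder is a deliberately small CBOR reader (an assumption of this example: it stands in
// for github.com/ugorji/go/codec named on the slides) that handles only what a COSE_Key needs:
// integers (major types 0 and 1), byte strings (2) and integer-keyed maps (5).
type cborDecoder struct{ buf []byte; pos int }

// value decodes one item as int64, []byte or map[int64]interface{}.
func (d *cborDecoder) value() (interface{}, error) {
	if d.pos >= len(d.buf) {
		return nil, errors.New("cbor: truncated")
	}
	major, arg := d.buf[d.pos]>>5, uint64(d.buf[d.pos]&0x1f)
	d.pos++
	if arg >= 24 { // 24..27: the argument follows in 1, 2, 4 or 8 bytes; 28..31 are reserved/indefinite
		n := 1 << (arg - 24)
		if arg > 27 || d.pos+n > len(d.buf) {
			return nil, errors.New("cbor: unsupported or truncated argument")
		}
		arg = 0
		for _, b := range d.buf[d.pos : d.pos+n] {
			arg = arg<<8 | uint64(b)
		}
		d.pos += n
	}
	switch major {
	case 0:
		return int64(arg), nil
	case 1:
		return -1 - int64(arg), nil
	case 2:
		if uint64(len(d.buf)-d.pos) < arg {
			return nil, errors.New("cbor: truncated byte string")
		}
		d.pos += int(arg)
		return d.buf[d.pos-int(arg) : d.pos], nil
	case 5:
		m := make(map[int64]interface{})
		for i := uint64(0); i < arg; i++ {
			k, err := d.value()
			if err != nil {
				return nil, err
			}
			ki, ok := k.(int64)
			if !ok {
				return nil, errors.New("cbor: non-integer map key")
			}
			if m[ki], err = d.value(); err != nil {
				return nil, err
			}
		}
		return m, nil
	}
	return nil, fmt.Errorf("cbor: unsupported major type %d", major)
}

// EC2Key holds the attributes of an EC2 COSE_Key (RFC 8152 labels: 3=alg, -1=crv, -2=x, -3=y).
type EC2Key struct{ Alg, Crv int64; X, Y []byte }

// ParseCOSEKey is the two-step decode: step 1 decodes the generic CBOR map and reads kty
// (label 1); step 2 interprets the remaining labels for that key type. Only EC2 (kty 2) is
// implemented here; an RSA key (kty 3) would need its own step 2 reading n and e instead.
func ParseCOSEKey(b []byte) (*EC2Key, error) {
	v, err := (&cborDecoder{buf: b}).value()
	if err != nil {
		return nil, err
	}
	m, _ := v.(map[int64]interface{}) // a nil map reads as all-zero labels below
	if kty, _ := m[1].(int64); kty != 2 {
		return nil, fmt.Errorf("cose: unsupported or missing kty %d", kty)
	}
	k := &EC2Key{}
	k.Alg, _ = m[3].(int64)
	k.Crv, _ = m[-1].(int64)
	k.X, _ = m[-2].([]byte)
	k.Y, _ = m[-3].([]byte)
	if k.Alg != -7 || k.Crv != 1 || len(k.X) != 32 || len(k.Y) != 32 { // ES256 on P-256 only
		return nil, fmt.Errorf("cose: unsupported EC2 key alg=%d crv=%d", k.Alg, k.Crv)
	}
	return k, nil
}

// SampleCOSEKey is a constructed EC2/ES256/P-256 COSE_Key with dummy coordinates, not a real credential.
func SampleCOSEKey() []byte {
	key := append([]byte{0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20}, bytes.Repeat([]byte{0x11}, 32)...)
	return append(append(key, 0x22, 0x58, 0x20), bytes.Repeat([]byte{0x22}, 32)...)
}

func main() {
	fmt.Println(ParseCOSEKey(SampleCOSEKey()))
}
```

The decoder rejects truncated input and indefinite-length items rather than guessing, which is the behaviour an RP wants on attacker-controlled bytes; the step-2 check also refuses any algorithm or curve the server has not decided to support, so an authenticator cannot downgrade the RP to a weaker key type.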

  13. How to verify signatures
    • We already have the attributes of an ecdsa.PublicKey, so we just
    need to compose the ecdsa.PublicKey and verify the signature
    with it
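Composing the ecdsa.PublicKey and verifying the assertion signature, as an added example that is not code from the talk: the authenticator signs authenticatorData concatenated with SHA-256 of clientDataJSON, the signature arrives DER-encoded, and the coordinates are checked to be a point on P-256 before the key is used. SignSample, which generates a key pair and signs, only stands in for an authenticator so the block runs offline; the authData and clientDataJSON values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// PublicKeyFromEC2 composes an ecdsa.PublicKey from the x and y attributes decoded from a P-256
// COSE_Key. The on-curve check is not optional: a key stored without validation could be an
// off-curve point, and ecdsa must never be used with one.
func PublicKeyFromEC2(x, y []byte) (*ecdsa.PublicKey, error) {
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if len(x) != 32 || len(y) != 32 || !pub.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("ec2: coordinates are not a valid P-256 point")
	}
	return pub, nil
}

// AssertionDigest is the hash an ES256 authenticator signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func AssertionDigest(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return h[:]
}

// VerifyAssertion checks the DER-encoded ECDSA signature of an authentication response against the
// credential's public key. Challenge, origin and counter checks are a separate RP task.
func VerifyAssertion(pub *ecdsa.PublicKey, authData, clientDataJSON, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, AssertionDigest(authData, clientDataJSON), sig)
}

// SignSample plays the authenticator for the demo: it creates a credential key pair and signs the
// given data, returning the x/y attributes the RP would have stored at registration plus the signature.
func SignSample(authData, clientDataJSON []byte) (x, y, sig []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, priv, AssertionDigest(authData, clientDataJSON))
	return priv.X.FillBytes(make([]byte, 32)), priv.Y.FillBytes(make([]byte, 32)), sig, err
}

func main() {
	authData := []byte("constructed-authenticator-data") // a real one is rpIdHash || flags || signCount
	clientData := []byte(`{"type":"webauthn.get","challenge":"constructed"}`)
	x, y, sig, _ := SignSample(authData, clientData)
	pub, err := PublicKeyFromEC2(x, y)
	fmt.Println("genuine:", err == nil && VerifyAssertion(pub, authData, clientData, sig))
	fmt.Println("tampered:", VerifyAssertion(pub, authData, []byte(`{"type":"webauthn.get","challenge":"other"}`), sig))
	_, err = PublicKeyFromEC2(make([]byte, 32), make([]byte, 32)) // (0, 0) is not on P-256
	fmt.Println("off-curve rejected:", err != nil)
}
```

Because clientDataJSON is hashed into the signed message, any change to the challenge or origin after signing invalidates the signature, which is what lets the RP trust those fields once the signature checks out.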

  14. How to verify attestations
    • There are many attestation formats

    • Packed, TPM, Android Key, Android SafetyNet…

    • We have to implement each attestation format

  15. How to verify attestations


  16. Integration of FIDO2

    and your Go API server


  17. Situation
    • SPA + Go API Server + DB
    [Diagram: SPA (React, Vue…) → API Server written in Go → DB]

  18. Authentication Flow
    [Sequence diagram with participants User, Client, Server and Authenticator]
    1. Start Authentication
    2. Challenge, Options
    3. Challenge + Options
    4. Create Key Pair
    5. Signature + Counter
    6. Signature + Counter
    7. Verify Signature

  19. [Same sequence diagram as slide 18, annotated "RP", "Challenge" and "Tasks of RP server"]

  20. Tasks of RP server
    • Endpoint for option parameters

    • Endpoint for registration/assertion

    • Verification of credentials

    • Challenge management

    • User management
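The challenge-management and verification tasks in this list, worked through as an added example (editorial code, not the talk's and not from duo-labs/webauthn): a ChallengeStore issues random one-shot challenges with an expiry, and ValidateAssertion performs the checks an RP must run around the signature check itself: the challenge is consumed, clientData type and origin match, rpIdHash matches, the user-presence flag is set, and the signature counter strictly increases (this last check is what the "Signature + Counter" on the flow slides is for). The in-memory map, the session ids, the rpId example.com and BuildAuthData are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ChallengeStore is the RP's "challenge management" task: each challenge is random, bound to a
// session, expires, and is consumed on first use so a captured response cannot be replayed.
// Assumption of this example: an in-memory map stands in for the session store or DB.
type ChallengeStore struct {
	mu      sync.Mutex
	ttl     time.Duration
	pending map[string]pendingChallenge // keyed by session id
}

// pendingChallenge keeps the base64url challenge exactly as it must appear in clientDataJSON.
type pendingChallenge struct{ value string; expires time.Time }

func NewChallengeStore(ttl time.Duration) *ChallengeStore {
	return &ChallengeStore{ttl: ttl, pending: map[string]pendingChallenge{}}
}

// Issue creates a fresh 32-byte challenge for the options endpoint and remembers it for the session.
func (s *ChallengeStore) Issue(sessionID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[sessionID] = pendingChallenge{value: c, expires: time.Now().Add(s.ttl)}
	return c, nil
}

// Consume deletes the session's challenge (even on failure) and reports whether it matched and was unexpired.
func (s *ChallengeStore) Consume(sessionID, challenge string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.pending[sessionID]
	delete(s.pending, sessionID)
	return ok && time.Now().Before(p.expires) && subtle.ConstantTimeCompare([]byte(p.value), []byte(challenge)) == 1
}

// clientData is the subset of clientDataJSON the RP must check (encoding/json matches the keys case-insensitively).
type clientData struct{ Type, Challenge, Origin string }

// ValidateAssertion runs the RP-side checks around signature verification: challenge (consumed
// from the store), clientData type and origin, rpIdHash, the user-presence flag and the signature
// counter. On success it returns the counter to store for the credential.
func ValidateAssertion(s *ChallengeStore, sessionID, rpID, origin string, storedCount uint32, clientDataJSON, authData []byte) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return 0, err
	}
	if !s.Consume(sessionID, cd.Challenge) { // burn the challenge before any other check
		return 0, errors.New("unknown, expired or reused challenge")
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return 0, errors.New("clientData type or origin mismatch")
	}
	if h := sha256.Sum256([]byte(rpID)); len(authData) < 37 || !bytes.Equal(authData[:32], h[:]) {
		return 0, errors.New("authenticatorData too short or rpIdHash mismatch") // layout: rpIdHash(32) || flags(1) || signCount(4)
	}
	if authData[32]&0x01 == 0 { // flag bit 0 = UP, user present
		return 0, errors.New("user presence flag not set")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if (count != 0 || storedCount != 0) && count <= storedCount { // a non-increasing counter suggests a cloned authenticator
		return 0, errors.New("signature counter did not increase")
	}
	return count, nil
}

// BuildAuthData constructs a minimal authenticatorData (rpIdHash || flags || signCount) for the demo and tests.
func BuildAuthData(rpID string, flags byte, count uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append(h[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(out[33:], count)
	return out
}

func main() {
	store := NewChallengeStore(2 * time.Minute)
	c, _ := store.Issue("session-1")
	cdj := []byte(`{"type":"webauthn.get","challenge":"` + c + `","origin":"https://example.com"}`)
	fmt.Println(ValidateAssertion(store, "session-1", "example.com", "https://example.com", 5, cdj, BuildAuthData("example.com", 0x01, 6)))
}
```

Consuming the challenge first means every submitted response burns it, whether or not the later checks pass, so an attacker cannot probe the other checks with a captured challenge; the counter rule follows the WebAuthn recommendation that a counter which fails to increase is treated as a signal of a cloned authenticator rather than silently accepted.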


  21. Tasks of library
    • Endpoint for option parameters

    • Endpoint for registration/assertion

    • Verification of credentials

    • Challenge management

    • User management


  22. Tasks of Application
    • Endpoint for option parameters

    • Endpoint for registration/assertion

    • Verification of credentials

    • Challenge management

    • User management


  23. [Same sequence diagram as slide 18, annotated "RP", "Tasks of Application" and "Challenge"]

  24. If we have a full stack web
    framework in Go…


  25. Tasks of Library (maybe)
    • Endpoint for option parameters (partial)

    • Endpoint for registration/assertion (partial)

    • Verification of credentials

    • Challenge management

    • User management (partial)


  26. Sample Implementation
    • github.com/duo-labs/webauthn

    • WebAuthn (FIDO2) server library written in Go


  27. Registration 1


  28. Registration 2


  29. Summary
    • I introduced the basic concept of FIDO2

    • I described how we integrate FIDO2 with an API server
    written in Go

    • We should use a trusted implementation

  30. Building FIDO2 server
    in Go
    Go Conference 2019 Spring

    Kanmu, Inc Yuki Ito
