
Building FIDO2 server in Go


FIDO2 (WebAuthn) is an authentication standard which enables passwordless authentication. I’ll introduce the mechanism of FIDO2 and how we can implement its server-side processing, especially the signature algorithm, in Go. I’ll also mention its integration with existing API servers written in Go.

mururu

May 18, 2019


Transcript

  1. me
     • Yuki Ito
     • CTO at Kanmu, Inc.
     • GitHub: @mururu
     • Twitter: @mururururu
  2. Agenda
     • What is FIDO2 (WebAuthn)
     • Implementing FIDO2 in Go
     • Integrating FIDO2 with your existing API server
  3. What is FIDO2
     • Hardware-based authentication built on public key cryptography
     • Diagram: the Server (RP) sends a Challenge to the Device (Authenticator); the device creates a key pair and returns the Public Key together with the Challenge; the server stores the Public Key.
  4. What is FIDO2
     • Hardware-based authentication built on public key cryptography
     • Diagram: the Private Key stays in the device (Authenticator) and the Public Key is held by the server (RP); the device signs the Challenge and returns the Response, which the server verifies.
  5. Registration Flow (User, Client, Server, Authenticator)
     1. Start Registration
     2. Challenge, Options
     3. Challenge
     4. Create Key Pair
     5. PubKey + Challenge
     6. PubKey + Challenge
     (7. Verify attestation)
     8. Store PubKey
  6. Authentication Flow (User, Client, Server, Authenticator)
     1. Start Authentication
     2. Challenge, Options
     3. Challenge + Options
     4. Create Key Pair
     5. Signature
     6. Signature
     7. Verify Signature
  7. Attestation
     • How can we trust the authenticator?
     • The authenticator can send its attestationObject
     • We can verify an attestation by verifying the attestationObject
     • There are various attestationObject formats
  8. How public keys are encoded
     • Public keys are encoded in the COSE_Key format
     • COSE is the CBOR version of JOSE
     • CBOR is like a binary version of JSON
  9. How to decode public keys
     • Public keys can be of various types (RSA, EC2 …), so decoding needs 2 steps
     • We can use "github.com/ugorji/go/codec"
  10. How to verify signatures
     • We already have the attributes of an ecdsa.PublicKey, so we just need to compose the ecdsa.PublicKey and verify the signature with it
  11. How to verify attestations
     • There are many attestation formats
     • Packed, TPM, Android Key, Android SafetyNet…
     • We have to implement each attestation format
  12. Situation
     • SPA + Go API Server + DB
     • Diagram: SPA (React, Vue…) → API Server written in Go → DB
  13. Authentication Flow (User, Client, Server, Authenticator)
     1. Start Authentication
     2. Challenge, Options
     3. Challenge + Options
     4. Create Key Pair
     5. Signature + Counter
     6. Signature + Counter
     7. Verify Signature
  14. Authentication Flow, annotated: tasks of the RP server (User, Client, Server, Authenticator)
     1. Start Authentication
     2. Challenge, Options
     3. Challenge + Options
     4. Create Key Pair
     5. Signature + Counter
     6. Signature + Counter
     7. Verify Signature
     (The RP side of the diagram, including Challenge handling, is marked as the RP server's tasks.)
  15. Tasks of RP server
     • Endpoint for option parameters
     • Endpoint for registration/assertion
     • Verification of credentials
     • Challenge management
     • User management
  16. Tasks of library
     • Endpoint for option parameters
     • Endpoint for registration/assertion
     • Verification of credentials
     • Challenge management
     • User management
  17. Tasks of Application
     • Endpoint for option parameters
     • Endpoint for registration/assertion
     • Verification of credentials
     • Challenge management
     • User management
  18. Authentication Flow, annotated: tasks of the Application (User, Client, Server, Authenticator)
     1. Start Authentication
     2. Challenge, Options
     3. Challenge + Options
     4. Create Key Pair
     5. Signature + Counter
     6. Signature + Counter
     7. Verify Signature
     (The RP side of the diagram, including Challenge handling, is marked as the Application's tasks.)
  19. Tasks of Library (maybe)
     • Endpoint for option parameters (partial)
     • Endpoint for registration/assertion (partial)
     • Verification of credentials
     • Challenge management
     • User management (partial)
  20. Summary
     • I introduced the basic concept of FIDO2
     • I described how we integrate FIDO2 with an API server written in Go
     • We should use a trusted implementation