Slide 1

Slide 1 text

Building FIDO2 server in Go Go Conference 2019 Spring Kanmu, Inc Yuki Ito

Slide 2

Slide 2 text

me • Yuki Ito • CTO at Kanmu, Inc. • GitHub: @mururu • Twitter: @mururururu

Slide 3

Slide 3 text

Agenda • What is FIDO2 (WebAuthn) • Implementing FIDO2 in Go • Integrate FIDO2 with your existing API server

Slide 4

Slide 4 text

What is FIDO2(WebAuthn)

Slide 5

Slide 5 text

What is FIDO2 • Hardware-based authentication built on public key cryptography • Registration: the Server (RP) sends a Challenge to the Device (Authenticator); the Authenticator creates a key pair and returns its Public Key together with the Challenge; the Server stores the Public Key

Slide 6

Slide 6 text

What is FIDO2 • Hardware-based authentication built on public key cryptography • Authentication: the Private Key stays in the device (Authenticator) and the Public Key is held by the server (RP); the Server sends a Challenge, the Authenticator signs it and returns the Response, and the Server verifies the signature with the stored Public Key

Slide 7

Slide 7 text

Implementing FIDO2 server in Go

Slide 8

Slide 8 text

Registration Flow (lanes: User, Client, Server, Authenticator) 1. Start Registration (User → Client) 2. Challenge, Options (Server → Client) 3. Challenge (Client → Authenticator) 4. Create Key Pair (Authenticator) 5. PubKey + Challenge (Authenticator → Client) 6. PubKey + Challenge (Client → Server) 7. Verify attestation (Server, optional) 8. Store PubKey (Server)

Slide 9

Slide 9 text

Authentication Flow (lanes: User, Client, Server, Authenticator) 1. Start Authentication (User → Client) 2. Challenge, Options (Server → Client) 3. Challenge + Options (Client → Authenticator) 4. Sign the Challenge with the Private Key (Authenticator; no new key pair is created here) 5. Signature (Authenticator → Client) 6. Signature (Client → Server) 7. Verify Signature with the stored PubKey (Server)

Slide 10

Slide 10 text

Attestation • How can we trust the authenticator? • The authenticator can send its attestationObject • We can trust it by verifying the attestationObject • There are various attestationObject formats

Slide 11

Slide 11 text

How public keys are encoded • Public keys are encoded in the COSE_Key format • COSE is the CBOR counterpart of JOSE • CBOR is a binary serialization format similar to JSON

Slide 12

Slide 12 text

How to decode public keys • Public keys can be of various types (RSA, EC2 …), so decoding takes 2 steps: first read the key type (kty) and algorithm (alg), then decode the fields that exist only for that key type • We can use "github.com/ugorji/go/codec"

Slide 13

Slide 13 text

How to verify signatures • We already have the attributes of an ecdsa.PublicKey, so we just need to compose the ecdsa.PublicKey and verify the signature with it • The signed data is authenticatorData concatenated with SHA-256 of clientDataJSON
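Verifying an assertion with the composed key, as an added example that is neither the talk's code nor duo-labs/webauthn's. It assumes the ecdsa.PublicKey is already decoded and shows the checks that must precede the signature check: clientDataJSON type, challenge and origin, then the rpIdHash and user-presence flag in authenticatorData, and finally ecdsa.VerifyASN1 over SHA-256(authenticatorData || SHA-256(clientDataJSON)). newSample stands in for the authenticator and produces constructed test data; the RP ID example.com and all type and function names are the example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of CollectedClientData an RP has to check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url without padding
	Origin    string `json:"origin"`
}

// assertionResult is what the RP learns from a valid assertion.
type assertionResult struct {
	UserVerified bool
	SignCount    uint32
}

// verifyAssertion checks an authenticator assertion against the stored P-256
// public key: clientDataJSON fields, authenticatorData, and finally the ES256
// signature, which covers authenticatorData || SHA-256(clientDataJSON).
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge, authData, clientDataJSON, sig []byte) (*assertionResult, error) {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return nil, fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return nil, fmt.Errorf("unexpected clientData.type %q", cd.Type)
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || subtle.ConstantTimeCompare(got, challenge) != 1 {
		return nil, errors.New("challenge mismatch")
	}
	if cd.Origin != origin {
		return nil, fmt.Errorf("unexpected origin %q", cd.Origin)
	}
	// authenticatorData layout: rpIdHash(32) || flags(1) || signCount(4) || ...
	if len(authData) < 37 {
		return nil, errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if subtle.ConstantTimeCompare(authData[:32], rpHash[:]) != 1 {
		return nil, errors.New("rpIdHash does not match the RP ID")
	}
	flags := authData[32]
	if flags&0x01 == 0 { // UP bit: user presence is mandatory
		return nil, errors.New("user presence flag not set")
	}
	cdh := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) { // ES256 signatures are ASN.1 DER
		return nil, errors.New("invalid signature")
	}
	return &assertionResult{
		UserVerified: flags&0x04 != 0, // UV bit
		SignCount:    binary.BigEndian.Uint32(authData[33:37]),
	}, nil
}

// sample holds a constructed credential and assertion for offline testing.
type sample struct {
	Pub                                      *ecdsa.PublicKey
	Challenge, AuthData, ClientDataJSON, Sig []byte
}

// newSample plays the authenticator: it creates a key pair and signs an
// assertion for RP ID "example.com" with flags UP|UV and signCount 42.
func newSample() (*sample, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte("example.com"))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 42)
	cdj := []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":%q,"origin":"https://example.com"}`,
		base64.RawURLEncoding.EncodeToString(challenge)))
	cdh := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &sample{Pub: &priv.PublicKey, Challenge: challenge, AuthData: authData, ClientDataJSON: cdj, Sig: sig}, nil
}
```

The order of checks is deliberate: a valid signature over the wrong origin or the wrong RP ID is still a forgery from this RP's point of view, so those fields are compared before any cryptography runs, and the challenge is compared in constant time.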

Slide 14

Slide 14 text

How to verify attestations • There are many attestation formats • Packed, TPM, Android Key, Android SafetyNet… • We have to implement each attestation format separately

Slide 15

Slide 15 text

How to verify attestations

Slide 16

Slide 16 text

Integration of FIDO2 and your Go API server

Slide 17

Slide 17 text

Situation • SPA (React, Vue…) + API Server written in Go + DB

Slide 18

Slide 18 text

Authentication Flow (lanes: User, Client, Server, Authenticator) 1. Start Authentication (User → Client) 2. Challenge, Options (Server → Client) 3. Challenge + Options (Client → Authenticator) 4. Sign the Challenge with the Private Key (Authenticator; no new key pair is created here) 5. Signature + Counter (Authenticator → Client) 6. Signature + Counter (Client → Server) 7. Verify Signature and check the Counter against the stored value (Server)

Slide 19

Slide 19 text

Same authentication flow (lanes: User, Client, Server, Authenticator) 1. Start Authentication 2. Challenge, Options 3. Challenge + Options 4. Sign the Challenge with the Private Key 5. Signature + Counter 6. Signature + Counter 7. Verify Signature. Labels on the diagram: RP, Challenge, Tasks of RP server (the Server lane, including issuing and tracking the Challenge)

Slide 20

Slide 20 text

Tasks of RP server • Endpoint for option parameters • Endpoint for registration/assertion • Verification of credentials • Challenge management • User management
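Two of the tasks listed above, challenge management and handling the "Signature + Counter" from the authentication flow, as an added example that is not code from the talk or from any library: an in-memory store that issues random one-time challenges with a TTL bound to a user, and the per-credential signature counter rule from the WebAuthn specification. The type and function names are assumptions; a production RP would back the store with its DB or a cache that supports expiry.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// challengeStore issues one-time, expiring challenges. Keying by the challenge
// value lets the assertion response be matched without a session cookie.
type challengeStore struct {
	mu  sync.Mutex
	ttl time.Duration
	now func() time.Time // injectable clock for tests
	m   map[string]challengeEntry
}

type challengeEntry struct {
	userID  string
	expires time.Time
}

func newChallengeStore(ttl time.Duration) *challengeStore {
	return &challengeStore{ttl: ttl, now: time.Now, m: make(map[string]challengeEntry)}
}

// Issue returns a fresh 32-byte random challenge (base64url) bound to userID.
func (s *challengeStore) Issue(userID string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.m[c] = challengeEntry{userID: userID, expires: s.now().Add(s.ttl)}
	return c, nil
}

// Consume checks a challenge and deletes it, so a replayed assertion fails
// even though its signature is valid. The delete happens on every path.
func (s *challengeStore) Consume(c, userID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.m[c]
	delete(s.m, c)
	switch {
	case !ok:
		return errors.New("unknown or already used challenge")
	case s.now().After(e.expires):
		return errors.New("challenge expired")
	case e.userID != userID:
		return errors.New("challenge was issued for a different user")
	}
	return nil
}

// credential is the per-credential state the RP keeps after registration.
type credential struct {
	ID        []byte
	PublicKey []byte // COSE_Key bytes as received at registration
	SignCount uint32
}

// updateSignCount applies the WebAuthn signature counter rule: when either
// side is non-zero the received counter must be strictly greater than the
// stored one; a stalled or decreasing counter suggests a cloned authenticator.
func (c *credential) updateSignCount(received uint32) error {
	if received == 0 && c.SignCount == 0 {
		return nil // authenticator does not implement a counter
	}
	if received <= c.SignCount {
		return fmt.Errorf("signature counter %d <= stored %d: possible cloned authenticator", received, c.SignCount)
	}
	c.SignCount = received
	return nil
}

func main() {
	s := newChallengeStore(2 * time.Minute)
	c, _ := s.Issue("alice")
	fmt.Println("first use:", s.Consume(c, "alice"))
	fmt.Println("replay:", s.Consume(c, "alice"))
	cred := &credential{SignCount: 41}
	fmt.Println("counter 42:", cred.updateSignCount(42))
	fmt.Println("counter 42 again:", cred.updateSignCount(42))
}
```

The counter check only runs after the signature has verified; what the RP does on a counter failure (reject the assertion, flag the credential, notify the user) is a policy decision, but silently accepting it defeats the purpose of the counter.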

Slide 21

Slide 21 text

Tasks of library • Endpoint for option parameters • Endpoint for registration/assertion • Verification of credentials • Challenge management • User management

Slide 22

Slide 22 text

Tasks of Application • Endpoint for option parameters • Endpoint for registration/assertion • Verification of credentials • Challenge management • User management

Slide 23

Slide 23 text

Same authentication flow (lanes: User, Client, Server, Authenticator) 1. Start Authentication 2. Challenge, Options 3. Challenge + Options 4. Sign the Challenge with the Private Key 5. Signature + Counter 6. Signature + Counter 7. Verify Signature. Labels on the diagram: RP, Tasks of Application, Challenge (the parts of the Server lane the application itself has to provide)

Slide 24

Slide 24 text

If we have a full stack web framework in Go…

Slide 25

Slide 25 text

Tasks of Library (maybe) • Endpoint for option parameters (partial) • Endpoint for registration/assertion (partial) • Verification of credentials • Challenge management • User management (partial)

Slide 26

Slide 26 text

Sample Implementation • github.com/duo-labs/webauthn • WebAuthn (FIDO2) server library written in Go

Slide 27

Slide 27 text

Server

Slide 28

Slide 28 text

Registration 1

Slide 29

Slide 29 text

Registration 2

Slide 30

Slide 30 text

Assertion 1

Slide 31

Slide 31 text

Assertion 2

Slide 32

Slide 32 text

Summary • I introduced the basic concept of FIDO2 • I described how to integrate FIDO2 with an API server written in Go • We should use a trusted implementation

Slide 33

Slide 33 text

Building FIDO2 server in Go Go Conference 2019 Spring Kanmu, Inc Yuki Ito