Building FIDO2 server in Go
Go Conference 2019 Spring
Kanmu, Inc Yuki Ito
me
• Yuki Ito
• CTO at Kanmu, Inc.
• GitHub: @mururu
• Twitter: @mururururu
Agenda
• What is FIDO2 (WebAuthn)
• Implementing FIDO2 in Go
• Integrate FIDO2 with your existing API server
What is FIDO2 (WebAuthn)
What is FIDO2
Hardware-based authentication built on public key cryptography
Diagram (registration): the Server (RP) sends a Challenge to the Device (Authenticator); the authenticator creates a key pair and returns the Public Key together with the Challenge; the server stores the Public Key.
What is FIDO2
Hardware-based authentication built on public key cryptography
Diagram (authentication): the Private Key stays in the device (Authenticator), the Public Key is held by the server (RP). The server sends a Challenge; the authenticator signs it and returns the Response; the server verifies the Response with the Public Key.
Attestation
• How can we trust the authenticator?
• The authenticator can send its attestationObject
• We can verify the attestation by verifying that attestationObject
• There are various attestationObject formats
How public keys are encoded
• Public keys are encoded in the COSE_Key format
• COSE is the CBOR version of JOSE
• CBOR is like a binary version of JSON
How to decode public keys
• Public keys can be of various types (RSA, EC2 …), so decoding needs two steps
• We can use "github.com/ugorji/go/codec"
How to verify signatures
• We already have the attributes of an ecdsa.PublicKey, so we just need to compose the ecdsa.PublicKey and verify the signature with it
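Composing the ecdsa.PublicKey and verifying with it, as an added Go example that is not from the talk or from any library it mentions. The x and y inputs are constructed: they are the P-256 base point G, the public key of private scalar 1, so the block can also produce the signature an authenticator would (labelled as such in the code). The message layout, authenticatorData followed by SHA-256(clientDataJSON) and signed as ASN.1 DER, is the WebAuthn one for ES256.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"math/big"
)

// publicKeyFromCOSE composes an ecdsa.PublicKey from the x and y attributes of an
// already decoded EC2 / P-256 COSE_Key. Rejecting points that are not on the
// curve here keeps invalid-curve inputs away from the verifier.
func publicKeyFromCOSE(x, y []byte) (*ecdsa.PublicKey, error) {
	if len(x) != 32 || len(y) != 32 {
		return nil, errors.New("cose: P-256 coordinates must be 32 bytes")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("cose: point is not on P-256")
	}
	return pub, nil
}

// signedMessage is what an ES256 authenticator signs: authenticatorData followed
// by SHA-256(clientDataJSON); the verifier hashes the result once more.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	msg := append(append([]byte{}, authData...), cdh[:]...)
	h := sha256.Sum256(msg)
	return h[:]
}

// verifyES256 checks a WebAuthn ES256 assertion signature, which the authenticator
// encodes as ASN.1 DER (not raw r||s), against the composed public key.
func verifyES256(pub *ecdsa.PublicKey, authData, clientDataJSON, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig)
}

// Constructed test vector: the P-256 base point G, the public key of private scalar 1,
// so the example can also produce a signature standing in for the authenticator.
const (
	gxHex = "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
	gyHex = "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
)

// demo composes the key on the RP side, signs constructed assertion data with the
// matching scalar, and returns the verdicts for the genuine signature and for the
// same signature checked against tampered authenticatorData.
func demo() (genuine, tampered bool, err error) {
	x, _ := hex.DecodeString(gxHex) // constant input, cannot fail
	y, _ := hex.DecodeString(gyHex)
	pub, err := publicKeyFromCOSE(x, y)
	if err != nil {
		return false, false, err
	}
	priv := &ecdsa.PrivateKey{PublicKey: *pub, D: big.NewInt(1)}
	authData := []byte("constructed authenticatorData (rpIdHash|flags|signCount)")
	clientDataJSON := []byte(`{"type":"webauthn.get","challenge":"constructed","origin":"https://rp.example"}`)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientDataJSON))
	if err != nil {
		return false, false, err
	}
	genuine = verifyES256(pub, authData, clientDataJSON, sig)
	tampered = verifyES256(pub, append([]byte("x"), authData...), clientDataJSON, sig)
	return genuine, tampered, nil
}
```

ecdsa.VerifyASN1 takes the DER form authenticators emit; a raw r||s pair would have to be re-encoded first. The on-curve check before verification matters because the coordinates arrive from the client.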
How to verify attestations
• There are many attestation formats
• Packed, TPM, Android Key, Android SafetyNet…
• We have to implement each attestation format
How to verify attestations
Integration of FIDO2 and your Go API server
Situation
• SPA + Go API Server + DB
Diagram: SPA (React, Vue…) on the client; API Server written in Go and DB on the server side.
Sequence diagram between User, Client, Server (labelled RP) and Authenticator; the server keeps the Challenge it issued:
1. Start Authentication
2. Challenge, Options
3. Challenge + Options
4. Create Key Pair
5. Signature + Counter
6. Signature + Counter
7. Verify Signature
Tasks of RP server
Tasks of RP server
• Endpoint for option parameters
• Endpoint for registration/assertion
• Verification of credentials
• Challenge management
• User management
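Two of the listed tasks, challenge management and the verification steps that sit around the signature check, as an added Go example that is not from the talk or from github.com/duo-labs/webauthn. It assumes the session id comes from an opaque session cookie and that the RP knows its own origin; storage is an in-memory map for brevity. The checks on clientDataJSON (type, origin, challenge) and the signature counter rule follow the WebAuthn verification procedure.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"sync"
	"time"
)

// pending is one issued challenge, bound to the user it was issued for.
type pending struct {
	challenge []byte
	userID    string
	expires   time.Time
}

// challengeStore is the RP's challenge management: one outstanding challenge per
// session, expiring after ttl, and consumed on first use. The session id is assumed
// to come from an opaque session cookie (assumption; in-memory storage for brevity).
type challengeStore struct {
	mu    sync.Mutex
	ttl   time.Duration
	now   func() time.Time // injectable clock so expiry can be exercised deterministically
	items map[string]pending
}

func newChallengeStore(ttl time.Duration) *challengeStore {
	return &challengeStore{ttl: ttl, now: time.Now, items: map[string]pending{}}
}

// Issue generates a fresh 32-byte random challenge (WebAuthn requires at least 16)
// and returns it base64url-encoded, which is how it travels to the client and comes
// back inside clientDataJSON.
func (s *challengeStore) Issue(sessionID, userID string) (string, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.items[sessionID] = pending{challenge: c, userID: userID, expires: s.now().Add(s.ttl)}
	return base64.RawURLEncoding.EncodeToString(c), nil
}

// clientData is the subset of clientDataJSON an RP has to check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Consume checks the clientDataJSON returned by the client against the challenge
// issued to this session: the type must name the expected ceremony, the origin must
// be the RP's own, and the challenge must match in constant time. The entry is
// deleted before any check so that a challenge can never be used twice.
func (s *challengeStore) Consume(sessionID, wantType, wantOrigin string, clientDataJSON []byte) (string, error) {
	s.mu.Lock()
	p, ok := s.items[sessionID]
	delete(s.items, sessionID)
	s.mu.Unlock()
	if !ok {
		return "", errors.New("no challenge outstanding for this session")
	}
	if s.now().After(p.expires) {
		return "", errors.New("challenge expired")
	}
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return "", errors.New("clientDataJSON is not valid JSON")
	}
	if cd.Type != wantType || cd.Origin != wantOrigin {
		return "", errors.New("clientDataJSON type or origin mismatch")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || subtle.ConstantTimeCompare(got, p.challenge) != 1 {
		return "", errors.New("challenge mismatch")
	}
	return p.userID, nil
}

// checkSignCount applies the WebAuthn signature counter rule to the "Counter" that
// travels with the signature in the diagram: if either value is non-zero, the new
// counter must be strictly greater than the stored one; otherwise the credential's
// private key may have been cloned and the assertion is rejected. Both zero means
// the authenticator does not implement a counter.
func checkSignCount(stored, presented uint32) error {
	if stored == 0 && presented == 0 {
		return nil
	}
	if presented <= stored {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	return nil
}
```

Consume deletes the entry before comparing, so a failed attempt also burns the challenge; a second call with the same clientDataJSON is rejected as a replay, and an origin that is not the RP's own fails even with the right challenge.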
Tasks of library
• Endpoint for option parameters
• Endpoint for registration/assertion
• Verification of credentials
• Challenge management
• User management
Tasks of Application
• Endpoint for option parameters
• Endpoint for registration/assertion
• Verification of credentials
• Challenge management
• User management
Tasks of Application
Diagram: the same sequence (steps 1 to 7) between User, Client, Server (RP) and Authenticator, repeated for the application's tasks; the Challenge stays on the server side.
If we have a full stack web framework in Go…
Tasks of Library (maybe)
• Endpoint for option parameters (partial)
• Endpoint for registration/assertion (partial)
• Verification of credentials
• Challenge management
• User management (partial)
Sample Implementation
• github.com/duo-labs/webauthn
• WebAuthn (FIDO2) server library written in Go
Server
Registration 1
Registration 2
Assertion 1
Assertion 2
Summary
• I introduced the basic concept of FIDO2
• I described how we integrate FIDO2 with an API server written in Go
• We should use a trusted implementation