Fido U2F Protocol by Ather Ali
U2F - Universal 2nd Factor
By Ather Ali
1. The FIDO (Fast IDentity Online) Alliance is a non-profit organization formed in July 2012 to address the lack of interoperability among strong authentication devices, and the problems users face in creating and remembering multiple usernames and passwords.
2. The FIDO Alliance aims to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords for securely authenticating users of online services.
3. This standard for security devices and browser plugins allows any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.
The FIDO Alliance publishes two specifications: UAF (Universal Authentication Framework) and U2F (Universal 2nd Factor).
Agenda
1. Introduction
2. Threats
3. Today's Solutions
4. U2F Solution
5. FIDO Ready Device
6. Demo
7. Behind the Scenes
8. How to Implement
POSSIBLE THREATS
Passwords get REUSED, PHISHED and KEYLOGGED.

Today's solution: one-time codes, by SMS or from a device
SMS USABILITY: coverage issues, delay, user cost
DEVICE USABILITY: one per site, expensive, fragile
USER EXPERIENCE: users find it hard
The U2F solution
● One device, many services
● Easy: insert and press the button
● Safe: un-phishable security

How it works
Core idea: standard public key cryptography.
● The user's device mints a new key pair and gives the public key to the server.
● The server asks the user's device to sign data (a challenge) to verify the user.
● One device, many services; "bring your own device" enabled.
Lots of refinement is needed for this to be consumer-facing:
● Privacy: site-specific keys, no unique ID per device
● Security: resists phishing and man-in-the-middle attacks
● Trust: verify who made the device (attestation certificate)
● Pragmatics: affordable today, ride the hardware cost curve down
● Speed for the user: fast crypto in the device (elliptic curve)
Think "smartcard re-designed for the modern consumer web"
U2F PROTOCOL
FIDO READY SECURITY KEY
http://www.amazon.in/gp/offer-listing/B00NLKA0D8/ref=sr_1_1_olp?ie=UTF8&qid=1434738887&sr=8-1&keywords=fido+key&condition=new
DEMO
https://demo.yubico.com/u2f?tab=login
PROCESS FLOW (diagram)
Parties: FIDO client (browser plus U2F device) and relying party (server); a phisher sits at a different origin.
Steps: 1. Setup, 2. Processing, 3. Verification
Proof that the user is there: the device signs a statement of the form
"I promise a user is here", "the server challenge was: 337423", "the origin was: accounts.google.com", "the TLS connection state was: 342384"
and returns the SignedProofThatUserIsThere, which the relying party verifies against the public key registered at setup. A phisher relaying the challenge from its own origin cannot obtain a signature that names the genuine origin.
Behind the scenes
https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009/fido-u2f-overview-ps-20141009.html#goal-strong-authentication-and-privacy-for-the-web
Follow the link above if you want to cover these topics in detail:
1. How it works
2. How the key handle is generated
3. How it is secured against MITM, phishing, malware etc.
4. Whether the device is genuine (attestation)
5. Etc.
For Developers: https://developers.yubico.com/Software_Projects/FIDO_U2F/
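The exchange described under "How it works" and in the process-flow diagram (site-specific keys, a signature over the server challenge and the origin, a counter), as an added worked example in Go. It is not part of the original slides or of any FIDO Alliance or Yubico code; it models the token and the relying party in one program so both sides of the exchange are visible. Assumptions: the signed message follows the U2F raw-message layout (SHA-256 of the appID, user-presence byte, 4-byte big-endian counter, SHA-256 of the client data JSON); keys are kept in a map keyed by appID plus a random handle rather than derived from a device secret as real tokens do; the TLS channel binding from the slide and device attestation are left out; and the relying party allows a single origin. The names Device, RelyingParty, Scenario, the appID, the phishing origin and the sample challenge 337423 are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// ClientData is the JSON the browser builds per request; its SHA-256 is signed by the token,
// so both the challenge and the origin end up under the signature.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Device models one U2F token: a fresh key pair per registration plus a signature counter.
// Assumption: keys are filed under appID plus a random handle, so a handle minted for one
// site is unknown to any other site (site-specific keys, no device-wide identifier).
type Device struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewDevice() *Device { return &Device{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a P-256 key pair for appID and returns an opaque handle plus the public key.
func (d *Device) Register(appID string) ([]byte, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only when the OS CSPRNG is unavailable
	}
	handle := make([]byte, 32)
	rand.Read(handle)
	d.keys[appID+"|"+string(handle)] = priv
	return handle, &priv.PublicKey
}

// signedBytes is the message a U2F token signs on authentication:
// SHA-256(appID) || user-presence byte 0x01 || counter (4 bytes big-endian) || SHA-256(clientDataJSON).
func signedBytes(appID string, counter uint32, clientDataJSON []byte) []byte {
	ap, cp := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	msg := append(ap[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, cp[:]...)
}

// Authenticate signs with the key behind keyHandle once the button is pressed and bumps the counter.
func (d *Device) Authenticate(appID string, keyHandle, clientDataJSON []byte) (uint32, []byte, error) {
	priv, ok := d.keys[appID+"|"+string(keyHandle)]
	if !ok {
		return 0, nil, errors.New("key handle not registered for this appID")
	}
	d.counter++
	h := sha256.Sum256(signedBytes(appID, d.counter, clientDataJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return d.counter, sig, err
}

// RelyingParty holds one registration. Assumption: exactly one allowed origin per appID.
type RelyingParty struct {
	AppID, Origin string
	PubKey        *ecdsa.PublicKey
	LastCounter   uint32
}

// Verify checks the challenge we issued, our origin, the signature over our appID hash and
// that the counter moved; the origin check is what defeats a phisher relaying our challenge.
func (rp *RelyingParty) Verify(issued string, cdJSON []byte, counter uint32, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != issued {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: challenge relayed from another site (phishing)")
	}
	h := sha256.Sum256(signedBytes(rp.AppID, counter, cdJSON))
	if !ecdsa.VerifyASN1(rp.PubKey, h[:], sig) {
		return errors.New("bad signature")
	}
	if counter <= rp.LastCounter {
		return errors.New("counter did not increase: replayed response or cloned token")
	}
	rp.LastCounter = counter
	return nil
}

// Scenario runs a genuine login, a phishing relay and a replay against one registration.
// All inputs are constructed for this example; 337423 is the sample challenge from the slide.
func Scenario() (genuine, phished, replayed error) {
	const appID, challenge = "https://accounts.google.com", "337423"
	dev := NewDevice()
	handle, pub := dev.Register(appID)
	rp := &RelyingParty{AppID: appID, Origin: appID, PubKey: pub}
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: rp.Origin})
	ctr, sig, _ := dev.Authenticate(appID, handle, cd)
	genuine = rp.Verify(challenge, cd, ctr, sig)
	// The phisher relays the real challenge, but the browser records the page's real origin.
	badCD, _ := json.Marshal(ClientData{Challenge: challenge, Origin: "https://accounts-google.com.example"})
	badCtr, badSig, _ := dev.Authenticate(appID, handle, badCD)
	phished = rp.Verify(challenge, badCD, badCtr, badSig)
	// Resubmitting the captured genuine response is caught by the counter check.
	replayed = rp.Verify(challenge, cd, ctr, sig)
	return
}
```

Scenario covers three cases: the genuine login verifies; the phisher that relays the real challenge from its own page is rejected because the origin sits inside the signed client data; and resubmitting a captured response is rejected by the counter check, which is also how a cloned token eventually betrays itself. A real browser additionally refuses to use an appID that does not match the page origin, so in practice the phisher would never get a signature at all; the server-side origin check is the backstop shown here.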
Thanks! E-mail: [email protected]