How Secure is Authentication?

U2F & UAF Tutorial

How Secure is Authentication? 2014 1.2bn? 2013 397m Dec. 2013 145m Oct. 2013 130m May 2013 22m April 2013 50m March 2013 50m

Cloud Authentication

Password Issues Password might be entered into untrusted / Web-site ( phishing ) 1 Password could be stolen from the server 2 Inconvenient to type password on phone 4 Too many passwords to remember à re-use / cart abandonment 3

OTP Issues OTP vulnerable to realtime MITM and MITB attacks 1 Inconvenient to type OTP on phone 4 OTP HW tokens are expensive and people don t want another device 3 SMS security questionable, especially when Device is the phone 2

Implementation Challenge A Plumbing Problem User Verification Methods lications Organizations Silo 1 Silo 2 1 Silo 3 2? Silo N? New

Authentication Needs Do you want to login? Do you want to transfer $100 to Frank? Do you want to ship to a new address? Do you want to delete all of your emails? Do you want to share your dental record? Authentication today: Ask user for a password (and perhaps a one time code)

Authentication & Risk Engines Purpose Geolocation (from IP addr.) Explicit Authentication Authentication Server Risk Engine

Summary 1. Passwords are insecure and inconvenient especially on mobile devices 2. Alternative authentication methods are silos and hence don t scale to large scale user populations 3. The required security level of the authentication depends on the use 4. Risk engines need information about the explicit authentication security for good decision

How does work? Device

Experiences ONLINE AUTH REQUEST Local USER Verification SUCCESS PASSWORDLESS EXPERIENCE (UAF standards) Transaction Detail Show a biometric or PIN Done SECOND FACTOR EXPERIENCE (U2F standards) Login & Password Insert Dongle, Press button Done

Universal 2 nd Factor (U2F)

How does U2F work? Verify user presence

How does U2F work? Is a user present? Same Authenticator as registered before? Can verify user presence

How does UAF work? Identity binding to be done outside : This this John Doe with customer ID X. Same User as enrolled before? Same Authenticator as registered before? Can recognize the user (i.e. user verification), but doesn t have an identity proof of the user.

How does U2F work? How is the key protected? Verify user presence

U2F Protocol Core idea: Standard public key cryptography: o User's device mints new key pair, gives public key to server o Server asks user's device to sign data to verify the user. o One device, many services, "bring your own device" enabled Lots of refinement for this to be consumer facing: o Privacy: Site specific keys, No unique ID per device o Security: No phishing, man-in-the-middles o Trust: Verify who made the device o Pragmatics: Affordable today, ride hardware cost curve down o Speed for user: Fast crypto in device (Elliptic Curve) Think "Smartcard re-designed for modern consumer web"

U2F Authenticator U2F Registration Client / Browser ID, challenge Relying Party check ID a generate: key k pub key k priv handle h a; challenge, origin, channel id, etc. fc k pub, h, attestation cert, signature(a,fc,k pub,h) s fc, k pub, h, attestation cert, s cookie store: key k pub handle h

U2F Authentication U2F Authenticator Client / Browser handle, ID, challenge Relying Party check ID h a retrieve: key k priv from handle h; cntr++ h, a; challenge, origin, channel id, etc. fc cntr, signature(a,fc,cntr) retrieve key k pub from handle h s cntr, fc, s check signature using key k pub set cookie

User Presence API: Registration {"typ":"register", "challenge":"ksdjsdasas- AIS_AsS", "cid_pubkey": { "kty":"ec", "crv":"p- 256", "x":"hzqwlfxx7q4s5mtcrmzpo9toywjbqrl4tj8", "y":"xvgugflizx1fxg375hi4-7- BxhMljw42Ht4" navigator.handleregistrationrequest({ }, "origin":"https://accounts.google.com" } challenge : KSDJsdASAS- AIS_AsS, app_id : https://www.google.com/facets.json }, callback); callback = function(response) { sendtoserver( response[ clientdata ], response[ tokendata ]); };

User Presence API: Auth. { "typ":"authenticate", "challenge":"ksdjsdasas- AIS_AsS", "cid_pubkey": { "kty":"ec", "crv":"p- 256", "x":"hzqwlfxx7q4s5mtcrmzpo9toywjbqrl4tj8", "y":"xvgugflizx1fxg375hi4-7- BxhMljw42Ht4" }, "origin":"https://accounts.google.com" navigator.handleauthenticationrequest({ } challenge : KSDJsdASAS- AIS_AsS, app_id : https://www.google.com/facets.json, key_handle : JkjhdsfkjSDFKJ_ld- sadsajdklsad }, callback); callback = function(response) { sendtoserver( response[ clientdata ], response[ tokendata ]); };

Authentication Example

Authentication Example

Authentication Example

Authentication Example

Universal Authentication Framework (UAF)

Experiences ONLINE AUTH REQUEST Local USER Verification SUCCESS PASSWORDLESS EXPERIENCE (UAF standards) Transaction Detail Show a biometric or PIN Done SECOND FACTOR EXPERIENCE (U2F standards) Login & Password Insert Dongle, Press button Done

How does UAF work? SE

How does UAF work? Same User as enrolled before? Same Authenticator as registered before? Can recognize the user (i.e. user verification), but doesn t have an identity proof of the user.

How does UAF work? Identity binding to be done outside : This this John Doe with customer ID X. Same User as enrolled before? Same Authenticator as registered before? Can recognize the user (i.e. user verification), but doesn t have an identity proof of the user.

How does UAF work? How is the key protected (TPM, SE, TEE, )? What user verification method is used? SE

Attestation & Metadata AUTHENTICATOR SERVER Signed Attestation Object Verify using trust anchor included in Metadata Understand Authenticator security characteristic by looking into Metadata (and potentially other sources) Metadata

Device UAF Registration Relying Party Authenticator 0 Prepare Web Server

UAF Registration Authenticator 0 Prepare Web Server

UAF Registration Authenticator 0 Prepare Web Server

UAF Registration Authenticator 0 Prepare Web Server 1 Legacy Auth + Initiate Reg.

UAF Registration Authenticator 0 Prepare Web Server 1 Legacy Auth + Initiate Reg.

UAF Registration Authenticator 0 Prepare Web Server 1 Legacy Auth + Initiate Reg. Reg. Request + Policy 2

UAF Registration Pat Johnson pat@example.com Link your fingerprint Authenticator 0 1 Prepare Legacy Auth + Initiate Reg. Reg. Request + Policy Web Server 2

UAF Registration Pat Johnson pat@example.com Link your fingerprint Authenticator 0 1 Prepare Legacy Auth + Initiate Reg. Reg. Request + Policy Web Server 2

UAF Registration Pat Johnson pat@example.com Link your fingerprint Authenticator 0 1 Prepare Legacy Auth + Initiate Reg. Reg. Request + Policy Web Server 2 3 Verify User & Generate New Key Pair (specific to RP Webapp)

UAF Registration Pat Johnson pat@example.com Link your fingerprint Authenticator 0 1 4 Prepare Legacy Auth + Initiate Reg. Reg. Request + Policy Reg. Response Web Server 2 3 Verify User & Generate New Key Pair (specific to RP Webapp)

UAF Registration Pat Johnson pat@example.com Link your fingerprint Key Registration Data: Hash(FinalChallenge) AAID Public key KeyID Registration Counter Signature Counter Signature (attestation key) Authenticator 0 1 4 Prepare Legacy Auth + Initiate Reg. Reg. Request + Policy Reg. Response Web Server 2 FinalChallenge=Hash(ID FacetID tlsdata challenge) 3 Verify User & Generate New Key Pair (specific to RP Webapp)

UAF Registration Pat Johnson pat@example.com Authenticator 0 Prepare Web Server 1 4 Legacy Auth + Initiate Reg. Reg. Request + Policy Reg. Response 2 3 Verify User & Generate New Key Pair (specific to RP Webapp) Success 5

Building Blocks USER DEVICE TLS Server Key RELYING PARTY BROWSER / APP UAF Protocol WEB SERVER CLIENT Cryptographic authentication key reference DB SERVER ASM Authentication keys AUTHENTICATOR Attestation key Authenticator Metadata & attestation trust store Metadata Service Update

AAID & Attestation Authenticator Using HW based crypto AAID 1 Based on FP Sensor X Attestation Key 1 Authenticator Pure SW based implementation Based on Face Recognition alg. Y AAID 2 Attestation Key 2 AAID: Authenticator Attestation ID (=model name)

Privacy & Attestation SERVER RP1 Model A Bob s Authenticator Using HW based crypto Based on FP Sensor X Model A Serial # SERVER RP2 Model A

Attestation & Metadata AUTHENTICATOR SERVER Signed Attestation Object Verify using trust anchor included in Metadata Understand Authenticator security characteristic by looking into Metadata (and potentially other sources) Metadata

Facet ID / ID

UAF Authentication Authenticator 0 Prepare Web Server

UAF Authentication Authenticator 0 Prepare Web Server

UAF Authentication Authenticator 0 Prepare Web Server

UAF Authentication Authenticator 0 Prepare Web Server

UAF Authentication Authenticator 0 Prepare Web Server 1 Initiate Authentication

UAF Authentication Authenticator 0 Prepare Initiate Authentication Auth. Request with Challenge 1 Web Server 2

UAF Authentication Authenticator 0 Prepare Web Server Just a sec our secure payment technology is working its magic. Initiate Authentication Auth. Request with Challenge 1 2

UAF Authentication Pat Johnson pat@example.com Authenticator 0 Prepare Web Server Initiate Authentication Auth. Request with Challenge 1 2 3 Verify User & Sign Challenge (Key specific to RP Webapp)

UAF Authentication Authenticator 0 Prepare Web Server Pat Johnson 650 Castro Street Mountain View, CA 94041 United States Initiate Authentication Auth. Request with Challenge Auth. Response 1 4 2 3 Verify User & Sign Challenge (Key specific to RP Webapp)

UAF Authentication Authenticator 0 Prepare Web Server SignedData: SignatureAlg Hash(FinalChallenge) Authenticator random Signature Counter Pat Johnson 650 Castro Street Mountain View, CA 94041 United States Signature Initiate Authentication Auth. Request with Challenge Auth. Response 1 4 2 FinalChallenge=Hash(ID FacetID tlsdata challenge) 3 Verify User & Sign Challenge (Key specific to RP Webapp)

UAF Authentication Pat Johnson pat@example.com Payment complete! Return to the merchant s web site to continue shopping Return to the merchant Authenticator 3 0 Prepare Initiate Authentication Auth. Request with Challenge Auth. Response 1 4 Verify User & Sign Challenge (Key specific to RP Webapp) Success Web Server 2 5

Transaction Confirmation Device Relying Party Authenticator Browser or Native 1 Initiate Transaction Web Server Authentication Request + Transaction Text 2 4 Authentication Response + Text Hash, signed by User s private key 5 3 Display Text, Verify User & Unlock Private Key (specific to User + RP Webapp) Validate Response & Text Hash using User s Public Key

Transaction Confirmation Device Relying Party Authenticator Browser or Native 1 Initiate Transaction Web Server SignedData: SignatureAlg Authentication Request Hash(FinalChallenge) + Transaction Text Authenticator random Signature Counter Hash(Transaction Authentication Response 4 Text) Signature + Text Hash, signed by User s private key FinalChallenge=Hash(ID FacetID 3 tlsdata challenge) Display Text, Verify User & Unlock Private Key (specific to User + RP Webapp) 2 5 Validate Response & Text Hash using User s Public Key

The Authenticator Concept Injected at manufacturing, doesn t change Authenticator User Verification / Presence Attestation Key Transaction Confirmation Display Authentication Key(s) Optional Components Generated at runtime (on Registration)

Using Secure Hardware Authenticator in SIM Card User Verification (PIN) SIM Card Attestation Key Authentication Key(s)

Client Side Biometrics Trusted Execution Environment (TEE) Authenticator as Trusted lication (TA) User Verification / Presence Attestation Key Store at Enrollment Authentication Key(s) Compare at Authentication Unlock after comparison

Combining TEE and SE Trusted Execution Environment (TEE) Authenticator as Trusted lication (TA) e.g. GlobalPlatform Trusted UI User Verification / Presence Transaction Confirmation Display Secure Element Attestation Key Authentication Key(s)

UAF Specifications

& Federation

Source: Paul Madsen, Seminar, May 2014

Source: Paul Madsen, Seminar, May 2014

Complementary o Insulates authentication server from specific authenticators o Focused solely on primary authentication o Does not support attribute sharing o Can communicate details of authentication to server Federation o Insulates applications from identity providers o Does not address primary authentication o Does enable secondary authentication & attribute sharing o Can communicate details of authentication from IdP to SP Source: Paul Madsen, Seminar, May 2014

& Federation First Mile Second Mile USER DEVICE IdP Service Provider BROWSER / APP UAF Protocol FEDERATION SERVER Federation CLIENT Id DB AUTHENTICATOR SERVER Knows details about the Authentication strength Knows details about the Identity and its verification strength.

& Federation Assurance High SSO slide Low status quo federatio n No more Password123 bump High Frequency of login Low Source: Paul Madsen, Seminar, May 2014

& Federation High Assurance Continuum federatio n Low status quo High Frequency of login Low Source: Paul Madsen, Seminar, May 2014

& Federation High Assurance + federatio n federatio n Low status quo High Frequency of login Low Source: Paul Madsen, Seminar, May 2014

at Industry Event Readiness SIM as Secure Element Fingerprint, TEE, Mobile Speaker Recognition Mobile via NFC PIN + MicroSD USB

ReadyTM Products Shipping today OEM Enabled: Samsung Galaxy S5 smartphone & Galaxy Tab S tablets OEM Enabled: Lenovo ThinkPads with Fingerprint Sensors Clients available for these operating systems: Software Authenticator Examples: Speaker/Face recognition, PIN, QR Code, etc. Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element

is used Today

Conclusion Different authentication use-cases lead to different authentication requirements Today, we have authentication silos separates user verification from authentication protocol and hence supports all user verification methods supports scalable security and convenience User verification data is known to Authenticator only complements federation è Consider developing or piloting -based authentication solutions Dr. Rolf Lindemann, Nok Nok Labs, rolf@noknok.com