U2F Case Study: Examining the U2F paradox
What is Universal 2nd Factor (U2F)?
Simple, Secure, Scalable 2FA
Didn’t We Solve This Already?
• SMS: coverage, delay, cost, battery, policy
• OTP devices: one per site, provisioning costs, battery
• Smart cards: readers/drivers, middleware, cost
• Bad user experience: users find it hard to use
• Still phishable: successful attacks carried out today
• MitM: successful attacks carried out today
And...
Why U2F?
• Simple
– To register and authenticate: a simple touch!
– No drivers or client software to install
• Secure
– Public key cryptography
– Protects against phishing and man-in-the-middle
• Scalable
– One U2F device, many services
• Protects privacy
– No secrets shared between service providers
Google Login With U2F
1. Enter username/pwd
2. Insert U2F key
3. Touch device
Dropbox Login With U2F
1. Enter username/pwd
2. Insert U2F key
3. Touch device
GitHub Login With U2F
1. Enter username/pwd
2. Insert U2F key
3. Touch device
Your Login With U2F
1. Enter username/pwd
2. Insert U2F key
3. Touch device
Protocol Overview
Participants: individual with U2F device, Relying Party.

Registration
1. Server sends challenge
2. Device generates key pair
3. Device creates key handle
4. Device signs challenge + client info
5. Server receives and verifies device signature using attestation cert
6. Key handle and public key are stored in database

Authentication
1. Server sends challenge + key handle
2. Device unwraps/derives private key from key handle
3. Device signs challenge + client info
4. Server receives and verifies using stored public key
Protocol Design Step-By-Step
Authentication (parties: U2F Device, Client, Relying Party)
• Relying Party -> Client: challenge
• Client -> U2F Device: challenge
• U2F Device: sign with kpriv, s = signature(challenge)
• U2F Device -> Client -> Relying Party: s
• Relying Party: look up kpub; check signature s using kpub
Phishing/MitM Protection (parties: U2F Device, Client, Relying Party)
• Relying Party -> Client: challenge
• Client -> U2F Device: c = (challenge, origin, channel id)
• U2F Device: sign with kpriv, s = signature(c)
• U2F Device -> Client: s
• Client -> Relying Party: c, s
• Relying Party: look up kpub; check s using kpub; verify origin & channel id
Application-Specific Keys (parties: U2F Device, Client, Relying Party)
• Relying Party -> Client: handle h, app id a, challenge
• Client -> U2F Device: h, a; c = (challenge, origin, channel id, etc.)
• U2F Device: check app id a; look up the kpriv associated with h; sign with kpriv, s = signature(a, c)
• U2F Device -> Client: s
• Client -> Relying Party: h, c, s
• Relying Party: look up the kpub associated with h; check s using kpub; verify origin & channel id
Device Cloning (parties: U2F Device, Client, Relying Party)
• Relying Party -> Client: handle h, app id a, challenge
• Client -> U2F Device: h, a; c = (challenge, origin, channel id, etc.)
• U2F Device: check app id a; look up the kpriv associated with h; counter++; sign with kpriv, s = signature(a, c, counter)
• U2F Device -> Client: counter, s
• Client -> Relying Party: h, counter, c, s
• Relying Party: look up the kpub associated with h; check s using kpub; verify origin, channel id & counter
Registration + Device Attestation (parties: U2F Device, Client, Relying Party)
• Relying Party -> Client: app id a, challenge
• Client -> U2F Device: a; c = (challenge, origin, channel id, etc.)
• U2F Device: check app id a; generate kpub, kpriv and handle h
• U2F Device -> Client: kpub, h, attestation cert, s = signature(a, c, kpub, h)
• Client -> Relying Party: c, kpub, h, attestation cert, s
• Relying Party: associate kpub with handle h for the user
So How Did We Do?
• Bad user experience: x
• Still phishable: x
• MitM: x
Resources
• Strengthen 2 step verification with Security Key: Google security blog
• Yubico Security Key: yubico.com/security-key
• Yubico Libraries, Plugins, Sample Code, Documentation: developers.yubico.com
• FIDO U2F Protocol Specification: fidoalliance.org/specifications
• Yubico Demo Server - Test U2F: demo.yubico.com/u2f
• Yubico Demo Server - Test Yubico OTP: demo.yubico.com