FIDO-UAF协议详解：构建强大的用户认证框架

FIDO

需积分: 38 120 浏览量更新于2024-07-17 1 收藏 5.14MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

"FIDO-UAF协议是FIDO联盟提出的一种强认证框架，旨在让在线服务和网站能够利用用户计算设备的内置安全特性进行强大的用户身份验证，减少创建和记忆多个在线凭证的问题。此协议标准由FIDO联盟成员如RSA、Google、PayPal等公司的专家编辑。FIDO-UAF协议的主要目标是提供一种安全、便捷的身份验证机制，以替代传统的用户名和密码系统，提升网络安全水平。" FIDO（Fast IDentity Online）联盟推出UAF（User Authentication Framework）协议，是为了应对日益严重的网络钓鱼、凭证盗窃等安全挑战。该协议的核心理念是利用现代智能设备（如智能手机、平板电脑和PC）的硬件安全模块，如生物识别技术（指纹、面部识别、声纹等），来实现用户身份的无密码验证。 FIDO-UAF协议架构概述了以下几个关键组件和协议： 1. **注册（Registration）**：在这个阶段，用户在设备上设置一个或多个认证方法，例如指纹或面部识别。这些认证数据被安全地存储在设备的Secure Element（SE）或Trust Service Provider（TSP）中，不会在网络上传输。 2. **认证（Authentication）**：当用户尝试访问受保护的服务时，设备会使用在注册过程中创建的凭据进行本地身份验证。验证成功后，设备生成一个一次性密钥（通常为公钥加密的挑战响应），并将其发送到服务器进行确认。 3. **服务器端（Server-side）**：服务器负责接收和验证来自设备的一次性密钥，并确认用户身份。服务器通常与FIDO服务器组件交互，以处理注册和验证请求。 4. **应用接口（Application Interface）**：FIDO-UAF定义了一套API，允许开发者将FIDO认证集成到他们的应用和服务中。这些API遵循特定的协议消息交换，确保与各种FIDO兼容的设备兼容。 5. **安全考虑（Security Considerations）**：FIDO-UAF协议强调安全设计，包括保护用户的隐私，防止中间人攻击，以及确保即使设备丢失，也不能轻易地重用注册的认证数据。 6. **信任模型（Trust Model）**：FIDO-UAF协议依赖于信任锚点，如证书或预置的公钥，来建立设备、应用和服务器之间的信任关系。这使得只有经过认证的组件才能参与身份验证流程。 7. **可扩展性（Extensibility）**：FIDO-UAF协议的设计允许添加新的认证技术和安全特性，以适应技术的发展。 FIDO-UAF协议通过将认证过程本地化并利用设备的硬件安全功能，极大地增强了在线身份验证的安全性，同时减少了用户管理复杂密码的负担。随着移动设备和物联网设备的普及，FIDO-UAF有望成为未来认证的标准之一。

资源详情

资源推荐

As the UTF-8 representation has variable length, the maximum byte length of string[5] is string[4*5].
All strings are case-sensitive unless stated otherwise.
This document uses WebIDL [
WebIDL-ED] to define UAF protocol messages.
Implementations 
must serialize the UAF protocol messages for transmission using UTF-8 encoded JSON [RFC4627].
3.1 Shared Structures and Types
This section defines types and structures shared by various operations.
3.1.1 Version Interface
Represents a generic version with major and minor fields.
WebIDL
interface Version {
    readonly    attribute 
unsigned short major;
    readonly    attribute 
unsigned short minor;
};
3.1.1.1 Attributes
major of type unsigned short, readonly
Major version.
minor of type unsigned short, readonly
Minor version.
3.1.2 Operation enumeration
Describes the operation type of a UAF message or request for a message.
WebIDL
enum Operation {
    "
Reg",
    "
Auth",
    "
Dereg"
};
Enumeration description
Reg Registration
Auth
Authentication or Transaction
Confirmation
Dereg Deregistration
3.1.3 OperationHeader dictionary
Represents a UAF message Request and Response header
WebIDL
dictionary OperationHeader {
    
required Version   upv;
    
required Operation op;
    
DOMString          appID;
    
DOMString          serverData;
    
Extension[]        exts;
};
3.1.3.1 Dictionary 
OperationHeader Members
upv of type required Version
UAF protocol version (upv). To conform with this version of the UAF spec set, the major value must be 1 and the minor value must be
1.
op of type required Operation
Name of FIDO operation (op) this message relates to.
appID of type DOMString
string[0..512].
The application identifier that the relying party would like to assert.
There are three ways to set the 
AppID [FIDOAppIDAndFacets]:
1.  If the element is missing or empty in the request, the FIDO UAF Client must set it to the FacetID of the caller.
NOTE
"Auth" is used for both authentication and transaction confirmation.

2. If the appID present in the message is identical to the FacetID of the caller, the FIDO UAF Client must accept it.

3. If it is an URI with HTTPS protocol scheme, the FIDO UAF Client must use it to load the list of trusted facet identifiers from the

specified URI. The FIDO UAF Client

must only accept the request, if the facet identifier of the caller matches one of the trusted

facet identifiers in the list returned from dereferencing this URI.

serverData of type DOMString

string[1..1536].

A session identifier created by the relying party.

exts of type array of Extension

List of UAF Message Extensions.

3.1.4 Authenticator Attestation ID (AAID) typedef

WebIDL

typedef DOMString AAID;

string[9]

Each authenticator must have an AAID to identify UAF enabled authenticator models globally. The AAID must uniquely identify a specific

authenticator model within the range of all UAF-enabled authenticator models made by all authenticator vendors, where authenticators of a

specific model must share identical security characteristics within the model (see

Security Considerations).

The

AAID is a string with format "V#M", where

"#" is a separator

"V" indicates the authenticator Vendor Code. This code consists of 4 hexadecimal digits.

"M" indicates the authenticator Model Code. This code consists of 4 hexadecimal digits.

The Augmented BNF [

ABNF] for the AAID is:

AAID = 4(HEXDIG) "#" 4(HEXDIG)

The FIDO Alliance is responsible for assigning authenticator vendor Codes.

Authenticator vendors are responsible for assigning authenticator model codes to their authenticators. Authenticator vendors

must assign

unique

AAIDs to authenticators with different security characteristics.

AAIDs are unique and each of them must relate to a distinct authentication metadata file ([

FIDOMetadataStatement])

3.1.5 KeyID typedef

WebIDL

typedef DOMString KeyID;

base64url(byte[32...2048])

KeyID is a unique identifier (within the scope of an AAID) used to refer to a specific UAuth.Key. It is generated by the authenticator and registered

with a FIDO Server.

The (

AAID, KeyID ) tuple must uniquely identify an authenticator's registration for a relying party. Whenever a FIDO Server wants to provide

specific information to a particular authenticator it

must use the (AAID, KeyID) tuple.

NOTE

The new key pair that the authenticator generates will be associated with this application identifier.

Security Relevance: The application identifier is used by the FIDO UAF Client to verify the eligibility of an application to trigger

the use of a specific

UAuth.Key. See [FIDOAppIDAndFacets]

NOTE

The relying party can opaquely store things like expiration times for the registration session, protocol version used and other

useful information in

serverData. This data is opaque to FIDO UAF Clients. FIDO Servers may reject a response that is

lacking this data or is containing unauthorized modifications to it.

Servers that depend on the integrity of

serverData should apply appropriate security measures, as described in Registration

Request Generation Rules for FIDO Server and section ServerData and KeyHandle.

NOTE

HEXDIG is case insensitive, i.e. "03EF" and "03ef" are identical.

NOTE

Adding new firmware/software features, or changing the underlying hardware protection mechanisms will typically change the security

characteristics of an authenticator and hence would require a new

AAID to be used. Refer to ([FIDOMetadataStatement]) for more details.

KeyID must be base64url encoded within the UAF message (see above).
During step-up authentication and deregistration operations, the FIDO Server 
should provide the KeyID back to the authenticator for the latter
to locate the appropriate user authentication key, and perform the necessary operation with it.
Roaming authenticators which don't have internal storage for, and cannot rely on any ASM to store, generated key handles 
should provide the
key handle as part of the 
AuthenticatorRegistrationAssertion.assertion.KeyID during the registration operation (see also section ServerData
and KeyHandle) and get the key handle back from the FIDO Server during the step-up authentication (in the MatchCriteria dictionary which is
part of the 
policy) or deregistration operations (see [UAFAuthnrCommands] for more details).
3.1.6 ServerChallenge typedef
WebIDL
typedef DOMString ServerChallenge;
base64url(byte[8...64])
ServerChallenge
 is a server-provided random challenge. Security Relevance: The challenge is used by the FIDO Server to verify whether an
incoming response is new, or has already been processed. See section 
Replay Attack Protection for more details.
The 
ServerChallenge should be mixed into the entropy pool of the authenticator. Security Relevance: The FIDO Server should provide a
challenge containing strong cryptographic randomness whenever possible. See section 
Server Challenge and Random Numbers.
3.1.7 FinalChallengeParams dictionary
WebIDL
dictionary FinalChallengeParams {
    
required DOMString       appID;
    
required ServerChallenge challenge;
    
required DOMString       facetID;
    
required ChannelBinding  channelBinding;
};
3.1.7.1 Dictionary 
FinalChallengeParams Members
appID of type required DOMString
string[1..512]
The value must be taken from the appID field of the OperationHeader
challenge of type required ServerChallenge
The value must be taken from the challenge field of the request (e.g. RegistrationRequest.challenge,
AuthenticationRequest.challenge).
facetID of type required DOMString
string[1..512]
The value is determined by the FIDO UAF Client and it depends on the calling application. See [FIDOAppIDAndFacets] for more
details. Security Relevance: The 
facetID is determined by the FIDO UAF Client and verified against the list of trusted facets retrieved
by dereferencing the 
appID of the calling application.
channelBinding of type required ChannelBinding
Contains the TLS information to be sent by the FIDO Client to the FIDO Server, binding the TLS channel to the FIDO operation.
3.1.8 TLS ChannelBinding dictionary
ChannelBinding contains channel binding information [RFC5056].
NOTE
The exact structure and content of a KeyID is specific to the authenticator implementation.
NOTE
The minimum challenge length of 8 bytes follows the requirement in [SP800-63] and is equivalent to the 20 decimal digits as required in
[
RFC6287].
NOTE
The maximum length has been defined such that SHA-512 output can be used without truncation.
NOTE
The mixing of multiple sources of randomness is recommended to improve the quality of the random numbers generated by the
authenticator, as described in [
RFC4086].
NOTE

Further requirements:
1.  If data related to any of the channel binding methods, described here, is available to the FIDO UAF Client (i.e. included in this dictionary),
it 
must be used according to the relevant specification .
2.  All channel binding methods described here 
must be supported by the FIDO Server. The FIDO Server may reject operations if the
channel binding cannot be verified successfully.
WebIDL
dictionary ChannelBinding {
    
DOMString serverEndPoint;
    
DOMString tlsServerCertificate;
    
DOMString tlsUnique;
    
DOMString cid_pubkey;
};
3.1.8.1 Dictionary 
ChannelBinding Members
serverEndPoint of type DOMString
The field serverEndPoint must be set to the base64url-encoded hash of the TLS server certificate if this is available. The hash
function 
must be selected as follows:
1.  if the certificate's 
signatureAlgorithm uses a single hash function and that hash function is either MD5 [RFC1321] or SHA-1
[
RFC6234], then use SHA-256 [FIPS180-4];
2.  if the certificate's 
signatureAlgorithm uses a single hash function and that hash function is neither MD5 nor SHA-1, then use
the hash function associated with the certificate's
signatureAlgorithm;
3.  if the certificate's 
signatureAlgorithm uses no hash functions, or uses multiple hash functions, then this channel binding type's
channel bindings are undefined at this time (updates to this channel binding type may occur to address this issue if it ever
arises)
This field 
must be absent if the TLS server certificate is not available to the processing entity (e.g., the FIDO UAF Client) or the hash
function cannot be determined as described.
tlsServerCertificate of type DOMString
This field must be absent if the TLS server certificate is not available to the FIDO UAF Client.
This field 
must be set to the base64url-encoded, DER-encoded TLS server certificate, if this data is available to the FIDO UAF
Client.
tlsUnique of type DOMString
must be set to the base64url-encoded TLS channel Finished structure. It must, however, be absent, if this data is not available to the
FIDO UAF Client [
RFC5929].
The use of the tlsUnique is deprecated as the security of the 
tls-unqiue channel binding type [RFC5929] is broken, see [TLSAUTH].
cid_pubkey of type DOMString
must be absent if the client TLS stack doesn't provide TLS ChannelID [ChannelID] information to the processing entity (e.g., the web
browser or client application).
must be set to "unused" if TLS ChannelID information is supported by the client-side TLS stack but has not been signaled by the
TLS (web) server.
Otherwise, it 
must be set to the base64url-encoded serialized [RFC4627] JwkKey structure using UTF-8 encoding.
3.1.9 JwkKey dictionary
JwkKey is a dictionary representing a JSON Web Key encoding of an elliptic curve public key [JWK].
This public key is the ChannelID public key minted by the client TLS stack for the particular relying party. [
ChannelID] stipulates using only a
particular elliptic curve, and the particular coordinate type.
WebIDL
dictionary JwkKey {
    
required DOMString kty = "EC";
    
required DOMString crv = "P-256";
    
required DOMString x;
Security Relevance:The channel binding may be verified by the FIDO Server in order to detect and prevent MITM attacks.
At this time, the following channel binding methods are supported:
TLS ChannelID (cid_pubkey) [ChannelID]
serverEndPoint [RFC5929]
tlsServerCertificate
tlsUnique [RFC5929]
NOTE
If channel binding data is accessible to the web browser or client application, it must be relayed to the FIDO UAF Client in order to
follow the assumptions made in [
FIDOSecRef].
If channel binding data is accessible to the web server, it must be relayed to the FIDO Server in order to follow the assumptions
made in [
FIDOSecRef]. The FIDO Server relies on the web server to provide accurate channel binding information.

    required DOMString y;
};
3.1.9.1 Dictionary 
JwkKey Members
kty of type required DOMString, defaulting to "EC"
Denotes the key type used for Channel ID. At this time only elliptic curve is supported by [
ChannelID], so it must be set to "EC"
[
JWA].
crv of type required DOMString, defaulting to "P-256"
Denotes the elliptic curve on which this public key is defined. At this time only the NIST curve 
secp256r1 is supported by [ChannelID],
so the 
crv parameter must be set to "P-256".
x of type required DOMString
Contains the base64url-encoding of the x coordinate of the public key (big-endian, 32-byte value).
y of type required DOMString
Contains the base64url-encoding of the y coordinate of the public key (big-endian, 32-byte value).
3.1.10 Extension dictionary
FIDO extensions can appear in several places, including the UAF protocol messages, authenticator commands, or in the assertion signed by
the authenticator.
Each extension has an identifier, and the namespace for extension identifiers is FIDO UAF global (i.e. doesn't depend on the message where
the extension is present).
Extensions can be defined in a way such that a processing entity which doesn't understand the meaning of a specific extension 
must abort
processing, or they can be specified in a way that unknown extension can (safely) be ignored.
Extension processing rules are defined in each section where extensions are allowed.
Generic extensions used in various operations.
WebIDL
dictionary Extension {
    
required DOMString id;
    
required DOMString data;
    
required boolean   fail_if_unknown;
};
3.1.10.1 Dictionary 
Extension Members
id of type required DOMString
string[1..32].
Identifies the extension.
data of type required DOMString
Contains arbitrary data with a semantics agreed between server and client. Binary data is base64url-encoded.
This field 
may be empty.
fail_if_unknown of type required boolean
Indicates whether unknown extensions must be ignored (false) or must lead to an error (true).
A value of false indicates that unknown extensions must be ignored
A value of true indicates that unknown extensions must result in an error.
3.1.11 MatchCriteria dictionary
Represents the matching criteria to be used in the server policy.
NOTE
The FIDO UAF Client might (a) process an extension or (b) pass the extension through to the ASM. Unknown extensions must be
passed through.
The ASM might (a) process an extension or (b) pass the extension through to the FIDO authenticator. Unknown extensions must be
passed through.
The FIDO authenticator must handle the extension or ignore it (only if it doesn't know how to handle it and 
fail_if_unknown is not set). If
the FIDO authenticator doesn't understand the meaning of the extension and 
fail_if_unknown is set, it must generate an error (see
definition of 
fail_if_unknown above).
When passing through an extension to the next entity, the 
fail_if_unknown flag must be preserved (see [UAFASM]
[
UAFAuthnrCommands]).
FIDO protocol messages are not signed. If the security depends on an extension being known or processed, then such extension should
be accompanied by a related (and signed) extension in the authenticator assertion (e.g. 
TAG_UAFV1_REG_ASSERTION,
TAG_UAFV1_AUTH_ASSERTION). If the security has been increased (e.g. the FIDO authenticator according to the description in the metadata
statement accepts multiple fingers but in this specific case indicates that the finger used at registration was also used for authentication)
there is no need to mark the extension as 
fail_if_unknown (i.e. tag 0x3E12 should be used [UAFAuthnrCommands]). If the security has
been degraded (e.g. the FIDO authenticator according to the description in the metadata statement accepts only the finger used at
registration for authentication but in this specific case indicates that a different finger was used for authentication) the extension must be
marked as 
fail_if_unknown (i.e. tag 0x3E11 must be used [UAFAuthnrCommands]).