Breaking FIDO
Are Exploits in There?
© 2016 Yubico

FIDO U2F (Universal 2nd Factor)
● Analyzing FIDO U2F
● Attack and Countermeasures
● Implementation Considerations
● Resources

User Experience
1. Enter username/pwd
2. Insert U2F device
3. Touch U2F device

Core Features & Supporting Sites
● Scalable
  - Works across any number of services
  - Remote provisioning
● Secure
  - Protects against phishing & MitM
  - Verifies user presence
● Simple UX
  - Single gesture operation
● Open Standard
  - Native platform/browser support

Challenge Parameter (c)
Client Data = Challenge, Origin, Channel ID
c = SHA-256 hash (Client Data)

Registration
Participants: U2F Device, Client, Server
1. Server -> Client: AppID, challenge
2. Client: Verify AppID
3. Client: Construct client data containing challenge, origin, channel ID
4. Client -> U2F Device: AppID, client data
5. U2F Device: Generate: private key, public key, key handle
6. U2F Device -> Client: public key, key handle, signature
7. Client -> Server: pk, kh, sig, client data
8. Server: Verify client data
9. Server: Verify sig
10. Server: Store pk, kh

Authentication
Participants: U2F Device, Client, Server
1. Server: Fetch public key, key handle for user
2. Server -> Client: AppID, challenge, key handle
3. Client: Verify AppID
4. Client: Construct client data containing challenge, origin, channel ID
5. Client -> U2F Device: AppID, client data, key handle
6. U2F Device: Retrieve private key
7. U2F Device: Verify AppID
8. U2F Device: Sign client data
9. U2F Device: counter ++
10. U2F Device -> Client: counter, signature
11. Client -> Server: counter, signature, client data
12. Server: Verify client data
13. Server: Verify sig

[Diagram labels: Replay sessions; acme.com; Attacker; Reuse credentials; Password DB stolen; not_protected.com; Attacker]

Password Reuse & Replay Attack
Participants: U2F Device, Client, Relying Party
1. Relying Party -> Client: challenge
2. Client -> U2F Device: challenge
3. U2F Device: Sign with kpriv: signature(challenge)
4. U2F Device -> Client: s
5. Client -> Relying Party: s
6. Relying Party: Lookup kpub
7. Relying Party: Check signature (s) using kpub

Phishing (pwd, OTP, SMS, Push)
[Diagram labels: Attacker site acm3.com; acme.com; Attacker]

Phishing
[Diagram labels: Attacker site acm3.com; acme.com; Proof of user presence; Attacker]

Phishing Protection
Participants: U2F Device, Client, Relying Party
1. Relying Party -> Client: challenge
2. Client: challenge, origin, channel id
3. Client -> U2F Device: c
4. U2F Device: Retrieve private key
5. U2F Device: Verify AppID
6. U2F Device: Sign client data: signature(c)
7. U2F Device -> Client: s
8. Client -> Relying Party: c, s
9. Relying Party: Lookup kpub
10. Relying Party: Check s using kpub
11. Relying Party: Verify origin & channel id

[Diagram labels: 1 MitM (fake/stolen cert, BEAST); 2 acme.com; steal assertion; 4 use cookie; 3 Proof of user presence; Attacker]

Hijack User Login Session
Participants: U2F Device, Client, Server
1. Server: Fetch public key, key handle for user
2. Server -> Client: AppID, challenge, key handle
3. Client: Verify AppID
4. Client: Construct client data containing challenge, origin, channel ID
5. Client -> U2F Device: AppID, client data, key handle
6. U2F Device: Retrieve private key
7. U2F Device: Verify AppID
8. U2F Device: Sign client data
9. U2F Device -> Client: signature
10. Client -> Server: signature, client data
11. Server: Verify client data
12. Server: Verify sig
13. steal cookie

Channel ID (Token Binding)
[Diagram labels: TLS; Bind Token with Token Binding ID; Token Binding (Private Key); Token Binding ID: Hash<Public Key>; acme.com; Token Binding (Public Key)]

Token Binding
[Diagram labels: acme.com server; Steal assertion; Proof of user presence; No assertion or cookie reuse; Attacker]

MitM Protection
Participants: U2F Device, Client, Relying Party
1. Relying Party -> Client: challenge
2. Client: challenge, origin, channel id
3. Client -> U2F Device: c
4. U2F Device: Verify AppID
5. U2F Device: Sign client data: signature(c)
6. U2F Device -> Client: s
7. Client -> Relying Party: c, s
8. Relying Party: Lookup kpub
9. Relying Party: Check s using kpub
10. Relying Party: Verify origin & channel id

“I promise a user was here”
“The server challenge was: KSDJsdASc8-A17pW”
“The origin was: accounts.acme.com”
“The TLS connection state was: 3454567”
Sincerely, your Browser
● Origin mismatch for key handle => MitM attack!
● Incorrect origin name => MitM attack!
● Channel ID mismatch => MitM attack!

Malware
[Diagram labels: Attacker; acme.com server]

Compromised Client
Participants: U2F Device, Client, Server
1. Server: Fetch public key, key handle for user
2. Server -> Client: AppID, challenge, key handle
3. Client: Verify AppID
4. Client: Construct client data containing challenge, origin, channel ID
5. Client -> U2F Device: AppID, client data, key handle
6. U2F Device: Retrieve private key
7. U2F Device: Verify AppID
8. U2F Device: Sign client data
9. U2F Device -> Client: signature
10. Client -> Server: signature, client data
11. Server: Verify client data
12. Server: Verify sig

Extract/Export Private Key
[Diagram labels: Attacker; acme.com server; Proof of user presence]

What are the Alternatives?
● Smart card => Scaling
● OTP/SMS => Phishing
● Push notification => Phishing
Google’s research paper on FIDO U2F deployment: yubico.com/google-study

Implementation Considerations
● Registration flow
  - TOFU (Trust On First Use)
  - Attacker enables FIDO on account first
  - User sets up weak backup options
● Recovery flow
  - Lowering the level of assurance
  - Lost/stolen authenticator/device
  - Onboarding credentials to new devices

How to Get Started?
Learn
  - Read the specifications: dev.yubi.co/U2F & github.com/dainnilsson/u2f-tutorial
  - Go through a MiniTwit U2F tutorial: MiniTwit training video
Implement
  - Google reference code: github.com/google/u2f-ref-code
  - Build your own U2F server: dev.yubi.co/U2F/libraries
  - Use Yubico standalone U2F server: dev.yubi.co/u2fval
Test
  - Yubico U2F demo server: demo.yubico.com/u2f
  - Google U2F demo server: u2fdemo.appspot.com

Thank you!
Questions
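
Added example (not from the original deck or from Yubico's code): the relying party's "Verify client data" step from the Authentication and MitM Protection slides, together with the counter check, in Python. Function and sample names are hypothetical, the cid_pubkey value is a constructed string rather than a real key, and the signature check that covers c is assumed to be done separately by a crypto library.

```python
import hashlib
import json

SIGN_TYP = "navigator.id.getAssertion"  # "typ" of a U2F authentication


def verify_client_data(raw, challenge, origins, tls_channel_id, stored_ctr, ctr):
    """Relying-party checks. Returns (ok, reason, c), c = SHA-256(client data)."""
    c = hashlib.sha256(raw).digest()  # challenge parameter covered by the signature
    try:
        data = json.loads(raw)
    except ValueError:
        return False, "malformed client data", c
    if not isinstance(data, dict) or data.get("typ") != SIGN_TYP:
        return False, "wrong typ", c
    if data.get("challenge") != challenge:        # must be the one this session issued
        return False, "challenge mismatch", c
    if data.get("origin") not in origins:         # a look-alike site is caught here
        return False, "origin mismatch", c
    if data.get("cid_pubkey") != tls_channel_id:  # assertion arrived on another TLS channel
        return False, "channel ID mismatch", c
    if ctr <= stored_ctr:                         # device increments its counter per signature
        return False, "counter did not increase", c
    return True, "ok", c


def make_client_data(challenge, origin, cid):
    """Constructed sample input: what the browser would send for one login."""
    return json.dumps({"typ": SIGN_TYP, "challenge": challenge,
                       "origin": origin, "cid_pubkey": cid}).encode()


def demo():
    # Sample values reuse the strings shown on the browser-statement slide.
    ch, cid, good = "KSDJsdASc8-A17pW", "3454567", "https://accounts.acme.com"
    cases = {
        "legit": (make_client_data(ch, good, cid), 42),
        "phish": (make_client_data(ch, "https://acm3.com", cid), 42),
        "mitm": (make_client_data(ch, good, "9999999"), 42),
        "stale": (make_client_data(ch, good, cid), 41),
    }
    return {name: verify_client_data(raw, ch, {good}, cid, 41, ctr)[1]
            for name, (raw, ctr) in cases.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:6} -> {reason}")
```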