[Cryptography] Curious about FIDO Alliance authentication scheme

Thierry Moreau thierry.moreau at connotech.com
Wed Sep 23 09:33:08 EDT 2015


Here is a quick review of the FIDO alliance authentication proposal [1]. 
After looking superficially at the specifications documentation [2], I 
came to the tentative summary below. I did not feel a need to delve into 
the companion documentation set [3].

Core cryptographic principles:

(A) The scheme uses public key crypto signatures (PK signatures) without 
security certificates, for client authentication, in client-server 

(B) Each server entity (relying party) maintains its own database of 
public keys to account identity relationships.

(C) The scheme documentation suggests a unique PK signature key pair for 
each triplet <client,server,device>.

(D) Account registration is devoid of special provisions for client 
identity verification: client device selects a PK signature key pair, 
signs a protocol-negotiation-derived context-dependent data stream and 
that's it.

Best practice security principles:

(E) The scheme documentation includes a taxonomy of mechanisms with 
which the client device may protect the activation of the device PK 
digital signature capability.

(F) In the account registration protocol exchanges, such client local 
mechanisms are negotiated.

(G) This arrangement is herein qualified as "best practice" because the 
server has no cryptographic integrity protection for client assertions 
in this account registration protocol exchange.

Scheme adoption strategy:

(H) The initial teaser is the appeal of an anti-phishing solution 
(alternative to password authentication).

(I) Levels the playing field for biometric/two-factor/tamper-processor 
authentication vendors.

(J) Not sure about browser support barrier to entry strategy.

Please use this summary with caution since it is very much of a guesstimate.

Two questions:

1) any comment about the above summary ...

2) assuming the authentication scheme becomes widely deployed, what are 
the opportunities for the bad guys (those being creative, patient, and 
resourceful at attacking IT security schemes)? (Vulnerabilities in the 
client device are countless, dependent on local arrangements, and mostly 
well understood; it's the protocol vulnerabilities that would be 
relevant in view of the scheme novelty.)

Thanks in advance for feedback.

- Thierry

[1] https://fidoalliance.org/

-- FIDO Alliance Universal Authentication Framework Complete Specifications

-- FIDO Alliance Universal 2nd Factor (U2F) specs with Bluetooth and NFC 
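
The following is an added example, not part of the original post and not code from the FIDO specifications. It models points (A) to (D) of the summary: a relying party that keeps only a table of public keys, a device with one key pair per server, and a signature over data bound to the server's identity. Ed25519, the `signedData` layout, and all type, function and host names are assumptions of this sketch.

```go
package main

import "crypto/ed25519"

// Point (B): each relying party keeps its own account -> public key table; no certificates.
type KeyDB map[string]ed25519.PublicKey
type RelyingParty struct{ AppID string; Keys KeyDB }

// Device is point (C): one key pair per <client,server,device>, indexed here by app ID.
type Device map[string]ed25519.PrivateKey

// signedData binds the server challenge to the app ID the client believes it is talking to.
func signedData(appID string, challenge []byte) []byte {
	return append([]byte(appID+"\x00"), challenge...)
}

// Sign creates the per-server key on first use, then signs the context-dependent data (D).
func (d Device) Sign(appID string, challenge []byte) (ed25519.PublicKey, []byte, error) {
	if d[appID] == nil {
		_, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
		if err != nil {
			return nil, nil, err
		}
		d[appID] = priv
	}
	return d[appID].Public().(ed25519.PublicKey), ed25519.Sign(d[appID], signedData(appID, challenge)), nil
}

// Register stores whatever key the client presents: proof of possession only, no identity check (D).
func (rp RelyingParty) Register(account string, pub ed25519.PublicKey, challenge, sig []byte) bool {
	ok := len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, signedData(rp.AppID, challenge), sig)
	if ok {
		rp.Keys[account] = pub
	}
	return ok
}

// Authenticate verifies against the stored key and the relying party's own app ID.
func (rp RelyingParty) Authenticate(account string, challenge, sig []byte) bool {
	pub, ok := rp.Keys[account]
	return ok && ed25519.Verify(pub, signedData(rp.AppID, challenge), sig)
}

func main() {
	rp, dev, c := RelyingParty{"https://rp.example", KeyDB{}}, Device{}, []byte("constructed-challenge")
	pub, sig, err := dev.Sign(rp.AppID, c)
	println(err == nil && rp.Register("alice", pub, c, sig)) // true
}
```

A signature the device produces for a different app ID does not verify at this relying party, which is the anti-phishing property in point (H). This sketch leaves challenge issuance and freshness tracking to the caller.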
