Provable Security Analysis of FIDO2

We carry out the first provable security analysis of the new FIDO2 protocols, the FIDO Alliance's promising proposal for a passwordless user authentication standard. Our analysis covers the core components of FIDO2: the W3C's Web Authentication (WebAuthn) specification and the new Client-to-Authenticator Protocol (CTAP2). Our analysis is modular. For WebAuthn and CTAP2 in turn, we propose security models that aim to capture their intended security goals and use these models to analyze their security. First, our proof confirms the authentication security of WebAuthn. Then we show that CTAP2 can only be proved secure in a weak sense; along the way we identify a series of design flaws in it and provide suggestions for improvement. To withstand stronger yet realistic adversaries, we propose a generic protocol called sPACA and prove its strong security; with proper instantiations, sPACA is also more efficient than CTAP2. Finally, we analyze the overall security guarantees provided by FIDO2 and by WebAuthn+sPACA based on the security of their components. We expect that our models and provable security results will help clarify the security guarantees of the FIDO2 protocols. In addition, we advocate the adoption of our sPACA protocol as a substitute for CTAP2, for both stronger security and better performance.
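The authentication security the abstract claims for WebAuthn rests on a small set of relying-party checks performed on every assertion: the signed challenge must be the one the server issued, the origin recorded by the browser must be the server's own, the `rpIdHash` must match, user presence must be flagged, the signature must verify under the registered public key, and the signature counter must increase. The following Go program is an added example, not code from the paper or from any WebAuthn library; it simulates the three roles (relying party, browser, authenticator) with the standard library's P-256 ECDSA and shows each check rejecting a different failure. The type and function names (`RelyingParty`, `Authenticator`, `Authenticate`, `VerifyAssertion`) and the sample values (`example.com`, `https://evil.test`) are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// RelyingParty holds the server-side state: its rpID, the origin the browser
// must report, and what it learned at registration (names constructed for this example).
type RelyingParty struct {
	ID, Origin string
	PubKey     *ecdsa.PublicKey
	SignCount  uint32 // last accepted signature counter; a non-increasing value hints at a cloned authenticator
}

// Authenticator models a FIDO2 token holding one P-256 key and a signature counter.
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	signCount uint32
}

// clientData mirrors the CollectedClientData fields the relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authentication response delivered to the relying party.
type Assertion struct{ ClientDataJSON, AuthData, Sig []byte }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err // priv is nil when err != nil
}

// Register stands in for the registration ceremony: the relying party learns the public key.
func (rp *RelyingParty) Register(a *Authenticator) { rp.PubKey = &a.priv.PublicKey }

// NewChallenge issues a fresh random challenge that the relying party remembers for this session.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// GetAssertion is the authenticator's side: it signs authenticatorData || SHA-256(clientDataJSON),
// where authenticatorData = SHA-256(rpID) || flags || 32-bit big-endian signature counter.
func (a *Authenticator) GetAssertion(rpID string, clientDataHash []byte) (authData, sig []byte, err error) {
	a.signCount++
	rpIDHash := sha256.Sum256([]byte(rpID))
	counter := make([]byte, 4)
	binary.BigEndian.PutUint32(counter, a.signCount)
	authData = append(append(append([]byte{}, rpIDHash[:]...), 0x01), counter...) // 0x01 = UP (user present)
	msg := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	return authData, sig, err
}

// Authenticate models the browser: it writes the origin it actually observed into
// clientDataJSON and hands only the hash of that JSON to the authenticator.
func Authenticate(rp *RelyingParty, a *Authenticator, challenge []byte, browserOrigin string) (*Assertion, error) {
	cd := clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: browserOrigin}
	cdJSON, _ := json.Marshal(cd) // marshalling a struct of strings cannot fail
	h := sha256.Sum256(cdJSON)
	authData, sig, err := a.GetAssertion(rp.ID, h[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cdJSON, AuthData: authData, Sig: sig}, nil
}

// VerifyAssertion performs the relying-party checks; each failing check yields a distinct error.
func (rp *RelyingParty) VerifyAssertion(challenge []byte, as *Assertion) error {
	var cd clientData
	if rp.PubKey == nil { return errors.New("no credential registered") }
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil { return err }
	if cd.Type != "webauthn.get" { return errors.New("wrong ceremony type") }
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) { return errors.New("challenge mismatch: stale or replayed") }
	if cd.Origin != rp.Origin { return fmt.Errorf("origin mismatch: %q", cd.Origin) } // phishing page reports its own origin
	if len(as.AuthData) < 37 { return errors.New("authenticator data too short") }
	want := sha256.Sum256([]byte(rp.ID))
	if !bytes.Equal(as.AuthData[:32], want[:]) { return errors.New("rpIdHash mismatch") }
	if as.AuthData[32]&0x01 == 0 { return errors.New("user presence flag not set") }
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.PubKey, msg[:], as.Sig) { return errors.New("invalid signature") }
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= rp.SignCount { return errors.New("signature counter did not increase") }
	rp.SignCount = count
	return nil
}

func main() {
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com"} // constructed sample values
	auth, _ := NewAuthenticator()
	rp.Register(auth)
	ch, _ := rp.NewChallenge()
	as, _ := Authenticate(rp, auth, ch, "https://example.com")
	fmt.Println("genuine login:", rp.VerifyAssertion(ch, as))
	fmt.Println("replayed assertion:", rp.VerifyAssertion(ch, as))
}
```

Two design points are worth noting. The authenticator never sees the origin; it signs only the hash of what the browser recorded, so a credential used on a look-alike site produces a signature the genuine relying party rejects at the origin check, which is the phishing resistance WebAuthn's model captures. The counter check runs after the signature check, following the order of the specification's verification steps, so an assertion from an unregistered key is reported as a signature failure rather than a counter anomaly.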
