On 29.10.24 15:36, Alan DeKok wrote:
> On Oct 29, 2024, at 4:03 AM, Yukiko MINAMIE <mina...@stellar.co.jp> wrote:
>>> Perhaps one option would be to allow the challenge to be created by the FIDO2 server, but add an exchange specific to the EAP-FIDO protocol, which would do the cryptographic binding. That exchange could stay inside of EAP-FIDO, and wouldn't have to affect any FIDO exchanges.
>>
>> Thank you for this suggestion. I was also thinking that it would be helpful if a similar approach could be implemented.
>
> I believe that if the challenge is created by the server, then I think the crypto binding issues aren't relevant. i.e. the client can just use the server's challenge.
The problem I have with this approach: this could make cross-protocol attacks possible.

I think/suspect that the available FIDO servers are fixed on the clientData structure expected from WebAuthn (a JSON-like structure with static strings "webauthn.get" or "webauthn.create", base64-encoded challenges, etc.). If we allowed the use of FIDO servers without including the protocol context, attacks could become possible where a Wi-Fi authentication is intercepted and used for web authentication, or vice versa.
The precondition for an attack would be:
- either one of the parties involved is acting maliciously (i.e. forwarding things only intended for itself via a different protocol),
- or an attacker is able to gain access to the data sent through the TLS tunnel.

If we choose to work under the assumption that the TLS tunnel is secure and cannot be broken, then we can simply get a challenge from the FIDO server, send the challenge over to the EAP client and have them sign it.
Those are just my thoughts as they come into my head; I don't have a good sense of the best course of action right now.
If people with more experience in WebAuthn/FIDO/... want to weigh in: please feel free. I'm open to suggestions.
Cheers,
Janfred

--
Mr. Jan-Frederik Rieckers
Security, Trust & Identity Services
E-Mail: rieck...@dfn.de | Phone: +49 30884299-339 | Fax: +49 30884299-370
Pronouns: he/him

DFN - Deutsches Forschungsnetz | German National Research and Education Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de
Executive Board: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian Zens
Managing Directors: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729B | VAT ID DE 136623822
Emu mailing list -- emu@ietf.org
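To make the cross-protocol concern in the message above concrete, here is an added example (not code from the thread, nor from any FIDO or EAP-FIDO implementation). It models the part of FIDO assertion verification where the protocol context lives: the clientData `type` field is covered by the signature, so a verifier that checks it rejects an assertion produced for another protocol, while a verifier that matches only challenge and signature would accept the same bytes. The `eap-fido.get` type string, the origin, the challenge and the HMAC stand-in for the credential key are assumptions for illustration, not values from the thread.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the authenticator's credential private key.
# Real authenticators sign with an asymmetric key (e.g. ES256); an HMAC is
# used here only so the example runs on the standard library. What gets
# signed and what the verifier checks is the part that matters here.
CREDENTIAL_KEY = b"constructed-credential-key-not-a-real-secret"

WEBAUTHN_TYPE = "webauthn.get"
# Hypothetical type string for an EAP-FIDO context. The thread does not define
# one; it is an assumption used to show what a context-bound clientData looks like.
EAP_FIDO_TYPE = "eap-fido.get"


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_client_data(challenge: bytes, origin: str, ctx_type: str) -> bytes:
    """Serialize a CollectedClientData-style structure; 'type' carries the protocol context."""
    doc = {"type": ctx_type, "challenge": b64url(challenge), "origin": origin}
    return json.dumps(doc, separators=(",", ":")).encode()


def build_authenticator_data(rp_id: str, counter: int) -> bytes:
    """rpIdHash (32 bytes) || flags (UP set) || 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big")


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """A FIDO assertion signature covers authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def authenticator_sign(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    payload = signed_payload(authenticator_data, client_data_json)
    return hmac.new(CREDENTIAL_KEY, payload, hashlib.sha256).digest()


def verify_assertion(expected_challenge: bytes, expected_origin: str, expected_type: str,
                     authenticator_data: bytes, client_data_json: bytes, signature: bytes,
                     check_context: bool = True):
    """Verifier-side checks. Returns (accepted, reason).

    check_context=False models a verifier that only matches challenge and
    signature, i.e. one that ignores which protocol the assertion was made for.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientData is not valid JSON"
    if check_context and cd.get("type") != expected_type:
        return False, "wrong type: assertion was made for a different protocol context"
    if cd.get("origin") != expected_origin:
        return False, "wrong origin"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge does not match the one this server issued"
    expected_sig = hmac.new(CREDENTIAL_KEY, signed_payload(authenticator_data, client_data_json),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "signature does not verify"
    return True, "ok"


def demo() -> dict:
    """One server-issued challenge, signed in a WebAuthn context, shown to different verifiers."""
    challenge = hashlib.sha256(b"constructed challenge seed").digest()  # constructed, deterministic
    origin = "https://idp.example.test"  # constructed origin
    auth_data = build_authenticator_data("idp.example.test", counter=7)
    cd_web = build_client_data(challenge, origin, WEBAUTHN_TYPE)
    sig = authenticator_sign(auth_data, cd_web)

    # The web verifier that issued the challenge accepts the assertion.
    web = verify_assertion(challenge, origin, WEBAUTHN_TYPE, auth_data, cd_web, sig)
    # An EAP-FIDO verifier that requires its own context type rejects the very same bytes.
    eap_bound = verify_assertion(challenge, origin, EAP_FIDO_TYPE, auth_data, cd_web, sig)
    # Without the context check, the same verifier would accept them: this is the
    # cross-protocol reuse the message is worried about.
    eap_unbound = verify_assertion(challenge, origin, EAP_FIDO_TYPE, auth_data, cd_web, sig,
                                   check_context=False)
    # The type field cannot simply be relabelled afterwards, because it is under the signature.
    cd_relabelled = build_client_data(challenge, origin, EAP_FIDO_TYPE)
    relabelled = verify_assertion(challenge, origin, EAP_FIDO_TYPE, auth_data, cd_relabelled, sig)
    return {"web": web, "eap_bound": eap_bound, "eap_unbound": eap_unbound, "relabelled": relabelled}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} accepted={ok} ({reason})")
```

The design point is the one the message makes: as long as the signed clientData carries a protocol-specific context (here the `type` field, plus the origin) and every verifier insists on its own context, a challenge issued by a shared FIDO server can be reused across protocols only by breaking the signature, not by forwarding the assertion.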