FIDO(Fast IDentity Online) Alliance proposed a set of standard in 2014 for change the nature of online authentication. By now, it has drawn attention from many companies, including Google, VISA, Intel etc. In this pap...FIDO(Fast IDentity Online) Alliance proposed a set of standard in 2014 for change the nature of online authentication. By now, it has drawn attention from many companies, including Google, VISA, Intel etc. In this paper, we analyze the FIDO UAF(Universal Authentication Framework) Protocol, one of the two sets of specifications in the standard. We first present protocols' cryptographic abstractions for the registration and authentication protocols of the FIDO UAF. According to the abstractions, we discuss on selected security goals presented in the standard to study UAF security properties. We also propose three attacks, which the first two are based on an assumption that an attacker can corrupt the software installed on the user device, and the third is based on two users sharing a FIDO roaming authenticator. The results of the attacks are to impersonate the legitimate user to pass the online authentication.展开更多
文摘FIDO(Fast IDentity Online) Alliance proposed a set of standard in 2014 for change the nature of online authentication. By now, it has drawn attention from many companies, including Google, VISA, Intel etc. In this paper, we analyze the FIDO UAF(Universal Authentication Framework) Protocol, one of the two sets of specifications in the standard. We first present protocols' cryptographic abstractions for the registration and authentication protocols of the FIDO UAF. According to the abstractions, we discuss on selected security goals presented in the standard to study UAF security properties. We also propose three attacks, which the first two are based on an assumption that an attacker can corrupt the software installed on the user device, and the third is based on two users sharing a FIDO roaming authenticator. The results of the attacks are to impersonate the legitimate user to pass the online authentication.
