Lab - 6 - FIDO Webauthn

Introduction

The goal of these exercises is to explore the functionalities of FIDO through a small web application that uses WebAuthn.

The exercise will follow the example application available at https://webauthn.me/

Registering a passkey

Access the webpage and enter a new username (beaker?), then adjust the cryptographic methods. The first part of the page lets you configure the identity of the website (the relying party) and of the user. Next you can configure the cryptographic algorithms to be used. An interesting point is that specific credentials can be excluded, which allows known compromised keys to be blocked. Several other parameters are required, such as whether the user must be present.

Hit register and create the passkey. If you have an extension such as a password manager installed, it may offer to store the credential. You can also use additional tokens that you own, such as hardware keys. If nothing else is present, the authenticator built into the operating system will be used.

When the credentials are created, you can analyse what is sent to the server. In my case the response includes the following:

clientDataJSON: {
  "type": "webauthn.create",
  "challenge": "TPYIM77ZQi7B1k0BHW497lMmkIVNEWPfbTqKSutA55A",
  "origin": "https://webauthn.me",
  "crossOrigin": false
}
authenticatorAttachment: platform,
transports: [
  "internal"
]
attestationObject: {
  "fmt": "tpm",
  "attStmt": {
    "alg": -65535,
    "sig": "SIGNATURE CONTENT",
    "ver": "2.0",
    "x5c": PEM [ CERTIFICATE CHAIN ],
    "pubArea": {
      "type": "Buffer",
      "data": [ BUFFER CONTENT  ]
    },
    "certInfo": {
      "type": "Buffer",
      "data": [ CERTIFICATE ]
    }
  },
  "authData": {
    "rpIdHash": "f95bc73828ee210...e318766cd2e1ad",
    "flags": {
      "userPresent": true,
      "reserved1": false,
      "userVerified": true,
      "backupEligibility": false,
      "backupState": false,
      "reserved2": false,
      "attestedCredentialData": true,
      "extensionDataIncluded": false
    },
    "signCount": 0,
    "attestedCredentialData": {
      "aaguid": "9ddd1817-...-3e3dd95000a9",
      "credentialId": "49b32df0b240fde...c4a2b2fdb5a483",
      "credentialPublicKey": PEM {
        "kty": "RSA",
        "alg": "RSASSA-PKCS1-v1_5_w_SHA256",
        "n": "skFMOmzhV/eLkxCBWWrX2pSncaXeVmU+7...Jb7W9yTCvHBSanU5QDnmLw==",
        "e": "AQAB"
      }
    }
  }
},

Authenticating a user

After authentication, the response is:

signature: 521b62d7b5e15c192ae093c...2ae02ebc297a86cac19a3d91b39e87096029097f
userHandle: 37bd7923048e4b3cfe...3f57bac7958
clientDataJSON: {
  "type": "webauthn.get",
  "challenge": "WE-p0t-ztIvLKR67kauJVKpQ6XBWnz08amscUutsf3M",
  "origin": "https://webauthn.me",
  "crossOrigin": false
},
authenticatorAttachment: platform,
authenticatorData: {
  "rpIdHash": "f95bc73828ee210f9fd3b...3d0ae318766cd2e1ad",
  "flags": {
    "userPresent": true,
    "reserved1": false,
    "userVerified": true,
    "backupEligibility": false,
    "backupState": false,
    "reserved2": false,
    "attestedCredentialData": false,
    "extensionDataIncluded": false
  },
  "signCount": 1
},
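
The checks a relying party runs on the authentication response above, before verifying the signature, as an added example (not code from webauthn.me): it parses the 37-byte authenticatorData prefix (rpIdHash, flags, signCount), decodes the flag bits shown in the captured output, and validates clientDataJSON against the expected challenge and origin. The sample bytes are constructed to match the captured response (flags userPresent and userVerified, signCount 1).

```python
import hashlib
import json
import struct

RP_ID = "webauthn.me"                 # relying party id; rpIdHash must be SHA-256 of it
EXPECTED_ORIGIN = "https://webauthn.me"

# Bit positions of the flags byte in authenticatorData (WebAuthn spec).
FLAG_BITS = {"userPresent": 0, "reserved1": 1, "userVerified": 2, "backupEligibility": 3,
             "backupState": 4, "reserved2": 5, "attestedCredentialData": 6,
             "extensionDataIncluded": 7}

def parse_authenticator_data(raw: bytes) -> dict:
    """Split the fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags_byte = raw[:32], raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    flags = {name: bool(flags_byte >> bit & 1) for name, bit in FLAG_BITS.items()}
    return {"rpIdHash": rp_id_hash.hex(), "flags": flags, "signCount": sign_count}

def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: str, stored_sign_count: int) -> dict:
    """Relying-party checks for a webauthn.get response (signature check not included)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if client_data.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch (possible replay)")
    if client_data.get("origin") != EXPECTED_ORIGIN or client_data.get("crossOrigin"):
        raise ValueError("origin mismatch")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(RP_ID.encode()).hexdigest():
        raise ValueError("rpIdHash does not match the relying party id")
    if not parsed["flags"]["userPresent"]:
        raise ValueError("user presence not asserted")
    # A counter that fails to move past the stored value suggests a cloned authenticator.
    if (parsed["signCount"] or stored_sign_count) and parsed["signCount"] <= stored_sign_count:
        raise ValueError("signCount did not increase")
    return parsed

# Constructed sample: flags 0x05 = userPresent | userVerified, signCount 1.
SAMPLE_CHALLENGE = "WE-p0t-ztIvLKR67kauJVKpQ6XBWnz08amscUutsf3M"
SAMPLE_CLIENT_DATA = json.dumps({"type": "webauthn.get", "challenge": SAMPLE_CHALLENGE,
                                 "origin": EXPECTED_ORIGIN, "crossOrigin": False}).encode()
SAMPLE_AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + struct.pack(">I", 1)

if __name__ == "__main__":
    print(verify_assertion(SAMPLE_CLIENT_DATA, SAMPLE_AUTH_DATA, SAMPLE_CHALLENGE, 0))
```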

One point to consider is where the cryptographic keys are actually stored. The answer depends on the device used for authentication. On Windows, you can search for passkeys and check the credentials already stored. On Windows 11 the actual storage is the TPM. To check the details, open a console and type: certutil -csp NGC -key -v
