FIDO Authentication and Its Technology: Technical Specifications and Standardization Activities

Hidehito GOMI, Wataru OOGAMI

FIDO Fast IDentity Online FIDO FIDO FIDO UAF U2F FIDO2 Web CTAP

Abstract: This paper describes the technical specifications and standardization activities of FIDO (Fast IDentity Online), which promotes simpler, stronger authentication using public-key cryptography and enhances privacy preservation and cross-platform support to expand its ecosystem.

Key words: FIDO Authentication, UAF, U2F, FIDO2, Web Authentication, CTAP, Biometric Authentication

1. FIDO (Fast IDentity Online) FIDO

2. FIDO FIDO 1 2012 2018 6 NTT LINE DDS ISR JCB KDDI UFJ NEC NTT

Hidehito GOMI, Member (Yahoo Japan Corporation, Tokyo, 102-8282 Japan), E-mail hgomi@yahoo-corp.jp; Wataru OOGAMI, Nonmember (Yahoo Japan Corporation, Tokyo, 102-8282 Japan), E-mail wogami@yahoo-corp.jp.
Fundamentals Review Vol.12 No.2 pp.115-125, Oct. 2018. (c) 2018 IEICE

FIDO Identity FIDO FIDO FIDO Compliance Interoperability FIDO FIDO FIDO FIDO 2016 5 FIDO
1 https://fidoalliance.org/
IEICE Fundamentals Review Vol.12 No.2 115
2 ( ) ID 1 FIDO (FIDO ). 3 FIDO WG Working Group FIDO Japan WG 2 FIDO 3 3. FIDO ID (Identifier ) ID FIDO 1 FIDO ID ID 2 2 https://www.slideshare.net/fidoalliance/fido-japan-workinggroup-84110650 3 FIDO FIDO Japan WG WG 1 ID ( ) ID ID ID FIDO (Authenticator) ( 3) FIDO FIDO FIDO FIDO FIDO ID TEE Trusted Execution Environment FIDO FIDO FIDO
FIDO FIDO 2018 5 GDPR (General Data Protection Regulation) FIDO 2 FIDO FIDO FIDO FIDO FIDO 4. FIDO FIDO 3. FIDO FIDO FIDO FIDO 3 4 FIDO ( )FIDO ( ) FIDO 4 FIDO FIDO PIN USB FIDO (something you have) PIN (something you know/something you are) 4 FIDO 5. FIDO FIDO 5. 1 FIDO UAF U2F FIDO FIDO UAF (Universal Authentication Framework) 3 U2F (Universal 2nd Factor) 4 4 vendor lock-in (Wikipedia https://ja.wikipedia.org/wiki/)
5 FIDO UAF U2F FIDO 52014 12 1.0 2016 12 1.1 FIDO 5 3. FIDO FIDO FIDO SAML 5 OpenID Connect 6 78 FIDO UAF NTT 6 Bank of America 10 6 FIDO UAF FIDO UAF MITM Man-In-The-Middle FIDO UAF 1.1 Android OS 8.0 Key Attestation 7 5 https://fidoalliance.org/download/ 6 2015 5 FIDO 9 2018 5 Android OS 7 48 iOS FIDO 7 https://developer.android.com/training/articles/security-key-attestation?hl=ja 6 FIDO UAF FIDO 7 FIDO U2F FIDO UAF Android 8 FIDO U2F PC Web FIDO FIDO U2F 7 (PC) USB FIDO U2F USB BLE Bluetooth Low Energy NFC Near Field Communication Google Dropbox GitHub Facebook 5. 2 FIDO FIDO FIDO 8 https://www.slideshare.net/fidoalliance/fido-seminar-tokyo
FIDO Attestation Basic Attestation TEE 10 FIDO PKI (Public Key Infrastructure) PKI 5. 3 FIDO Metadata FIDO MDS Metadata Service 11 9 MDS MDS MDS CA root of trust MDS FIDO FIDO 5. 4 UAF U2F PC FIDO FIDO / 9 2018 5 FIDO MDSv2 https://mds2.fidoalliance.org/tokens/ 8 FIDO UAF 5. 5 FIDO FIDO Registration FIDO FIDO Authentication FIDO Deregistration UAF 5. 5. 1 UAF 8 FIDO UAF FIDO RP: Relying Party FIDO FIDO FIDO Web Web RP Web FIDO 1 RP 2 RP FIDO 3 FIDO RP 4 RP FIDO
5 FIDO 6 FIDO 7 PIN 8 9 RP FIDO 10 RP FIDO 11 FIDO 12 ID 13 FIDO 45 FIDO RP 5. 5. 2 UAF FIDO UAF 9 1 RP 2 RP FIDO 3 FIDO RP 4 RP FIDO 5 FIDO 9 FIDO UAF 6 FIDO 7 ( PIN ) 8 9 10 RP FIDO 11 FIDO 12 RP FIDO 6. FIDO FIDO FIDO FIDO FIDO 10 FIDO
10 FIDO 12 FIDO UAF/U2F FIDO2 FIDO 11 FIDO 11 Security Evaluation Authenticator Certification 2018 8 1 2 2 1 FIDO 2 TEE FIDO 1 2 2018 11 Functional Certification 1 2 7. FIDO2 FIDO FIDO UAF U2F FIDO FIDO2 FIDO2 Web Web Authentication 12 Web W3C World Wide Web Consortium Web WG 10 FIDO FIDO UAF U2F 2015 11 W3C 2018 5 CR (Candidate Recommendation) CTAP Client To Authenticator Protocol 13 Web FIDO FIDO 12 FIDO FIDO UAF U2F W3C Web CTAP Web CTAP FIDO 10 https://www.w3.org/tr/webauthn/
13 Web 7. 1 Web Web Web OS Web FIDO Chrome Edge Firefox Web FIDO UAF U2F FIDO 13 Web Web Web Web API Web JavaScript FIDO FIDO Web FIDO 7. 2 CTAP CTAP PC Web PC BLE NFC Web FIDO U2F PC USB FIDO 14 14 FIDO 15 FIDO2 USB BLE NFC CTAP CTAP FIDO FIDO2 RP FIDO UAF Android FIDO2 FIDO2 11 15 FIDO2 UAF MDS FIDO2 PC FIDO 1 PC RP URL 2 11 https://fidoalliance.org/fido-alliance-and-w3c-achieve-major-standards-milestone-in-global-effort-towards-simpler-stronger-authentication-on-the-web/
3 RP FIDO FIDO 4 FIDO RP 5 RP UAF JavaScript 6 PC Bluetooth RP JavaScript PC makeCredential() 7 8 9 RP 10 RP FIDO 11 FIDO 12 FIDO UAF UAF

7 makeCredential() JavaScript Web 12, 12

```javascript
// Web Authentication registration (makeCredential) example, quoted from [12].
// Check that the browser exposes the Web Authentication API.
if (!window.PublicKeyCredential) {
  // The client cannot use the API; handle the error.
}

var publicKey = {
  // Challenge: a 32-byte random value generated by the FIDO server
  // (only the first bytes are shown; the rest are elided in the original listing).
  challenge: new Uint8Array([21, 31, 105 /* ... remaining server-generated random bytes */]),

  // Relying Party (RP)
  rp: {
    name: "Example Corporation"
  },

  // User account
  user: {
    // User handle, base64-decoded into bytes (the value is truncated in the original listing)
    id: Uint8Array.from(window.atob("mii.="), c => c.charCodeAt(0)),
    name: "alex.p.mueller@example.com",
    displayName: "Alex P. Müller",
    icon: "https://pics.example.com/00/p/abjjjpqpb.png"
  },

  // Acceptable credential algorithms, in order of preference: ES256 first, then RS256 (16).
  // The "alg" values are COSE algorithm identifiers.
  pubKeyCredParams: [
    { type: "public-key", alg: -7 },   // "ES256"
    { type: "public-key", alg: -257 }  // "RS256"
  ],

  timeout: 60000,          // 1 minute
  excludeCredentials: [],  // no credentials to exclude
  extensions: { "loc": true }
};

// makeCredential(): this call makes the authenticator display its UI.
// The resulting credential is sent to the RP for verification and registration.
navigator.credentials.create({ publicKey })
  .then(function (newCredentialInfo) {
    // Send the new credential information to the RP server.
  })
  .catch(function (err) {
    // No acceptable authenticator, or the user refused consent.
  });
```

USB JSON (JavaScript Object Notation) 14 CTAP CBOR (Concise Binary Object Representation) 15 16 FIDO2 UAF RP FIDO

6 getAssertion() Web 12, 12

```javascript
// Web Authentication authentication (getAssertion) example, quoted from [12].
if (!window.PublicKeyCredential) {
  // The client cannot use the API; handle the error.
}

var encoder = new TextEncoder();
// Descriptors of the credentials the RP will accept ("id" is the credential ID)
var acceptableCredential1 = {
  type: "public-key",
  id: encoder.encode("!!!!!!!hi there!!!!!!!\n")
};
var acceptableCredential2 = {
  type: "public-key",
  id: encoder.encode("roses are red, violets are blue\n")
};

var options = {
  // Challenge generated by the FIDO server (remaining bytes elided in the original listing)
  challenge: new Uint8Array([8, 18, 33 /* ... remaining server-generated random bytes */]),
  timeout: 60000,  // 1 minute
  allowCredentials: [acceptableCredential1, acceptableCredential2],
  // Transaction authorization extension: text shown to the user for confirmation
  extensions: { txAuthSimple: "Wave your hands in the air like you just don't care" }
};

// getAssertion(): the authenticator signs the challenge with the registered key.
navigator.credentials.get({ "publicKey": options })
  .then(function (assertion) {
    // Send the assertion to the RP server for verification.
  })
  .catch(function (err) {
    // No acceptable credential, or the user refused consent.
  });
```

RP FIDO RP FIDO FIDO Universal Server 12

8. FIDO FIDO FIDO Web NTT FIDO Japan WG

1 FIDO Japan Technology Sub WG, FIDO 2017, https://www.slideshare.net/fidoalliance/fido-83445442
2 FIDO Alliance, FIDO authentication and the general data protection regulation (GDPR), May 2018, https://fidoalliance.org/wp-content/uploads/fido_Authentication_and_GDPR_White_Paper_May2018-1.pdf
3 FIDO Alliance, FIDO UAF architectural overview, Proposed Standard, Feb. 2017, https://fidoalliance.org/download/
4 FIDO Alliance, Universal 2nd factor (U2F) overview, Proposed Standard, April 2017, https://fidoalliance.org/download/
5 OASIS, Assertions and protocol for the OASIS security assertion markup language (SAML) V2.0, OASIS Standard, March 2005.
6 OpenID Foundation, OpenID Connect Core 1.0 incorporating errata set 1, 2014.
7 FIDO FIDO Dec. 2016, https://fidoalliance.org/wp-content/uploads/FIDOTokyo-gomi-120816-ja.pdf
8 FIDO Alliance, Enterprise adoption best practices, Dec. 2017, https://fidoalliance.org/wp-content/uploads/enterprise_Adoption_Best_Practices_Federation_FIDO_Alliance.pdf
9 NTT FIDO d vol.80, pp.763-772, Jan. 2017, https://www.tta.or.jp/book/1051/
10 FIDO FinTech 2018-2019 pp.763-772, BP 2018, http://coin.nikkeibp.co.jp/coin/nft/
11 FIDO Alliance, FIDO metadata service, Proposed Standard, Feb. 2017, https://fidoalliance.org/download/
12 W3C, Web authentication: An API for accessing public key credentials level 1, W3C Candidate Recommendation, March 2018, https://www.w3.org/tr/webauthn/
13 FIDO Alliance, Client to authenticator protocol, Proposed Standard, Sept. 2017, https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html
14 T. Bray, The JavaScript object notation (JSON) data interchange format, RFC 8259, Dec. 2017.
15 C. Bormann and P. Hoffman, Concise binary object representation (CBOR), RFC 7049, Oct. 2013.

BioX 30 7 4
12 https://fidoalliance.org/fido-alliance-and-w3c-achieve-major-standards-milestone-in-global-effort-towards-simpler-stronger-authentication-on-the-web/
Hidehito GOMI (Member): Completed the Department of Applied Systems Science, Graduate School of Engineering, Kyoto University, in 1996 and joined NEC Corporation the same year, assigned to its Central Research Laboratories. Visiting researcher at Stanford University from 2001 to 2003. Since 2007, engaged in research and development of security, privacy and identity management technologies at Yahoo Japan Corporation (Yahoo! JAPAN Research). Currently a Senior Researcher at the same laboratory. Member of IEEE, ACM and IPSJ. Ph.D. (Informatics). Technology lead of the FIDO Alliance Japan WG.

Wataru OOGAMI: Completed the master's program in the Department of Intelligence Science and Technology, Graduate School of Informatics, Kyoto University, in 2012 and joined Yahoo Japan Corporation the same year. Engaged in research and development of context-aware technologies for usability and security through identity management and access control.