FIDO2/U2F Challenge and Response Protocol

The FIDO2/U2F Key is used as a two-step verification to compensate for password vulnerabilities. Passwords are the cause of more than 80% of cyber attacks. In addition, it is very difficult to remember all of one's passwords, yet people continue to use them, because they do not have to pay for passwords. One way to solve this cost issue while ensuring security is to deploy the inexpensive eSecu FIDO2/U2F Key FD200. The key is used in a two-step user authentication, password plus key, which is both two steps and two factors. After entering the password, the user is asked to insert the key into a USB port and press the button on the key. FIDO U2F is the Universal Second Factor protocol of the FIDO Alliance.


This two-step authentication is available in the Google Workspace, Facebook, Dashlane, Gmail, Dropbox and GitHub web services. You can log in to Google Workspace with the key on the Chrome browser. The ExcelSecu FD200 and FD202 comply with FIDO U2F and FIDO2, so they can be used as FIDO U2F keys for two-step verification. Moreover, as a FIDO2 device, the key enables password-less login to the cloud. Although this frees the user from the password, it is a one-factor authentication, so its use should be limited to environments with better security.


Many vendors offer FIDO U2F keys. The eSecu FD200, FD202 and FD203 are relatively low-priced while maintaining high quality. There are many other two-step verification methods, but the most suitable one must be selected according to the user's situation, for example whether a smartphone is required or whether software-based authentication is too vulnerable.

Overview

The FIDO2/U2F protocol allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login. As before, the user logs in as the first step with a username and password. The service can also prompt the user to present a second-factor device at any time it chooses. The strong second factor allows the service to simplify its passwords, for example to a PIN, without compromising security.

1st step: Username and Password

2nd step: Authentication with ExcelSecu FD200/FD202/FD203

During registration for the second-factor authentication, a PKI key pair of the user, consisting of the user public key and the user private key, is generated. The user public key is sent from the eSecu FIDO2/U2F key to the server, while the user private key either remains in the SE (secure element) inside the eSecu FIDO2/U2F key or is sent to the server. The server must be able to certify that the user public key is a genuine one issued by an eSecu U2F key from the vendor ExcelSecu. For this, the certificate of the CA or of the vendor ExcelSecu for the eSecu FIDO2/U2F key is used, which employs another PKI key pair: the Attestation public key and the Attestation private key. The Attestation certificate, together with its signature, is sent from the eSecu FIDO2/U2F key to the server. In this process the chain of trust is established.

During registration and authentication with the eSecu FIDO2/U2F key, the user presents the second factor simply by pressing a button on the USB device or tapping it over NFC. The user can use their FIDO U2F device across all online services that support the protocol, leveraging built-in support in web browsers.

Fig.1 Chain of Trust

Registration Protocol

① From the server side to the eSecu FIDO2/U2F Key

  1. A random-number challenge and data related to the application are sent to the key from the server side.
  2. The challenge parameter includes the challenge, the origin (URI) and the TLS channel ID. The origin (combination of protocol, hostname and port) prevents phishing attacks, and the TLS channel ID prevents man-in-the-middle attacks. The latter is optional.

The browser sends a signal asking whether the user indeed wants to allow the current site to register a FIDO2/U2F key. When the white light on the key is flashing, short-press the button on the key to activate it. The key then responds to the request by generating the user's key pair. In this way, malware cannot exercise the signature when the user is not present.

② From eSecu FIDO2/U2F key to the server side

  1. The eSecu FIDO2/U2F Key generates a public/private key pair for authentication. The public key is sent to the server side as the user public key.
  2. The key handle is a value corresponding to the user public key for authentication, and it includes the encrypted origin. If the key handle contains the encrypted authentication private key, this amounts to storing the authentication private key on the server side. If the key handle does not contain the authentication private key, the private key is stored in the secure IC chip in the eSecu FIDO2/U2F key, which is more secure.
  3. The Attestation certificate is a certificate from a CA (Certificate Authority) or the key vendor, which certifies that the key was genuinely made by the eSecu vendor. The certificate is written in X.509 format and consists of certificate data, including the Attestation public key, and a signature made with the Attestation private key. The certificate data consists of the Attestation public key, the certificate issuance date, the expiry date and so on. When the server receives the certificate, it assembles the same data, calculates the hash value of that data and encrypts the hash value; if the result coincides with the signature, the server has verified that the certificate was received correctly.

The signature is made with the Attestation private key over the data consisting of the challenge and application parameters, the key handle and the user public key.

Fig.2 Registration

Authentication Protocol

③ From the server side to the eSecu FIDO2/U2F Key

  1. A random-number challenge from the server side and the application data are sent to the eSecu FIDO2/U2F key (the key handle is also sent).

The browser sends down to the key the data that it needs to sign. When the white light on the key is flashing, the user has to press the button on the device. This ensures that a signature is produced only with the user's permission; in this way, malware cannot exercise the signature when the user is not present.

④ From eSecu FIDO2/U2F key to the server side

  1. The counter value counts the number of authentications. A received value that is not the previous value plus 1 indicates an abnormal situation.
  2. The signature is made with the user private key over the data, which consists of the challenge, the application information, the counter value and the user-presence information of the eSecu FIDO2/U2F Key, captured when the button is pressed. When the server receives these data, it creates the same data, calculates the specified hash value and encrypts it with the user public key. If the result is the same as the received signature value, the server authenticates the user. This mechanism authenticates the validity of both the key and the user.

Fig.3 Verification
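The exchanges of steps ② and ④ above, as an added example written for this page (not ExcelSecu's code or firmware) using Go's standard-library ECDSA: the key side generates the P-256 user key pair, keeps the private key, refuses to sign without a button press and increments its counter; the server side stores only the user public key and checks the signature and the counter. The signed bytes follow the FIDO U2F raw-message layout (application parameter, presence byte, counter, challenge parameter); attestation, the key handle and the browser transport are left out, and the app ID and client-data strings are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the eSecu key: the user private key never leaves it; counter grows with each signature.
type Authenticator struct{ priv *ecdsa.PrivateKey; counter uint32 }
// Registration is what the server stores after step ②: the user public key and the last counter seen.
type Registration struct{ pub *ecdsa.PublicKey; lastCounter uint32 }
// Register models registration: the key generates a P-256 pair and only the public key reaches the server.
func Register() (*Authenticator, *Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Registration{pub: &priv.PublicKey}, nil
}
// signedHash hashes the U2F raw message of step ④: SHA-256(appID) || 0x01 (button pressed) || 4-byte
// big-endian counter || SHA-256(clientData); clientData holds challenge and origin, so a phishing origin fails.
func signedHash(appID, clientData string, c uint32) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256([]byte(clientData))
	h := sha256.Sum256(append(append(app[:], 0x01, byte(c>>24), byte(c>>16), byte(c>>8), byte(c)), chal[:]...))
	return h[:]
}
// Respond models step ④ on the key: without a button press nothing is signed.
func (a *Authenticator) Respond(appID, clientData string, buttonPressed bool) (uint32, []byte, error) {
	if !buttonPressed {
		return 0, nil, errors.New("no user presence: key refuses to sign")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedHash(appID, clientData, a.counter))
	return a.counter, sig, err
}
// Verify is the server side of step ④: same hash, signature check with the stored user public key, and the
// counter rule as the page states it (exactly previous+1; the U2F spec itself only requires a larger value).
func (r *Registration) Verify(appID, clientData string, counter uint32, sig []byte) error {
	if counter != r.lastCounter+1 {
		return errors.New("counter anomaly: replay or cloned key")
	}
	if !ecdsa.VerifyASN1(r.pub, signedHash(appID, clientData, counter), sig) {
		return errors.New("signature invalid: wrong key, challenge or origin")
	}
	r.lastCounter = counter
	return nil
}
```

A replayed response is rejected by the counter rule, and a signature the key produced for a different origin fails at the genuine server because the hashed client data differs.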