CTAP2 backward compatible U2F

[Tú Trần]

Hi devs,

I am implementing CTAP2 backward compatible U2F on USB, BLE hardware security key. It work with Facebook site. But google site RpID Hash (use to login with CTAP2) and APPID(use to register with U2F) is not same.

In addition, when I use the usb security key to login google site on Google Chrome Window, after I returning CTAP2_ERR_NO_CREDENTIALS  with the CTAP2 get assertion packages, the key continues to receive the U2f package. This is the opposite of BLE key, after I return  CTAP2_ERR_NO_CREDENTIALS  with CTAP2 get assertion packets I don't get u2f packet but keep getting CTAP2 get assertion packet with payload that can't be parsing cbor.

This is packet BLE I can't be parsing cbor:

83 00 73 02 07 d8 77 dc 8c 0c 76 c6 6e a7 2b 84 d8 4b ea ec 20 52 f8 52 cb 47 83 19 96 76 c9 1f 5c 00 ac 61 cd a5 46 72 b2 22 c4 cf 95 e1 51 ed 8d 4d 3c 76 7a 6c c3 49 43 59 43 79 4e 88 4f 3d 02 3a 82 29 fd 30 c7 61 0a cd d7 0d db 4b 36 ce db ba 6c 0a b7 ae d2 0c cd 17 35 c6 51 43 5f 59 aa 65 be bf 60 aa 93 bd 30 da 33 dc 5a ed 88 d8 b9 0b 8d 59 01 5f

Has anyone encountered this situation before?

[Philipp Junghannß]

that the rpid hash and AppID is not the same is likely intentional because google uses a facet json (even if not, U2F AppIDs contain "https://" while FIDO2 rpIDs dont). however on login there should be an appid extension, which tells the browser that if the try with rpid doesnt work, to retry with the contained appid hash. I would assume it still goes for CTAP2 if it can though, as the webauthn API used will use CTAP2 by default rather than U2F which likely is more for devices that cannot do CTAP2.

for pure U2F testing you can try places like u2f.bin.coffee or whatever it was called or also if you want my little sandboxes (not pretty but do the work)

pure webauthn: https://my1.dev/wa/my1.php

pure U2F https://my1.dev/u2f/my1.php

U2F to Webauthn transition (register on U2F one above, login here with Webauthn, basically what google does): https://my1.dev/wa-u2f/my1.php

Regards.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/32934e98-5789-4829-af1e-3de9cc10d3c7n%40fidoalliance.org.

[Tú Trần]

Tks My1 for your reply,

I checked again but i don't get any extension field with appID in CTAP2 get assertion packet. Analyze the packet I sent above, I guess it is u2f packet but missing CLA byte. I don't know what cause it. But my BLE security key still work great with google chrome Android which send u2f BLE packet has CLA byte (0x00).

Vào lúc 11:29:11 UTC+7 ngày Thứ Bảy, 10 tháng 7, 2021, My1 đã viết:

[Philipp Junghannß]

the extension is as far as I remember a client extension, since it also applies to U2F devices in the same way. because if you webauthn a U2F/CTAP1 device it is not getting a U2F-JS like appid based hash but rather the rpid hash. it will basically just resend the extension with a new client data hash to indicate the extension was used and the rpid set to the appid.