Any constraints on the length of the challenge in FIDO2

[Thirumal Bandi]

Hi All,

Spec says that the "Challenges SHOULD therefore be at least 16 bytes long." 

https://www.w3.org/TR/webauthn-2/#sctn-cryptographic-challenges

Wondering if there are any constraints on the max length of the challenge that can be used.

Thanks

Thirumal Bandi

[Arshad Noor]

Thirumal,

16-bytes is a minimum; 20-bytes will be a good balance according to this
blog (https://neilmadden.blog/2018/08/30/moving-away-from-uuids/).

However, the larger you make the challenge, you create 2 problems for
yourself:

1) FIDO servers will take longer to generate and process the challenge;
2) Since Security Keys operate on very small bits of silicon with highly
constrained operating environments, you run the risk that some Security
Keys might simply fail to process the challenge.

But, if you are working with specific authenticator implementations, and
have decided on a policy that constrains use of FIDO to those
implementations, then you can pretty much work within the limits of what
they have to offer.

Arshad Noor
StrongKey

> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org
> <mailto:fido-dev+u...@fidoalliance.org>.
> To view this discussion on the web visit
> https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/6ef63362-4886-4bc6-84bf-8903f4d1ed1fn%40fidoalliance.org
> <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/6ef63362-4886-4bc6-84bf-8903f4d1ed1fn%40fidoalliance.org?utm_medium=email&utm_source=footer>.

[John Bradley]

The challenge is part of client data and not passed directly to the authenticator.   

The platform may have a problem with unusually large challenges, but the authenticator won't. 

John B. 

To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/bf80e84d-2279-dde2-e217-7158260b224b%40strongkey.com.

[Thirumal Bandi]

Hi John,

Doesn't the challenge signing process happen inside the authenticator? If yes then the challenge is sent into the authenticator

Thirumal

[Philipp Junghannß]

yes and no.

There's this thing called client data hash, where several pieces of "client data" are aggregated and hashed together which then is part of the signature.

This means the challenge is not directly signed but as the hash is signed it is verifiable.

Regards

To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CAKWzpDvGTPzaqeVeqMpVuS8yqL%2BcE451Ykq%3DW_3JQhvKdh8igA%40mail.gmail.com.

[DUBOUCHER Thomas]

Hi all,

 

The wording is probably not precise enough.

 

In order to prevent replay attacks, the challenges MUST contain enough entropy to make guessing them infeasible. Challenges SHOULD therefore be at least 16 bytes long.

 

It should be read as “Challenges MUST contains at least 128 bits of entropy”, which in practical terms requires to generate 16 bytes from a cryptographically secure random number generator.

 

The challenge is indeed hashed, with the client data, before being sent to the authenticator.

 

Best regards,

 

--

Thomas Duboucher

To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACHSkNohnCKc61SiW-om3iRr-reXnW%2B7x3moLkEyTc%3DkEpz%2BYg%40mail.gmail.com.

[Thirumal Bandi]

Philip, Thomas

Thanks for the explaination. It's clear now. 

Thirumal

[Arshad Noor]

Thanks all, for clarifying that the challenge had to be hashed by the platform (browser) before going into the authenticator - sometimes, one gets so deep into the "FIDO woods" that one forgets to see the trees.

Arshad