FIDO Conformance V1.7.0 || CTAP 2.0 || BLUETOOTH || Timeout of 60000ms error


kishan saralaya

Jul 29, 2022, 11:42:19 AM
to FIDO Dev (fido-dev)

I am implementing a CTAP 2.0 Security Key.
I am using FIDO Conformance Test Tool Version 1.7.0.
Testing on Windows 10 Version 21H2 x64 platform.

Issue description

The Security Key which we are designing has four interfaces: USB, Contact (ISO 7816), Contactless (ISO 14443A) and Bluetooth. Using FIDO Conformance Test Tool version 1.7.0, we are able to pass all the test cases except one, which fails only on the BLE (Bluetooth) interface.
Under the ClientPin1 test suite, the test case below fails to complete the full transaction within 60000ms. Below is the snapshot of the Conformance Test Tool error:

P-3 Register a valid authenticatorMakeCred(0x01) using the valid PIN. Check that retries counter is reset and back to 8. Keep sending getPINToken with invalid pin until retries counter is 0. Send CTAP2 authenticatorClientPin(0x01) message with  getPinToken(0x01) subCommand, that contains valid pinCode, and check that authenticator returns error CTAP2_ERR_PIN_BLOCKED(0x32)

 Error: Timeout of 60000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.

BLE (Bluetooth) takes a little longer than USB or any other interface to complete the transaction, and BLE Disconnect and Connect is also part of this timeout value. So I would like to know whether it is a must to pass this test case to get the FIDO Certificate for the Token. I have been stuck on this issue for more than 15 days and am not sure whom to approach. Kindly do the needful.
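A model of the PIN retry handling that the P-3 test case exercises, added here as an illustration; it is not code from the thread, from the poster's firmware or from the Conformance Test Tool. It assumes the CTAP 2.0 getPinToken rules (8 persistent retries, CTAP2_ERR_PIN_AUTH_BLOCKED after 3 consecutive mismatches until a power cycle) and that a power cycle on BLE corresponds to the disconnect and reconnect mentioned in the post; `pin_state_t`, `pin_get_token` and `p3_power_cycles` are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define CTAP2_OK                   0x00 /* status codes from the CTAP 2.0 spec */
#define CTAP2_ERR_PIN_INVALID      0x31
#define CTAP2_ERR_PIN_BLOCKED      0x32
#define CTAP2_ERR_PIN_AUTH_BLOCKED 0x34
#define PIN_MAX_RETRIES     8 /* persistent counter, survives power cycles */
#define PIN_MAX_CONSECUTIVE 3 /* volatile counter, cleared by a power cycle */

typedef struct {
    uint8_t retries;     /* firmware would keep this in non-volatile storage */
    uint8_t consecutive; /* firmware would keep this in RAM */
} pin_state_t;

/* Model of getPinToken(0x01); pin_ok stands in for the pinHashEnc check.
 * retries is decremented before the comparison and restored only on success. */
uint8_t pin_get_token(pin_state_t *s, bool pin_ok) {
    if (s->retries == 0) return CTAP2_ERR_PIN_BLOCKED;
    if (s->consecutive >= PIN_MAX_CONSECUTIVE) return CTAP2_ERR_PIN_AUTH_BLOCKED;
    s->retries--;
    if (pin_ok) {
        s->retries = PIN_MAX_RETRIES;
        s->consecutive = 0;
        return CTAP2_OK;
    }
    s->consecutive++;
    if (s->retries == 0) return CTAP2_ERR_PIN_BLOCKED;
    if (s->consecutive >= PIN_MAX_CONSECUTIVE) return CTAP2_ERR_PIN_AUTH_BLOCKED;
    return CTAP2_ERR_PIN_INVALID;
}

/* Send wrong PINs until the counter is 0; returns the power cycles needed. */
int p3_power_cycles(pin_state_t *s) {
    int cycles = 0;
    while (s->retries > 0)
        if (pin_get_token(s, false) == CTAP2_ERR_PIN_AUTH_BLOCKED) {
            s->consecutive = 0; /* power cycle (assumed: BLE reconnect) */
            cycles++;
        }
    return cycles;
}

int main(void) {
    pin_state_t s = { PIN_MAX_RETRIES, 0 };
    int cycles = p3_power_cycles(&s);
    printf("power cycles: %d, valid PIN: 0x%02X\n", cycles, pin_get_token(&s, true));
    return 0;
}
```

Under these assumptions the sequence needs two power cycles before the counter reaches 0, so part of the test's wall-clock time is spent outside the CTAP commands themselves.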

Ackermann Yuriy

Jul 29, 2022, 1:42:44 PM
to kishan saralaya, FIDO Dev (fido-dev)
Hey Kishan.

I will take a look.


Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand



kishan saralaya

Jul 30, 2022, 9:45:38 AM
to Ackermann Yuriy, FIDO Dev (fido-dev)
Hey Yuriy,

Thank you.
As you suggested, I updated the FIDO Conformance Test Tool on my side to version 1.7.2, and the error still persists.

Regards,
 kishan


Neo Mthimkhulu

Aug 1, 2022, 3:21:26 PM
to kishan saralaya, FIDO Dev (fido-dev)
Hi there,

The FIDO team, below mentioned, Me,  the scenario mentioned is similar if not refers to the actual event, an interesting persuasion to gain access from an active user.

I tried some sec enhancement at the root developer directory, I'm waiting on a new challenge...;(

Neo_M

kishan saralaya

Aug 16, 2022, 1:49:17 AM
to FIDO Dev (fido-dev), spok...@gmail.com, FIDO Dev (fido-dev), kishan saralaya
Hi All,

I made a small change in the BLE packet size (MTU), from 20 bytes to 243 bytes. With this change there is an improvement in the overall data transmit time. The FIDO CTAP 2.0 Authenticator test now takes 571 seconds; earlier it took 727 seconds. Even after this improvement, I am not able to clear the one test case which was also failing earlier.

So I would like to know the average time taken by a FIDO BLE Certified Authenticator to complete the CTAP 2.0 Authenticator test in Conformance Test Tool v1.7.2. As per my understanding, we have fine-tuned the BLE performance of the Authenticator to the maximum, so I would like to know what I am missing here.


Regards,
kishan
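How the frame size changes the number of BLE writes per CTAP message, as an added example that is not code from the thread or from any FIDO tool. It assumes the CTAP 2.0 BLE framing (first frame CMD, HLEN, LLEN, data; later frames SEQ, data) and that the 20 and 243 bytes in the post are the usable frame size per write; `ble_fragment` is a hypothetical name and the 1024-byte message is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIDO_BLE_CMD_MSG 0x83 /* MSG command in the CTAP 2.0 BLE framing */

/* Split one CTAP message into frames of at most frag_size bytes each.
 * First frame:  CMD, HLEN, LLEN, data (3 bytes of header).
 * Later frames: SEQ, data (1 byte of header, SEQ wraps after 0x7F).
 * Frames are written back to back into out. Returns the number of frames,
 * or 0 when the arguments are out of range for this model or out is too small. */
size_t ble_fragment(const uint8_t *msg, size_t len, size_t frag_size,
                    uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t off = 0, w = 0, frames = 0;
    uint8_t seq = 0;

    if (frag_size < 4 || len == 0 || len > 0xFFFF) return 0;
    while (off < len) {
        size_t hdr = (frames == 0) ? 3 : 1;
        size_t n = len - off;
        if (n > frag_size - hdr) n = frag_size - hdr;
        if (w + hdr + n > out_cap) return 0;
        if (frames == 0) {
            out[w++] = FIDO_BLE_CMD_MSG;
            out[w++] = (uint8_t)(len >> 8);   /* HLEN */
            out[w++] = (uint8_t)(len & 0xFF); /* LLEN */
        } else {
            out[w++] = seq;
            seq = (uint8_t)((seq + 1) & 0x7F);
        }
        memcpy(out + w, msg + off, n);
        w += n;
        off += n;
        frames++;
    }
    *out_len = w;
    return frames;
}

int main(void) {
    static uint8_t msg[1024], out[2048]; /* constructed 1024-byte message */
    size_t used = 0;
    printf("20-byte frames:  %zu\n", ble_fragment(msg, sizeof msg, 20, out, sizeof out, &used));
    printf("243-byte frames: %zu\n", ble_fragment(msg, sizeof msg, 243, out, sizeof out, &used));
    return 0;
}
```

Under these assumptions the constructed 1024-byte message takes 54 frames at 20 bytes and 5 frames at 243 bytes.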





kishan saralaya

Aug 17, 2022, 12:00:05 PM
to FIDO Dev (fido-dev), kishan saralaya, spok...@gmail.com, FIDO Dev (fido-dev)
I compared the performance of our Authenticator device with a FIDO Certified FIDO2 BLE Authenticator. From the performance perspective our product stands good, so I am just curious to know how those authenticators are able to pass the task below:

P-3 Register a valid authenticatorMakeCred(0x01) using the valid PIN. Check that retries counter is reset and back to 8. Keep sending getPINToken with invalid pin until retries counter is 0. Send CTAP2 authenticatorClientPin(0x01) message with  getPinToken(0x01) subCommand, that contains valid pinCode, and check that authenticator returns error CTAP2_ERR_PIN_BLOCKED(0x32)

Any input on this front will be very helpful, kindly do the needful.

Ackermann Yuriy

Aug 17, 2022, 2:01:49 PM
to kishan saralaya, FIDO Dev (fido-dev), spok...@gmail.com
Hey Kishan. You are running on Win or OSX?

Kishan Saralaya

Aug 17, 2022, 9:19:33 PM
to Ackermann Yuriy, kishan saralaya, FIDO Dev (fido-dev), spok...@gmail.com
Hi Yuriy,

I am running it on Windows 10 OS.


Ackermann Yuriy

Aug 19, 2022, 9:11:16 AM
to Kishan Saralaya, kishan saralaya, FIDO Dev (fido-dev), spok...@gmail.com
I am looking into that. Seems like some underlying BLE stack issues.

Yuriy Ackermann

kishan saralaya

Aug 25, 2022, 11:22:16 AM
to FIDO Dev (fido-dev), Ackermann Yuriy, kishan saralaya, FIDO Dev (fido-dev), spok...@gmail.com, Kishan Saralaya
Hi Yuriy,

I tested the Authenticator which we designed in house, along with a FIDO certified BLE Token, using the FIDO Conformance Test Tool on Windows and OS X.
System details:
  FIDO Conformance Test Tool Version 1.7.2
  Windows 10, 64 bit
  OS X

Bluetooth connect and disconnect is stable on OS X; we have not seen any glitch or delay in BLE Token re/connect.
We also ran the U2F General and Transports tests on our token as well as on the FIDO certified Token using the BLE interface, and the resulting transaction time of our Token is lower than that of the FIDO certified Token by a few ms.

We then ran the same tests using the USB interface, and here also the performance of our token is on the faster side. But the main difference which I observed is that a specific test case which takes around 430ms over the USB interface takes 2400ms over the BLE interface. And this number is almost the same on OS X and Windows. If the BLE transaction takes 5 times longer than USB, then how will the same timeout value hold good?

Regards, 
 kishan 

Ackermann Yuriy

Sep 2, 2022, 10:35:30 AM
to kishan saralaya, FIDO Dev (fido-dev), spok...@gmail.com, Kishan Saralaya


Yuriy Ackermann

kishan saralaya

Sep 2, 2022, 11:58:07 AM
to FIDO Dev (fido-dev), Ackermann Yuriy, FIDO Dev (fido-dev), spok...@gmail.com, Kishan Saralaya, kishan saralaya
Hey Yuriy, 

I tried out FIDO Conformance Test Tool v1.7.3.

While using this tool we received an error showing getInfo MUST contain FIDO_2_1 or FIDO_2_1_PRE. As per the CTAP 2.0 spec this is FIDO_2_0.
Apart from this failure, I was getting two other errors while running Ext:HMAC Secret [error msg: Got CTAP2_ERR_UNSUPPORTED_ALG] and Ext:CredProtect [error msg: CTAP 2.1 conformant authenticator MUST support credprotect extension]. Please let me know how to resolve this issue.

Regards ,
 kishan
Screenshot 2022-09-02 at 3.17.52 PM.png