Internal (Platform) authenticator implementation


Praveen PPT

Oct 27, 2024, 11:52:37 PM
to FIDO Dev (fido-dev)
Hello All,

We have a FIDO application compliant with the CTAP2.1 specification, implemented as a Javacard applet on a secure element, which works as a roaming authenticator.

However, we want to embed the secure element as part of a device (laptop) and make the application behave like an internal authenticator.

1. Since the transport is internal, what protocol is used by the device (laptop) to communicate with the FIDO application? Do we have any details or reference available?

2. Do we have any details on how an embedded device can register itself on the Windows OS as a FIDO authenticator?

3. How can we test our implementation?

I feel there should be some middleware which receives data from Windows and converts it into APDU format so that the secure element can process the request. But without information on how Windows (or any client device in which the secure element is embedded) will do this, it is becoming difficult to imagine the solution.


Kind Regards,
Praveen P T
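The middleware described in the post above, as an added example that is not part of the original thread: it frames CTAP2 commands in the ISO 7816 APDU encoding that the CTAP2 spec defines for its NFC/smart-card transport (assumed here to be the interface the Javacard applet already exposes), handles command chaining for long payloads, and talks to a constructed stub applet in place of a real secure element; no Windows API is involved.

```python
from typing import Callable, List, Tuple

FIDO_AID = bytes.fromhex("A0000006472F0001")  # FIDO applet AID from the CTAP2 spec
MAX_SHORT_DATA = 255                          # data bytes per short APDU
CTAP_GET_INFO = 0x04                          # authenticatorGetInfo command byte

def select_apdu() -> bytes:
    """ISO 7816-4 SELECT by AID, which opens the FIDO applet on the SE."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(FIDO_AID)]) + FIDO_AID + b"\x00"

def ctap_apdus(cmd: int, cbor: bytes = b"") -> List[bytes]:
    """Wrap <cmd byte || CBOR> into NFCCTAP_MSG APDUs (CLA 0x80, INS 0x10); payloads
    over 255 bytes are chained: CLA bit 0x10 set on all but the last, Le only on the last."""
    payload = bytes([cmd]) + cbor
    chunks = [payload[i:i + MAX_SHORT_DATA] for i in range(0, len(payload), MAX_SHORT_DATA)]
    apdus = []
    for idx, chunk in enumerate(chunks):
        last = idx == len(chunks) - 1
        header = bytes([0x80 if last else 0x90, 0x10, 0x00, 0x00, len(chunk)])
        apdus.append(header + chunk + (b"\x00" if last else b""))
    return apdus

def parse_response(rapdu: bytes) -> Tuple[int, bytes]:
    """Split a response APDU into (CTAP status byte, CBOR body); reject a bad SW."""
    if len(rapdu) < 3:
        raise ValueError("response too short")
    sw = int.from_bytes(rapdu[-2:], "big")
    if sw != 0x9000:
        raise ValueError(f"card error SW={sw:04X}")
    return rapdu[0], rapdu[1:-2]

def get_info(send: Callable[[bytes], bytes]) -> Tuple[int, bytes]:
    """Middleware round trip over any APDU channel: SELECT, then GetInfo."""
    if send(select_apdu())[-2:] != b"\x90\x00":
        raise RuntimeError("FIDO applet not present")
    resp = b""
    for apdu in ctap_apdus(CTAP_GET_INFO):
        resp = send(apdu)  # a chained fragment answers 9000 with no body
    return parse_response(resp)

def fake_applet(apdu: bytes) -> bytes:
    """Constructed stand-in for the SE applet (not real applet code): answers SELECT
    with a version string and GetInfo with status 0x00 + CBOR {1: ["FIDO_2_1"]}."""
    cla, ins, data = apdu[0], apdu[1], apdu[5:5 + apdu[4]]
    if (cla, ins) == (0x00, 0xA4) and data == FIDO_AID:
        return b"FIDO_2_0\x90\x00"
    if (cla & 0xEF) == 0x80 and ins == 0x10 and data[:1] == bytes([CTAP_GET_INFO]):
        return b"\x00" + bytes.fromhex("A10181") + b"\x68FIDO_2_1" + b"\x90\x00"
    return b"\x6D\x00"  # SW 6D00: INS not supported
```

The stub does not reassemble chained fragments; a real applet must buffer CLA 0x90 fragments until the final CLA 0x80 APDU arrives before dispatching the CTAP command.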

Arshad Noor

Oct 28, 2024, 1:02:41 AM
to fido...@fidoalliance.org
Praveen,

Many business-class laptops/desktops have had a secure element (SE) on
their motherboards since 2010: the Trusted Platform Module (TPM). Most
server-class machines include a TPM as a standard component. Windows 11
made the TPM mandatory for its use a couple of years ago.

The TPM is a general cryptographic device; you can create & use almost
any application-specific cryptographic protocol using its low-level API
- that is what we did to use it as an inexpensive FIPS 140-2 Level-2
certified cryptographic hardware module for managing tens of millions of
cryptographic keys within the (Linux-based) StrongKey Tellaro appliance.
Microsoft uses the TPM for FIDO operations as well as other use-cases.

Since we don't write software for Windows, I can't tell you if there is
anything of value you can add to Microsoft's implementation of CTAP with
the TPM. But, if you are interested in simply learning about leveraging
the TPM for other application-specific use-cases, you are better off
studying the Trusted Computing Group (TCG)'s documentation as well as
open-source software that supports the TPM:

https://duckduckgo.com/?q=trousers+documentation+%252Btpm

and then studying what Microsoft enables with its APIs leveraging the TPM.

Arshad Noor
StrongKey

Praveen PPT

Oct 29, 2024, 12:06:22 AM
to FIDO Dev (fido-dev), Arshad Noor
Thank you Arshad.

What if we want to implement a new solution without the TPM?
Because if we configure the FIDO application as transport=internal, we are not sure of the protocol used by the device-specific client, and we are wondering how the data can be shared/passed on to the secure element.

Tim Cappalli

Oct 29, 2024, 12:25:04 AM
to Praveen PPT, FIDO Dev (fido-dev), Arshad Noor
You'll need to use the Windows passkey provider APIs. I don't believe they're publicly documented yet, so you'll need to work with your Microsoft BD contacts. 

tim


Arshad Noor

Oct 29, 2024, 9:10:12 AM
to Praveen PPT, FIDO Dev (fido-dev)
Every platform device manufacturer has their own implementation -
Android, iOS/OS-X and Windows. They all have their quirks and
proprietary features embedded in them. From a security and privacy pov,
pay attention to what is going on with the current wave of 'synced
passkeys' [1] and figure out what you want to do. After that, you'll
have to study the individual platform APIs and write your code to them.

However, since each of the platform high-level FIDO APIs has to use
low-level cryptographic APIs to implement the capability, there is a way
to bypass the privacy denigrating features by writing your own
implementations to enable FIDO with the desired level of security and
privacy.

Take a look at our open-source Android implementation at [2] that was
designed to work with our open-source FIDO Certified server (at the same
sourceforge.net project); you'll see one implementation that does not
require Google APIs. However, you are unlikely to find similar benefits
as the AOSP on Apple/Microsoft platforms.

Arshad

[1] https://www.linkedin.com/pulse/would-you-trust-your-bank-both-keys-safe-deposit-box-arshad-noor/

[2] https://sourceforge.net/projects/strongkeyfido/files/v4.13.0/sampleapps/java/sacl/

Praveen PPT

Oct 30, 2024, 8:48:22 AM
to FIDO Dev (fido-dev), Arshad Noor, Praveen PPT
Thank you Tim and Arshad :) 