Can the attestationObject be modified? The idea is that after the authentication device creates the attestationObject, can an attacker decode the attestationObject and modify or create a cloned attestationObject with altered information such as rpId...?
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/1afbe907-9d52-4112-8782-7d8549f4281en%40fidoalliance.org.
one thing that I am actually surprised about is that on attestation none, not even the credential key signs the registration, so the authenticator data inside the attestation object is basically free to modify as you see fit.
the none attestation should in my opinion at the very least have contained a signature over the Authdata using the credential pubkey
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACHSkNpEn4pcLtFgngdicHbHE9ebD5Pk7OcymMFEfPeELes4Nw%40mail.gmail.com.
The reason it is not signed by the authentication key is that none was something the browsers came up with to insert after they strip an attestation. Attestation is not optional in CTAP 1, 2.0 or 2.1. The attestation key always signs. Browsers/platforms were concerned about possible correlation and discrimination by exposing the AAGUID to the RP, and opted to strip the attestation or insert a self-signed one on some platforms if the RP didn't explicitly ask for an attestation in the request and the user consents to releasing additional info.

We did add none to CTAP 2.2 but it is too late to change the format. We could develop some new format that could be post-quantum safe or zero knowledge etc. That was why we added passing the attestation formats supported by the verifier to CTAP 2.2.
Sent from my iPhone
On Mar 15, 2024, at 6:37 AM, My1 <teamhyd...@gmail.com> wrote:

if you have an actual attestation (meaning that it isn't using the "none" format) not really, stuff is signed in there, especially the AuthenticatorData, which contains challenge, RPID etc. possibly even twice (once by the attestation cert private key, once by the credential private key).

one thing that I am actually surprised about is that on attestation none, not even the credential key signs the registration, so the authenticator data inside the attestation object is basically free to modify as you see fit.

the none attestation should in my opinion at the very least have contained a signature over the Authdata using the credential pubkey, or be a separate object similar to assertion so that attestation signs the authdata

On the other hand, changing the RPID would not really help anyway as the keys on authenticators are origin bound and on assertion (aka logging in) while you don't have attestation data anymore, you DO have an assertion signature using the credential pubkey.

Regards
--

On Fri., 15 March 2024 at 09:55, Việt NB <vietl...@gmail.com> wrote:

Can the attestationObject be modified? The idea is that after the authentication device creates the attestationObject, can an attacker decode the attestationObject and modify or create a cloned attestationObject with altered information such as rpId...?
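The practical consequence of the points above, as an added example that is not code from the thread or from any FIDO project: with fmt "none" there is no signature over authData, so the relying party's own checks (rpIdHash against its configured RP ID, the UP and AT flags, presence of a credential public key) are the only integrity checks on it. The example assumes the outer CBOR attestationObject has already been decoded and that `auth_data` is its authData byte string; the credential ID and COSE key bytes are constructed placeholders.

```python
import hashlib
import struct

FLAG_UP = 0x01  # user-present flag
FLAG_AT = 0x40  # attested credential data included

def build_auth_data(rp_id: str, cred_id: bytes, cose_key: bytes,
                    flags: int = FLAG_UP | FLAG_AT, sign_count: int = 0) -> bytes:
    """Constructed sample authData in the WebAuthn layout:
    rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    aaguid = bytes(16)  # zeroed AAGUID (constructed value)
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key)

def parse_auth_data(auth_data: bytes) -> dict:
    """Split authData into its fields; raises on a truncated header."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the 37-byte fixed header")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    out = {"rpIdHash": rp_id_hash, "flags": flags, "signCount": sign_count}
    if flags & FLAG_AT:
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        out["aaguid"] = auth_data[37:53]
        out["credentialId"] = auth_data[55:55 + cred_len]
        out["cosePublicKey"] = auth_data[55 + cred_len:]
    return out

def verify_none_attestation(auth_data: bytes, expected_rp_id: str) -> list:
    """Return the list of failed RP-side checks (empty means accept).
    With fmt "none" nothing signs authData, so a modified rpIdHash is only
    caught because the RP compares it against its own RP ID."""
    failures = []
    parsed = parse_auth_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        failures.append("rpIdHash does not match expected RP ID")
    if not parsed["flags"] & FLAG_UP:
        failures.append("user-presence flag not set")
    if not parsed["flags"] & FLAG_AT:
        failures.append("no attested credential data")
    elif not parsed.get("cosePublicKey"):
        failures.append("empty credential public key")
    return failures

# Constructed samples (hypothetical credential ID and COSE key bytes).
SAMPLE = build_auth_data("example.com", b"\x01" * 16, b"\xa5\x01\x02")
TAMPERED = build_auth_data("other.example", b"\x01" * 16, b"\xa5\x01\x02")
```

The assertion signature made later with the credential private key is what actually binds the credential to the origin; this block covers only the registration-time checks the RP can make on unsigned authData.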