What is the difference between Attestation and Authentication key


Madhusudhan B

Jun 18, 2018, 2:34:09 PM
to FIDO Dev (fido-dev)
Hi All, 

I am new to this FIDO UAF and I am trying to understand how this works. I have some questions; it would be a great help if you could answer them.

1) What is the difference between an Attestation key and an Authentication key?
2) Can multiple users use the same client device for authentication?
3) What is metadata and how is it useful?
4) Once the registration is done, how does the UAF server identify a matching public key in the subsequent login? I mean, what is the primary key for the server to fetch the appropriate public key?
5) Is this FIDO UAF authenticator built into client devices (for example, browsers and Android devices)?

Thanks, 
Madhusudan

Arshad Noor

Jun 18, 2018, 6:28:02 PM
to fido...@fidoalliance.org

On 06/18/2018 11:34 AM, Madhusudhan B wrote:
> Hi All,
>
> I am new to this FIDO UAF and I am trying to understand how this works.
> I have some questions; it would be a great help if you could answer
> them.
>
> 1) What is the difference between an Attestation key and an Authentication key?

An Authentication Key is the Private Key of an ECDSA key-pair that
authenticates the individual using a FIDO protocol.

The Attestation Key is the Private Key of an ECDSA (or RSA) key-pair
that attests that the Authentication key-pair was generated in a device
manufactured by the company whose name is, typically, embedded in the
X.509 digital certificate (or certificate-chain) associated with the
Attestation key-pair's Public key.

> 2) Can multiple users use the same client device for authentication?

Typically, not in UAF. But, if the Authenticator device has the ability
to distinguish between different individuals uniquely, then it is
possible. This is not specified in a FIDO protocol, but is specific to
a manufacturer's implementation.

> 3) What is metadata and how is it useful?

Much as a Certificate Revocation List (CRL) is "metadata" (data about
digital certificates) that may be used to identify revoked digital
certificates, FIDO Metadata Statements provide information about FIDO
Authenticators that Relying Parties (RP) - the people who create
web-applications that use FIDO protocols for strong-authentication - may
use to make decisions about whether to accept FIDO registrations and/or
authentications from users.

> 4) Once the registration is done, how does the UAF server identify a
> matching public key in the subsequent login? I mean, what is the primary
> key for the server to fetch the appropriate public key?

This is up to an implementation, but one useful way is to use the
"username" associated with a user.

> 5) Is this FIDO UAF authenticator built into client devices (for example,
> browsers and Android devices)?

UAF is designed to be used with mobile devices. Consequently, the
entire mobile device itself is the Authenticator. It might rely upon a
Secure Element to generate and store the ECDSA key-pair; it might use a
variety of biometric mechanisms to locally-authenticate the user to the
Authenticator (the mobile device); etc. The cryptographic key is used
with mobile apps that may use the browser on the device, in their app.


If your interest is only in mobile devices, you have the choice of using
UAF or FIDO2/WebAuthn - the newer FIDO protocol for strong-authentication.

If your interest is only desktop/laptop platforms, you can consider
using U2F - a simpler FIDO protocol.

Finally, if your interest is in using any platform - mobile, desktop,
laptop, etc. - then you should focus on FIDO2/WebAuthn.

Arshad Noor
StrongKey

Madhusudhan B

Jun 19, 2018, 10:11:40 AM
to FIDO Dev (fido-dev), d...@fidoalliance.org

Hi Arshad Noor,

Thank you very much for the reply; it's really very helpful.
I have a couple more questions. Could you please answer these as well, if you don't mind :).

1) In FIDO UAF, how does the server recognize that a particular client 1) is FIDO capable and 2) that the user has enrolled and registered for FIDO authentication? I mean, once the registration is done, how does the server, just from the user opening a link (let's say the login page), respond with the UAF login page rather than the usual login page? Is there any message exchange happening in the background?
2) Is FIDO open source? Where can I find a FIDO authenticator, FIDO client and FIDO server for download? I found very little info about the FIDO license. I just wanted to know some details about it.
3) If my understanding is not wrong, FIDO is open source, but once we have the implementation in place we have to get it certified by the FIDO Alliance.
4) Can we use an external FIDO security device (for example, a YubiKey) for UAF authentication? From what I have found, I think we can, but the FIDO security device should be fingerprint capable; the usual devices where you just tap don't work for UAF because there would be no user validation done there.
5) What does this FIDO security device consist of? I mean, does it have a FIDO client and/or FIDO authenticator and storage? I ask this question because, if we use this FIDO device, does the actual device where the client application is running no longer need to have its own FIDO client and/or FIDO authenticator and storage?

Thanks,
Madhusudhan.

Arshad Noor

Jun 19, 2018, 8:39:18 PM
to fido...@fidoalliance.org
On 06/19/2018 07:11 AM, Madhusudhan B wrote:
>
> Hi Arshad Noor,
>
> Thank you very much for the reply; it's really very helpful.
> I have a couple more questions. Could you please answer these as well, if
> you don't mind :).
>
> 1) In FIDO UAF, how does the server recognize that a particular client
> 1) is FIDO capable

In all FIDO protocols, a FIDO Server does not interact with the FIDO
Client directly. A web-application is responsible for relaying messages
between the FIDO Client and the FIDO Server. As such, if the FIDO
Client is communicating with the web-app, either the web-app knows it
supports FIDO or it does not. If it does support FIDO, it will do
things differently than a web-app that does not support FIDO.

> and 2) that the user has enrolled and registered for FIDO
> authentication? I mean, once the registration is done, how does the
> server, just from the user opening a link (let's say the login page),
> respond with the UAF login page rather than the usual login page? Is
> there any message exchange happening in the background?

It is not the FIDO Server that knows a user has a FIDO key registered;
it is up to the web-app in between to query the FIDO Server if the user
(whose username is learned by the web-app through properties or through
a form submission) has a FIDO key registered with the FIDO Server. If
it does, then the FIDO Server returns a challenge to the web-app, which
is relayed to the FIDO Client, thus causing the Client to display the
appropriate message.

> 2) Is FIDO open source? Where can I find a FIDO authenticator, FIDO
> client and FIDO server for download? I found very little info about the
> FIDO license. I just wanted to know some details about it.

The FIDO protocol is open and royalty-free. However, implementations
may be FOSS or commercial licensed products. To the best of my
knowledge, there is only one FOSS UAF server: from eBay on GitHub. There
may be others, but I don't know of them. (Our company has a FOSS FIDO
Certified U2F Server at https://sourceforge.net/projects/skce).

> 3) If my understanding is not wrong, FIDO is open source, but once we
> have the implementation in place we have to get it certified by the FIDO
> Alliance.

The FIDO protocol is open; implementations do not have to be. You can
create an implementation and license it however you want. Whether you
choose to get it certified by the FIDO Alliance is a business decision.
It is not mandatory. However, implementers get their products certified
to send a signal to the market that they are serious about conformance
to an industry standard. Anyone can make a FIDO-compliant product; but
it doesn't necessarily mean that a customer has independent verification
that it has passed a certification process.

> 4) Can we use an external FIDO security device (for example, a YubiKey)
> for UAF authentication? From what I have found, I think we can, but the
> FIDO security device should be fingerprint capable; the usual devices
> where you just tap don't work for UAF because there would be no user
> validation done there.

To the best of my knowledge, YubiKey only supports the U2F protocol.
Remember, UAF was designed for mobile phone devices. While a mobile
phone can (technically) support UAF, U2F and/or FIDO2/WebAuthn, an
Authenticator that is not a mobile phone may choose to support only a
specific protocol (although it is theoretically possible to create a
standalone device that is not a mobile phone that supports all three
protocols; I just don't know of any).

> 5) What does this FIDO security device consist of? I mean, does it have
> a FIDO client and/or FIDO authenticator and storage? I ask this question
> because, if we use this FIDO device, does the actual device where the
> client application is running no longer need to have its own FIDO client
> and/or FIDO authenticator and storage?

The answer to your question depends on the type of FIDO Authenticator
you're referring to. There are many terms to refer to Authenticators:

* Platform, or Bound or Embedded Authenticator: An Authenticator that is
built into a mobile phone, a laptop, etc. that has the ability to
interact with a local FIDO Client (usually a browser) without the need
for an external transport protocol (such as Bluetooth, Near Field
Communications (NFC), etc.)

* External or Roaming Authenticator: An Authenticator that cannot be
used unless it is in communication with a FIDO-aware platform on another
device over a protocol such as Bluetooth, NFC, USB, etc. The YubiKey
working with a desktop/laptop over USB or with a mobile phone over NFC
is an example of this type of Authenticator.

Authenticators may support many features: secure elements, biometric
capability, different communication protocols (BLE, NFC, etc.) for
transporting packets of data. However, what they support are usually a
business decision. From a FIDO protocol conformance point-of-view, an
Authenticator must generate a byte-structure in conformance with a
specific FIDO protocol, and provide a "test of user presence".
Everything else is optional.

What makes this all confusing is that you can use one External
Authenticator with an NFC transport, another with a Bluetooth transport
and both can be "paired" to communicate with a mobile device that may
have its own Bound Authenticator. And, all three Authenticators may
have unique FIDO keys registered to work with the same web-application.
You can, technically, use any of the three Authenticators to log into
the web-application.

This sounds confusing because no authentication protocol has ever had
this kind of capability before; so it does take a little effort to
"forget" the old paradigms and understand the new one. But, once you
do, it all becomes quite simple.

If you're trying to understand FIDO, I would recommend you start with
learning U2F; it is a simpler protocol to understand. Once you
understand this, you can advance to UAF. Many of the principles will
remain the same even though the protocol is different. You will also
better understand the additional features UAF offers. When you're
finished with UAF, you'll be able to follow FIDO2/WebAuthn much more easily.

Good luck.

Arshad Noor
StrongKey
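The registration-then-login flow described in Arshad's two replies (the attestation key signing the newly generated authentication public key, and the server looking the public key up by username before checking the challenge signature), as an added Go example that is not code from this thread or from any FIDO implementation. It assumes P-256 ECDSA keys and a constructed attestation key standing in for a manufacturer's certificate chain; the names Register, AcceptRegistration, SignChallenge and VerifyLogin are the example's own.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)
// attestKey stands in for the device maker's attestation key (constructed; real ones come with an X.509 chain the RP validates).
var attestKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
// Registered is the FIDO Server's store of authentication public keys, keyed by username.
type Registered map[string]*ecdsa.PublicKey

// Register (authenticator side): make a fresh authentication key-pair and sign its public key with the attestation key.
func Register() (authKey *ecdsa.PrivateKey, pubDER, attestSig []byte, err error) {
	if authKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	if pubDER, err = x509.MarshalPKIXPublicKey(&authKey.PublicKey); err != nil {
		return nil, nil, nil, err
	}
	h := sha256.Sum256(pubDER) // attestation covers the new public key, proving where it was generated
	attestSig, err = ecdsa.SignASN1(rand.Reader, attestKey, h[:])
	return authKey, pubDER, attestSig, err
}

// AcceptRegistration (server side): store the key only if it parses as ECDSA and its attestation verifies under a trusted key.
func (r Registered) AcceptRegistration(user string, pubDER, attestSig []byte, trusted *ecdsa.PublicKey) bool {
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	ecPub, _ := pub.(*ecdsa.PublicKey) // nil when the DER is not an ECDSA key
	h := sha256.Sum256(pubDER)
	if err != nil || ecPub == nil || !ecdsa.VerifyASN1(trusted, h[:], attestSig) {
		return false // not attested by a trusted device: nothing is stored
	}
	r[user] = ecPub
	return true
}

// SignChallenge (authenticator side): the authentication private key signs the server's challenge.
func SignChallenge(authKey *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, authKey, h[:])
}

// VerifyLogin (server side): the username is the lookup key; a user with no registered key has no FIDO login path.
func (r Registered) VerifyLogin(user string, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	pub, ok := r[user]
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A web-app in the middle would call AcceptRegistration with the attestation public key it trusts (from the metadata statement or certificate chain) and VerifyLogin with the username it learned from the login form.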