How does Public Key Cryptography work with FIDO?
398 views
Skip to first unread message
Callum Brankin
Oct 21, 2016, 11:10:41 AM10/21/16
to FIDO Dev (fido-dev)
From my understanding is that, after registration, the private key is stored on the users device and the public key is stored on the database server (normally it's the other way round). So when a user comes to do the first part of the UAF authentication, the app will make a call to the server to 'grab' the public key to "match" it with the private key on the users device, if the keys "match", it authenticates the users device. Is my understanding on this part of FIDO authentication correct?
Satish KARRY
Oct 21, 2016, 1:07:16 PM10/21/16
to Callum Brankin, FIDO Dev (fido-dev)
Here is a simple video that explains this concept. Let me know if this is helpful.
https://www.youtube.com/watch?v=BXl6npgDk8o
Thanks,
Satish
Satish KARRY
650 804 3824 | ska...@noknok.com | Palo Alto, CA
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To post to this group, send email to fido...@fidoalliance.org.
Visit this group at https://groups.google.com/a/fidoalliance.org/group/fido-dev/.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/20935e29-af9f-482d-957f-c5bf5d54635e%40fidoalliance.org.
Ron Garret
Oct 21, 2016, 1:17:11 PM10/21/16
to Callum Brankin, FIDO Dev (fido-dev)
On Oct 21, 2016, at 8:10 AM, Callum Brankin <cal...@pixelpin.co.uk> wrote:
> From my understanding is that, after registration, the private key is stored on the users device and the public key is stored on the database server
> (normally it's the other way round).
> So when a user comes to do the first part of the UAF authentication, the app will make a call to the server to 'grab' the public key to "match" it with the private key on the users device, if the keys “match"
rg
Arshad Noor
Oct 22, 2016, 5:28:37 AM10/22/16
to fido...@fidoalliance.org
One of the best introductions to Public Key Cryptography was written by
someone at Netscape almost two decades ago. We've permanently linked to
this article on our own website and use it to train every employee we
hire. You can find the article at:
https://developer.mozilla.org/en-US/docs/Archive/Security/Introduction_to_Public-Key_Cryptography
Apply the concepts you read in this paper - except substitute Public Key
wherever you see "digital certificate" - and you'll understand.
However, FIDO neither uses Certification Authorities nor any artifact
associated with Public Key Infrastructure (PKI) - save for the
Attestation Certificate - in its protocols.
Arshad Noor
StrongAuth, Inc.
someone at Netscape almost two decades ago. We've permanently linked to
this article on our own website and use it to train every employee we
hire. You can find the article at:
https://developer.mozilla.org/en-US/docs/Archive/Security/Introduction_to_Public-Key_Cryptography
Apply the concepts you read in this paper - except substitute Public Key
wherever you see "digital certificate" - and you'll understand.
However, FIDO neither uses Certification Authorities nor any artifact
associated with Public Key Infrastructure (PKI) - save for the
Attestation Certificate - in its protocols.
Arshad Noor
StrongAuth, Inc.
Tiểu Hảo Lương
Oct 25, 2016, 9:17:51 PM10/25/16
to FIDO Dev (fido-dev)
Hi all,
Let me ask some question. If I have a private key, can I generate a public key to combine with private key and make a key pair?
Thanks!
Arshad Noor
Oct 26, 2016, 7:18:22 AM10/26/16
to fido...@fidoalliance.org
Depends on the programming language and cryptographic library you are
using.
Speaking for the Java programming language, if you already have a
Private Key, you generally already have the Public Key too, since the
Java Cryptographic Extensions (JCE) API generates a KeyPair in a single
call to the library. From the KeyPair, you can choose to extract the
PublicKey and/or the PrivateKey (if your cryptographic module supports
extracting the PrivateKey; some will give you a "handle", but you do
not actually get the PrivateKey).
I do recall that BouncyCastle provides some API methods that allow you
to derive the PublicKey from the PrivateKey (but it has been sometime
since I last recall using that capability so I could be foggy on it).
In any case, with Object Oriented Programming languages, you generate
KeyPairs in one call and can extract either key from that as needed
Arshad Noor
StrongAuth, Inc.
using.
Speaking for the Java programming language, if you already have a
Private Key, you generally already have the Public Key too, since the
Java Cryptographic Extensions (JCE) API generates a KeyPair in a single
call to the library. From the KeyPair, you can choose to extract the
PublicKey and/or the PrivateKey (if your cryptographic module supports
extracting the PrivateKey; some will give you a "handle", but you do
not actually get the PrivateKey).
I do recall that BouncyCastle provides some API methods that allow you
to derive the PublicKey from the PrivateKey (but it has been sometime
since I last recall using that capability so I could be foggy on it).
In any case, with Object Oriented Programming languages, you generate
KeyPairs in one call and can extract either key from that as needed
Arshad Noor
StrongAuth, Inc.
Fred Le Tamanoir
Oct 26, 2016, 8:21:28 AM10/26/16
to Tiểu Hảo Lương, FIDO Dev (fido-dev)
Arshad answered with tools consideration in mind, but to be clear :
FIDO U2F specifications make it mandatory to use Elliptic curve cryptography (ECC) with this specific curve NIST P-256 (also called SECG secp256r1 or ANSI prime256v1).
If you know an ECC private key and the used curve name, you can generate the public key from the private key.
If you are used to work with RSA private keys, you can't do that with RSA, meaning you always have to store the full RSA key pair. With ECC, you don't have to have a full stored key pair if you want. It is still asymmetric cryptography but you can generate the public key from the private one.
FIDO U2F specifications make it mandatory to use Elliptic curve cryptography (ECC) with this specific curve NIST P-256 (also called SECG secp256r1 or ANSI prime256v1).
If you know an ECC private key and the used curve name, you can generate the public key from the private key.
If you are used to work with RSA private keys, you can't do that with RSA, meaning you always have to store the full RSA key pair. With ECC, you don't have to have a full stored key pair if you want. It is still asymmetric cryptography but you can generate the public key from the private one.
Callum Brankin
Oct 26, 2016, 10:42:45 AM10/26/16
to FIDO Dev (fido-dev), cal...@pixelpin.co.uk
Great video (link is dead now). How are the public and private keys created exactly? And in the FIDO UAF documentations,are they referred to as Attestation keys?
Ron Garret
Oct 26, 2016, 11:52:42 AM10/26/16
to Tiểu Hảo Lương, FIDO Dev (fido-dev)
The answer to your question as stated is: yes, of course you can.
But a more constructive answer is: why are you asking? Because the only circumstances I can imagine under which you would need to do this are ones in which you would have already known not only that you can do it, but exactly how to do it.
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To post to this group, send email to fido...@fidoalliance.org.
Visit this group at https://groups.google.com/a/fidoalliance.org/group/fido-dev/.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/7c4163c0-a9ad-49f8-a6de-1eaaeef78f6a%40fidoalliance.org.
Reply all
Reply to author
Forward
0 new messages