Any constraints on the length of the challenge in FIDO2

21 views
Skip to first unread message

Thirumal Bandi

unread,
Jun 24, 2021, 11:45:53 PMJun 24
to FIDO Dev (fido-dev)
Hi All,

Spec says that the "Challenges SHOULD therefore be at least 16 bytes long." 

Wondering if there are any constraints on the max length of the challenge that can be used.

Thanks
Thirumal Bandi

Arshad Noor

unread,
Jun 27, 2021, 11:02:19 PMJun 27
to Thirumal Bandi, FIDO Dev (fido-dev)
Thirumal,

16-bytes is a minimum; 20-bytes will be a good balance according to this
blog (https://neilmadden.blog/2018/08/30/moving-away-from-uuids/).

However, the larger you make the challenge, you create 2 problems for
yourself:

1) FIDO servers will take longer to generate and process the challenge;
2) Since Security Keys operate on very small bits of silicon with highly
constrained operating environments, you run the risk that some Security
Keys might simply fail to process the challenge.

But, if you are working with specific authenticator implementations, and
have decided on a policy that constrains use of FIDO to those
implementations, then you can pretty much work within the limits of what
they have to offer.

Arshad Noor
StrongKey
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org
> <mailto:fido-dev+u...@fidoalliance.org>.
> To view this discussion on the web visit
> https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/6ef63362-4886-4bc6-84bf-8903f4d1ed1fn%40fidoalliance.org
> <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/6ef63362-4886-4bc6-84bf-8903f4d1ed1fn%40fidoalliance.org?utm_medium=email&utm_source=footer>.

John Bradley

unread,
Jun 27, 2021, 11:11:52 PMJun 27
to Arshad Noor, Thirumal Bandi, FIDO Dev (fido-dev)
The challenge is part of client data and not passed directly to the authenticator.   

The platform may have a problem with unusually large challenges, but the authenticator won't. 

John B. 

To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/bf80e84d-2279-dde2-e217-7158260b224b%40strongkey.com.

Thirumal Bandi

unread,
Jun 27, 2021, 11:29:48 PMJun 27
to John Bradley, Arshad Noor, FIDO Dev (fido-dev)
Hi John,

Doesn't the challenge signing process happen inside the authenticator? If yes then the challenge is sent into the authenticator

Thirumal

Philipp Junghannß

unread,
Jun 27, 2021, 11:36:21 PMJun 27
to Thirumal Bandi, John Bradley, Arshad Noor, FIDO Dev (fido-dev)
yes and no.

There's this thing called client data hash, where several pieces of "client data" are aggregated and hashed together which then is part of the signature.

This means the challenge is not directly signed but as the hash is signed it is verifiable.

Regards

DUBOUCHER Thomas

unread,
Jun 28, 2021, 3:08:12 AMJun 28
to Philipp Junghannß, Thirumal Bandi, John Bradley, Arshad Noor, FIDO Dev (fido-dev)

Hi all,

 

The wording is probably not precise enough.

 

In order to prevent replay attacks, the challenges MUST contain enough entropy to make guessing them infeasible. Challenges SHOULD therefore be at least 16 bytes long.

 

It should be read as “Challenges MUST contains at least 128 bits of entropy”, which in practical terms requires to generate 16 bytes from a cryptographically secure random number generator.

 

The challenge is indeed hashed, with the client data, before being sent to the authenticator.

 

Best regards,

 

--

Thomas Duboucher

Thirumal Bandi

unread,
Jun 28, 2021, 6:30:41 AMJun 28
to DUBOUCHER Thomas, Philipp Junghannß, John Bradley, Arshad Noor, FIDO Dev (fido-dev)
Philip, Thomas

Thanks for the explaination. It's clear now. 

Thirumal

Arshad Noor

unread,
Jun 28, 2021, 8:48:14 AMJun 28
to DUBOUCHER Thomas, Philipp Junghannß, Thirumal Bandi, John Bradley, FIDO Dev (fido-dev)

Thanks all, for clarifying that the challenge had to be hashed by the platform (browser) before going into the authenticator - sometimes, one gets so deep into the "FIDO woods" that one forgets to see the trees.

Arshad

Reply all
Reply to author
Forward
0 new messages