FIDO 생체인증 기술 개발 사례
29
생체 인증 Platform 개발 Platform Architecture팀 신기은 매니저
-
Upload
jieun-lee -
Category
Technology
-
view
2.370 -
download
1
Transcript of FIDO 생체인증 기술 개발 사례
생체 인증 Platform 개발
Platform Architecture팀 신기은 매니저
Fast IDentity Online
FIDO Alliance
• 2012년 설립
• 사용자 인증 시 Password에 대한 의존도를 낮추기 위한 Open, Scalable, Interoperable 기술 Spec 제안
• Spec의 전세계적인 적용 확대를 위한 Industry Program을 운영
• 현재 약 250여 회원사로 구성 됨
새로운 인증 모델
OTP MFA
Password PIN
Security Usability
Usability Secu
rity
FIDO
FIDO Adoption
FIDO Enabled Device
Demonstration
Technical Details
How FIDO Works
User Verification FIDO Authentication
Authenticator
Local verification
Online
authentication
(Asymmetric Key
Cryptography)
FIDO System Architecture
FIDO Building Blocks
Built-in or External
Metadata (1111#0001) { "aaid": "1111#0001", "description": "SKP FIDO UAF Authenticator v1.0", "authenticatorVersion": 1, "upv": [{ "major": 1, "minor": 0 }], "assertionScheme": "UAFV1TLV", "authenticationAlgorithm": 2, "publicKeyAlgAndEncoding": 257, "attestationTypes": [15880], "userVerificationDetails": [[{"userVerification": 2}]], "keyProtection": 6, "matcherProtection": 2, "attachmentHint": 1, "isSecondFactorOnly": false, "tcDisplay": 3, "tcDisplayContentType": "image/png", "tcDisplayPNGCharacteristics": [{ "width": 320, "height": 240, "bitDepth": 16, "colorType": 2, "compression": 0, "filter": 0, "interlace": 0 }], "attestationRootCertificates": [] }
UAF Protocol Version: 1.0
DER encoded ECDSA signature on the NIST secp256r1 curve
DER encoded ANSI X.9.62 formatted SubjectPublicKeyInfo
Surrogate Use fingerprint for user verification
Hardware and TEE based key management Authenticator's matcher is running inside the TEE
Software-based transaction confirmation display
Elliptic Curve Cryptography (ECC)
• Elliptic curve based public key cryptography
• Faster, Smaller, and more efficient – Faster (Key generation, Signature generation/verification)
– Smaller (Key size (pub/priv key)
• Android – API Level 19+ – SHA256withECDSA (secp256r1)
– SHA256withECDSA (secp256k1)
Policy { "accepted": [ [{ "userVerification": 2}], [{ "userVerification": 16}] ] }
{ "accepted": [ [{ "userVerification": 18}] ] }
Accept authenticators based on fingerprint or face
recognition
Accept authenticators based on alternative combination of
fingerprint and face recognition
{ "accepted": [ [{ "userVerification": 1042}] ] }
Accept authenticators based on mandatory combination of
fingerprint and face recognition
{ "accepted": [ [{ "vendorID": "1111"}] ], "disallowed": [{ "keyProtection": 1}] }
Accept authenticators having a vendorID as “1111” and
reject authenticators based on software-based key
management
Registration
Registration
FIDO Client API (Register Request) [ { "header": { "upv": { "major": 1, "minor": 0 }, "op": "Reg", "appID": "android:apk-key-hash:YHNHKiwobCkMLtCQw8XmVcR/A+s", "serverData": "c8729acc-c3c1-491d-8fe9-b65c3345bbc3;FBu4YyXMWO9qxJwPIsEKdHY7sAdCC9oJYedxg8WsIeM=" }, "challenge": "RRvq5yj3Z3Y4V64PykpJ_H-E_uqvYFCgBys48DxJkV0", "username": "test", "policy": { "accepted": [ [ { "aaid": [ "1111#0001" ] } ] ] } } ]
Registration
ASM API (Register Request) { "args": { "appID": "android:apk-key-hash:YHNHKiwobCkMLtCQw8XmVcR/A+s", "attestationType": 15880, "finalChallenge": "eyJhcHBJRCI6ImFuZHJvaWQ6YXBrLWtleS1oYXNoOllITkhLaXdvYkNrTUx0Q1F3OFhtVmNSL0ErcyIsImNoYWxsZW5nZSI6IlJSdnE1eWozWjNZNFY2NFB5a3BKX0gtRV91cXZZRkNnQnlzNDhEeEprVjAiLCJjaGFubmVsQmluZGluZyI6e30sImZhY2V0SUQiOiJhbmRyb2lkOmFway1rZXktaGFzaDpZSE5IS2l3b2JDa01MdENRdzhYbVZjUi9BK3MifQ", "username": "test" }, "asmVersion": { "major": 1, "minor": 0 }, "authenticatorIndex": 0, "requestType": "Register" }
Registration
Authenticator Commands (Register Command) AjSQAA0oAQAABCgwAGFuZHJvaWQ6YXBrLWtleS1oYXNoOllITkhLaXdvYkNrTUx0Q1F3OFhtVmNSL0ErcwouIABSNjVSMmcmDI9kEMTK5MZuz70oUfxPEaF6AGiwfL-wVgYoBQB0ZXN0MQcoAgAIPgUoIABAF5rkA5HOb-OL_zLsaSx8G8Vw9CDgVzidSM-t710pgg
Registration
Authenticator Commands (Register Command Response) AjZ1AQgoAgAAAA8oIQEBPh0BAz7LAAsuCQAxMTExIzAwMDEOLgcAAQABAgABAQouIABSNjVSMmcmDI9kEMTK5MZuz70oUfxPEaF6AGiwfL-wVgkuIACZXU3VXZNJQJmJ_iwt6qXBAAAAAAAAAAAAAAAAAAAAAA0uCAAAAAAABwAAAAwuWwAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASOLHgEB8IsrH-f9vS15RaSvVdztrT_CMugBNk3QYVVKuh0XvDXKjx4dHl1YkOqOrSuYe-VxDwfl-rKD3I4j8cmCD5KAAYuRgAwRAIgC6ro5a2GoM3wZPhbIq1elnLbAqY0kHRj_9QMPdZmSMQCIAuFWqhSFlUPqGVeKWc9nRwOmyp8BqyyEV3ifG0XlFHOAShGAA-W3gpU0KEtL9_AhznAF7GKoK8MYK7IPYOyVsFT_l8hmV1N1V2TSUCZif4sLeqlwQAAAAAAAAAAAAAAAAAAAAAFdGVzdDE
Registration
ASM API (Register Response) { "responseData": { "assertion": "AT4dAQM-ywALLgkAMTExMSMwMDAxDi4HAAEAAQIAAQEKLiAAFsP_hdL1x8R4hBONuORxHasJ2llsHtlbUpwBGCDeemQJLiAAXo9V-9YUT6Orufn5H-4xBAAAAAAAAAAAAAAAAAAAAAANLggAAAAAABkAAAAMLlsAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdYxS-2CR6zlZ0PvbopPnwr5yinSH97RGAu0ijlpzwIOV3ZKTH_a-SKSZXTtuxTUgFj7IQWgxJk1AyZpvT5QJmgg-SgAGLkYAMEQCICldUnDdcnEemZib-pXpiiyOnHMpYLmCyVZ35tVASLmDAiBW6LUHhKrgMmtty4S2UEjgNwPewHQU-py4WBn8UXahsg", "assertionScheme": "UAFV1TLV" }, "statusCode": 0 }
Registration
FIDO Client API (Register Response) [ { "assertions": [ { "assertion": "AT4dAQM-ywALLgkAMTExMSMwMDAxDi4HAAEAAQIAAQEKLiAAFsP_hdL1x8R4hBONuORxHasJ2llsHtlbUpwBGCDeemQJLiAAXo9V-9YUT6Orufn5H-4xBAAAAAAAAAAAAAAAAAAAAAANLggAAAAAABkAAAAMLlsAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdYxS-2CR6zlZ0PvbopPnwr5yinSH97RGAu0ijlpzwIOV3ZKTH_a-SKSZXTtuxTUgFj7IQWgxJk1AyZpvT5QJmgg-SgAGLkYAMEQCICldUnDdcnEemZib-pXpiiyOnHMpYLmCyVZ35tVASLmDAiBW6LUHhKrgMmtty4S2UEjgNwPewHQU-py4WBn8UXahsg", "assertionScheme": "UAFV1TLV" } ], "fcParams": "eyJhcHBJRCI6ImFuZHJvaWQ6YXBrLWtleS1oYXNoOllITkhLaXdvYkNrTUx0Q1F3OFhtVmNSL0ErcyIsImNoYWxsZW5nZSI6IlJSdnE1eWozWjNZNFY2NFB5a3BKX0gtRV91cXZZRkNnQnlzNDhEeEprVjAiLCJjaGFubmVsQmluZGluZyI6e30sImZhY2V0SUQiOiJhbmRyb2lkOmFway1rZXktaGFzaDpZSE5IS2l3b2JDa01MdENRdzhYbVZjUi9BK3MifQ", "header": { "appID": "android:apk-key-hash:YHNHKiwobCkMLtCQw8XmVcR/A+s", "op": "Reg", "serverData": "c8729acc-c3c1-491d-8fe9-b65c3345bbc3;FBu4YyXMWO9qxJwPIsEKdHY7sAdCC9oJYedxg8WsIeM=", "upv": { "major": 1, "minor": 0 } } } ]
TLV (Tag-Length-Value) Structure
Authenticator uses TLV format to communicate with the outside world (Authenticator commands and response – little endian)
013e1e01033ecb000b2e09003131313123303030310e2e070001000102000101 ……………
Authentication
Transaction Confirmation
Deregistration
How to apply FIDO Solution to your system
1. Import FIDO library (Cover FIDO Client API and RP Transport)
2. Implement logic and UI 3. If your service is Webapp,
import javascript library
1. Implement FIDO Server API (only 3 APIs) 2. Implement logic to support FIDO
1. Register policy and assign policy ID
왜 FIDO를 도입해야 하나요?
• 공개키 (PKI) 기반의 안전한 인증 방식 – 인증 서버에 비밀번호와 같은 credential이 저장되지 않아, 기존 PW 방식에 비해 안전함
– PW와 같은 credential이 네트워크를 통해 전송되지 않음
• 생체 인식 등의 다양한 기술 활용 가능한 구조 – 지문, 얼굴, 홍채, 또 다른 무엇이라도 적용 가능 (동일한 API, Policy만 변경!!!)
– Without FIDO: 지문인식 / 얼굴 / 홍채 등 새로운 인증 기능 신규 개발 필요 (Every time)
• 생체 정보에 대한 보호 – 생체 정보는 절대 단말 외부로 전송이 되거나 외부에 저장되지 않음
– 단말 내에 안전한 공간 (Trust Zone)에 저장됨
• 표준 기술 적용을 통한 범용성 제공 – Web (W3C Web API), Android, iOS, Windows 에서 FIDO 기술 활용 가능 또는 예정
– 제2의 ActiveX 등은 이제 그만..
• 한번의 등록을 통해 Multiple app 또는 platform 적용
• 설계/구현/운용 상의 실수를 피할 수 있음 – 인증 기술에 대한 이해 부족으로 인한 잘못된 구현, 그리고 보안 사고 발생
– FIDO 인증 솔루션 도입 시, 인증 기능을 FIDO 솔루션에 위임
