[webauthn] Issue: Security: Signature format doesn't cover whole context marked as spec:signature-format

• From: Alexei Czeskis via GitHub <sysbot+gh@w3.org>
• Date: Fri, 13 May 2016 09:46:35 +0000
• To: public-webauthn@w3.org
• Message-ID: <issues.labeled-154673808-None-sysbot+gh@w3.org>

leshi has just labeled an issue for https://github.com/w3c/webauthn as
 "spec:signature-format":

== Security: Signature format doesn't cover whole context ==
The basic principle we should follow is that the Authenticator should 
sign over the entire context that is presented to it; this just a best
 practice. This allows the RP to verify exactly what the authenticator
 saw when it created a registration or assertion intended for the RP.

Currently, the signature produced by getAssertion does not sign over 
the RP ID seen by the authenticator.  **We should modify the signature
 format so that it also covers the RP ID.**

These concerns are purely theoretical.  For example, here is one 
possible consequence of not following best practices.  This is just an
 example, there may be other attacks that we haven't though of.

**Example**:
The TL;DR the attacker achieves in this attack is that a user with a 
compromised client device and a properly functioning authenticator is 
put in a situation where that authenticator will only work with the 
compromised client device (i.e., attack persistence). The external 
authenticator won't work with any normally functioning client (i.e, a 
denial of service on any un-compromised client). So the user will have
 an incentive to keep using the compromised client device, because 
their external authenticator "doesn't work with anything else".

Details: The user registers their good external authenticator on 
Bank.com using this compromised client device. During the registration
 (and in all subsequent sign-ins) the attacker changes the RPID being 
sent to the external authenticator from Bank.com to Changed-Bank.com. 
The registration happens correctly as far as the user and Bank.com are
 concerned. After registering, the user is able to log-in to Bank.com 
on this compromised client device, since the change of RPID is 
consistent.

However, if the user now takes that authenticator to a normally 
functioning client device, he/she cannot login to Bank.com. The 
Credential ID sent by bank.com does not match the RPID for Bank.com 
and so the authenticator silently refuses to sign. The user sees it as
 "My token doesn't work with this device"

If the authenticator also signed over the RPID that it saw, the above 
attack would not work. At registration time and with assertions, 
Bank.com would realize that the external authenticator saw something 
saw some RPID other than Bank.com.


**There are likely more attack examples**

See https://github.com/w3c/webauthn/issues/107

Received on Friday, 13 May 2016 09:46:37 UTC