[webauthn] Consider allowing authenticators to randomise signed hashes.

agl has just created a new issue for https://github.com/w3c/webauthn:

== Consider allowing authenticators to randomise signed hashes. ==
In order to frustrate differential power analysis, hardware authenticators will typically randomise as many inputs to cryptographic processing as possible. However, as currently constructed, they don't have an obvious way to randomise the hashes to be signed.

If the [authenticator data](https://www.w3.org/TR/2017/WD-webauthn-20170505/#sec-authenticator-data) structure contained an opaque, 16-byte field then authenticators that wished to do so could fill it with random data, thus randomising the hash to be signed. (Those that don't care can fill it with zeros.)

The `signCount` field might have been intended to help with this problem, but since maintaining a count would involve a flash write for each signature, and would leak tracking information, I imagine most implementations would simply set it to zero every time. (Indeed, that field is not mentioned anywhere else in the spec that I can see and might be a candidate for removal.)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/453 using your GitHub account

Received on Sunday, 7 May 2017 23:38:10 UTC
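The data flow the proposal relies on, as an added illustration that is not part of the issue, the WebAuthn working draft or any authenticator implementation: the authenticator signs `authenticatorData || SHA-256(clientDataJSON)`, so any bytes it controls inside authenticator data change the digest the private-key operation sees. The block below lays out authenticator data as in the draft (`rpIdHash`, `flags`, `signCount`) and appends the hypothetical 16-byte opaque field directly after `signCount`; that position, the `OPAQUE_LEN` constant, the relying party ID `example.com`, the sample client data JSON and the use of `os.urandom` as a stand-in for the authenticator's RNG are all assumptions made for the example. It stops at the digest that would be handed to ECDSA or RSA and does not perform the signature itself.

```python
import hashlib
import os
import struct

# Constructed sample values (not from the issue): a relying party ID and the
# client data JSON the browser would hand to the authenticator.
RP_ID = "example.com"
SAMPLE_CLIENT_DATA = (
    b'{"challenge":"c29tZS1jaGFsbGVuZ2U","origin":"https://example.com",'
    b'"type":"webauthn.get"}'
)

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified

OPAQUE_LEN = 16  # size of the hypothetical opaque field proposed in the issue


def build_authenticator_data(rp_id, flags, sign_count, opaque=None):
    """Return authenticator data: rpIdHash || flags || signCount || opaque.

    rpIdHash (32 bytes), flags (1 byte) and signCount (4 bytes, big-endian)
    follow the WebAuthn working draft. The trailing 16-byte opaque field is
    the proposal under discussion, not part of the draft; an authenticator
    that does not want to randomise fills it with zeros.
    """
    if opaque is None:
        opaque = bytes(OPAQUE_LEN)
    if len(opaque) != OPAQUE_LEN:
        raise ValueError("opaque field must be exactly %d bytes" % OPAQUE_LEN)
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count) + opaque


def hash_to_sign(authenticator_data, client_data_json):
    """The digest the signing primitive actually operates on.

    WebAuthn signs authenticatorData || SHA-256(clientDataJSON); an ECDSA or
    RSA implementation then hashes that message before the private-key
    operation. With a fixed client data hash and a fixed authenticator data
    prefix this digest is predictable to an observer, which is what makes
    repeated signatures useful for differential power analysis.
    """
    message = authenticator_data + hashlib.sha256(client_data_json).digest()
    return hashlib.sha256(message).digest()


def authenticator_assertion_input(client_data_json, randomise):
    """Authenticator side: build the data it will sign for one assertion.

    signCount is left at zero, as the issue expects most implementations to do.
    With randomise=True the opaque field is drawn from the authenticator's RNG
    (os.urandom stands in for it here), so the digest differs on every call
    even when every other input is identical.
    """
    opaque = os.urandom(OPAQUE_LEN) if randomise else bytes(OPAQUE_LEN)
    auth_data = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 0, opaque)
    return auth_data, hash_to_sign(auth_data, client_data_json)


def relying_party_parse(authenticator_data, expected_rp_id=RP_ID):
    """Relying party side: validate the fields it cares about.

    The opaque bytes are carried through untouched: the RP verifies the
    signature over the authenticator data exactly as received, so it never
    needs to interpret them.
    """
    if len(authenticator_data) < 37 + OPAQUE_LEN:
        raise ValueError("authenticator data too short")
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    (sign_count,) = struct.unpack(">I", authenticator_data[33:37])
    opaque = authenticator_data[37:37 + OPAQUE_LEN]
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode("utf-8")).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    return {"flags": flags, "sign_count": sign_count, "opaque": opaque}


def digests_differ(client_data_json, randomise, trials=2):
    """True if `trials` assertions over identical inputs yield distinct digests."""
    digests = {authenticator_assertion_input(client_data_json, randomise)[1]
               for _ in range(trials)}
    return len(digests) == trials


if __name__ == "__main__":
    print("randomised digests differ:", digests_differ(SAMPLE_CLIENT_DATA, True))
    print("zero-filled digests differ:", digests_differ(SAMPLE_CLIENT_DATA, False))
```

Running it shows the two halves of the argument: with the opaque field zero-filled, every assertion over the same challenge hashes to the same digest, while with the field randomised the digest changes per signature without the relying party having to do anything new, since it only checks `rpIdHash` and the flags and verifies the signature over the bytes as received.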