W3C home > Mailing lists > Public > public-webauthn@w3.org > April 2018

[webauthn] Obfuscate Safetynet nonce

From: Alexei Czeskis via GitHub <sysbot+gh@w3.org>
Date: Thu, 12 Apr 2018 21:36:41 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-313896301-1523569000-sysbot+gh@w3.org>
leshi has just created a new issue for https://github.com/w3c/webauthn:

== Obfuscate Safetynet nonce ==
The current signing procedure for the Safetynet attestation states:

> Let authenticatorData denote the authenticator data for the attestation, and let clientDataHash denote the hash of the serialized client data.
> 
> Concatenate authenticatorData and clientDataHash to form attToBeSigned.
> 
> Request a SafetyNet attestation, providing attToBeSigned as the nonce value.

This has the product of sending unnecessary data to the Safetynet servers.  For example, ```rpIdHash``` would be easy to brute-force.

Instead, we should be sending the hash of ```attToBeSigned.```

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/868 using your GitHub account
Received on Thursday, 12 April 2018 21:36:43 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:32 UTC