[webauthn] RP assertion algorithm does not say to validate the credential ID

emlun has just created a new issue for https://github.com/w3c/webauthn:

== RP assertion algorithm does not say to validate the credential ID ==
The [RP algorithm for verifying an assertion][rp-assert] currently makes no mention of verifying that `credential.id` and `credential.response.userHandle` actually have expected values. If an RP does not check this, the following attacks could be possible:

Scenario 1: Second factor mode

1. Eve phishes Bob for his username and password, but fails to obtain his public key credential `bob1234`
2. Eve registers an account with the target RP, and registers the credential `eve1234` with that account
3. Eve uses Bob's username and password to initiate an authentication ceremony for Bob
4. RP sends a challenge for the credential `bob1234`: `{ "challenge": "ABCDEF...", "allowCredentials": [{ "id": "bob1234" }] }`
5. Eve signs the challenge with her credential `eve1234` and returns `{ "id": "eve1234", "response": { ... } }`
6. RP looks up credential `eve1234`, verifies the signature and successfully authenticates Eve as Bob

Scenario 2: First factor mode

1. Eve finds out that Bob's user handle for the target RP is `bob4321`
2. Eve registers an account with the RP, and registers the credential `eve1234` with that account
3. Eve initiates an authentication ceremony
4. RP sends a challenge for any credential: `{ "challenge": "ABCDEF...", "allowCredentials": undefined }`
5. Eve signs the challenge with her credential `eve1234` and returns `{ "id": "eve1234", "response": { "userHandle": "bob4321", ... } }`
6. RP looks up the public key for credential `eve1234`, verifies the signature and successfully authenticates Eve as user `bob4321`, i.e., Bob

[rp-assert]: https://www.w3.org/TR/webauthn/#verifying-assertion

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/753 using your GitHub account
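As an added illustration of the check the issue asks for (example code, not part of emlun's report or of the WebAuthn specification), the model below replays both scenarios against an RP that only looks up `credential.id` and against one that also binds the credential to the requested `allowCredentials` and to the user being authenticated. Assumptions: the signature is an HMAC over the challenge as a stand-in for the real asymmetric signature over the authenticator data and client data hash, Eve's own user handle is the constructed value `eve0000`, and the class and function names are invented for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumption: a credential's "private key" is a shared secret and the signature
# is an HMAC over the challenge. Real WebAuthn uses an asymmetric signature over
# authenticatorData || SHA-256(clientDataJSON); the stand-in keeps the example
# offline while preserving the check order the issue is about.
@dataclass(frozen=True)
class Credential:
    id: str
    user_handle: str  # owner of this credential at the RP
    secret: bytes     # stand-in for the key pair


def sign(cred: Credential, challenge: str) -> str:
    """Authenticator side: produce the assertion signature (constructed stand-in)."""
    return hmac.new(cred.secret, challenge.encode(), hashlib.sha256).hexdigest()


def make_assertion(cred: Credential, challenge: str, user_handle: Optional[str] = None) -> dict:
    """Build the PublicKeyCredential the client returns; userHandle is client-controlled."""
    return {"id": cred.id, "response": {"signature": sign(cred, challenge), "userHandle": user_handle}}


class RelyingParty:
    def __init__(self) -> None:
        self.credentials: dict[str, Credential] = {}

    def register(self, user_handle: str, cred_id: str) -> Credential:
        cred = Credential(cred_id, user_handle, secrets.token_bytes(32))
        self.credentials[cred_id] = cred
        return cred

    def begin(self, user_handle: Optional[str] = None) -> dict:
        """Second-factor mode lists the user's credential IDs; first-factor mode lists none."""
        allow = None
        if user_handle is not None:
            allow = [{"id": c.id} for c in self.credentials.values() if c.user_handle == user_handle]
        return {"challenge": secrets.token_hex(16), "allowCredentials": allow, "expectedUser": user_handle}

    def _signature_ok(self, cred: Credential, options: dict, assertion: dict) -> bool:
        return hmac.compare_digest(sign(cred, options["challenge"]), assertion["response"]["signature"])

    def finish_unchecked(self, options: dict, assertion: dict) -> Optional[str]:
        """Verification as the issue describes it: look up credential.id, check the signature, done."""
        cred = self.credentials.get(assertion["id"])
        if cred is None or not self._signature_ok(cred, options, assertion):
            return None
        # Second factor: trusts the password-authenticated user; first factor: trusts userHandle.
        return options["expectedUser"] or assertion["response"]["userHandle"]

    def finish_checked(self, options: dict, assertion: dict) -> Optional[str]:
        """Same flow plus the binding checks the issue asks for."""
        cred_id = assertion["id"]
        allow = options["allowCredentials"]
        # Check 1: in second-factor mode the returned ID must be one the RP asked for.
        if allow is not None and cred_id not in {c["id"] for c in allow}:
            return None
        cred = self.credentials.get(cred_id)
        if cred is None:
            return None
        # Check 2: the credential must belong to the user being authenticated.
        claimed = options["expectedUser"] or assertion["response"]["userHandle"]
        if claimed is None or cred.user_handle != claimed:
            return None
        if not self._signature_ok(cred, options, assertion):
            return None
        return cred.user_handle


def run_scenarios() -> dict:
    """Replay both scenarios from the issue against the unchecked and checked verifiers."""
    rp = RelyingParty()
    bob = rp.register("bob4321", "bob1234")
    eve = rp.register("eve0000", "eve1234")  # constructed handle for Eve's own account
    results = {}
    # Scenario 1: RP asks for bob1234 (second factor); the answer is signed by eve1234.
    opts = rp.begin(user_handle="bob4321")
    attack1 = make_assertion(eve, opts["challenge"])
    results["s1_unchecked"] = rp.finish_unchecked(opts, attack1)
    results["s1_checked"] = rp.finish_checked(opts, attack1)
    # Scenario 2: first-factor flow; eve1234 signs but the response claims Bob's user handle.
    opts = rp.begin()
    attack2 = make_assertion(eve, opts["challenge"], user_handle="bob4321")
    results["s2_unchecked"] = rp.finish_unchecked(opts, attack2)
    results["s2_checked"] = rp.finish_checked(opts, attack2)
    # Control: Bob's own credential still authenticates Bob with the checks in place.
    opts = rp.begin()
    results["bob_checked"] = rp.finish_checked(opts, make_assertion(bob, opts["challenge"], "bob4321"))
    return results
```

`finish_unchecked` returns `bob4321` in both scenarios because a valid signature from any registered credential is accepted; `finish_checked` rejects both by refusing IDs outside `allowCredentials` and by comparing the credential's registered owner with the user being authenticated (the expected user in second-factor mode, the returned `userHandle` in first-factor mode), while Bob's own assertion still passes.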

Received on Monday, 22 January 2018 17:19:51 UTC