Re: [webauthn] Support for FIDO passkey with HMAC-Secret extension (#1830)

Hi Emil,

Thanks for your answers!

“Yes, although depending on application you might want to pass the PRF output through a key derivation function (KDF) first, rather than use the raw PRF outputs directly.”

Good point. For example, how about using PBKDF2 with the PRF output as salt in conjunction with the user’s password?

One more question: Is the proposed WebAuthn L3 PRF-extension<https://w3c.github.io/webauthn/#prf-extension> function intended to be called from a native app on the device? In other words, will it be possible to generate the PRF output in a local environment, without the involvement of an external RP?

Kind regards,
Sebastian

From: Emil Lundberg ***@***.***>
Sent: Tuesday, 6 December 2022 18:22
To: w3c/webauthn ***@***.***>
Cc: Sebastian Elfors ***@***.***>; Author ***@***.***>
Subject: Re: [w3c/webauthn] Support for FIDO passkey with HMAC-Secret extension (Issue #1830)


  1.  Could FIDO passkey credentials support the HMAC-Secret extension (without the need for CTAP2)?

Yes, they could implement a feature that is API-compatible with HMAC-Secret.

  2.  Could the proposed WebAuthn L3 PRF-extension<https://w3c.github.io/webauthn/#prf-extension> function be able to generate PRF values using FIDO passkey credentials with the HMAC-Secret extension?

Yes, this is one of the intended use cases of the PRF extension.

  3.  Can the output PRF values be used as AES-256 keys for encrypting/decrypting opaque data?

Yes, although depending on application you might want to pass the PRF output through a key derivation function (KDF) first, rather than use the raw PRF outputs directly.



-- 
GitHub Notification of comment by Sebastian-Elfors-IDnow
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1830#issuecomment-1340507978 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 7 December 2022 07:23:16 UTC
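
The KDF step recommended in the thread, shown as an added example that is not part of the original messages or of the WebAuthn specification: HKDF-SHA-256 (one possible KDF, chosen here as an assumption) turns a PRF output into purpose-bound AES-256-GCM keys. The PRF output is a constructed random value and the `info` labels are hypothetical.

```javascript
// WebCrypto is global in browsers and Node >= 19; require() is a fallback for older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();

// Derive a non-extractable AES-256-GCM key from a 32-byte PRF output.
// `info` is a hypothetical application label that separates keys by purpose.
async function deriveAesKey(prfOutput, info) {
  const ikm = await wc.subtle.importKey("raw", prfOutput, "HKDF", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    // All-zero salt is HKDF's default when none is supplied (RFC 5869).
    { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32), info: enc.encode(info) },
    ikm,
    { name: "AES-GCM", length: 256 },
    false, // the derived key cannot be exported by script
    ["encrypt", "decrypt"]
  );
}

async function seal(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per message
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext));
  return { iv, ct: new Uint8Array(ct) };
}

async function unseal(key, { iv, ct }) {
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ct);
  return new TextDecoder().decode(pt);
}

async function demo() {
  // Constructed stand-in for getClientExtensionResults().prf.results.first
  const prfOutput = wc.getRandomValues(new Uint8Array(32));
  const vaultKey = await deriveAesKey(prfOutput, "example-app/vault/v1");
  const box = await seal(vaultKey, "opaque data");

  // A later session re-derives the same key from the same PRF output; nothing is stored.
  const again = await deriveAesKey(prfOutput, "example-app/vault/v1");
  const roundTrip = await unseal(again, box);

  // A key derived under a different label fails the GCM tag check.
  const otherKey = await deriveAesKey(prfOutput, "example-app/backup/v1");
  const rejected = await unseal(otherKey, box).then(() => false, () => true);
  return { roundTrip, rejected };
}
```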