
Some question about fido2

Open LDH9219 opened this issue 3 years ago • 2 comments

Hi. First, I appreciate your code.

I tried to search for FIDO2 and then I found your code. I've been learning Java with FIDO2 on my own, but I ran into some trouble. I need your help, I guess...

The first question is about variables. In the 'Fido2 engine' usage, there is some explanation about them, but I can't understand two of the variables in the code: 'origin' and 'authcounter'.

Second is the difference between 'preauth' and 'auth'. When I tried to analyze 'RestFidoAuthenticate.java', it was really hard for me to find the difference between 'preauth' and 'auth'. Is there any reason for the two-step sequence 'preauth' and 'auth'?

LDH9219 · Sep 03 '21 07:09

Hi @ldh3213

Variable explanations for 'origin' and 'authcounter':

origin:

The origin refers to where a request originates from. The syntax for an origin will look like this:

<scheme>"://"<hostname>[":"<port>]

where

<scheme> : The protocol that is used. Usually it is the HTTP protocol or its secured version, HTTPS.
<hostname> : The domain name of the server.
<port> (Optional) : TCP port on which a server is listening.

For example:

https://strongkey.com

authcounter:

I believe the "authcounter" you are referring to is found in the skfsclient's "FidoEngine.java". The skfsclient uses a FIDO2 simulator instead of an actual Authenticator to demonstrate the SKFS web services on the command line.

This variable refers to a feature of the authenticator that is also known as the signature counter. The signature counter is a number that is incremented for each successful authenticatorGetAssertion operation by some positive value, and its value is returned to the WebAuthn Relying Party within the authenticator data. The signature counter's purpose is to aid Relying Parties in detecting cloned authenticators. Clone detection is more important for authenticators with limited protection measures. You can find more in-depth information about the signature counter here.

Differences between preauth and auth:

preauth and auth in the skfsclient:

The preauth and auth variables found in the file you analyzed (RestFidoAuthenticate.java) look similar because almost all of the code in that file deals with building the requests for the two web services, making the REST API calls using the built requests, and parsing the responses from the server. This file is part of the skfsclient, which is only a sample client that makes API calls to the SKFS and simulates the use of a FIDO Authenticator. In reality, they are very different processes, and the reason for a two-step sequence is simply that one comes after the other. To understand what is going on in the SKFS during the preauth and auth web services, I would recommend reading section "4.1.2—Authentication" on page 101 (page 109 in the .pdf file) of the SKFS Administration Guide. You may also want to take a look at the flow of an Authentication Ceremony (you may find the last two links in that definition helpful).

preauth and auth web services:

Regarding the reason for a two-step authentication process with the preauth and auth web services: in StrongKey's implementation of the FIDO Server, register and authenticate are two-step processes where a challenge (nonce) must be obtained in a preregister step before a registration, or in a preauthenticate step before an authentication, can be completed. For a more detailed explanation of the SKFS authentication flow, check out the section of the SKFS Administration Guide I linked above.

pattycakelol · Sep 08 '21 06:09
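The two variables asked about above, 'origin' and 'authcounter', are both things a Relying Party verifies on every authentication. The following is an added example (not code from the SKFS or skfsclient) showing those two server-side checks in Python: comparing the origin recorded in clientDataJSON against the configured `<scheme>://<hostname>[:<port>]` origin, and comparing the signature counter carried in the authenticator data against the last stored value to flag a possible cloned authenticator. The sample clientDataJSON and authenticator-data bytes are constructed for the demo.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def normalize_origin(origin: str) -> tuple:
    """Parse '<scheme>://<hostname>[:<port>]' into a comparable (scheme, host, port) tuple.
    Scheme and hostname compare case-insensitively; a missing port means the scheme default."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"malformed origin: {origin!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"origin must not carry a path, query or fragment: {origin!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme.lower(), parts.hostname.lower(), port)

def check_origin(client_data_json: bytes, expected_origin: str) -> bool:
    """RP check: the origin the browser wrote into clientDataJSON must equal the RP's
    configured origin, so a response collected on another site is rejected."""
    client_data = json.loads(client_data_json)
    return normalize_origin(client_data["origin"]) == normalize_origin(expected_origin)

def check_signature_counter(stored_counter: int, auth_data: bytes) -> tuple:
    """RP clone check on the signature counter ('authcounter').
    Authenticator data layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
    Returns (ok, counter_to_store). If either value is non-zero the new counter must be
    strictly greater than the stored one; otherwise a cloned authenticator may exist."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    new_counter = int.from_bytes(auth_data[33:37], "big")
    if new_counter == 0 and stored_counter == 0:
        return True, 0                  # authenticator does not implement a counter
    if new_counter > stored_counter:
        return True, new_counter        # advance the stored value
    return False, stored_counter        # counter did not advance: treat as suspicious

# Constructed sample values (not taken from SKFS or a real authenticator).
SAMPLE_CLIENT_DATA = json.dumps({"type": "webauthn.get", "challenge": "c29tZS1jaGFsbGVuZ2U",
                                 "origin": "https://StrongKey.com:443"}).encode()
SAMPLE_AUTH_DATA = bytes(32) + b"\x01" + (7).to_bytes(4, "big")   # flags=UP, signCount=7

if __name__ == "__main__":
    print(check_origin(SAMPLE_CLIENT_DATA, "https://strongkey.com"))   # True
    print(check_signature_counter(5, SAMPLE_AUTH_DATA))                 # (True, 7)
    print(check_signature_counter(7, SAMPLE_AUTH_DATA))                 # (False, 7)
```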

@pattycakelol I really want to thank you for your help. Thanks a lot!

LDH9219 · Sep 10 '21 05:09