
Basic Signature Validation - Possible?

Open cyberphone opened this issue 5 years ago • 3 comments

Pardon my "n00b" status when it comes to FIDO servers...

According to https://w3c.github.io/webauthn/images/fido-signature-formats-figure2.svg, the signed data consists of two parts.

Question: I have an application which depends on `clientDataHash`. Is there any way using your server (hopefully unmodified) and, even better, the simulator as well, that permits this? I.e. there would be no server-generated challenge, just signed data coming from a CTAP2 compatible client.

cyberphone avatar Apr 05 '21 15:04 cyberphone

Not sure I understand, Anders. Without a server challenge, CollectedClientData https://www.w3.org/TR/webauthn-2/#dictdef-collectedclientdata would not make sense to a FIDO server trying to verify a response from a client - the server would have no way of knowing if the response was coming from a User whose digital signature it could trust and verify. Perhaps you can explain the larger context of what you're trying to achieve?

max-smyth avatar Apr 05 '21 18:04 max-smyth

Thanx Max for the quick response! My application is not compliant with WebAuthn but (hopefully) with FIDO2/CTAP2.

Imagine a FIDO2 client that hashes a JSON object like:

  {
     "toPay": "$100.00"
  }

Result: b6 f0 85 c7 9a 3b 06 06 85 3e 12 89 d0 3a c3 8d cc 6a cf c3 df f4 11 99 cb 2a cc 2f 5b 73 f1 bc

This would then be used as clientDataHash in a local FIDO2 signature process.

A verifier has the original JSON object and hashes it as well. Now it wants to know if the received signature validates. The signer is supposed to provide the information required to identify the key like userid.

The idea is creating a functional equivalent to an EMV card.

https://fido-web-pay.github.io/

cyberphone avatar Apr 05 '21 19:04 cyberphone
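
The flow described in the comment above, as an added worked example that is not part of the original issue and not StrongKey's server or simulator code: the client hashes the payment JSON itself and uses that digest as clientDataHash, the authenticator signs authenticatorData || clientDataHash (the two parts from the WebAuthn signature-format figure), and the verifier re-hashes the JSON it holds and checks the signature with the public key it looked up from the signer-supplied key identifier. The RP ID, the sign counter value, the ES256 algorithm and the in-process key generation (standing in for a real CTAP2 authenticator) are assumptions of the example. It also checks the tampered case: changing the amount changes clientDataHash, so the same signature no longer verifies.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Constructed sample: the JSON object from the post, hashed byte-for-byte.
// Both sides must hash the identical serialization (canonicalize it or ship
// the original bytes); any whitespace difference changes clientDataHash.
const payJSON = "{\n   \"toPay\": \"$100.00\"\n}"

// ClientDataHash is the SHA-256 the client hands to the authenticator in place
// of WebAuthn's hash(collectedClientData); there is no server challenge here.
func ClientDataHash(doc []byte) [32]byte { return sha256.Sum256(doc) }

// AuthenticatorData builds the minimal CTAP2 getAssertion authData:
// rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian).
func AuthenticatorData(rpID string, userPresent bool, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := make([]byte, 0, 37)
	out = append(out, h[:]...)
	var flags byte
	if userPresent {
		flags |= 0x01 // UP bit
	}
	out = append(out, flags)
	var sc [4]byte
	binary.BigEndian.PutUint32(sc[:], signCount)
	return append(out, sc[:]...)
}

// SignedMessage is the two-part signature input: authData || clientDataHash.
func SignedMessage(authData []byte, cdh [32]byte) []byte {
	return append(append([]byte{}, authData...), cdh[:]...)
}

// Sign stands in for the authenticator: ES256 (ECDSA P-256 over SHA-256) with
// an ASN.1 DER signature, which is what CTAP2 returns for COSE alg -7.
func Sign(priv *ecdsa.PrivateKey, authData []byte, cdh [32]byte) ([]byte, error) {
	digest := sha256.Sum256(SignedMessage(authData, cdh))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the relying-party side: it re-hashes the document it holds, rebuilds
// the signed message from the received authData, and checks the signature with
// the public key it looked up by the signer-supplied key identifier (userid).
func Verify(pub *ecdsa.PublicKey, rpID string, doc, authData, sig []byte) bool {
	if len(authData) < 37 {
		return false
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], want[:]) {
		return false // assertion was produced for a different RP ID
	}
	if authData[32]&0x01 == 0 {
		return false // user presence not asserted
	}
	digest := sha256.Sum256(SignedMessage(authData, ClientDataHash(doc)))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs one sign/verify round and returns (genuine verifies, tampered verifies).
func Demo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed: in-process key
	if err != nil {
		return false, false, err
	}
	const rpID = "fido-web-pay.github.io" // assumed RP ID for the example
	authData := AuthenticatorData(rpID, true, 7) // assumed sign counter value
	cdh := ClientDataHash([]byte(payJSON))
	sig, err := Sign(priv, authData, cdh)
	if err != nil {
		return false, false, err
	}
	ok := Verify(&priv.PublicKey, rpID, []byte(payJSON), authData, sig)
	// Same signature, different amount: clientDataHash changes, so this must fail.
	tampered := Verify(&priv.PublicKey, rpID, []byte("{\n   \"toPay\": \"$1000.00\"\n}"), authData, sig)
	return ok, tampered, nil
}

func main() {
	cdh := ClientDataHash([]byte(payJSON))
	fmt.Println("clientDataHash:", hex.EncodeToString(cdh[:]))
	ok, tampered, err := Demo()
	fmt.Println("genuine verifies:", ok, "tampered verifies:", tampered, "err:", err)
}
```

Note that nothing in this exchange proves freshness: with no server challenge inside the signed data, the verifier only has the sign counter and whatever nonce the payment document itself carries to reject a replayed assertion, which is the gap the earlier reply points at.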

https://github.com/rsolomakhin/secure-payment-confirmation/issues/40#issuecomment-780156203

cyberphone avatar Apr 05 '21 19:04 cyberphone