line-fido2-server icon indicating copy to clipboard operation
line-fido2-server copied to clipboard

Published 20 hours ago verified publisher icon line

Set User Handle to a salted hash or random

Open seachicken opened this issue 3 years ago • 2 comments

The current User Handle (a.k.a user ID) is a hash of the user name. https://github.com/line/line-fido2-server/blob/22d5aa954efe4e1a383c9eea3b2dc109e700f973/rpserver/src/main/java/com/linecorp/line/auth/fido/fido2/rpserver/controller/CredentialController.java#L147

The documentation appears to recommend it with salted hash or random, so should we change that?

This includes hash values of personally identifying information, unless the hash function is salted with salt values private to the Relying Party, since hashing does not prevent probing for guessable input values. It is RECOMMENDED to let the user handle be 64 random bytes, and store this value in the user’s account.

https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-user-handle-privacy

seachicken avatar Nov 27 '21 10:11 seachicken

Yes, you are right. Thank you for your opinion.

~~I think it would be better to provide a random value:slightly_smiling_face:~~

kj84park avatar Nov 27 '21 14:11 kj84park

Yes, you are right. Thank you for your opinion.

~I think it would be better to provide a random value🙂~

I realized that there might be a lot of parts that need to be fixed to provide random values.

I think we might have to find another way.

kj84park avatar Nov 27 '21 19:11 kj84park