Masaryk University
Faculty of Informatics

Support for U2F FIDO tokens in mobile applications

Bachelor's Thesis
Marek Hrašna
Brno, Spring 2019

Declaration
Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during the elaboration of this work are properly cited and listed in complete reference to the due source.
Marek Hrašna
Advisor: RNDr. Petr Švenda Ph.D.

Acknowledgements
I would like to express my gratitude to my advisor, RNDr. Petr Švenda Ph.D., for his guidance, patience, and helpful advice throughout the making of this thesis.

Abstract
One of the biggest security problems on the Internet is the usage of weak credentials, such as passwords, for user authentication. Second-Factor Authentication (2FA) provides a valid answer to this threat. Still, many 2FA schemes are vulnerable to prominent web threats such as phishing attacks. The U2F protocol provides a phishing-resistant 2FA solution, optionally based on secure hardware elements. This thesis provides an analysis of the security brought by the U2F authentication scheme and shows its real-world adaptation on mobile platforms. It discusses problems that occur while using commercial tokens implementing this standard and describes the process of installing a U2F applet onto a JavaCard, while discussing possible problems that may occur.
Keywords
U2F, FIDO, FIDO2, Bachelor thesis

Contents
Introduction 1
1 Analysis of the U2F protocol 3
1.1 Motivation for FIDO standards 3
1.2 Protocols overview 5
1.3 Security analysis 7
2 U2F JavaCard Applet 15
2.1 Applet description 15
2.1.1 Installation parameters 16
2.1.2 Response status words table 17
2.1.3 Attestation certificate upload 18
2.1.4 Exchanged data 18
2.2 Problems 23
2.3 Results 25
3 Testing on Android 27
3.1 Experiment setup 27
3.2 Experiment results 28
3.3 Analysis and summary 32
3.4 Existing tokens 32
4 Conclusion and future work 35
5 An appendix 37
Bibliography 39

Introduction

The need for a more secure way to authenticate has been clear for years. Time and time again, you can see news of leaks of user information – and they often come from a company with millions of users. Companies and state organizations have tackled this problem diversely – from using biometrics to using hardware tokens or other means. This required costly development for the companies, but otherwise it worked well. That inspired an idea to create a universal standard which would not only reduce the costs for the companies, but could also bring this possibility of stronger authentication to the huge user base of the Internet.

“The specifications and certifications from the FIDO Alliance enable an interoperable ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many applications and websites. This ecosystem enables enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks using stolen passwords.” (FIDO Alliance, 2013)

The idea of a universal second factor protocol is to provide one authentication device that works across any number of services with no shared secrets amongst multiple servers. This makes users unlinkable by third parties, and thus lets them have multiple, yet secure, identities. Many companies with worldwide reach have joined the alliance, which makes pushing the protocol out to the public much easier.

“The core ideas driving FIDO are (1) ease of use, (2) privacy and security, and (3) standardization. For implementing authentication beyond a password (and perhaps an OTP), companies have traditionally been faced with an entire stack of proprietary clients and protocols.” (FIDO Alliance, 2013)

The U2F authentication devices can be connected using a USB port or (in some cases) using a contactless interface like Bluetooth or NFC (Near Field Communication). The aim of this thesis is to analyze the state of these tools for second-factor authentication within mobile platforms (Android). With the continuous rise of smartphone usage for many tasks that concern the user's privacy, it is important that the U2F standard can be applied in this scenario as well. We focus mainly on the U2F (FIDO) protocol family and hardware tokens. In the theoretical part, we cover the analysis of the U2F standard, considering its strong and weak points. Next, we cover the testing of U2F tokens with a native mobile application for Android and discuss problems that we encountered. Furthermore, we provide an overview of a JavaCard applet that we used and modified so that we could use a smartcard as a U2F token. We discuss problems that we encountered along the way and modifications we had to make. The practical part consists of the said native mobile application for Android, communicating with a hardware token through NFC or Bluetooth. It also includes the source code of the JavaCard U2F applet.

Firstly, we studied the available documentation concerning the U2F standard and FIDO generally. We analyzed the strong and weak points of this standard. Secondly, we found and modified an available demo application for Android, which allowed us to register and consequently log in using a FIDO U2F token. Thirdly, we analyzed an existing JavaCard U2F applet and its properties when used on a programmable smartcard as a FIDO U2F token. Finally, we described a real use-case scenario and used both implementations to show how it works.

1 Analysis of the U2F protocol

1.1 Motivation for FIDO standards

In general, there are three factors used for authentication:
∙ Something you know – a password or a personal identification number (PIN), for example, is the most common means of authentication. It is also the easiest to beat.
∙ Something you have – some form of a token or a smart card.
∙ Something you are – biometrics: fingerprint, iris scan, retina scan, face scan, handwriting, hand geometry.

These factors can be combined to form multi-factor authentication. As stated in the FIDO Alliance's documents, their goal is to change the nature of strong online authentication. With the password still being the most common means of authenticating a user on the web, phishing attacks, data breaches and other forms of hacking are as dangerous as they have ever been. There are numerous problems with passwords: to be secure, they should be of some minimal length, contain uppercase and lowercase letters, use special symbols, and be unique for each service. That is usually much more than an average user is able to remember, so it is understandable that they reuse them. That leads to undesirable problems: if a password is stolen from one service, the chances are that the same password can be used by the attacker with a number of other services. Strong authentication is looking to solve this problem.

Strong authentication has several unofficial definitions and is often understood as multi-factor authentication. Nevertheless, it does not necessarily have to mean that, as it does not in the FIDO UAF and FIDO2 standards. Here, it is rather meant as authentication based on a challenge-response protocol.

Challenge-response protocols work in the following way: one party proposes a challenge, usually a nonce or a random value; the other party combines this value with a secret to generate a response, and sends it back. The first party can then verify the response and confirm that the other party possesses the secret. An example of one of the earliest challenge-response protocols would be simple password authentication: one party asks for the password, and the other must answer correctly. This method was later improved, in certain applications, by providing a password identifier within the challenge, so that the other party must respond with the correct password for the given identifier. This would spoil a possible interceptor's effort to maliciously authenticate against challenges with different identifiers, thus improving security. The basic idea of this method is used to this day, for example, by certain internet banking solutions, but the exchanged data is cryptographically protected. The client receives a document with different passwords for different challenges during the setup of a bank account and is challenged during the log-in process.

Authentication techniques that were not cryptographically protected were usually sufficient before the Internet. The risk of the system asking for the password not being the system the user was trying to enter, or the possibility of an eavesdropper watching the communication channel, were significantly lower. Cryptographic techniques used to solve this problem were mainly mutual authentication and the use of a cryptographic nonce. Some of the challenge-response protocols developed over the years are, for example, CHAP, OCRA, and SCRAM [1].

FIDO aims to change strong online authentication by:
∙ Developing technical