FIDO2 Facing Kleptographic Threats By-Design
We analyze the popular in practice FIDO2 authentication scheme from the point of view of kleptographic threats that have not been addressed so far in the literature. We show that despite its spartan design and apparent efforts to make it immune to dishonest protocol participants, the unlinkability features of FIDO2 can be effectively broken without a chance to detect it by observing protocol executions. Moreover, we show that a malicious authenticator can enable an adversary to seize the authenticator’s private keys, thereby enabling the impersonation of the authenticator’s owner. As a few components of the FIDO2 protocol are the source of the problem, we argue that either their implementation details must be scrutinized during a certification process or the standardization bodies introduce necessary updates in FIDO2 (preferably, minor ones), making it resilient to kleptographic attacks.

| Main Authors: | Mirosław Kutyłowski, Anna Lauks-Dutka, Przemysław Kubiak, Marcin Zawada |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2024-12-01 |
| Series: | Applied Sciences |
| Subjects: | FIDO2, authentication, kleptography, linkability, impersonation, hidden channel |
| Online Access: | https://www.mdpi.com/2076-3417/14/23/11371 |
| Field | Value |
|---|---|
| author | Mirosław Kutyłowski Anna Lauks-Dutka Przemysław Kubiak Marcin Zawada |
| author_facet | Mirosław Kutyłowski Anna Lauks-Dutka Przemysław Kubiak Marcin Zawada |
| author_sort | Mirosław Kutyłowski |
| collection | DOAJ |
| description | We analyze the popular in practice FIDO2 authentication scheme from the point of view of kleptographic threats that have not been addressed so far in the literature. We show that despite its spartan design and apparent efforts to make it immune to dishonest protocol participants, the unlinkability features of FIDO2 can be effectively broken without a chance to detect it by observing protocol executions. Moreover, we show that a malicious authenticator can enable an adversary to seize the authenticator’s private keys, thereby enabling the impersonation of the authenticator’s owner. As a few components of the FIDO2 protocol are the source of the problem, we argue that either their implementation details must be scrutinized during a certification process or the standardization bodies introduce necessary updates in FIDO2 (preferably, minor ones), making it resilient to kleptographic attacks. |
| format | Article |
| id | doaj-art-7e0f4be3ff264334be80c8c013f26b08 |
| institution | Kabale University |
| issn | 2076-3417 |
| language | English |
| publishDate | 2024-12-01 |
| publisher | MDPI AG |
| record_format | Article |
| series | Applied Sciences |
| title | FIDO2 Facing Kleptographic Threats By-Design |
| topic | FIDO2 authentication kleptography linkability impersonation hidden channel |
| url | https://www.mdpi.com/2076-3417/14/23/11371 |