web-auth / webauthn-framework

FIDO-U2F / FIDO2 / Webauthn Framework
MIT License
422 stars 54 forks

Apple's Anonymous Attestation support? #148

Closed ryden54 closed 3 years ago

ryden54 commented 4 years ago

Is your feature request related to a problem? Please describe. Apple announced its support for web authentication through Touch ID and Face ID.

It refers to an "anonymous attestation" to avoid user tracking through their authenticator's attestation.

Do you have any info on how it can be handled with this package, related to the attestation's format or to the attestation's metadata? Maybe it's still too early?

Describe the solution you'd like: Working as-is, or needs an update in the supported attestation formats or metadata services?

Describe alternatives you've considered None

Additional context https://developer.apple.com/videos/play/wwdc2020/10670/ https://www.biometricupdate.com/202006/apple-launches-web-authentication-using-fido-standard-with-touch-id-or-face-id-biometrics-in-safari

Spomky commented 4 years ago

I don't know what is behind Apple's "Anonymous Attestation". According to the Webauthn specification, there are 2 anonymous attestation types: none and ecdaa.

ryden54 commented 4 years ago

Thank you for your answer. I guess we'll have to wait to find out.

Spomky commented 4 years ago

> I don't know what is behind Apple's "Anonymous Attestation".

Update: https://twitter.com/IAmKale/status/1304986950554644480 It looks like it's a brand new format… without any documentation at the moment.

ryden54 commented 4 years ago

Here is a dump of the $attestationObject after getNormalizedData in AttestationObjectLoader; it is indeed an "apple" attestation statement format.

The related doc seems to be https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server in the section "Verify the Attestation"

Here is another fwk referencing information about it https://github.com/abergs/fido2-net-lib/issues/184#issue-681782302

{
            "fmt": "apple",
            "attStmt": {
                "alg": "-7",
                "x5c": [                   "0\u0082\u0002B0\u0082\u0001\u00c9\u00a0\u0003\u0002\u0001\u0002\u0002\u0006\u0001t\u00b5B\u00e2f0\n\u0006\b*\u0086H\u00ce=\u0004\u0003\u00020H1\u001c0\u001a\u0006\u0003U\u0004\u0003\f\u0013Apple WebAuthn CA 11\u00130\u0011\u0006\u0003U\u0004\n\f\nApple Inc.1\u00130\u0011\u0006\u0003U\u0004\b\f\nCalifornia0\u001e\u0017\r200921100133Z\u0017\r200924100133Z0\u0081\u00911I0G\u0006\u0003U\u0004\u0003\f@d606e4e4c24fd70ac505f8e9c30c4eb5fc27d261a8c92caedaec0905783fb1a01\u001a0\u0018\u0006\u0003U\u0004\u000b\f\u0011AAA Certification1\u00130\u0011\u0006\u0003U\u0004\n\f\nApple Inc.1\u00130\u0011\u0006\u0003U\u0004\b\f\nCalifornia0Y0\u0013\u0006\u0007*\u0086H\u00ce=\u0002\u0001\u0006\b*\u0086H\u00ce=\u0003\u0001\u0007\u0003B\u0000\u0004\u00cd\u00e49\u00d03S\u008c\u00fe\u00df\u001f\n\u00a1]Ff\u00bb,\u0094\u00d5{n\u00a0D\u00fd\u00f6\u008f\u00f2\u009e\u008e\u009c\u0015x\u001d\u0001\u00af\u00e4\u00eb\u0010\u00b1\u0011\u00dd\u00ba\u00ce.\n\u0007I>@7\u0089\u00e9\u00a0K\"\u000b\u00f1\u00c8>t_c\u001c\u00de\u00a3U0S0\f\u0006\u0003U\u001d\u0013\u0001\u0001\u00ff\u0004\u00020\u00000\u000e\u0006\u0003U\u001d\u000f\u0001\u0001\u00ff\u0004\u0004\u0003\u0002\u0004\u00f003\u0006\t*\u0086H\u0086\u00f7cd\b\u0002\u0004&0$\u00a1\"\u0004 #P_E\u0006\u009e@\u00ae\u0091V\u008f\u00ccr\u00e3.>\u0084d2y\"w\u00f4\u00c6\u0003E\u00c6\u00fe\u001c\u00b0V\u00dd0\n\u0006\b*\u0086H\u00ce=\u0004\u0003\u0002\u0003g\u00000d\u00020\u0018\u00d6\r\u00c5~A\u0098\u00c1\u00f3\u00ae\u00b5\u00ef\u0002\u00db\u00ec\u00889\u0083\u00f58I\u00b9b\u0014\u00d1\u00f0i\"G\u0081\u0005\u00f6\u0096\u000f\b\u0016\u00ca\u0002\u00df\u00ee:>\u0081\u00d5T\u008d\u00d7\u000203\u00ca\u00fd\u0005kW\u000f\u0089C\u00ee\u0007]w\u00e2\u009aS\u008e\u00f3w%\u0096)Y\u00e1\u0095\u00fd\u00d0\u009f\u00bc\u00bakA^\u008f\u00e78\u0089\u001d5\u00cc\u00ecj[y\u00e1\u00cb2\\",                   
"0\u0082\u000240\u0082\u0001\u00ba\u00a0\u0003\u0002\u0001\u0002\u0002\u0010V%S\u0095\u00c7\u00a7\u00fb@\u00eb\u00e2(\u00d8&\bS\u00b60\n\u0006\b*\u0086H\u00ce=\u0004\u0003\u00030K1\u001f0\u001d\u0006\u0003U\u0004\u0003\f\u0016Apple WebAuthn Root CA1\u00130\u0011\u0006\u0003U\u0004\n\f\nApple Inc.1\u00130\u0011\u0006\u0003U\u0004\b\f\nCalifornia0\u001e\u0017\r200318183801Z\u0017\r300313000000Z0H1\u001c0\u001a\u0006\u0003U\u0004\u0003\f\u0013Apple WebAuthn CA 11\u00130\u0011\u0006\u0003U\u0004\n\f\nApple Inc.1\u00130\u0011\u0006\u0003U\u0004\b\f\nCalifornia0v0\u0010\u0006\u0007*\u0086H\u00ce=\u0002\u0001\u0006\u0005+\u0081\u0004\u0000\"\u0003b\u0000\u0004\u0083.\u0087\/&\u0014\u0091\u0081\u0002%\u00b9\u00f5\u00fc\u00d6\u00bbcx\u00b5\u00f5_?\u00cb\u0004[\u00c75\u00994u\u00fdT\u0090D\u00df\u009b\u00fe\u0019!\u0017e\u00c6\u009a\u001d\u00da\u0005\u000b8\u00d4P\u0083@\u001aCO\u00b2M\u0011-V\u00c3\u00e1\u00cf\u00bf\u00cb\u0098\u0091\u00fe\u00c0i`\u0081\u00be\u00f9l\u00bcw\u00c8\u008d\u00dd\u00afF\u00a5\u00ae\u00e1\u00ddQ[Z\u00fa\u00ab\u0093\u00be\u009c\u000b&\u0091\u00a3f0d0\u0012\u0006\u0003U\u001d\u0013\u0001\u0001\u00ff\u0004\b0\u0006\u0001\u0001\u00ff\u0002\u0001\u00000\u001f\u0006\u0003U\u001d#\u0004\u00180\u0016\u0080\u0014&\u00d7d\u00d9\u00c5x\u00c2Zg\u00d1\u00a7\u00dek\u0012\u00d0\u001bc\u00f1\u00c6\u00d70\u001d\u0006\u0003U\u001d\u000e\u0004\u0016\u0004\u0014\u00eb\u00ae\u0082\u00c4\u00ff\u00a1\u00ac[Q\u00d4\u00cf$a\u0005\u0000\u00bec\u00bdw\u00880\u000e\u0006\u0003U\u001d\u000f\u0001\u0001\u00ff\u0004\u0004\u0003\u0002\u0001\u00060\n\u0006\b*\u0086H\u00ce=\u0004\u0003\u0003\u0003h\u00000e\u00021\u0000\u00dd\u008b\u001a4\u0081\u00a5\u00fa\u00d9\u00db\u00b4\u00e7e{\u0084\u001e\u0014L'\u00b7[\u0087jA\u0086\u00c2\u00b1GWP3r'\u00ef\u00e5TE~\u00f6H\u0095\fc.\\H>p\u00c1\u00020,\u008a`D\u00dc 
\u001f\u00cf\u00e5\u009b\u00c3M)0\u00c1HxQ\u00d9`\u00edju\u00f1\u00ebJ\u00ca\u00be8\u00cd%\u00b8\u0097\u00d0\u00c8\u0005\u00be\u00f0\u00c7\u00f7\u008b\u0007\u00a5q\u00c6\u00e8\u000e\u0007"
                ]
            },
            "authData": "\u00fa]\u00f8\u00a7x=R\u00cc\u00e4\u00a5\u0098\u0013\u0088I\u0019\u00c4<\u00df\u00c8\u000fxz\u0096\u00bdZ[\u0087;\u00f4\u00abIwE\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0014\bT3\u00d4(|\u00b3\u00a0\u001a\u001e\u00c5\u0018\u00f8}w\u00a7;\u0098q\u00a9\u00a5\u0001\u0002\u0003& \u0001!X \u00cd\u00e49\u00d03S\u008c\u00fe\u00df\u001f\n\u00a1]Ff\u00bb,\u0094\u00d5{n\u00a0D\u00fd\u00f6\u008f\u00f2\u009e\u008e\u009c\u0015x\"X \u001d\u0001\u00af\u00e4\u00eb\u0010\u00b1\u0011\u00dd\u00ba\u00ce.\n\u0007I>@7\u0089\u00e9\u00a0K\"\u000b\u00f1\u00c8>t_c\u001c\u00de"
        }
ryden54 commented 4 years ago

I did some tests, based on the packed attestation statement support class, implementing the ASN.1 attribute check in the certificate for the signature. But the iPhone on iOS 14 keeps on sending an aaguid filled with zeros, preventing any match with the statements repository and certificate chain check. It looks like the first point of the issue reported here: https://developer.apple.com/forums/thread/659971?answerId=632081022#632081022

I'm stuck there for now.

Spomky commented 4 years ago

> But the iPhone on iOS 14 keeps on sending an aaguid filled with zeros, preventing any match with the statements repository and certificate chain check.

Thank you for the links.

To get the AAGUID, you must ask for a direct or indirect attestation statement. If none is used and as per the specification: Replace the AAGUID in the attested credential data with 16 zero bytes. In any case, this should not prevent verifying the signature. Essential data is supposed to be in the attestation.

ryden54 commented 4 years ago

I do check that the hash of the attestation challenge and the attested authenticator data matches, that's ok (the hash is in the extensions of the first certificate of the attestation statement, as stated in Apple's doc).

The issue is that I get the zero-filled aaguid in the authenticator's response whenever I'm asking for a direct or indirect attestation statement. I can't find online any reference to the expected aaguid for iOS 14, which could confirm that they're not sending any for the moment...? For now I'm working around this by overriding the aaguid with a custom one if the attestation format is "apple" :vomiting_face:
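The checks ryden54 describes (the nonce carried in the first certificate's extension, the all-zero AAGUID, the unused counter) as an added, stand-alone example. This is not code from webauthn-framework; it uses only the Python standard library, so it takes the raw value of the credCert extension as input and leaves the X.509 chain walk and the x5c signature verification to a real certificate library. The extension OID 1.2.840.113635.100.8.2 and its SEQUENCE { [1] OCTET STRING } layout are taken from the WebAuthn "apple" format section and Apple's DeviceCheck doc, not from this thread, and all sample bytes are constructed.

```python
"""Field-level checks for the WebAuthn "apple" attestation statement format (added example)."""
import hashlib
import struct

# OID of the nonce extension in credCert (assumed from the WebAuthn spec, not from the thread).
APPLE_NONCE_EXT_OID = "1.2.840.113635.100.8.2"
ZERO_AAGUID = bytes(16)  # what iOS 14 sends, per the thread
# COSE_Key header for an EC2 / P-256 / ES256 key, as seen in the thread's authData dump:
# {1: 2, 3: -7, -1: 1, -2: bstr(32) ...} followed by {-3: bstr(32)}.
COSE_P256_PREFIX = bytes.fromhex("a5010203262001215820")
COSE_Y_HEADER = b"\x22\x58\x20"


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticator data: rpIdHash(32) | flags(1) | signCount(4 BE) |
    [aaguid(16) | credIdLen(2 BE) | credId | COSE key] when the AT flag is set."""
    if len(auth_data) < 37:
        raise ValueError("authData too short")
    flags = auth_data[32]
    out = {"rp_id_hash": auth_data[:32], "flags": flags,
           "sign_count": struct.unpack(">I", auth_data[33:37])[0]}
    if flags & 0x40:  # AT: attested credential data present
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        out["aaguid"] = auth_data[37:53]
        out["credential_id"] = auth_data[55:55 + cred_id_len]
        out["cose_key"] = auth_data[55 + cred_id_len:]
    return out


def cose_p256_xy(cose_key: bytes) -> tuple:
    """Extract x, y from the fixed EC2/P-256 COSE layout Apple's authenticator emits."""
    if not cose_key.startswith(COSE_P256_PREFIX) or cose_key[42:45] != COSE_Y_HEADER:
        raise ValueError("not the EC2/P-256 COSE layout this example handles")
    return cose_key[10:42], cose_key[45:77]


def expected_nonce(auth_data: bytes, client_data_hash: bytes) -> bytes:
    """nonce = SHA-256(authenticatorData || clientDataHash)."""
    return hashlib.sha256(auth_data + client_data_hash).digest()


def _der_read(buf: bytes, pos: int) -> tuple:
    """Read one DER TLV at pos; returns (tag, value, next_pos). Handles short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def nonce_from_extension_value(ext_value: bytes) -> bytes:
    """Extension value is SEQUENCE { [1] EXPLICIT OCTET STRING nonce } (assumed from Apple's doc)."""
    tag, seq, _ = _der_read(ext_value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, tagged, _ = _der_read(seq, 0)
    if tag != 0xA1:
        raise ValueError("expected context tag [1]")
    tag, nonce, _ = _der_read(tagged, 0)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    return nonce


def verify_apple_attestation(fmt: str, auth_data: bytes, client_data_hash: bytes,
                             ext_value: bytes, cert_pubkey_xy: tuple) -> dict:
    """Return the per-check results; chain and signature checks happen elsewhere."""
    ad = parse_auth_data(auth_data)
    result = {
        "fmt_ok": fmt == "apple",
        "aaguid_zero": ad.get("aaguid") == ZERO_AAGUID,  # skip metadata lookup when True
        "sign_count": ad["sign_count"],                   # not used by Apple, per the thread
        "nonce_ok": nonce_from_extension_value(ext_value) == expected_nonce(auth_data, client_data_hash),
        "pubkey_ok": cose_p256_xy(ad["cose_key"]) == tuple(cert_pubkey_xy),
    }
    result["ok"] = result["fmt_ok"] and result["nonce_ok"] and result["pubkey_ok"]
    return result


# ---- constructed sample data (not from a real device) ----
def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body  # short-form length is enough for a 32-byte nonce


def build_apple_extension_value(nonce: bytes) -> bytes:
    return _der(0x30, _der(0xA1, _der(0x04, nonce)))


SAMPLE_X, SAMPLE_Y = bytes(range(32)), bytes(range(32, 64))
SAMPLE_CRED_ID = b"constructed-cred-id!"
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest() + bytes([0x45]) + b"\x00\x00\x00\x00"
                    + ZERO_AAGUID + struct.pack(">H", len(SAMPLE_CRED_ID)) + SAMPLE_CRED_ID
                    + COSE_P256_PREFIX + SAMPLE_X + COSE_Y_HEADER + SAMPLE_Y)
SAMPLE_CLIENT_DATA_HASH = hashlib.sha256(b'{"type":"webauthn.create","challenge":"constructed"}').digest()
SAMPLE_EXT_VALUE = build_apple_extension_value(expected_nonce(SAMPLE_AUTH_DATA, SAMPLE_CLIENT_DATA_HASH))

if __name__ == "__main__":
    print(verify_apple_attestation("apple", SAMPLE_AUTH_DATA, SAMPLE_CLIENT_DATA_HASH,
                                   SAMPLE_EXT_VALUE, (SAMPLE_X, SAMPLE_Y)))
```

The point of `aaguid_zero` is that a verifier must not treat the zeroed AAGUID as a lookup failure: with this format the trust decision rests on the nonce check and on the x5c chain up to Apple's root, not on a metadata statement.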

joostd commented 4 years ago

> I don't know what is behind Apple's "Anonymous Attestation".

> Update: https://twitter.com/IAmKale/status/1304986950554644480 It looks like it's a brand new format… without any documentation at the moment.

You can preview documentation from Apple's Jiewen Tan here: https://pr-preview.s3.amazonaws.com/alanwaketan/webauthn/pull/1491.html#sctn-apple-anonymous-attestation

Spomky commented 4 years ago

> You can preview documentation from Apple's Jiewen Tan here: https://pr-preview.s3.amazonaws.com/alanwaketan/webauthn/pull/1491.html#sctn-apple-anonymous-attestation

Excellent! Thank you. By the way I started to implement some features of this new version of the specification. I will create an experimental package with this new format.

ryden54 commented 4 years ago

I don't know if this one is more reliable, but it matches what we saw: https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/ They confirm the aaguid is all zero and the counter is not used.

Spomky commented 3 years ago

Closing as the Apple Attestation Format will be available in the next minor release v3.3.0.

github-actions[bot] commented 1 year ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.