Abstract
The FIDO (Fast Identity Online) Universal Authentication Framework (UAF) is a new authentication mechanism that replaces passwords, simplifying the process of user authentication. To this end, FIDO transfers user verification tasks from the authentication server to the user’s personal device. Therefore, the overall assurance level of user authentication depends heavily on the security and integrity of the user device involved. This paper analyses the functionality of FIDO’s UAF protocol and identifies a list of critical vulnerabilities that may compromise the authenticity, privacy, availability, and integrity of the UAF protocol, allowing an attacker to launch a number of attacks, such as capturing the data exchanged between a user and an online service, impersonating a user at any UAF-compatible online service, impersonating online services to the user, and presenting fake information on the user’s screen during a transaction.
Acknowledgments
This research has been funded by the European Commission as part of the ReCRED project (Horizon H2020 Framework Programme of the European Union under GA number 653417).
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Panos, C., Malliaros, S., Ntantogian, C., Panou, A., Xenakis, C. (2017). A Security Evaluation of FIDO’s UAF Protocol in Mobile and Embedded Devices. In: Piva, A., Tinnirello, I., Morosi, S. (eds) Digital Communication. Towards a Smart and Secure Future Internet. TIWDC 2017. Communications in Computer and Information Science, vol 766. Springer, Cham. https://doi.org/10.1007/978-3-319-67639-5_11
DOI: https://doi.org/10.1007/978-3-319-67639-5_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67638-8
Online ISBN: 978-3-319-67639-5
eBook Packages: Computer Science (R0)