A Security Evaluation of FIDO’s UAF Protocol in Mobile and Embedded Devices

  • Conference paper
  • Digital Communication. Towards a Smart and Secure Future Internet (TIWDC 2017)

Abstract

The FIDO (Fast Identity Online) Universal Authentication Framework (UAF) is a new authentication mechanism that replaces passwords and simplifies the process of user authentication. To this end, FIDO transfers user verification tasks from the authentication server to the user’s personal device. The overall assurance level of user authentication is therefore highly dependent on the security and integrity of the user’s device. This paper analyses the functionality of FIDO’s UAF protocol and identifies a list of critical vulnerabilities that may compromise the authenticity, privacy, availability, and integrity of the UAF protocol, allowing an attacker to launch a number of attacks, such as capturing the data exchanged between a user and an online service, impersonating a user at any UAF-compatible online service, impersonating online services to the user, and presenting fake information on the user’s screen during a transaction.



Acknowledgments

This research has been funded by the European Commission as part of the ReCRED project (Horizon 2020 Framework Programme of the European Union, under GA number 653417).

Corresponding author

Correspondence to Christos Xenakis.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Panos, C., Malliaros, S., Ntantogian, C., Panou, A., Xenakis, C. (2017). A Security Evaluation of FIDO’s UAF Protocol in Mobile and Embedded Devices. In: Piva, A., Tinnirello, I., Morosi, S. (eds) Digital Communication. Towards a Smart and Secure Future Internet. TIWDC 2017. Communications in Computer and Information Science, vol 766. Springer, Cham. https://doi.org/10.1007/978-3-319-67639-5_11

  • DOI: https://doi.org/10.1007/978-3-319-67639-5_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-67638-8

  • Online ISBN: 978-3-319-67639-5
