Abstract
FIDO authentication has many advantages over password-based authentication, since it relies on proof of possession of a security key. It eliminates the need to remember long passwords and, in particular, is resistant to phishing attacks. Beyond that, the FIDO protocols consider protocol extensions for more advanced use cases such as online transactions. FIDO extensions, however, are not well protected from Man-in-the-Middle (MitM) attacks. This is because the specifications require a secure transport between client and server, but there exists no end-to-end protection between server and authenticator.
In this paper, we discuss MitM scenarios in which FIDO extensions may be intercepted. We further propose an application-layer security protocol based on the CBOR Object Signing and Encryption (COSE) standard to mitigate these threats. This protocol was verified in a formal security evaluation using ProVerif and, finally, implemented in a proof-of-concept.
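As an added illustration of the principle the abstract describes, and not the paper's own protocol or code, the following Python shows why transport security alone is insufficient: extension data that only TLS protects can be rewritten by a MitM sitting in the client, whereas a COSE structure (here a COSE_Mac0 with HMAC-SHA256, RFC 8152/RFC 8949 encoding) computed by the server and checked by the authenticator detects the change. The shared key, the extension identifier and the transaction text are assumptions constructed for the example.

```python
"""Added example: end-to-end integrity for FIDO extension data via COSE_Mac0.
Assumes server and authenticator share a MAC key (e.g. from registration)."""
import hmac, hashlib

def _head(major, n):
    """CBOR initial byte(s) for major type `major` with argument `n` (RFC 8949)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for this encoder")

def cbor_encode(v):
    """Minimal CBOR encoder for ints, bytes, str, list and dict."""
    if isinstance(v, int) and not isinstance(v, bool):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(map(cbor_encode, v))
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

PROTECTED = cbor_encode({1: 5})  # protected header: alg (label 1) = HMAC 256/256 (5)

def _mac(key, protected, payload):
    # MAC_structure = ["MAC0", body_protected, external_aad, payload] (RFC 8152 s6.3)
    return hmac.new(key, cbor_encode(["MAC0", protected, b"", payload]), hashlib.sha256).digest()

def protect_extension(key, extension):
    """Server side: wrap the extension map into a COSE_Mac0 [protected, unprotected, payload, tag]."""
    payload = cbor_encode(extension)
    return [PROTECTED, {}, payload, _mac(key, PROTECTED, payload)]

def verify_extension(key, mac0):
    """Authenticator side: True only if payload and protected header are unmodified."""
    protected, _unprotected, payload, tag = mac0
    return hmac.compare_digest(tag, _mac(key, protected, payload))

def mitm_demo():
    """Constructed scenario: a MitM in the client rewrites the transaction text."""
    key = b"\x11" * 32                                   # constructed shared key
    msg = protect_extension(key, {"txAuthSimple": "Pay 10 EUR to Alice"})  # constructed extension
    tampered = list(msg)                                 # same headers and tag, new payload
    tampered[2] = cbor_encode({"txAuthSimple": "Pay 1000 EUR to Mallory"})
    return verify_extension(key, msg), verify_extension(key, tampered)
```

`cbor_encode(msg)` yields the wire form the server would send through the client to the authenticator; the tag is bound to the payload, so any rewrite in between fails verification.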
© 2023 Springer Nature Switzerland AG
Cite this paper
Büttner, A., Gruschka, N. (2023). Protecting FIDO Extensions Against Man-in-the-Middle Attacks. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2022. Lecture Notes in Computer Science, vol 13782. Springer, Cham. https://doi.org/10.1007/978-3-031-25467-3_5
DOI: https://doi.org/10.1007/978-3-031-25467-3_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25466-6
Online ISBN: 978-3-031-25467-3