
Protecting FIDO Extensions Against Man-in-the-Middle Attacks

  • Conference paper
  • In: Emerging Technologies for Authorization and Authentication (ETAA 2022)

Abstract

FIDO authentication has many advantages over password-based authentication, since it relies on proof of possession of a security key. It eliminates the need to remember long passwords and, in particular, is resistant to phishing attacks. Beyond that, the FIDO protocols consider protocol extensions for more advanced use cases such as online transactions. FIDO extensions, however, are not well protected from Man-in-the-Middle (MitM) attacks. This is because the specifications require a secure transport between client and server, but there exists no end-to-end protection between server and authenticator.

In this paper, we discuss MitM scenarios in which FIDO extensions may be intercepted. We further propose an application-layer security protocol based on the CBOR Object Signing and Encryption (COSE) standard to mitigate these threats. This protocol was verified in a formal security evaluation using ProVerif and, finally, implemented in a proof-of-concept.


Notes

  1. ProVerif model: https://github.com/Digital-Security-Lab/protecting-fido-extensions-proverif
  2. Proof-of-concept implementation: https://github.com/Digital-Security-Lab/protecting-fido-extensions-poc
  3. COSE library: https://github.com/abuettner/cose-lib



Corresponding author: Andre Büttner.


Copyright information

© 2023 Springer Nature Switzerland AG


Cite this paper

Büttner, A., Gruschka, N. (2023). Protecting FIDO Extensions Against Man-in-the-Middle Attacks. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2022. Lecture Notes in Computer Science, vol 13782. Springer, Cham. https://doi.org/10.1007/978-3-031-25467-3_5


  • DOI: https://doi.org/10.1007/978-3-031-25467-3_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25466-6

  • Online ISBN: 978-3-031-25467-3

  • eBook Packages: Computer Science (R0)
