Web Authentication
Abstract
The substance is the same as FIDO: the user's identity is authenticated with an asymmetric key pair (the private key never leaves the authenticator; the relying party stores only the public key).
Web Authentication API
What is FIDO2 and Web Authentication?
Key data flow for registration
- The client triggers registration.
- The relying party server sends the challenge and the related registration configuration to the client.
- The client assembles this information and passes it to the authenticator.
- After the authenticator's checks succeed (e.g. user verification), it randomly generates a key pair and, from the information above, produces an attestation (which contains a signature; the idea is similar to a PKCS#10 CSR).
- The authenticator returns the public key, the attestation and related data to the client.
- The client assembles the data provided by the authenticator and sends it to the relying party server.
- After the relying party server's checks succeed, it stores the key information (e.g. the credential id, the public key, etc.).
Key data flow for authentication
- The client triggers authentication.
- The relying party server sends the challenge and the related authentication configuration to the client.
- The client passes the relying party id and the data hash (the hash of the client data containing the challenge) to the authenticator.
- After the authenticator's checks succeed, it signs over the authenticator data and the data hash.
- The authenticator returns the signed data to the client.
- The client assembles the data provided by the authenticator and sends it to the relying party server.
- After the relying party server's checks succeed, the client is logged in.
Related protocol documents
RFC8264, RFC8265, RFC8266: PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols
Client to Authenticator Protocol (CTAP)
RFC7049: Concise Binary Object Representation (CBOR)
RFC8152: CBOR Object Signing and Encryption (COSE)
RFC8230: Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages