How Not to Handle Keys: Timing Attacks on FIDO Authenticator Privacy

Kepkowski, Michal and Hanzlik, Lucjan and Wood, Ian D. and Kaafar, Mohamed Ali
(2022) How Not to Handle Keys: Timing Attacks on FIDO Authenticator Privacy.
In: 22nd Privacy Enhancing Technologies Symposium (PETS 2022).
Conference: PETS Privacy Enhancing Technologies Symposium (was International Workshop of Privacy Enhancing Technologies)
(In Press)

This is the latest version of this item.

[img]
Preview
Text
popets-2022-0129.pdf - Published Version

Download (2MB) | Preview

Abstract

This paper presents a timing attack on the FIDO2 (Fast IDentity Online) authentication protocol that allows attackers to link user accounts stored in vulnerable authenticators, a serious privacy concern. FIDO2 is a new standard specified by the FIDO industry alliance for secure token online authentication. It complements the W3C WebAuthn specification by providing means to use a USB token or other authenticator as a second factor during the authentication process. From a cryptographic perspective, the protocol is a simple challenge-response where the elliptic curve digital signature algorithm is used to sign challenges. To protect the privacy of the user the token uses unique key pairs per service. To accommodate for small memory, tokens use various techniques that make use of a special parameter called a key handle sent by the service to the token. One of the most popular techniques used by leading token manufacturers (e.g. Yubico), termed key wrapping, stores the encrypted secret key in the server’s database and provides it to the token via the key handle parameter. We identify and analyse a vulnerability in the way the processing of key handles is implemented that allows attackers to remotely link user accounts on multiple services. We show that for vulnerable authenticators there is a difference between the time it takes to process a key handle for a different service but correct authenticator, and for a different authenticator but correct service. This difference can be used to perform a timing attack allowing an adversary to link the same authenticator across different services. Two of the eight hardware authenticators we tested were vulnerable despite FIDO level 1 certification, indicating a not insignificant problem. This vulnerability cannot be easily mitigated on authenticators because, for security reasons, they usually do not allow firmware updates. In addition, we show that due to the way existing browsers implement the WebAuthn standard, the attack can be executed remotely. However, we discuss countermeasures that can be implemented by browser providers to mitigate the remote form of the attack

Available Versions of this Item

Actions

Actions (login required)

View Item View Item