
Research On FIDO UAF Authentication Protocol’s Security

Posted on: 2017-02-15
Degree: Master
Type: Thesis
Country: China
Candidate: K X Hu
GTID: 2308330485953728
Subject: Information and Communication Engineering
Abstract/Summary:
Cryptographic protocols are a fundamental building block for securing electronic communication and an important direction in cryptographic research. Built on top of cryptographic algorithms, they provide implementation schemes for the secrecy requirements of practical systems. With the pervasive deployment of electronic commerce (online shopping, e-banking and so on), authentication protocols have become an important sub-field of cryptographic protocol research, and the design of an authentication protocol directly determines how secure a user's online authentication is.

So far, most websites and servers authenticate users with a username and password. Password-based authentication has well-known weaknesses: users must remember many distinct, long passwords; password databases leak; and the transport environment may be insecure. The FIDO (Fast IDentity Online) UAF (Universal Authentication Framework) protocol standard was proposed to remove or weaken users' dependence on passwords and to achieve "password-less" strong user authentication. During a run of the UAF protocol the server obtains no user secret; the secrets never leave the user's device. Instead, the user presents a local biometric or PIN to his authenticator to pass user verification, and is spared from memorising passwords. Although UAF has drawn attention from companies such as Google, Microsoft and Intel, no security analysis of the protocol had been published at the time of this work.

Research on the security of a cryptographic protocol starts by describing the protocol from a security perspective, which is the cornerstone for all later work. Analysing the security goals, which are the criteria against which the protocol is measured, is equally fundamental. Furthermore, the complexity of the operating environment and the presence of attackers with malicious intent pose great challenges to protocol security; whether a protocol admits attacks under specific application conditions, because of flaws in its design or in its execution, becomes the focus of attention. This thesis addresses these issues, with the following results:

1. Following the standard's specification, we present cryptographic abstractions of the FIDO UAF registration protocol and authentication protocol respectively, explain the concrete execution steps on the basis of these abstractions, and discuss the key points of the implementation process.

2. We analyse seven security goals: strong user authentication, verifier leak resilience, authenticator leak resilience, attestable properties, forgery resistance, parallel session resistance and transaction non-repudiation. Starting from the definitions in the specification, we first describe the attacker's abilities and the attack goal for each item, then reduce each goal to identified security assumptions and explain the reduction.

3. Combining the cryptographic abstractions, we propose three attacks on the FIDO UAF protocol, which we call the "Mis-Binding" attack, the "Parallel Session" attack and the "Multi-User" attack, and give a fix for the first. In each attack the result is that the attacker impersonates a legitimate user to pass online authentication.
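The following Go program is an added illustration of the cryptographic abstraction sketched above; it is not code from the thesis or from the FIDO specification. It models registration (the authenticator generates a key pair per relying party and hands over only the public key) and authentication (the server issues a single-use random challenge, the authenticator signs it with the key bound to that server's AppID, the server verifies with the stored public key). The scenario checks three things the abstract discusses: the server database holds no user secret, a replayed assertion is rejected, and an assertion signed for one AppID is rejected by a different server even if that server knows the same public key. The AppIDs, the user name "alice", one P-256 key per (AppID, user), the 32-byte challenge, the digest layout, and the omission of attestation and of a signature counter are assumptions of this example, not details of the thesis or the specification; the attacks the thesis proposes are not described in the abstract and are not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator keeps the private keys; they never leave it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // keyed by AppID + "|" + username (assumed layout)
}

// Server (relying party) stores only public keys and outstanding challenges,
// so a leaked server database contains no user secret.
type Server struct {
	AppID      string
	pub        map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewServer(appID string) *Server {
	return &Server{AppID: appID, pub: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// signedDigest binds the signature to the server identity (AppID) and to the
// fresh challenge (assumed layout, not the specification's assertion format).
func signedDigest(appID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(appID + "\x00")) // AppID is a URL, so NUL is a safe separator
	h.Write(challenge)
	return h.Sum(nil)
}

// NewChallenge issues a fresh random challenge and remembers it for one use.
func (s *Server) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[user] = c
	return c
}

// Register creates a key pair bound to (AppID, user); the server gets only the public half.
func (a *Authenticator) Register(s *Server, user string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[s.AppID+"|"+user] = priv
	s.pub[user] = &priv.PublicKey
}

// Authenticate signs the challenge with the key registered for appID (the local
// biometric/PIN unlock that precedes signing is not modelled).
func (a *Authenticator) Authenticate(appID, user string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[appID+"|"+user]
	if !ok {
		return nil, fmt.Errorf("no key for %s at %s", user, appID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, challenge))
}

// Verify consumes the outstanding challenge and checks the signature with the
// stored public key under the server's own AppID.
func (s *Server) Verify(user string, sig []byte) error {
	pub, ok := s.pub[user]
	c, fresh := s.challenges[user]
	if !ok || !fresh {
		return errors.New("unknown user or no outstanding challenge") // replays stop here
	}
	delete(s.challenges, user)
	if !ecdsa.VerifyASN1(pub, signedDigest(s.AppID, c), sig) {
		return errors.New("signature invalid") // wrong key or wrong AppID
	}
	return nil
}

// RunScenario reports whether an honest login succeeds, a replayed assertion is
// rejected, and an assertion signed for bank's AppID is rejected by a second
// server that holds the same public key.
func RunScenario() (authenticated, replayRejected, crossAppRejected bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank, other := NewServer("https://bank.example"), NewServer("https://other.example")
	auth.Register(bank, "alice")
	other.pub["alice"] = bank.pub["alice"] // same public key known to both servers
	sig, _ := auth.Authenticate(bank.AppID, "alice", bank.NewChallenge("alice"))
	authenticated = bank.Verify("alice", sig) == nil
	replayRejected = bank.Verify("alice", sig) != nil
	sig2, _ := auth.Authenticate(bank.AppID, "alice", other.NewChallenge("alice")) // signed for bank
	crossAppRejected = other.Verify("alice", sig2) != nil
	return
}

func main() {
	fmt.Println(RunScenario()) // true true true
}
```

The two properties worth noticing are that `Server` holds nothing an attacker could use to impersonate the user after a database leak (the verifier leak resilience goal), and that because the AppID is part of the signed data, a signature obtained for one relying party does not verify at another; a real UAF assertion additionally carries a signature counter and attestation data, which this sketch omits.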
Keywords/Search Tags: FIDO UAF protocol, online authentication, cryptographic abstraction of the protocol, security reduction, impersonation attack