
Security Analysis And Research Of New Generation User Authentication Protocol

Posted on: 2021-08-09
Degree: Master
Type: Thesis
Country: China
Candidate: X L Wang
Full Text: PDF
GTID: 2518306308977489
Subject: Cyberspace security
Abstract/Summary:
User identity verification is an important technical means by which online service systems and enterprise internal information systems ensure that services are provided only to authorized users. At present, username-password is still a commonly used user authentication method, but it has the disadvantages that the password database can easily be dumped or subjected to credential stuffing by an attacker, and that complicated passwords are difficult to remember. The username-password authentication method therefore offers poor security and a poor user experience.

In order to replace the traditional username-password authentication method, the FIDO (Fast Identity Online) Alliance proposed the FIDO UAF protocol, which enables users to register with an online service using a local authentication method (such as fingerprint recognition or a PIN code) and afterwards log in to that online service using the same local authentication. Because no password is needed and identity information is stored on the user's device, which avoids database dump attacks, the FIDO UAF protocol is supported by a large number of manufacturers and has been widely deployed. However, the FIDO protocol is relatively complicated, and related research work has only just begun. The design and implementation of the protocol have not been tested by large-scale real-world experiments, so the security of the protocol in practical applications cannot be guaranteed.

In response to this problem, this thesis studies the implementation of the FIDO UAF protocol on the Android platform, analyzes the security of the FIDO UAF protocol as implemented, identifies the existing security problems and their causes, discusses how these problems could be exploited, and proposes a specific attack. On that basis, the thesis proposes solutions to the security problems and attacks in order to guarantee the security of the FIDO UAF protocol in concrete implementations. The main work and research results of the thesis are as follows.

1. Analyze the security of applications using the FIDO UAF protocol. This thesis designs and implements a batch search tool for UAF applications and uses it to find Android applications in the application market that use the UAF protocol. These applications are then analyzed to obtain their different implementations of the UAF protocol and to find the security issues, including the standardization of the UAF protocol implementation and problems inside the UAF protocol itself.

2. Propose and verify the authenticator rebinding attack. For two different implementation types of the UAF protocol, two different attack processes were designed to bind the attacker's identity information (fingerprints, etc.) to the victim's account. Using this authenticator rebinding attack method, the UAF protocol implementations in the JingDong Finance and Hebao payment applications were successfully attacked.

3. Propose and implement solutions to the security issues of UAF applications. The causes of the security problems are summarized as follows: the implementation of the UAF protocol is not standardized; the implementation of the UAF protocol does not meet the protocol's security assumptions; and the authentication strategy between functional entities in the UAF protocol is single and the coupling between them is weak. The thesis then proposes and designs the corresponding solutions: modify the UAF protocol to improve the authentication strategy between functional entities and increase the coupling between UAF entities; and detect the system environment and the functional entities implementing the UAF protocol. A detection tool for the system environment and UAF functional entities, SecCheck, was implemented.
Keywords/Search Tags: FIDO UAF, Security Analysis, Authenticator Rebinding Attack, Security Detection