Token meets Wallet: Formalizing Privacy and Revocation for FIDO2 - Cryptology ...

Page created by Doris Weber
 
CONTINUE READING
Token meets Wallet: Formalizing Privacy and Revocation for FIDO2 - Cryptology ...
Token meets Wallet:
 Formalizing Privacy and Revocation for FIDO2
 Lucjan Hanzlik Julian Loss Benedikt Wagner
 hanzlik@cispa.de loss@cispa.de benedikt.wagner@cispa.de
 CISPA Helmholtz Center for CISPA Helmholtz Center for CISPA Helmholtz Center for
 Information Security Information Security Information Security

ABSTRACT (something she has). This is usually implemented by registering a
The FIDO2 standard is widely-used class of challenge-response device to the user account.
type protocols that allows to authenticate to an online service Universal Second Factor (U2F) (or CTAP1, as it is currently
using a hardware token. Barbosa et al. (CRYPTO ‘21) provided the named) is a protocol to achieve two-factor authentication using a
first formal security model and analysis for the FIDO2 standard. designated device. This cryptographic hardware token (also called
However, their model has two shortcomings: (1) it does not include authenticator) runs a simple piece of code and interacts with the
privacy, one of the key features claimed by FIDO2 (2) their model user’s platform (also called client or agent) represented, e.g., by
and proofs apply only to tokens that store all secret keys locally. In a web browser. The agent acts as a proxy device during the au-
contrast, due to limited memory, most existing FIDO2 tokens use thentication process between an authenticator and a server (also
one of the following approaches to handle an unlimited number of called relying party). The main benefit of this solution over the
keys. Key derivation derives a fresh per-server secret key from a login/password approach is the protection against phishing attacks
common seed. Key wrapping stores an encryption of the key on the and database breaches.
server and retrieves them for each authentication. These approaches CTAP1/U2F and its successor CTAP2 are part of the FIDO au-
substantially complicate the protocols and their security analysis. thentication specification [2]. Together with the complement W3C
In particular, they bear additional risks for privacy and security of web authentication [3] they form the state-of-the-art for online
FIDO2 that are not captured in the model Barbosa et al. model. authentication using security tokens.
 In this paper, we revisit the security of the FIDO2 as implemented In recent work, Barbosa et al. [6] gave the first formal model
in practice. Our contributions are as follows. (1) We adapt the model for token-based two-factor authentication and provided a security
of Barbosa et al. so as to capture authentication tokens using key proof for the FIDO2 standard. On one hand, their model provides an
derivation or key wrapping. (2) In our adapted model, we provide important starting point for further exploration of FIDO2’s security
the first formal definition of privacy for FIDO2 and show that these properties. On the other hand, it does not accurately model several
common FIDO2 token implementations are secure in our model, if key aspects of FIDO2 as used in practice. In this work, we revisit
the underlying building blocks are chosen appropriately. (3) Finally, the FIDO2 standard and give a more complete security analysis of
we address the unsolved problem of global key revocation in FIDO2. its security features. We also augment the existing standard with
We first provide appropriate syntax of a revocation procedure and a new feature that allows to easily revoke keys of compromised
extend our model to support this feature. We then provide the tokens.
first secure global key revocation protocol for FIDO2. Our solution
is based on the popular BIP32 standard used in cryptocurrency 1.1 Our Contribution
wallets. We begin by identifying several disparities between the model of
 Barbosa et al. and how FIDO2 is commonly used in practice, which
CCS CONCEPTS we explain below. For each of these points, we explain how our
• Security and privacy → Mathematical foundations of cryp- work amends the existing security model to close these gaps. We
tography; Security protocols; also discuss a practical feature for key revocation that we call global
 revocation. To the best of our knowledge, this property of FIDO2
KEYWORDS has not been discussed or formalized prior to this work.
FIDO2; BIP32; unlinkability; revocation; Attestation. Barbosa et al. consider a model where the authentica-
 tor and the relying party are initially provided a pair of attestation
1 INTRODUCTION secret key and attestation public key by the (trusted) manufacturer.
 While attestation is common practice for critical interactions such
Online authentication is one of the most pressing challenges faced as banking transactions, it is rarely used for more mundane scenar-
by security engineers and cryptographers today. Reliable authen- ios such as logging in to an internet account. Also, naive attestation
tication is an important concern for both the security of user’s violates privacy [23]. Therefore, to reason about the security and
accounts as well as the reputation of service providers. A simple privacy of FIDO2 in its most widely used form, we consider a model
way to strengthen the security of an authentication process is to without attestation.
introduce additional authentication factors. Usually, the user has to
just provide a login and password (something she knows). A popular Resident Keys vs. Privacy. FIDO2 can be used in two different
way to introduce a second factor is for the user to use a device modes. The first is to store the secret keys of the authenticator
 1
locally, i.e., on the authentication token. Such keys are known as FIDO2 remain secure against impersonation if the random seed is
resident keys. In practice, a more common way is to store (encrypted) ever leaked?
keys with the server, in the form of so-called non-resident keys. This Crypto Wallets to the Rescue. Fortunately, we can rely on a
technique is also called key wrapping. Another approach to non- practical solution from the cryptocurrency space to solve this is-
resident keys is to use a key derivation function. Since the token sue. A common approach to store a multitude of keys compactly
is often limited with regards to storage space, non-resident keys is to use deterministic key derivation1 . Considering the case of
provide a distinct storage advantage over resident keys. BIP32, the most widely implemented procedure for determinis-
 On the downside, non-resident keys give the server additional tic key derivation, keys are derived from a pair of master keys
information that it may use to link separate sessions of the token. msk ∈ Z , mpk = msk and a chaincode chain. Here, denotes
This violates the privacy properties claimed by many common the base point of an elliptic curve and chain can be thought of
implementations of FIDO2. as a random seed. To derive a fresh key pair for an identity id,
 Let us illustrate this using a (pathological) implementation of key BIP32 first computes = Hash(id, chain, mpk), then sets skid :=
wrapping. Assume that the server stores ciphertexts of the form msk + , pkid := mpk · . Proving that ECDSA signatures remain
(Enc( , sk), ( )), where Enc is a symmetric encryption scheme, unforgeable with respect to keys derived in this fashion once chain
is a hash function, denotes the encryption key, and sk denotes the is leaked turns out be non-trivial. In recent work, Das et al. were the
signing key used for authentication. Observe that the above scheme first to consider this stronger form of unforgeability and showed
appends a hash of the secret encryption key to the ciphertext of Enc. that it holds given that no message is ever signed twice [14]. On the
It is not hard to see that if is modelled as a random oracle with other hand, the above procedure provides a very simple means of
independent randomness of Enc, the above scheme remains secure. global revocation. To revoke all public keys associated with a pair
However, ciphertexts produced by the same token (i.e., using the msk, mpk, all one needs to do is to publish chain. Now, each relying
same key ) can trivially be linked using the second component. party can revoke the appropriate public keys by deterministically
Interestingly, we observe that the Yubico implementation of FIDO2 recomputing them (for suitable identities) from mpk and chain.
[32] uses an authenticated encryption scheme based on CCM-mode Given the widespread use of BIP32, our solution offers a practical
of encryption. To the best of our knowledge, key anonymity (i.e., means of global key revocation that can be directly implemented
unlinkability of ciphertexts produced with the same encryption using a multitude of existing hardware devices.
key) of this mode of encryption has not been formally explored.
 The above discussion shows that the use of non-resident keys 1.2 Related Work
leads to unexpected subtleties with regards to privacy across dif-
ferent sessions of the same token. Unfortunately, as Barbosa et The first formal model for the FIDO2 authentication protocol was
al. consider exclusively the setting of resident keys, their model proposed by Barbosa et al. [6]. The authors introduced the notion of
does capture privacy gurantees. One of our key contributions is to passwordless authentication that models the Webauthn protocol in
augment their model with a suitable notion of privacy. the scenario when the token uses resident keys. They also introduce
 a security model for PIN-based access control that tries to formally
 define the CTAP protocol executed between the token and the client.
Adding Global Revocation. When using FIDO2, a crucial aspect Barbosa et al. show that CTAP only provides a weaker notion of
is how to securely revoke keys in case access to the authentication access control and propose an alternative protocol based on a PAKE.
token is ever lost. Indeed, the usability study by Lyastani et al. [26] Guirat et al. [23] analyzed the Webauthn protocol using auto-
shows that one of the top concerns of users is that an adversary mated verification and modeled a simple privacy definition. They
can gain access to their account in case their FIDO2 authenticator showed that if the same key is used for attestation it allows a server
gets lost or is stolen. In such a case, we desire a public procedure to link the same token. Feng et al. [20] also used automated ver-
that allows to simultaneously revoke all keys associated with such ification to check the FIDO UAF protocol. Potential security and
an authenticator. We stress that this includes also any future keys privacy issues that arise during the development phase of FIDO
that the (compromised) authenticator may attempt to register with components were discussed by Alam et al. [4].
the relying party. We refer to such a procedure as global revocation. Another line of related work provides alternative protocols and
Despite significant benefits, current authenticator implementations usability studies. Chakraborty et al. [11] used a TPM implemen-
do not support global revocation. tation (simTPM) based on a sim card, as a secure and convenient
 Implementing the key generation process on the authenticator FIDO2 authenticator. The problem of backdoored FIDO tokens was
in a way that is compatible with global revocation is challenging. To discussed Dauterman et al. [16]. They introduced an alternative
see the issue, suppose that the authenticator naively generates each design for a token, which is resistant against backdoors introduced
key pair using a fresh random seed. In this case, it is not possible to to the device by the manufacturer. Frymann et al. [22] discussed
revoke any of the future keys that the authenticator could derive the token backup procedure proposed by Yubico. A usability and
post-compromise. Thus, any solution for global revocation seems acceptability study of FIDO2 was done by Lyastani et al. [26]. Flo-
to require that the authenticator generates keys using correlated rian et al. [19] show that despite security benefits, hardware tokens
randomness (e.g., deterministically from the same seed). Later, it face acceptability challenges in small companies.
can reveal this randomness to revoke all past and future keys at From a cryptographic point of view, FIDO2 is a simple authen-
once. However, this solution might introduce different issues: first, tication scheme, a primitive which has been extensively studied.
is it possible to link sessions if keys are correlated? Second, does 1 Such a mechanism is colloquially referred to as a wallet.
 2
Everything started with simple solutions. One of the first and well- • Setup. The experiment generates (sk, pk) via (sk, pk) ←
known protocols is the Schnorr identification scheme [29]. Authen- kg(param). It runs the adversary A on input pk.
ticated key exchange (AKE) protocols [17, 24, 25] simultaneously to • Online Phase. In this phase, A is given access to oracle
authentication provide means to agree on a secret key between the Sign, which takes as input a message and returns the
interacting parties. A different approach to authentication is the signature ← sign(sk, ).
folklore challenge-response protocol based on signature schemes, • Output Phase. When A returns ( ∗, ∗ ), the experiment
which FIDO2 is based on. This technique provides a framework returns 1 if ver(pk, ∗, ∗ ) = 1 and ∗ was not queried to
for creating authentication protocols. Instantiated with group sig- Sign. Otherwise, it returns 0.
natures [7, 12] the protocol provides a way for group members to A as
 We define the advantage of A in euf-cmasig
anonymously authenticate to a server. A direct solution introduced
 A A
by Teranishi, Furukawa, and Sako is anonymous authentication Adveuf-cma,sig := Pr[euf-cmasig = 1].
[10, 30] .
 Definition 2.3 (Rerandomizable Signature Scheme.). A rerandom-
 Dwork, Naor and Sahai [18] introduced the concept of deniable
 izable signature scheme is a tuple of algorithms sig = (kg, sign,
authentication where an interaction between the parties cannot
 srerand, prerand, ver), where (kg, sign, ver) is a digital signature
be used as undeniable proof of interaction. This notion was later
 scheme, and algorithms srerand, prerand have the following prop-
extended to proof systems [27]. An alternative approach to authen-
 erties.
tication using a hardware device is the extended access control
protocol (EAC) [9, 13] for machine-readable travel documents (e.g. • The deterministic secret key rerandomization algorithm
e-Passports). This protocol is used for local authentication can be srerand takes as input a secret key sk and a string . It
easily be used to authenticate the document online. outputs a rerandomized key sk .
 • The deterministic public key rerandomization algorithm
2 PRELIMINARIES prerand takes as input a public key pk and a string . It
 outputs a rerandomized key pk .
In this section we fix some notation and provide the necessary
cryptographic background that will be needed for our analysis. Moreover, we require that for all (sk, pk) ∈ kg(param), key pairs
 (sk , pk ) generated as ← {0, 1} , sk := srerand(sk, ), and
Notation. We denote by ← A ( ) the execution of algorithm A pk := prerand(pk, ) are identically distributed to key pairs gen-
on input and with output . We write ∈ A ( ) to indicate that
 erated via (sk ′, pk ′ ) ← kg(param).
 is a possible output of A on input . By ← $
 we mean that 
is chosen uniformly at random over the set . We will use [ ] to We next recall the security notion of unforgeability under hon-
denote the set {1, . . . , }. Throughout the paper, we assume public estly rerandomized keys [14, 15].
parameters param are given implicitly to all algorithms. Definition 2.4 (Unforgeability under Honestly Rerandomized Keys.).
Signatures. We recall the standard notion of digital signatures. Let sig = (kg, sign, srerand, prerand, ver) be a rerandomizable sig-
 nature scheme and consider the experiment ufcma-hrk1sig A defined
We also introduce the notion of rerandomizable signature schemes
[15, 21] and the corresponding security notion. as follows:
 • Setup. The experiment generates (sk, pk) via (sk, pk) ←
 Definition 2.1 (Digital Signature Scheme.). A digital signature
 kg(param). It runs the adversary A on input pk.
scheme is a tuple of algorithms sig = (kg, sign, ver) with the follow-
 • Online Phase. In this phase, A is given access to oracles
ing properties.
 Sign and Rand:
 • The randomized key generation algorithm kg takes as input – Rand takes no inputs and returns ← {0, 1} .
 parameters param. It outputs a secret key and public key – Sign takes as input a message and a string ∈
 (sk, pk).
 {0, 1} . If was not a previous output of Rand or the
 • The randomized signing algorithm sign takes as input a
 pair ( , ) has been queried before, Sign returns ⊥.
 secret key sk and a message . It outputs a signature .
 Otherwise, it returns the signature computed via
 • The deterministic verification algorithm ver takes as input
 ← sign(srerand(sk, ), ).
 a public key pk a signature , and a message . It outputs
 • Output Phase. When A returns ( ∗, ∗, ∗ ), the experi-
 0 (reject) or 1 (accept).
 ment returns 1 if ver(prerand(pk, ∗ ), ∗, ∗ ) = 1, ∗ was
We say that a digital signature scheme is correct if for all (sk, pk) ∈ a previous output of Sign, and ( ∗, ∗ ) was not queried to
kg(param) and all messages ∈ {0, 1}∗ we have Sign. Otherwise, it returns 0.
 Pr [ver(pk, , ) = 1] = 1. A as
 We define the advantage of A in ufcma-hrk1sig
 ←sign(sk, )
 A A
Further, without loss of generality, we assume that secret keys are Advufcma-hrk1,sig := Pr[ufcma-hrk1sig = 1].
chosen uniformly at random and there is an algorithm toPK that
maps secret keys to public keys, i.e. pk := toPK(sk). Symmetric Key Encryption. Here, we recall the definition of
 symmetric key encryption that is both authenticated and anony-
 Definition 2.2 (Unforgeability under Chosen Message Attacks.). mous. For the definition of security, we follow [5]. We note that
Let sig = (kg, sign, ver) be a digital signature scheme and consider a scheme that satisfies this notion can be constructed using for
the experiment euf-cmasig A defined as follows:
 example the OCB mode of operation [28].
 3
Definition 2.5 (Symmetric Key Encryption Scheme.). A symmet- Non-Resident Keys. To accommodate for memory-constraints,
ric key encryption scheme (SKE) is a tuple of algorithms ske = tokens commonly implement one of two techniques for outsourcing
(Gen, Enc, Dec) with the following properties. secret key storage that we describe below. Keys that are not stored
 • The randomized key generation algorithm Gen takes as on the token are called non-resident keys. By contrast, resident keys
 input parameters param. It outputs a secret key sk. are kept internally by the token.
 • The randomized encryption algorithm Enc takes as input a The first technique to outsource key storage is referred to as
 secret key sk and a message . It outputs a ciphertext . key wrapping. The server-specific secret key sk is encrypted and
 • The deterministic decryption algorithm Dec takes as input the resulting ciphertext cid (the credential identifier) is stored on
 a secret key sk and a ciphertext . It outputs either ⊥ or a the server. During authentication, cid is returned by the server and
 message . allows the token to restore sk. The server uses a structure known
 as a key handle to send cid to the token for authentications.
 Definition 2.6 (Authenticated Anonymous Security for SKE.). Let The second technique uses a key derivation function to compute
ske = (Gen, Enc, Dec) be a symmetric key encryption scheme. For the server-specific key pair using a master secret, id and a random
an algorithm A and a bit ∈ {0, 1}, consider the following experi- seed cid chosen by the token during registration. Similarly to key
 A :
ment anon-authske, wrapping, cid is stored (with no encryption necessary) on the server
 and can be retrieved for later authentication via the key handle
 • Setup. The experiment generates a key sk ← Gen(param) structure.
 and initializes a map [·].
 • Online Phase. The adversary A is run on input param Attestation. If required by the server, the public key pk and other
 with oracle access to oracles EncO , DecO , which are data can also be attested by the token. In the following, we explain
 defined as follows. two ways to implement attestation.
 – EncO0 ( ): Return ← Enc(sk, ). The first option is to create an attestation signature using a fresh
 – DecO0 ( ): Return := Dec(sk, ). key pair. This approach requires the token to receive a certificate
 – EncO1 ( ): Sample a ciphertext uniformly at ran- for each key pair. To receive such a certificate, the token must au-
 dom, define [ ] := and return . thenticate itself to the certification authority (also called privacy
 – DecO1 ( ): If [ ] ≠⊥, return [ ]. Otherwise, return CA) using a special endorsement key, which is loaded during man-
 ⊥. ufacturing. Note that the same key cannot be used to attest public
 • Output Phase. The adversary outputs a bit ′ . The exper- keys for different services since this would immediately break un-
 iment outputs ′ . linkability of separate user sessions with the server. Attestation, in
 this case, consists of a signature and an attestation certificate for
We define the advantage of A against authenticated anonymous
 the signing key.
security of ske as
 The second option is the elliptic curve direct anonymous attes-
 A tation scheme (ECDAA) [1] where an interaction with a privacy
 Advanon-auth,ske := CA is not needed. Instead, the token receives a randomizable cer-
 A A tificate on a secret signing key, e.g. by the manufacturer. To verify
 Pr[anon-authske,0 = 1] − Pr[anon-authske,1 = 1] .
 an attestation signature, the server is only required to use a public
 key provided by the CA. In other words, besides the authenticity
3 MODELING THE FIDO2 PROTOCOL of the attestation, the signature does not leak the signer’s identity
We begin this section with an informal description of the FIDO2 but only that the signer is certified. An advantage of ECDAA is that
standard. It can be used as means of passwordless authentication there is no need for an attestation certificate as with a privacy CA.
or as a second-factor for the standard login-via-password scenario. We note that the model and analysis in [6] focuses on attesta-
 The FIDO2 protocol template consists of a registration and an au- tion with a fixed key instead of the unlinkable attestation options
thentication process executed between a token (also called authen- discussed above.
ticator) and a server (also called relying party). This communication
is relayed through a client (also called agent) which is implemented Authentication. The authentication process begins with the server
e.g. by the user’s browser. More precisely, the user connects to the sending the following data to the client: the key handle generated
server via client interface and simultaneously interacts with the during registration, including cid, the server’s identifier id , and
token. Below we provide a simplified description of the protocol. A a challenge for the token to sign. The client processes this data,
schematic overview can be found in Figure 1. adds extensions (e.g. information about the https connection) and
 forwards it to the token. The token restores the server-specific
Registration. The main purpose of the registration protocol is signing key sk, signs the received data, and returns the signature
to bind the token to the user’s account on the server. During this to the server which accepts if the signature is valid. This signature
step, the server sends a unique identifier id (which is based on the is also called an assertion. An optional way to prevent physical
server’s domain name e.g. login.example.com) and a challenge cloning attacks is to implement a counter mechanism on the token.
 to the client. This data is then processed and sent to the token
which generates a server-specific key pair (sk, pk) and sends pk to 3.1 Passwordless Authentication
the server via the client. The server stores this key and additional We model passwordless authentication for the non-resident key
information in a credential cred. case as follows. Similar to [6], in our model we consider a set of
 4
– The randomized authentication response algorithm
 aresponse takes as input a master secret key msk, a
 challenge, RPID challenge, RPID
 server identity id and a message and outputs a
 response .
 pkID , key handle pkID , key handle
 – The deterministic authentication check algorithm acheck
 attestation certificate
 attestation signature
 attestation certificate
 attestation signature
 takes as input a credential identifier cid and a response
Token Agent (e.g. Browser) Relying Party (Service)
 and outputs a bit ∈ {0, 1}
 challenge, RPID challenge, RPID
 Algorithms rchallenge, rcheck, achallenge, acheck are executed by
 key handle key handle servers ∈ S, algorithms rcommand, acommand are executed by
 assertion signature
 clients (which are not explicitly modeled in security definitions), and
 assertion signature
 the corresponding algorithms rresponse, aresponse are executed
Token Agent (e.g. Browser) Relying Party (Service)
 by tokens ∈ T .
Figure 1: Registration (top) and authentication (bottom) in Definition 3.2 (Completeness of PlANRK). We say that a PlANRK
the FIDO2 authentication process (simplified). PlANRK = (Gen, Reg, Auth) with Reg = (rchallenge, rcommand,
 rresponse, rcheck) and Auth = (achallenge, acommand, aresponse,
 acheck) is complete, if for all msk ∈ Gen(par), parties and ,
parties P = T ∪ S, which is partitioned into the set of tokens T states St , St the following experiment outputs 1:
and the set of servers S. Each party keeps an internal state. We do
 (1) Initialize the state of party with msk and St , and the
not model clients explicitly. Instead, we allow the adversary to do
 state of party with St .
the computation that the clients do.
 (2) Run the registration protocol Reg of at , as follows:
 The state of servers ∈ S is initially empty, while the state of
tokens will be initialized with a long-term key msk. Also, we assume ← rchallenge(id ),
that each server has a unique identifier id . In all experiments that ← rcommand(id , ), (cid, ) ← rresponse(msk, id , ),
we define, we assume that these identifiers are given. ( , cred) ← rcheck(cid, ).
 Syntax. Now, we define the syntax of our schemes. The syntax (3) If = 0, output 0. Otherwise, run the authentication
follows the setup introduced above. protocol Auth of at , which is as follows:
 Definition 3.1 (PlANRK). A passwordless authentication scheme ← achallenge(id ), ← acommand(id , ),
with non-resident keys (PlANRK) is a tuple of algorithms PlANRK = ← aresponse(msk, id , cid, ), ← acheck(cid, ).
(Gen, Reg, Auth) with the following properties:
 (4) Return .
 • The randomized key generation algorithm Gen takes as
 input parameters par. It outputs a master secret key msk. Security. Next, we focus on defining security notions for PlANRK.
 • The registration protocol Reg given as a tuple of stateful To do so, we first define server and token oracles an adversary may
 algorithms (rchallenge, rcommand, rresponse, rcheck). access. These oracles model the capability of an adversary to freely
 – The randomized registration challenge generation algo- communicate with tokens and servers.
 rithm rchallenge takes as input a server identity id 
 Definition 3.3 (Server and Token Oracles). Let A be an algorithm
 and outputs a challenge value .
 and PlANRK = (Gen, Reg, Auth) be a PlANRK. We associate each
 – The deterministic registration command creation algo- , 
 rithm rcommand takes as input a server identity id party ∈ T ∪ S with a set of oracles which model two types
 and a challenge value and outputs a message . of instances corresponding to registration and authentication. Each
 – The randomized registration response algorithm party is represented by a number of instances with a shared state
 rresponse takes as input a master secret key msk, a and we will use the superscript to indicate the particular instance
 , 
 server identity id and a message and outputs and of the party. In other words, we we refer to for = 0 as the -th
 credential identifier cid and a response . registration instance of party and for ≥ 1 as the -th authentica-
 – The deterministic registration check algorithm rcheck tion instance of corresponding to the -th registration. The oracles
 takes as input a credential identifier cid and a response can be accessed by A via interfaces Start, Challenge, Complete as
 and outputs a bit ∈ {0, 1} and a credential cred. follows:
 , , 
 • The authentication protocol Auth given as a tuple of stateful • Start( ): Server oracle executes rchallenge(id ) in
 algorithms (achallenge, acommand, aresponse, acheck). case = 0 or achallenge(id ) in case > 0. The result is
 – The randomized authentication challenge generation returned to A.
 , , 
 algorithm achallenge takes as input a server identity • Challenge( , id , cid, ): Token oracle runs algo-
 id and outputs a challenge value . rithm rresponse(id , ) (if = 0) or aresponse(id , cid, )
 – The deterministic authentication command creation (if > 0). The result is returned to A.
 , , 
 algorithm acommand takes as input a server identity • Complete( , cid, ): Server oracle runs rcheck(cid, )
 id and a challenge value and outputs a message (if = 0) or acheck(cid, ) (if > 0). The result is returned
 . to A.
 5
We assume without loss of generality that an oracle is only executed 3.2 Defining Unlinkability
once with the same type of query. Note that all oracles take as input We will now discuss the problem of unlinkability for passwordless
instances token or server instances and thus A can just query the authentication. Informally, what we want to achieve is that interac-
same input with the next instance ′ = + 1 of the target party. tions between the same token and different servers are unlinkable,
 We follow the work of Bellare et al. [8] to define partnering of even if servers are malicious. If a protocol is proven secure using
oracles, which will be used in the winning condition of our security the below definition then it means the passwordless authentication
 , ′, ′ protocol for non-resident keys does not provide means to malicious
experiments. Informally, two oracles and are partnered, if
 servers to link interactions. This also means that data that is ex-
they share the same view. Here, the notion of view must be defined
 changed outside of the protocol is out of the scope of our definition,
by the protocol. Intuitively, one should think of partnered oracles
 e.g. metadata that could be used to link interactions of the token.
as if the adversary just forwarded messages between these oracles.
 Definition 3.4 (Session Identifiers and Partnering). Let PlANRK = Definition 3.6 (Unlinkability for Passwordless Authentication). For
(Gen, Reg, Auth) be a PlANRK and consider the oracles from Def- PlANRK PlANRK = (Gen, Reg, Auth), define the security exper-
inition 3.3. Let be a function that takes as input the transcript iment Unl run between the challenger and an adversary A as
 , 
 = (id , cid, , ) that a token ∈ T observes in an oracle follows.
 , , 
call to Challenge( , ·), and outputs a bitstring ( ). Simi- • Setup. For each token ∈ T , a key is generated by running
 , msk ← Gen(par). Then, each token is initialized with
larly, let be a function that takes as input the transcript =
 , 
 key msk and each server ∈ S is initialized with an
( , cid, ) that a server ∈ S observes in oracle calls to Start( ), empty state.
 , , 
Complete( , ·), and outputs a bitstring ( ). We assume that • Phase 1. In the online phase the adversary is allowed to
these functions are specified by PlANRK. interact with the oracles Start, Challenge, Complete as in
 , ′, ′ Definition 3.3.
 We say that oracles and are partnered, if the following
hold: • Phase 2. In this phase, the adversary outputs two user
 ′, ′ identifiers 0, 1 , and two (not necessarily distinct) server
 ( = 0 ⇐⇒ ′ = 0) ∧ ( ) = ( ).
 , 
 identifier , ∈ S. Let 0 and 1 be the smallest identi-
 fiers for which the token instances 0 ,0 and 1 ,0 were not
 0 1

 We now define what it means for a passwordless authentication queried to the Challenge oracle in phase 1. The challenger
protocol with non-resident keys to be secure against impersonation. now chooses a bit and initializes two oracles and keeps
Informally, we say that if this property holds then the token must internally two values 0, 1 initialized to 0:
 , 
be used to authenticate against a server and a single interaction – Left(cid, ): Return Challenge( , id , cid, ) and
 
cannot be used to authenticate multiple times. More formally, we increase = + 1,
 , 
define impersonation security as follows. – Right(cid, ): Return Challenge( 1− 1− , id , cid, )
 1− 
 and increase 1− = 1− + 1
 Definition 3.5 (Man-in-the-Middle Security for Passwordless Au-
 • Phase 3. The adversary is allowed to interact with all the
thentication). For PlANRK PlANRK = (Gen, Reg, Auth), let us de-
 oracles defined in Phase 1 and 2.
fine the following security experiment MiM run between the chal-
 • Output Phase. Finally, the adversary outputs a bit ˆ and
lenger and an adversary A.
 the experiment returns 1 if and only if:
 • Setup. For each token ∈ T , a key is generated by running – bit ˆ is equal to bit , and
 msk ← Gen(par). Then, each token is initialized with – (intance freshness) the adversary never made a query
 key msk and each server ∈ S is initialized with an to the Challenge oracle using the token oracle in-
 empty state.
 stances 0 , 0 and 1 , 1 for any 0, 1 , and
 • Phase 1. In the online phase the adversary is allowed to
 – (registration uniqueness) there was never a query
 interact with the oracles Start, Challenge, Complete as in , 
 Definition 3.3. to the Challenge( , id , ·, ·) oracle for any , , ∈
 • Output Phase. Finally, the adversary terminates the ex- { 0, 1 } and ∈ { , }.
 periment which return 1 if and only if there exists a server We define the advantage of A in winning the experiment as:
 , 
 oracle for > 0 such that the following conditions A A
 AdvUnl,PlANRK := | Pr[UnlPlANRK = 1] − 1/2|.
 hold:
 (1) ,0 is partnered with a token oracle ,0 . We will now briefly discuss the idea behind this definition and
 , , 
 (2) accepted, i.e. in the call Complete( , cid, ) the the winning condition. First notice that we reuse the oracles from
 algorithm acheck(cid, ) returned 1. the impersanation experiments. This allows the adversary to create
 , ′, ′
 (3) is not partnered with any token oracle . a view on the system that shows all the connections, i.e. which
We define the advantage of A in winning the experiment as: account (e.g. defined by cid) corresponds to which authenticator.
 A A
 However, such a powerfull adverary would immediately break any
 AdvMiM,PlANRK := Pr[MiMPlANRK = 1]. unlinkability definition by trivially revealing those connection. The
 key point of our unlinkability definition is for the adversary to
 6
reveal connections between two tokens and two servers with the (4) In contrast to [6], we do not consider attestation in this
knowledge of every other connection in the system. paper. As already mentioned in the introduction, attesta-
 Therefore, we restrict the adversary and ask it to output two to- tion is rarely used in practice. What is more, if designed
kens and two servers which will be part of the challenge. Informally, incorrectly, attestation can lead to trivial attacks against
we give the adversary a left and right oracle that are initialized de- unlinkability. We leave a formal analysis of WebAuthn
pending on a bit with one of the two tokens returned by the with anonymous attestation (e.g. using ECDAA [1]) for fu-
adversary. If the adversary tries to interact with those tokens using ture research. To account for this change in the model, the
one of the two returned servers then it must do it via the left or server’s state is not initialized with any public key material
right oracle. We ensure this by the registration uniqueness property of the tokens.
where we only allow to register the target tokens at most once
with those servers. To not allow for trivial attack we also do not 4 EXISTING SCHEMES
allow the adversary to interact with instances of the tokens that There are many ways to implement non-resident keys for the FIDO2
we initialized the left and right oracles with. We call this condition protocol. While the protocol itself remains the same, the only dif-
instance freshness in the definition above. ference is in the way secret keys and key handles are generated. In
 this paper we will focus on the following two:

3.3 Difference to Barbosa et al.’s Model • Key Derivation Function. - the signing key is gener-
 ated in a pseudorandom way using a master secret key,
As we mentioned in the introduction, Barbosa et al. [6] model FIDO2
 the server’s identifier, and the key handle which acts as a
passwordless authentication exclusively for the use of resident keys,
 random salt. This method is e.g. used by the open-source
i.e., where all the secret keys are stored on the authentication device.
 FIDO2 token SoloKey. 2
Our model, on the other hand, focuses on the more practical use
 • Key wrapping. - the signing keys are encrypted together
case, namely authentication using non-resident keys. As a conse-
 with the server’s identifier and the ciphertext is stored in
quence, our syntax and experiment for authentication are different
 the key handle. This method is e.g. used by Yubico in their
from those in [6]. The main novelty of our model, however, is our
 implementation of FIDO2 tokens [32].
definition of unlinkability. Below we will summarize our changes
to Barbosa et al.’s model. We will now describe the above two schemes using our syntax for
 passwordless authentication. Then we will prove security against
 (1) When using resident keys, FIDO2 uses a per-server signa- man-in-the-middle attacks. Additionally, we will also show how
 ture counter to enable cloning detection of token devices. to instantiate the used building blocks (i.e. encryption scheme and
 However, the main feature of non-resident keys is that KDF) to provide privacy. To this end, we will prove the security of
 they allow for use of token devices with limited memory. the above using our unlinkability definition. We will use a common
 Clearly, due to limited memory, a token can not keep state description and refer to each of those schemes as respectively kwrPA
 for every server it interacts with. On the other hand, if and kdfPA.
 the token uses a naive implementation of a global state Key Generation. Initialization of a token is done using the Gen
 (e.g., a counter), this might violate privacy/unlinkability algorithm that outputs a master secret key msk. For kdfPA this key
 of the token. Hence, most authentication tokens used in is generated by executing msk ← $
 {0, 1} . In the case of the key
 practice favor privacy over cloning detection. This change wrapping scheme, this key is the secret key for a symmetric key
 is reflected in the winning condition of the adverary in encryption scheme ske. Thus, we set msk ← ske.Gen(param).
 the passwordless authentication experiment. [6] ensures
 that if a server oracle accepts then it is partnered with a Registration. The registration protocol Reg is formally presented
 unique token oracle with the same session identifier. In our in Figure 2. First, the server executes algorithm rchallenge(id ),
 model we do not include this condition on the number of which generates a random nonce ← $
 {0, 1} and returns the
 partnered token oracles with a single server oracle. This challenge = (id , ). The challenge is then sent to the client,
 models the case that a single server runs multiple sessions which executes the rcommand(id , ) algorithm. This algorithm
 with the same token which is the case e.g. if there exists a verifies that id = id and returns message = ( ). After-
 cloned token (and it is not detected). wards, and id is send to the token, which executes algorithm
 (2) We extract the server identifier sid from the commands rresponse(msk, id , ). Here, the variants kwrPA and kdfPA differ
 exchanged between the server and token. In contrast to [6], slightly.
 all of our schemes require explicit access to this identifier In kdfPA the token first chooses a random identifier cid ← $

 to provide a meaningful unlinkability definition. 
 {0, 1} . It then uses the key derivation function to generate the
 (3) For the same reason, we assume that the credential iden- secret key sk := (msk, cid, id ). Note that we assume here that
 tifier cid is explicitly generated on the token and shared the outputs values in the secret key space of the signature
 with the server during registration (rather than wrapped scheme. This allows the token to compute the corresponding public
 together with other values as done in [6]). We use this iden- key pk := toPK(sk).
 tifier to model the key handle that is bound to the user’s
 account and provided to the token during authentication. 2 see https://github.com/solokeys/solo
 7
In kwrPA the keypair is computed directly using the signature Game G0 : This is the real man-in-the-middle game. Recall that at
scheme key generation algorithm (sk, pk) ← kg(param). The se- the beginning, each token ∈ T is initialized with a master secret
cret key sk is then encrypted by the token together with id as key msk ← $
 {0, 1} . Then, the adversary gets access to oracles
cid := Enc(msk, (id , sk)). Start, Challenge, Complete. By definition, we have
 For both schemes the secret key sk is used to create the signature A
 Adv0 = AdvMiM,kdfPA .
 ← sign(sk, ), where := ( (id ), cid, pk, ℎ = ). Finally, the
token sends a response message = (pk, ) together with cid to Game G1 : This game is as G0 , but we introduce a bad event and
the client, which forwards it directly to the server. let the game abort if this bad event occurs. The bad event occurs,
 The server verifies the token’s response by running algorithm if the adversary ever queries (msk , ·) for any token ∈ T .
rcheck(cid, ), which is as follows. The server returns (0, ⊥) in Note that A obtains no about msk throughout the game (except
case ver(pk, , ), where := ( (id ), cid, pk, ). It then updates via hash values). Thus, we can use a union bound over the 
the internal registration state with the new registration rcs[cid] := random oracle queries and the |T | tokens to obtain
pk and outputs (1, cred := (cid, pk)). · |T |
 |Adv0 − Adv1 | ≤ .
 Authentication. The authentication protocol Auth, given in Fig- 2 
ure 3, begins with the server executing the achallenge(id ) algo- Game G2 : This game is as G1 , but we introduce another bad
rithm, which generates a random nonce ← $
 {0, 1} and returns event and let the game abort if this bad event occurs. The bad event
the challenge = (id , ). The challenge and the identifier cid is occurs, if there are tokens ≠ ′ such that msk = msk ′ . Clearly,
sent to the client. Given the challenge from the server the client we have
 |T | 2
executes the acommand(id , ) algorithm, which parses the chal- |Adv1 − Adv2 | ≤ .
lenge as := (id, ), verifies that id = id and sends the message 2 
 := ( ), the server identifier id and identifier cid to the to- Game G3 : We rule out another bad event. That is, we let the
ken. The token executes the aresponse(msk, id , cid, ) algorithm, game abort if this bad event occurs. Namely, we abort whenever
which is described in the following. there is a collision for random oracle . Precisely, we abort, if for
 In the first step the token recreates the signing key sk that it ≠ ′ we have ( ) = ( ′ ). As the images of are sampled
created during registration. For kdfPA this means that the token uniformly at random from {0, 1}2 , we have
runs sk := (msk, cid, id ). In case of the kwrPA the token first 2
 
decrypts the cid to receive (id, sk ′ ) := Dec(msk, cid). It then checks |Adv2 − Adv3 | ≤ .
 22 
if this secret key correspond to the server, i.e. it returns an error if Game G4 : In this game, we introduce yet another bad event, for
id ≠ id . Otherwise it sets sk = sk ′ . which we let the game abort on its occurrence. To define this event,
 For both schemes the secret key sk is used to create the signature consider the server-side oracles Start. Recall that these oracles
 ← sign(sk, ), where := ( (id ), ). Finally, the token (in both registration and authentication) sample a random ← $

creates a response message = ( ), which is send to the client. ≥ 
 {0, 1} . The bad event occurs if the same is sampled in two
The client forwards this message directly to the server.
 different invocations of the oracle Start. Clearly, we can bound the
 The server verifies the token’s response by running algorithm
 distinguishing advantage by
acheck(cid, ), which is as follows. In the first step, the server
uses the internal state to get the token’s public key pk ← rcs[cid] 2
 |Adv3 − Adv4 | ≤
 .
using the identifier cid. Finally, it sets := ( (id ), ( )) and 2 
outputs ver(pk, , ). Finally, we bound the probability Adv4 that G4 outputs 1. Recall
 that the game outputs 1 if none of the introduced aborts occur, and
Security With Key Derivation Function. We will now show
 the adversary successfully finished an authentication via oracle
man-in-the-middle security and unlinkability for the scheme kdfPA, , , 
which uses a key derivation function. Complete( , ·), for which = 0, the oracle is not partnered
 ′, ′
 with any oracle and the oracle ,0 is partnered with an oracle
 Lemma 4.1. Let A be an adversary in the man-in-the-middle game ′
 ,0 .
 In the following, we will call this interaction with oracle
of kdfPA. Assume that A makes at most , queries to random
 Complete the forged authentication. We refer to the interaction with
oracles , , respectively, at most queries to oracle Start, and at ′
most queries to oracle Challenge. Then there exists an algorithm oracle ,0 as above via oracle Challenge as the target registration.
B with the same running time as A such that A’s advantage in the Now, we give a reduction B from the euf-cma security of sig.
man-in-the-middle game can be upper bounded by The reduction is as follows.
 • B gets as input a public key pk∗ . It gets access to a signing
 · |T | + |T | 2 + 2 2
 B oracle Sign.
 + + · Adveuf-cma,sig .
 2 22 • B samples an index ∗ ← $
 [ ]. It simulates game G4 ,
 except for the ∗ -th query to oracle Challenge, for which
 it works as follows:
 Proof. We show the statement via a sequence of games. For – If this query is an authentication query, i.e. it is of the
 , 
each game G , we denote the advantage of A, i.e. probability that form Challenge( , ·) for > 0, then it the reduction
G outputs 1, by Adv . B aborts.
 8
– If this query is a registration query, i.e. it is of the form game (except via hash values). Thus, we can use a union bound
 Challenge( ,0, ·), then it sets pk := pk∗ , and contin- over the random oracle queries and the |T | tokens to obtain
 ues the simulation using this key. Thereby, it obtains · |T |
 the signature from its signing oracle Sign. Let cid pr0 − pr1 ≤ .
 2 
 be the random credential identifier sampled within Game G2 : This game is as G1 , but we introduce another bad
 this simulation. Later, whenever the adversary queries
 event and let the game abort if this bad event occurs. The bad event
 oracle Challenge for authentications for this cid, the
 occurs, if there are tokens ≠ ′ such that msk = msk ′ . Clearly,
 reduction uses its signing oracle Sign to answer the
 we have
 query. |T | 2
 • After termination of A, reduction B first finds the forged pr1 − pr2 ≤ .
 2 
 authentication and the corresponding target registration. Game G3 : This game is as G2 , but we change how oracle Left be-
 • If the target registration is not the ∗ -th query to oracle , 
 Challenge, B aborts. Otherwise, let be the signature that haves. Recall that in G2 , oracle Left runs Challenge( , id , ·, ·).
 
 A submitted in the forged authentication, id be the server Concretely, in each call Left(cid, ) in G2 , a key pair (sk, pk) is
 identity that is used in the forged authentication, and sampled as
 be the challenge that is used. sk := (msk , cid, id ), pk := toPK(sk).
 • B returns
 In game G3 we change the way these keys are generated. Namely,
 ∗ := ( (id ), ( )), ∗ := . we instead keep a map [·], and in each call Left(cid, ) we first
 First, assume that B does not abort. It is easy to see that, the check if [cid] is already defined. If it is defined, we use it as a key
simulation of game G4 is perfect. Also, by definition of algorithm pair. Otherwise, we sample a fresh key pair (sk, pk) ← kg(param),
acheck, as the forged authentication accepted, ∗ is a valid signa- store it as [cid] := (sk, pk) and use it. The rest of the oracle stays
ture on ∗ under pk∗ . Furthermore, due to the changes introduced the same, using that particular key pair.
in games G3 and G4 , if A wins game G4 , we know that the sign- We claim that pr2 = pr3 . This can be argued as follows. With-
ing oracle Sign was never used on a message (·, ( )), and thus out loss of generality, we can focus on the case where A does
the forgery output by B is fresh. Finally, note that A’s view is not violate registration uniqueness or instance freshness. Also, we
independent of ∗ , until an abort happens. Thus, we have can assume that the bad events defined in games G1, G2 do not
 occur. In case any of these assumptions does not hold, both games
 B
 Adv4 ≤ · Adveuf-cma,sig . G2 and G3 output 0. Using these assumptions, we see that the ad-
 □ versary learns nothing about (msk , cid, id ) in game G1 .
 Especially, due to registration uniqueness and non-colliding msk’s,
 Lemma 4.2. Let A be an adversary in the unlinkability game of the oracle Challenge never queries (msk , cid, id ). Thus,
kdfPA. Assume that A makes at most queries to random oracle (msk , cid, id ) is uniformly random for A, which implies
 . Then A’s advantage in the unlinkability game can be upper that the distribution of key pairs used is exactly the same as in
bounded by game G3 . We have
 · |T | + |T | 2 pr2 = pr3 .
 .
 2 Game G4 : This game is as G3 , but we change how oracle Right
 behaves. Concretely, we apply a similar change using fresh key
 Proof. We show the statement via a sequence of games. For pairs and a map as we did for oracle Left in game G3 . With the
each game G , we denote the probability that G outputs 1 by pr . same arguments, it follows that
We note that games G1, G2 are taken verbatim from the proof of pr3 = pr4 .
Lemma 4.1.
 Game G0 : This game is the real unlinkability game. Recall that Finally, we see that the behavior of oracles Left and Right in
 game G4 and thus A’s view is independent of the bit . Thus, we
at the beginning of this game, a master secret key msk ← $
 {0, 1} 
 have pr4 = 1/2. This shows the claim. □
is generated for each token ∈ T . The adversary A gets access
to oracles Start, Challenge, Complete. Then, it outputs two tokens
 Security of Key Wraping. We will now show man-in-the-middle
 0, 1 and servers , . Afterwards, it also gets access to ora-
 , security and unlinkability for the scheme kwrPA, which uses key
cles Left, Right, which internally run Challenge( , id , ·, ·) and wrapping. Notably, our proofs require that the encryption scheme
 
 , 
Challenge( 1− 1− , id , ·, ·), respectively. Throughout the game, that is used is anonymous. To the best of our knowledge, it is not
 1− 
the adversary A also gets access to random oracle . By defini- known if the CCM mode used in Yubico’s implementation of key
tion, we have wrapping is anonymous. Due to space limitations, we postpone the
 A
 pr0 = AdvUnl,kdfPA . proofs of the statements to Appendix A.
 Game G1 : This game is as G0 , but we introduce a bad event and Lemma 4.3. Let A be an adversary in the man-in-the-middle
let the game abort if this bad event occurs. The bad event occurs, game of kwrPA. Assume that A makes at most queries to random
if the adversary ever queries (msk , ·) for any token ∈ T . oracle , at most queries to oracle Start, and at most queries to
Note that A obtains no information about msk throughout the oracle Challenge. Then there exist algorithms B and C with the same
 9
running time as A such that A’s advantage in the man-in-the-middle Definition 5.2 (Revocation Soundness of PlANRK). Let PlANRK =
game can be upper bounded by (Gen, Reg, Auth) be a PlANRK. Consider an algorithm A and the
 following experiment rev-soundPlANRKA :
 2 2
 B C
 + + |T | · Advanon-auth,ske + · Adveuf-cma,sig . • Setup. For each token ∈ T , a key is generated by running
 2 22 msk ← Gen(par). Then, each token is initialized with
 key msk and each server ∈ S is initialized with an
 Lemma 4.4. Let A be an adversary in the unlinkability game of empty state.
kwrPA. Then there exists an algorithm B, which has the same running • Online Phase 1. A gets as input {mpk } ∈T and oracle
time as A, such that A’s advantage in the unlinkability game can access to oracles Start, Challenge, Complete as in Defini-
be upper bounded by tion 3.3. Then, A outputs a token ∗ and a server ∗ .
 • Registration. Run the registration protocol Reg of ∗ at
 B
 |T 2 | · Advanon-auth,ske . ∗ , which is as follows:
 ← rchallenge(id ∗ ),
 ← rcommand(id ∗ , ), (cid, ) ← rresponse(msk ∗ , id ∗ , ),
5 GLOBAL KEY REVOCATION
 ( , cred) ← rcheck(cid, ).
A useful feature that FIDO2 currently does not support is a means of
revoking keys of a comprised token. Informally, we want to give the • Online Phase 2. Continue the execution of A with the
user the option to revoke its keys globally, without accessing all the same oracles as before. Additionally, provide the input
servers which her token is registered to one by one. In this section, ( , , cid, , , cred) to A.
we focus on formally defining syntax and security for global key • Challenge Phase. The adversary outputs rk∗ . The experi-
revocation. Then, in the next section we show a way to add this ment outputs 1 if and only if CheckCred(id ∗ , cred, rk∗ ) =
feature to FIDO2 using BIP32 key derivation. 1.
 A
 We define the advantage of A in rev-soundPlANRK as
 In short, we define a global revocation mechanism as two algo-
rithms that are associated with PlANRK. Intuitively, these should A A
 Advrev-sound,PlANRK := Pr[rev-soundPlANRK = 1].
be understood as follows. First, when a user starts using its token
 ∈ T , it also obtains a revocation key rk, which is extracted from To show our informal claim that even for globally revoked keys
the long-term key msk using some algorithm Revoke. Recall from impersonation is impossible, we extend the notion of impersonation
Definition 3.1 that when token registers at a server ∈ S, the security.
server stores a credential cred for this token in its state. If the user
wants to revoke its key, it publishes rk. We do not further specify Definition 5.3 (Man-in-the-Middle Security with Global Revoca-
how the user publishes rk. However, we assume that all servers tion). Let PlANRK = (Gen, Reg, Auth) be a PlANRK. We consider
periodically scan for published revocation keys rk. Whenever a new the experiment given in Definition 3.5 with the following modifica-
revocation key is published, the server (with identity id ) runs an tion:
algorithm CheckCred(id , cred, rk) for each credential cred in its After generating msk for each ∈ T , the experiment also
state. If this algorithm accepts, the server considers this credential generates rk ← Revoke(msk ) for each ∈ T . Then, {rk } ∈T
as revoked. is given to algorithm A as an additional input.
 We define the advantage of an algorithm A in the experiment as
 Definition 5.1 (Global Key Revocation of PlANRK). A PlANRK A A
 AdvMitM-GR,PlANRK := Pr[MitM-GRPlANRK = 1].
PlANRK = (Gen, Reg, Auth) satisfies global key revocation if there
are algorithms Revoke, CheckCred with the following syntax: 6 BIP32 PASSWORDLESS AUTHENTICATION
 • Revoke(msk) takes as input a master secret key msk and In this section, we show how to instantiate FIDO2 by deriving
 outputs a revocation key rk. ECDSA keypairs using the BIP32 key derivation [31] The resulting
 • CheckCred(id , cred, rk) takes as input a server identity scheme, denoted by bip32PA supports global key revocation.
 id , a credential cred and a revocation key rk and outputs
 a bit ∈ {0, 1}. Key-Prefixed ECDSA.. We recall the necessary background of the
Further, the algorithms should be complete in the following sense: ECDSA signature scheme. We denote the scheme by sig = (kg, sign,
For all msk ∈ Gen(par), parties and , states St , St the follow- srerand, prerand, ver). For the purpose of this work, we can treat
ing experiment outputs 1 with probability 1: signing and verification as a black box. For details, see [14]. We
 highlight that we use a variant of ECDSA, where messages are pre-
 (1) Run steps (1)-(3) from the experiment in Definition 3.2. fixed with the public key, see [14]. We now describe key generation
 (2) If = 0, output 0. Otherwise, run rk ← Revoke(msk) and and randomization. The system parameters of the scheme contain
 ← CheckCred(id , cred, rk). Return . a group G of prime order with generator ∈ G. Key generation
 Clearly, the above definition is easily satisfied if we make algo- and rerandomization, i.e. algorithms kg, srerand, prerand, are as
rithm CheckCred always output = 1. This is not what we aim for. follows:
Instead, we need a security notion that ensures that only the owner • Secret keys are sampled uniformly from Z , i.e. sk ← $
 Z .
of msk can revoke keys that are stored on an honest server. sk
 • The public key for a secret key sk is pk := .
 10
• To rerandomize a secret key with randomness ∈ Z , we Lemma 6.2. Let A be an adversary in the revocation soundness
 compute pk ′ := pk · and sk ′ := sk + . game of bip32PA. Assume that A makes at most ˆ queries to oracle
In terms of security, Das et al. [14] show that the key-prefixed ˆ . Then the advantage of A against revocation soundness can be
ECDSA scheme is ufcma-hrk1. We will use this result to show the upper bounded by
security of our construction.
 A
 3 ˆ + 1
 Advrev-sound,PlANRK ≤ .
 Lemma 6.1 (informal, [14]). Let sig be the key-prefixed ECDSA 2 
signature scheme as above. Then, under a suitable assumption, for each
 A
efficient algorithm A, the advantage Advufcma-hrk1,sig is negligible. Lemma 6.3. Let A be an adversary in the unlinkability game
 Key Generation. Let us describe how master secret keys msk of bip32PA. Assume that A makes at most ˆ queries to random
are generated for our scheme bip32PA. A master secret key msk oracle ˆ . Then A’s advantage in the unlinkability game can be upper
consists of an ECDSA key pair (sk0, pk0 ) and a so called chaincode bounded by
 ℎ. Looking ahead, the chaincode and the public key pk0 can later ˆ · |T | + |T | 2
be used to revoke keys. Concretely, the components of the key are .
 2 
generated as sk0 ←$
 Z , pk0 := sk0 , ℎ ←
 $
 {0, 1} .
 Registration and Authentication. Registration and authentication Lemma 6.4. Let A be an adversary in the man-in-the-middle with
follow the FIDO2 specification. Thus, they are very similar to the global revocation game with global revocation of bip32PA. Assume
protocols described in Section 4. Formally, we present protocols Reg that A makes at most , ˆ queries to random oracles , ˆ , re-
and Auth in Figures 2 and 3. Let us describe the differences between spectively, at most queries to oracle Start, and at most queries
bip32PA and the existing schemes. The most important difference to oracle Challenge. Then there exists an algorithm B with the same
is how keys are derived during registration and authentication. running time as A such that A’s advantage in the man-in-the-middle
Namely, the token chooses a random cid ← $
 {0, 1} as in the scheme with global revocation game can be upper bounded by
kdfPA. Then, it derives a randomness := (pk0, ℎ, cid, id ) using
 ˆ 2 + 2 + · ˆ 2
 B
a random oracle ˆ . This randomness is used to rerandomize the + + Advufcma-hrk1,sig .
 2 2 2 
pair (sk0, pk0 ) to a new keypair, i.e. sk := srerand(sk0, ) and pk :=
prerand(pk0, ). As in the scheme kdfPA, the server obtains and
stores cid, pk during registration and the key sk is used to sign Proof. We show the statement by presenting a sequence of
challenges. One minor detail that we have to change is the use games G , where for each such game G the probability that the
of an additional nonce ← $
 {0, 1} that is sampled by the token game outputs 1 is denoted by Adv .
and added to the actual challenge before signing. This ensures that Game G0 : This game is the real man-in-the-middle with global
with high probability, even for malicious servers a token never revocation game. That is, at the beginning a master secret key
signs the same message twice. We need this, as the security notion msk = (sk ,0, pk ,0, ℎ ) is generated for each token ∈ T .
ufcma-hrk1 that ECDSA satisfies only allows one signature query Further, the global revocation keys rk := (pk ,0, ℎ ) are passed
per message. to the adversary. Then, the adversary A gets access to oracles
 Start, Challenge, Complete. By definition, we have
 Global Revocation. The advantage of the BIP32 key derivation A
compared to key wrapping or simple key derivation is global key re- Adv0 = AdvMitM-GR,bip32PA .
vocation, as defined in the previous section. Informally, the scheme Game G1 : This game is as G0 , but we introduce an additional
bip32PA allows to publish a revocation key rk to globally revoke abort. Namely, G1 aborts whenever for we have ( ) = ( ′ ) for
a lost/stolen token without compromising the user’s account. For- ≠ ′ . As the images of are sampled uniformly at random from
mally, we present algorithms Revoke and CheckCred for our scheme {0, 1}2 , we have
bip32PA. Algorithm Revoke(msk) is given as follows: 2
 
 (1) Parse (sk0, pk0, ℎ) := msk. |Adv0 − Adv1 | ≤ .
 (2) Return rk := (pk0, ℎ). 22 
 Game G2 : In this game, another abort is introduced. Namely, we
Algorithm CheckCred(id , cred, rk) is as follows:
 consider the server-side oracles Start. Recall that in an execution
 (1) Parse (pk0, ℎ) := rk and (cid, pk) := cred. of such an oracle, the game samples a random value ← $
 {0, 1} ≥ .
 (2) Run pk ′ := prerand(pk0, ˆ (pk0, ℎ, cid, id )). Now, game G2 aborts if the same is sampled in two different
 (3) Return 1 if pk = pk ′ . Otherwise, return 0. invocations of the oracle Start. Clearly, we have
6.1 BIP32 Scheme Security 2
 |Adv1 − Adv2 | ≤ .
Next, we show security of our scheme. Concretely, we first show 2 
that only the owner of a token can revoke its keys (i.e. revocation Game G3 : In this game, we introduce another abort. Consider
soundness). Then, we show unlinkability. Finally, we show that even the token-side oracle Challenge. More precisely, consider a query
 , 
given all revocation keys, man-in-the-middle security still holds. Challenge( , id , cid, ) with > 0, i.e. an authentication inter-
Due to space limitations, we postpone the proofs of revocation action. Recall that in the execution of this oracle, a value ← $

soundness and unlinkability to Appendix B. {0, 1} is sampled, and then the message := ( , ) is signed.
 11
You can also read