FIDO biometric authentication technology development case study
TRANSCRIPT
![Page 1: FIDO biometric authentication technology development case study](https://reader035.vdocuments.pub/reader035/viewer/2022082210/58707cd01a28ab57368b5769/html5/thumbnails/1.jpg)
Biometric Authentication Platform Development
Platform Architecture Team, Manager 신기은
Fast IDentity Online
FIDO Alliance
• Founded in 2012
• Proposes open, scalable, interoperable technical specifications that reduce the dependence on passwords for user authentication
• Runs industry programs to expand worldwide adoption of the specifications
• Currently made up of about 250 member companies
New authentication model
[Figure: Password, PIN, OTP and MFA plotted against Security and Usability axes, with FIDO]
FIDO Adoption
FIDO Enabled Device
Demonstration
Technical Details
How FIDO Works
[Figure: User Verification – local verification by the Authenticator; FIDO Authentication – online authentication (asymmetric key cryptography)]
FIDO System Architecture
FIDO Building Blocks
Built-in or External
Metadata (1111#0001)
{
  "aaid": "1111#0001",
  "description": "SKP FIDO UAF Authenticator v1.0",
  "authenticatorVersion": 1,
  "upv": [{ "major": 1, "minor": 0 }],
  "assertionScheme": "UAFV1TLV",
  "authenticationAlgorithm": 2,
  "publicKeyAlgAndEncoding": 257,
  "attestationTypes": [15880],
  "userVerificationDetails": [[{ "userVerification": 2 }]],
  "keyProtection": 6,
  "matcherProtection": 2,
  "attachmentHint": 1,
  "isSecondFactorOnly": false,
  "tcDisplay": 3,
  "tcDisplayContentType": "image/png",
  "tcDisplayPNGCharacteristics": [{ "width": 320, "height": 240, "bitDepth": 16, "colorType": 2, "compression": 0, "filter": 0, "interlace": 0 }],
  "attestationRootCertificates": []
}
Field annotations from the slide:
– upv 1.0: UAF Protocol Version 1.0
– authenticationAlgorithm 2: DER encoded ECDSA signature on the NIST secp256r1 curve
– publicKeyAlgAndEncoding 257: DER encoded ANSI X9.62 formatted SubjectPublicKeyInfo
– attestationTypes 15880: Surrogate (basic surrogate) attestation
– userVerification 2: Use fingerprint for user verification
– keyProtection 6: Hardware and TEE based key management
– matcherProtection 2: Authenticator's matcher is running inside the TEE
– tcDisplay 3: Software-based transaction confirmation display
Elliptic Curve Cryptography (ECC)
• Elliptic curve based public key cryptography
• Faster, smaller, and more efficient
– Faster (key generation, signature generation/verification)
– Smaller (key size of public/private keys)
• Android – API Level 19+
– SHA256withECDSA (secp256r1)
– SHA256withECDSA (secp256k1)
Policy
{ "accepted": [ [{ "userVerification": 2 }], [{ "userVerification": 16 }] ] }
– Accept authenticators based on fingerprint or face recognition
{ "accepted": [ [{ "userVerification": 18 }] ] }
– Accept authenticators based on an alternative combination of fingerprint and face recognition
{ "accepted": [ [{ "userVerification": 1042 }] ] }
– Accept authenticators based on a mandatory combination of fingerprint and face recognition
{ "accepted": [ [{ "vendorID": "1111" }] ], "disallowed": [{ "keyProtection": 1 }] }
– Accept authenticators having vendorID "1111" and reject authenticators based on software-based key management
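As an added example (not code from the presentation), a policy matcher that applies these four policies to the 1111#0001 metadata shown earlier. The flag values are the UAF registry constants (USER_VERIFY_FINGERPRINT 2, USER_VERIFY_FACEPRINT 16, USER_VERIFY_ALL 1024, KEY_PROTECTION_SOFTWARE 1); the matching rules are a simplified reading of the UAF MatchCriteria semantics, and the function names are this example's own.

```python
# Added example, not the presentation's code: match a UAF 1.0-style policy
# against an authenticator's metadata. Flag values are from the FIDO UAF
# registry (USER_VERIFY_FINGERPRINT 2, USER_VERIFY_FACEPRINT 16,
# USER_VERIFY_ALL 1024, KEY_PROTECTION_SOFTWARE 1); the matching rules are a
# simplified reading of the spec, and the metadata is the one on the slide.
USER_VERIFY_ALL = 1024

SKP_META = {"aaid": "1111#0001", "keyProtection": 6,
            "userVerificationDetails": [[{"userVerification": 2}]]}

def uv_matches(required, details):
    """details lists alternative combinations; one combination must satisfy
    every method when USER_VERIFY_ALL is set, else at least one method."""
    methods = required & ~USER_VERIFY_ALL
    for combo in details:
        supported = 0
        for descriptor in combo:
            supported |= descriptor["userVerification"]
        if required & USER_VERIFY_ALL:
            if supported & methods == methods:
                return True
        elif supported & methods:
            return True
    return False

def criteria_match(criteria, meta):
    """True when the authenticator satisfies every field in one MatchCriteria."""
    for field, want in criteria.items():
        if field == "userVerification":
            ok = uv_matches(want, meta["userVerificationDetails"])
        elif field == "keyProtection":          # bitfield: any listed bit counts
            ok = bool(meta["keyProtection"] & want)
        elif field == "vendorID":               # AAID is "<vendorID>#<model>"
            ok = meta["aaid"].split("#")[0] == want
        elif field == "aaid":
            ok = meta["aaid"] in want
        else:                                   # unknown field: fail closed
            ok = False
        if not ok:
            return False
    return True

def authenticator_allowed(policy, meta):
    """disallowed wins over accepted; accepted is an OR of AND-groups."""
    if any(criteria_match(c, meta) for c in policy.get("disallowed", [])):
        return False
    return any(all(criteria_match(c, meta) for c in group)
               for group in policy["accepted"])
```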
Registration
FIDO Client API (Register Request)
[
  {
    "header": {
      "upv": { "major": 1, "minor": 0 },
      "op": "Reg",
      "appID": "android:apk-key-hash:YHNHKiwobCkMLtCQw8XmVcR/A+s",
      "serverData": "c8729acc-c3c1-491d-8fe9-b65c3345bbc3;FBu4YyXMWO9qxJwPIsEKdHY7sAdCC9oJYedxg8WsIeM="
    },
    "challenge": "RRvq5yj3Z3Y4V64PykpJ_H-E_uqvYFCgBys48DxJkV0",
    "username": "test",
    "policy": { "accepted": [ [ { "aaid": [ "1111#0001" ] } ] ] }
  }
]
ASM API (Register Request)
{
  "args": {
    "appID": "android:apk-key-hash:YHNHKiwobCkMLtCQw8XmVcR/A+s",
    "attestationType": 15880,
    "finalChallenge": "eyJhcHBJRCI6ImFuZHJvaWQ6YXBrLWtleS1oYXNoOllITkhLaXdvYkNrTUx0Q1F3OFhtVmNSL0ErcyIsImNoYWxsZW5nZSI6IlJSdnE1eWozWjNZNFY2NFB5a3BKX0gtRV91cXZZRkNnQnlzNDhEeEprVjAiLCJjaGFubmVsQmluZGluZyI6e30sImZhY2V0SUQiOiJhbmRyb2lkOmFway1rZXktaGFzaDpZSE5IS2l3b2JDa01MdENRdzhYbVZjUi9BK3MifQ",
    "username": "test"
  },
  "asmVersion": { "major": 1, "minor": 0 },
  "authenticatorIndex": 0,
  "requestType": "Register"
}
Authenticator Commands (Register Command)
AjSQAA0oAQAABCgwAGFuZHJvaWQ6YXBrLWtleS1oYXNoOllITkhLaXdvYkNrTUx0Q1F3OFhtVmNSL0ErcwouIABSNjVSMmcmDI9kEMTK5MZuz70oUfxPEaF6AGiwfL-wVgYoBQB0ZXN0MQcoAgAIPgUoIABAF5rkA5HOb-OL_zLsaSx8G8Vw9CDgVzidSM-t710pgg
Authenticator Commands (Register Command Response)
AjZ1AQgoAgAAAA8oIQEBPh0BAz7LAAsuCQAxMTExIzAwMDEOLgcAAQABAgABAQouIABSNjVSMmcmDI9kEMTK5MZuz70oUfxPEaF6AGiwfL-wVgkuIACZXU3VXZNJQJmJ_iwt6qXBAAAAAAAAAAAAAAAAAAAAAA0uCAAAAAAABwAAAAwuWwAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASOLHgEB8IsrH-f9vS15RaSvVdztrT_CMugBNk3QYVVKuh0XvDXKjx4dHl1YkOqOrSuYe-VxDwfl-rKD3I4j8cmCD5KAAYuRgAwRAIgC6ro5a2GoM3wZPhbIq1elnLbAqY0kHRj_9QMPdZmSMQCIAuFWqhSFlUPqGVeKWc9nRwOmyp8BqyyEV3ifG0XlFHOAShGAA-W3gpU0KEtL9_AhznAF7GKoK8MYK7IPYOyVsFT_l8hmV1N1V2TSUCZif4sLeqlwQAAAAAAAAAAAAAAAAAAAAAFdGVzdDE
ASM API (Register Response)
{
  "responseData": {
    "assertion": "AT4dAQM-ywALLgkAMTExMSMwMDAxDi4HAAEAAQIAAQEKLiAAFsP_hdL1x8R4hBONuORxHasJ2llsHtlbUpwBGCDeemQJLiAAXo9V-9YUT6Orufn5H-4xBAAAAAAAAAAAAAAAAAAAAAANLggAAAAAABkAAAAMLlsAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdYxS-2CR6zlZ0PvbopPnwr5yinSH97RGAu0ijlpzwIOV3ZKTH_a-SKSZXTtuxTUgFj7IQWgxJk1AyZpvT5QJmgg-SgAGLkYAMEQCICldUnDdcnEemZib-pXpiiyOnHMpYLmCyVZ35tVASLmDAiBW6LUHhKrgMmtty4S2UEjgNwPewHQU-py4WBn8UXahsg",
    "assertionScheme": "UAFV1TLV"
  },
  "statusCode": 0
}
FIDO Client API (Register Response)
[
  {
    "assertions": [
      {
        "assertion": "AT4dAQM-ywALLgkAMTExMSMwMDAxDi4HAAEAAQIAAQEKLiAAFsP_hdL1x8R4hBONuORxHasJ2llsHtlbUpwBGCDeemQJLiAAXo9V-9YUT6Orufn5H-4xBAAAAAAAAAAAAAAAAAAAAAANLggAAAAAABkAAAAMLlsAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdYxS-2CR6zlZ0PvbopPnwr5yinSH97RGAu0ijlpzwIOV3ZKTH_a-SKSZXTtuxTUgFj7IQWgxJk1AyZpvT5QJmgg-SgAGLkYAMEQCICldUnDdcnEemZib-pXpiiyOnHMpYLmCyVZ35tVASLmDAiBW6LUHhKrgMmtty4S2UEjgNwPewHQU-py4WBn8UXahsg",
        "assertionScheme": "UAFV1TLV"
      }
    ],
    "fcParams": "eyJhcHBJRCI6ImFuZHJvaWQ6YXBrLWtleS1oYXNoOllITkhLaXdvYkNrTUx0Q1F3OFhtVmNSL0ErcyIsImNoYWxsZW5nZSI6IlJSdnE1eWozWjNZNFY2NFB5a3BKX0gtRV91cXZZRkNnQnlzNDhEeEprVjAiLCJjaGFubmVsQmluZGluZyI6e30sImZhY2V0SUQiOiJhbmRyb2lkOmFway1rZXktaGFzaDpZSE5IS2l3b2JDa01MdENRdzhYbVZjUi9BK3MifQ",
    "header": {
      "appID": "android:apk-key-hash:YHNHKiwobCkMLtCQw8XmVcR/A+s",
      "op": "Reg",
      "serverData": "c8729acc-c3c1-491d-8fe9-b65c3345bbc3;FBu4YyXMWO9qxJwPIsEKdHY7sAdCC9oJYedxg8WsIeM=",
      "upv": { "major": 1, "minor": 0 }
    }
  }
]
TLV (Tag-Length-Value) Structure
The authenticator uses the TLV format to communicate with the outside world (authenticator commands and responses; tags and lengths are 16-bit little endian). The first bytes shown below decode as tag 0x3E01 (TAG_UAFV1_REG_ASSERTION) with length 0x011E, then tag 0x3E03 (TAG_UAFV1_KRD) with length 0xCB, then tag 0x2E0B (TAG_AAID) with length 9 carrying "1111#0001", then tag 0x2E0E (TAG_ASSERTION_INFO) with length 7.
013e1e01033ecb000b2e09003131313123303030310e2e070001000102000101 ……………
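An added example, not code from the presentation: a parser for this TLV encoding, run over the registration assertion from the ASM Register Response above. It walks the nested structure (tags with bit 0x1000 set contain further TLVs), extracts the KRD fields and the surrogate attestation's signature, and rejects lengths that run past the buffer, which is how a relying party should treat malformed input. Tag constants are the UAF registry values; function names are this example's own.

```python
# Added example, not the presentation's code: parse the UAF 1.0 registration
# assertion from the ASM "Register Response" slide. Each TLV is uint16 tag,
# uint16 length, value (little endian); tags with bit 0x1000 nest TLVs.
import base64
import struct

TAG_REG_ASSERTION, TAG_KRD, TAG_ATT_SURROGATE = 0x3E01, 0x3E03, 0x3E08
TAG_SIGNATURE, TAG_KEYID, TAG_AAID = 0x2E06, 0x2E09, 0x2E0B
TAG_PUB_KEY, TAG_COUNTERS, TAG_ASSERTION_INFO = 0x2E0C, 0x2E0D, 0x2E0E

def parse_tlv(buf):
    """Return [(tag, value)]; composite values are parsed recursively."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated TLV header at offset %d" % pos)
        tag, length = struct.unpack_from("<HH", buf, pos)
        value = buf[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("tag 0x%04X claims %d bytes, fewer remain" % (tag, length))
        out.append((tag, parse_tlv(value) if tag & 0x1000 else value))
        pos += 4 + length
    return out

def find(tlvs, tag):
    for t, v in tlvs:
        if t == tag:
            return v
    raise KeyError("missing tag 0x%04X" % tag)

def decode_reg_assertion(b64url):
    raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    reg = find(parse_tlv(raw), TAG_REG_ASSERTION)
    krd = find(reg, TAG_KRD)
    ver, mode, sig_alg, pub_alg = struct.unpack("<HBHH", find(krd, TAG_ASSERTION_INFO))
    sign_ctr, reg_ctr = struct.unpack("<II", find(krd, TAG_COUNTERS))
    return {"aaid": find(krd, TAG_AAID).decode("ascii"),
            "authenticatorVersion": ver, "authenticationMode": mode,
            "signatureAlgAndEncoding": sig_alg, "publicKeyAlgAndEncoding": pub_alg,
            "signCounter": sign_ctr, "regCounter": reg_ctr,
            "publicKeyLen": len(find(krd, TAG_PUB_KEY)),
            "signatureLen": len(find(find(reg, TAG_ATT_SURROGATE), TAG_SIGNATURE))}

REG_ASSERTION = (  # value copied from the ASM Register Response slide
    "AT4dAQM-ywALLgkAMTExMSMwMDAxDi4HAAEAAQIAAQEKLiAA"
    "FsP_hdL1x8R4hBONuORxHasJ2llsHtlbUpwBGCDeemQJLiAA"
    "Xo9V-9YUT6Orufn5H-4xBAAA" "AAAAAAAAAAAAAAAA" "AAANLggA"
    "AAAAABkAAAAMLlsAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE"
    "dYxS-2CR6zlZ0PvbopPnwr5yinSH97RGAu0ijlpzwIOV3ZKTH_a-SKSZXTtuxTUgFj7IQWgxJk1AyZpvT5QJmgg-SgAG"
    "LkYAMEQCICldUnDdcnEemZib-pXpiiyOnHMpYLmCyVZ35tVASLmDAiBW6LUHhKrgMmtty4S2UEjgNwPewHQU-py4WBn8UXahsg")
```

The decoded assertion info (version 1, mode 1, signature algorithm 2, public key algorithm 257) matches the authenticator's metadata above, which is the cross-check a server performs before verifying the signature.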
Authentication
Transaction Confirmation
Deregistration
How to apply FIDO Solution to your system

1. Import FIDO library (covers FIDO Client API and RP Transport)
2. Implement logic and UI
3. If your service is a web app, import the JavaScript library

1. Implement FIDO Server API (only 3 APIs)
2. Implement logic to support FIDO

1. Register policy and assign policy ID
Why adopt FIDO?
• Secure authentication based on public-key (PKI) cryptography
– No password-like credential is stored on the authentication server, so it is safer than the existing password approach
– No password-like credential is transmitted over the network
• An architecture that can use a variety of technologies such as biometrics
– Fingerprint, face, iris, or anything else can be applied (same API; only the policy changes!!!)
– Without FIDO: every new authentication feature (fingerprint / face / iris, etc.) must be developed from scratch (every time)
• Protection of biometric data
– Biometric data is never transmitted outside the device or stored externally
– It is stored in a secure area inside the device (TrustZone)
• General applicability through standard technology
– FIDO is available, or planned, on the Web (W3C Web API), Android, iOS and Windows
– No more "second ActiveX"
• One registration can be applied to multiple apps or platforms
• Avoids mistakes in design, implementation and operation
– Insufficient understanding of authentication technology leads to incorrect implementations and security incidents
– With a FIDO authentication solution, the authentication function is delegated to the FIDO solution