FIDO 생체인증 기술 개발 사례, SK 플래닛 @tech 세미나

1. 생체 인증 Platform 개발
Platform Architecture팀
신기은 매니저

2. Fast IDentity Online

4. FIDO Alliance
• 2012년 설립
• 사용자 인증 시 Password에 대한 의존도를 낮추기 위한 Open, Scalable,
Interoperable 기술 Spec 제안
• Spec의 전세계적인 적용 확대를 위한 Industry Program을 운영
• 현재 약 250여 회원사로 구성 됨

5. 새로운 인증 모델
OTP
MFA
Password PIN
Security Usability
UsabilitySecurity
FIDO

6. FIDO Adoption

7. FIDO Enabled Device

8. Demonstration

9. Technical Details

10. How FIDO Works
User Verification FIDO Authentication
Authenticator
Local verification
Online
authentication
(Asymmetric Key
Cryptography)

11. FIDO System Architecture

12. FIDO Building Blocks
Built-in or External

13. Metadata (1111#0001)
{
"aaid": "1111#0001",
"description": "SKP FIDO UAF Authenticator v1.0",
"authenticatorVersion": 1,
"upv": [{
"major": 1,
"minor": 0
}],
"assertionScheme": "UAFV1TLV",
"authenticationAlgorithm": 2,
"publicKeyAlgAndEncoding": 257,
"attestationTypes": [15880],
"userVerificationDetails": [[{"userVerification": 2}]],
"keyProtection": 6,
"matcherProtection": 2,
"attachmentHint": 1,
"isSecondFactorOnly": false,
"tcDisplay": 3,
"tcDisplayContentType": "image/png",
"tcDisplayPNGCharacteristics": [{
"width": 320,
"height": 240,
"bitDepth": 16,
"colorType": 2,
"compression": 0,
"filter": 0,
"interlace": 0
}],
"attestationRootCertificates": []
}
UAF Protocol Version: 1.0
DER encoded ECDSA signature on the NIST secp256r1 curve
DER encoded ANSI X.9.62 formatted SubjectPublicKeyInfo
Surrogate
Use fingerprint for user verification
Hardware and TEE based key management
Authenticator's matcher is running inside the TEE
Software-based transaction confirmation display

14. Elliptic Curve Cryptography (ECC)
• Elliptic curve based public key cryptography
• Faster, Smaller, and more efficient
– Faster (Key generation, Signature generation/verification)
– Smaller (Key size (pub/priv key)
• Android – API Level 19+
– SHA256withECDSA (secp256r1)
– SHA256withECDSA (secp256k1)

15. Policy
{
"accepted":
[
[{ "userVerification": 2}],
[{ "userVerification": 16}]
]
}
{
"accepted":
[
[{ "userVerification": 18}]
]
}
Accept authenticators based on fingerprint or face
recognition
Accept authenticators based on alternative combination of
fingerprint and face recognition
{
"accepted":
[
[{ "userVerification": 1042}]
]
}
Accept authenticators based on mandatory combination of
fingerprint and face recognition
{
"accepted":
[
[{ "vendorID": "1111"}]
],
"disallowed": [{ "keyProtection": 1}]
}
Accept authenticators having a vendorID as “1111” and
reject authenticators based on software-based key
management

16. Registration

17. Registration
FIDO Client API (Register Request)
[
{
"header": {
"upv": {
"major": 1,
"minor": 0
},
"op": "Reg",
"appID": "android:apk-key-hash:YHNHKiwobCkMLtCQw8XmVcR/A+s",
"serverData": "c8729acc-c3c1-491d-8fe9-b65c3345bbc3;FBu4YyXMWO9qxJwPIsEKdHY7sAdCC9oJYedxg8WsIeM="
},
"challenge": "RRvq5yj3Z3Y4V64PykpJ_H-E_uqvYFCgBys48DxJkV0",
"username": "test",
"policy": {
"accepted": [
[
{
"aaid": [
"1111#0001"
]
}
]
]
}
}
]

18. Registration
ASM API (Register Request)
{
"args": {
"appID": "android:apk-key-hash:YHNHKiwobCkMLtCQw8XmVcR/A+s",
"attestationType": 15880,
"finalChallenge":
"eyJhcHBJRCI6ImFuZHJvaWQ6YXBrLWtleS1oYXNoOllITkhLaXdvYkNrTUx0Q1F3OFhtVmNSL0ErcyIsImNoYWxsZW5nZSI6IlJSdnE1eWozW
jNZNFY2NFB5a3BKX0gtRV91cXZZRkNnQnlzNDhEeEprVjAiLCJjaGFubmVsQmluZGluZyI6e30sImZhY2V0SUQiOiJhbmRyb2lkOmFway1rZXk
taGFzaDpZSE5IS2l3b2JDa01MdENRdzhYbVZjUi9BK3MifQ",
"username": "test"
},
"asmVersion": {
"major": 1,
"minor": 0
},
"authenticatorIndex": 0,
"requestType": "Register"
}

19. Registration
Authenticator Commands (Register Command)
AjSQAA0oAQAABCgwAGFuZHJvaWQ6YXBrLWtleS1oYXNoOllITkhLaXdvYkNrTUx0Q1F3OFhtVmNSL0ErcwouIABSNjVSMmcmDI9kEMTK5MZuz7
0oUfxPEaF6AGiwfL-wVgYoBQB0ZXN0MQcoAgAIPgUoIABAF5rkA5HOb-OL_zLsaSx8G8Vw9CDgVzidSM-t710pgg

20. Registration
Authenticator Commands (Register Command Response)
AjZ1AQgoAgAAAA8oIQEBPh0BAz7LAAsuCQAxMTExIzAwMDEOLgcAAQABAgABAQouIABSNjVSMmcmDI9kEMTK5MZuz70oUfxPEaF6AGiwfL-
wVgkuIACZXU3VXZNJQJmJ_iwt6qXBAAAAAAAAAAAAAAAAAAAAAA0uCAAAAAAABwAAAAwuWwAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASOL
HgEB8IsrH-f9vS15RaSvVdztrT_CMugBNk3QYVVKuh0XvDXKjx4dHl1YkOqOrSuYe-VxDwfl-
rKD3I4j8cmCD5KAAYuRgAwRAIgC6ro5a2GoM3wZPhbIq1elnLbAqY0kHRj_9QMPdZmSMQCIAuFWqhSFlUPqGVeKWc9nRwOmyp8BqyyEV3ifG0X
lFHOAShGAA-W3gpU0KEtL9_AhznAF7GKoK8MYK7IPYOyVsFT_l8hmV1N1V2TSUCZif4sLeqlwQAAAAAAAAAAAAAAAAAAAAAFdGVzdDE

21. Registration
ASM API (Register Response)
{
"responseData": {
"assertion": "AT4dAQM-
ywALLgkAMTExMSMwMDAxDi4HAAEAAQIAAQEKLiAAFsP_hdL1x8R4hBONuORxHasJ2llsHtlbUpwBGCDeemQJLiAAXo9V-9YUT6Orufn5H-
4xBAAAAAAAAAAAAAAAAAAAAAANLggAAAAAABkAAAAMLlsAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdYxS-
2CR6zlZ0PvbopPnwr5yinSH97RGAu0ijlpzwIOV3ZKTH_a-SKSZXTtuxTUgFj7IQWgxJk1AyZpvT5QJmgg-
SgAGLkYAMEQCICldUnDdcnEemZib-pXpiiyOnHMpYLmCyVZ35tVASLmDAiBW6LUHhKrgMmtty4S2UEjgNwPewHQU-py4WBn8UXahsg",
"assertionScheme": "UAFV1TLV"
},
"statusCode": 0
}

22. Registration
FIDO Client API (Register Response)
[
{
"assertions": [
{
"assertion": "AT4dAQM-
ywALLgkAMTExMSMwMDAxDi4HAAEAAQIAAQEKLiAAFsP_hdL1x8R4hBONuORxHasJ2llsHtlbUpwBGCDeemQJLiAAXo9V-9YUT6Orufn5H-
4xBAAAAAAAAAAAAAAAAAAAAAANLggAAAAAABkAAAAMLlsAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdYxS-
2CR6zlZ0PvbopPnwr5yinSH97RGAu0ijlpzwIOV3ZKTH_a-SKSZXTtuxTUgFj7IQWgxJk1AyZpvT5QJmgg-
SgAGLkYAMEQCICldUnDdcnEemZib-pXpiiyOnHMpYLmCyVZ35tVASLmDAiBW6LUHhKrgMmtty4S2UEjgNwPewHQU-py4WBn8UXahsg",
"assertionScheme": "UAFV1TLV"
}
],
"fcParams":
"eyJhcHBJRCI6ImFuZHJvaWQ6YXBrLWtleS1oYXNoOllITkhLaXdvYkNrTUx0Q1F3OFhtVmNSL0ErcyIsImNoYWxsZW5nZSI6IlJSdnE1eWozW
jNZNFY2NFB5a3BKX0gtRV91cXZZRkNnQnlzNDhEeEprVjAiLCJjaGFubmVsQmluZGluZyI6e30sImZhY2V0SUQiOiJhbmRyb2lkOmFway1rZXk
taGFzaDpZSE5IS2l3b2JDa01MdENRdzhYbVZjUi9BK3MifQ",
"header": {
"appID": "android:apk-key-hash:YHNHKiwobCkMLtCQw8XmVcR/A+s",
"op": "Reg",
"serverData": "c8729acc-c3c1-491d-8fe9-b65c3345bbc3;FBu4YyXMWO9qxJwPIsEKdHY7sAdCC9oJYedxg8WsIeM=",
"upv": {
"major": 1,
"minor": 0
}
}
}
]

23. TLV (Tag-Length-Value) Structure
Authenticator uses TLV format to communicate with the outside world
(Authenticator commands and response – little endian)
013e1e01033ecb000b2e09003131313123303030310e2e070001000102000101 ……………

24. Authentication

25. Transaction Confirmation

26. Deregistration

27. How to apply FIDO Solution to your system
1. Import FIDO library (Cover FIDO
Client API and RP Transport)
2. Implement logic and UI
3. If your service is Webapp,
import javascript library
1. Implement FIDO Server API (only 3 APIs)
2. Implement logic to support FIDO
1. Register policy and assign
policy ID

28. 왜 FIDO를 도입해야 하나요?
• 공개키 (PKI) 기반의 안전한 인증 방식
– 인증 서버에 비밀번호와 같은 credential이 저장되지 않아, 기존 PW 방식에 비해 안전함
– PW와 같은 credential이 네트워크를 통해 전송되지 않음
• 생체 인식 등의 다양한 기술 활용 가능한 구조
– 지문, 얼굴, 홍채, 또 다른 무엇이라도 적용 가능 (동일한 API, Policy만 변경!!!)
– Without FIDO: 지문인식 / 얼굴 / 홍채 등 새로운 인증 기능 신규 개발 필요 (Every time)
• 생체 정보에 대한 보호
– 생체 정보는 절대 단말 외부로 전송이 되거나 외부에 저장되지 않음
– 단말 내에 안전한 공간 (Trust Zone)에 저장됨
• 표준 기술 적용을 통한 범용성 제공
– Web (W3C Web API), Android, iOS, Windows 에서 FIDO 기술 활용 가능 또는 예정
– 제2의 ActiveX 등은 이제 그만..
• 한번의 등록을 통해 Multiple app 또는 platform 적용
• 설계/구현/운용 상의 실수를 피할 수 있음
– 인증 기술에 대한 이해 부족으로 인한 잘못된 구현, 그리고 보안 사고 발생
– FIDO 인증 솔루션 도입 시, 인증 기능을 FIDO 솔루션에 위임