Add test vectors for PRF extension #2174
Conversation
emlun
force-pushed
the
issue-2088-prf-test-vectors
branch
from
ee8875d
to
37dacda
Compare
|
Do you think it makes sense to add something about the client not sending this data to the server? Admittedly my experience with PRF is related to password managers. The server must never know your "password", or in this case the symmetric encryption key; therefore it's essential that the client does not send A more explicit example is Bitwarden. The server does most of the RP operations including sending the Is it "obvious" that the client should not send this data seeing how if the server had this info it's now at best devolved into a shared secret? |
Using <pre> causes some single quotes in the CDDL examples to be converted into "’" (U+2019) instead of "'" (U+0027), which is incorrect CDDL and also breaks the CDDL syntax highlighting. See the [Bikeshed documentation][1] for more on using `<xmp>`. [1]: https://speced.github.io/bikeshed/#xmp
Hm. I wanted to say that yes, this should be obvious enough in the use cases where this is relevant, and that there are other use cases where you actually do want to send the PRF outputs to the server. But we do since recently have this step in both §7.1. Registering a New Credential and §7.2. Verifying an Authentication Assertion:
which perhaps complicates the matter a bit. The Relying Party Operations sections also don't really make a distinction between client-side and server-side parts of the RP, rather treating both as one entity, so it also doesn't seem quite appropriate to simply add something simple like ", omitting any properties that should not be sent to the server" either. Maybe the right way to go is to just call out the client-side-only use case in the description of |
|
Yeah, it's a tough call. Normally no distinction is made between client and server RP operations; however this is one exception (for password managers at least) where it's important to not follow the ceremony criteria where one "blindly" sends
That's where I am leaning too: a brief cautionary note that mentions one may want to omit this information when sending |
| Pseudo-random values used in this section were generated as follows: | ||
|
|
||
| - <code>"e02eZ9lPp0UdkF4vGRO4-NxlhWBkL1FCmsmb1tTfRyE" = Base64Url(SHA-256(UTF-8("WebAuthn PRF test vectors") || 0x00))</code> | ||
| - <code>h'c4172e982e9097c39a6c0cb720cb375b92e3fcad154a63e43a93f1096b1e1973' = SHA-256(UTF-8("WebAuthn PRF test vectors") || 0x01)</code> |
There was a problem hiding this comment.
| - <code>h'c4172e982e9097c39a6c0cb720cb375b92e3fcad154a63e43a93f1096b1e1973' = SHA-256(UTF-8("WebAuthn PRF test vectors") || 0x01)</code> | |
| - <code>h'c4172e982e9097c39a6c0cb720cb375b92e3fcad154a63e43a93f1096b1e1973' = SHA-256(UTF-8("WebAuthn PRF test vectors") || 0x01)</code> |
There was a problem hiding this comment.
Thanks, but no - this renders incorrectly for similar reasons as noted in PR #2175. Bikeshed replaces ' with ' in the output, but replaces ' with "’" (U+2019) here.
Although now that you pointed it out, maybe it should be ' on both sides in that case...
From my eyes, it is not - though I'll readily admit that's more due to unfamiliarity with the use-cases than going through the actual spec. While it's out of scope on this PR to add more info about use-cases, I think it would be a worthwhile addition to the spec to go into more details there. MasterKale's gist provides a bit more context, but I think more detail about what party manages and/or retains what data would go a long way towards keeping implementations on the successful path. When it comes to cryptography, and especially handling of key material (or inputs to derive it), I'd recommend erring strongly on the side of overly-explicit.
It may be too late to materially change the mechanics, but if this is the case, it seems to me that the sensitive data should have a different access path that's outside of those APIs. In particular, |
I agree especially since it would be a quick remark.
A harsh rebuttal would be that any RP that "accidentally" sends sensitive data is likely not qualified to do whatever it is they are trying to do (e.g., password manager). If/when I implement my own passkey-only password manager; then on the client, I would use I should add that for my general-purpose server-side WebAuthn library I'm writing I always error when deserializing the client extensions when |
I agree, but that doesn't tend to stop it in practice. Mistakes happen.
Indeed! However, once you go down that path, you can rapidly end up at a point where you're doing enough customization to the format that you're better off not bothering with Which is in no way to suggest that your approach is wrong or invalid, but I want to keep in mind the common-case usage of that API. If there's a chance to avoid a pretty major security footgun before that API has widespread support, it's probably wise to do so. Maybe my concerns are overstated. I suspect that most parties will ignore the extension entirely, and (as you suggest) it'll probably only get used by RPs that actually do need it and would understand the security implications. In any case, the addition of test vectors for this looks great and I'm excited to see them added. Maybe it'd be better to spin this aspect off into a separate issue? |
|
Yes, let's move that discussion to #2177 (thanks @zacknewman!). |
SHA: d920442 Reason: push, by nicksteele Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Closes #2088.
Preview | Diff