1C/ “Verifier Impersonation Resistance”

From IIW

"Verifier Impersonation Resistance" (anti phish) & OIDF EAP

Thursday 1C

Convener: Jim Fenton and John Bradley

Notes-taker(s): Tom Brown

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Phishing can occur by clicking a link to a phony site in an email or a link to a phony site from web search results

How do you present a credential to an RP/verifier without it being replayed?

If you don't have an audience restriction in the authentication token/assertion or bind the token to a channel, you are at risk

If you sign something, someone can replay it

Problem of bad guy posing as an RP cannot be solved with only challenge-response: Bad guy gets challenge from real RP and sends it to user agent and proxies response back to real RP

1. password S → RP

2. challenge response f(S,C) → RP

3. verifier impersonation resistance f(S,C,RP) → RP
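The three levels above, and the relay problem described before them, as an added worked example (not from the session): a toy HMAC-based scheme in which the user agent mixes the origin it actually talked to into the response. The secret, origins and challenge are constructed values for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret S between user agent and the real RP.
SECRET = b"user-shared-secret-S"
REAL_RP = "https://bank.example"          # the genuine RP/verifier (constructed)
PHISH_RP = "https://bank-login.example"   # phony site the user was lured to (constructed)


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Level 2: f(S, C). Binds the secret to the challenge only."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def rp_bound_response(secret: bytes, challenge: bytes, rp_origin: str) -> bytes:
    """Level 3: f(S, C, RP). The origin the user agent sees is part of the MAC input,
    so a response produced for one origin does not verify at another."""
    msg = rp_origin.encode() + b"\x00" + challenge
    return hmac.new(secret, msg, hashlib.sha256).digest()


def rp_verify(secret: bytes, challenge: bytes, response: bytes, bound: bool) -> bool:
    """The real RP recomputes the response using its *own* origin when binding is on."""
    if bound:
        expected = rp_bound_response(secret, challenge, REAL_RP)
    else:
        expected = challenge_response(secret, challenge)
    return hmac.compare_digest(expected, response)


def login_accepted(bound: bool, origin_seen_by_user_agent: str) -> bool:
    """One login round. The challenge always comes from the real RP; the user agent
    computes its response for the origin it believes it is talking to, and the
    response is then delivered to the real RP (directly, or proxied by a phony site)."""
    challenge = secrets.token_bytes(32)
    if bound:
        response = rp_bound_response(SECRET, challenge, origin_seen_by_user_agent)
    else:
        response = challenge_response(SECRET, challenge)
    return rp_verify(SECRET, challenge, response, bound)


def legitimate_login(bound: bool) -> bool:
    return login_accepted(bound, REAL_RP)


def relayed_login(bound: bool) -> bool:
    # Phony site fetched C from the real RP and forwarded it; user agent sees PHISH_RP.
    return login_accepted(bound, PHISH_RP)
```

With plain challenge-response (`bound=False`) the relayed response verifies; with the RP identity mixed in (`bound=True`) only the direct login does.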

Attack against #2 is real. E.g. Fancy Bear MITM attack on DNC (google authenticator)

BBVA – 10 million euros stolen. Hacked DNS and got certificate issued

If you can hijack the cert (sophisticated attack), simple FIDO is vulnerable. Need to be able to detect that TLS channel 1 does not equal TLS channel 2 (see diagram)

LOA 4 – strong man-in-the-middle resistance

Browsers don't support mutual TLS well. Poor user experience.