Webauthn securely store user credential data
Question
I am trying to add WebAuthn to my web app, and I want to securely store a private key with the credential data. The methods I have found for storing data with a credential are: hmac-secret extension, large blob extension, CredentialsContainer.store(). Which, if any, of these methods can securely store data on/with the authenticator? Are there better ways of doing it?
Answer 1
Score: 1
CredentialsContainer.store is not pertinent for public-key credentials: they are never stored, only created. (You can store other types of credentials, like passwords, but the title says "WebAuthn" so I'll stick to that topic.)
The hmac-secret extension (exposed as the prf extension at the WebAuthn level) allows an arbitrary number of secrets to be derived using a PRF like HMAC. This is currently behind chrome://flags/#enable-experimental-web-platform-features but will have the greatest degree of support in security keys and will be supported by Android devices in the coming months. This is intended to be the answer to your question but is not fully ready yet.
The credBlob extension allows a small, fixed amount of data to be stored with a credential. It was not originally intended for secrets, however. Only newer security keys will support this.
The largeBlob extension is for storing a KB or two of data with a credential, usually a certificate for that key. This will have the least security key support.
Probably none of those options currently work in Safari, however.