
Webauthn securely store user credential data

Question


I am trying to add webauthn to my web app, and I want to securely store a private key with the credential data. The methods I have found for storing data with a credential are: hmac-secret extension, large blob extension, CredentialsContainer.store() . Which, if any, of these methods can securely store data on/with the authenticator? Are there better ways of doing it?

Answer 1

Score: 1


CredentialsContainer.store is not pertinent for public-key credentials: they are never stored, only created. (You can store other types of credentials, like passwords, but the title says "WebAuthn" so I'll stick to that topic.)

The hmac-secret extension (exposed as the prf extension at the WebAuthn level) allows an arbitrary number of secrets to be derived using a PRF like HMAC. This is currently behind chrome://flags/#enable-experimental-web-platform-features but will have the greatest degree of support in security keys and will be supported by Android devices in the coming months. This is intended to be the answer to your question but is not fully ready yet.

The credBlob extension allows a small, fixed amount of data to be stored with a credential. It was not originally intended for secrets, however. Only newer security keys will support this.

The largeBlob extension is for storing a KB or two of data with a credential, usually a certificate for that key. This will have the least security key support.

Probably none of those options currently work in Safari, however.

huangapple
  • Posted on 2023-02-10 13:15:46
  • Original link: https://go.coder-hub.com/75407223.html