WebAuthn用户句柄

huangapple go评论61阅读模式
英文:

WebAuthn userHandle

问题

get()方法中检索到的userHandle始终为ArrayBuffer(1),即使我在create()中没有传递此参数。

英文:

I m creating passwordless login with u2f key. My application encrypting some data so always on login i need to decrypt them. First i wanna use key AGGUID but i cant get it on navigator.credentials.get(), only getting this with navigator.credentials.create() so i left this idea.

I m using Yubico key.

I found option to save some data on key by userHandle parameter on create() and read this on get().
On read i always retrive userHandle:ArrayBuffer(1).

Data passing to create()

attestation: "direct" 
authenticatorSelection: {authenticatorAttachment: 'cross-platform', userVerification: 'required', requireResidentKey: true, residentKey: 'required'} 
challenge: Uint8Array(32) [113, 73, 120, 104, 50, 115, 117, 82, 57, 109, 111, 81, 119, 85, 65, 120, 69, 105, 108, 114, 112, 103, 53, 101, 68, 65, 73, 89, 85, 67, 71, 67, buffer: ArrayBuffer(32), byteLength: 32, byteOffset: 0, length: 32, Symbol(Symbol.toStringTag): 'Uint8Array'] 
pubKeyCredParams: [{…}] 
rp: {id: 'domain', name: 'localhost'} 
timeout: 10000 
user: {id: Uint8Array(1), name: 'hello@netrizon.eu', displayName: 'Świerżewski'} 
userHandle: Uint8Array(32) [113, 73, 120, 104, 50, 115, 117, 82, 57, 109, 111, 81, 119, 85, 65, 120, 69, 105, 108, 114, 112, 103, 53, 101, 68, 65, 73, 89, 85, 67, 71, 67, buffer: ArrayBuffer(32)

Data passing to get()

allowCredentials: [{…}]
challenge: Uint8Array(32) [68, 78, 65, 120, 97, 80, 56, 50, 78, 117, 71, 89, 86, 108, 86, 117, 65, 111, 114, 121, 78, 97, 105, 98, 81, 80, 104, 82, 101, 74, 86, 82, buffer: ArrayBuffer(32), byteLength: 32, byteOffset: 0, length: 32, Symbol(Symbol.toStringTag): 'Uint8Array']
rpId: "domain"
timeout: 60000
userVerification: "required"

Data received from get()

authenticatorAttachment: null
id: "m-ru-po_y16wehn_I6zum2AVKCnXGXYLrQHlb7Ff6-O42KLluFpQS50vKfLGUKzX"
rawId: ArrayBuffer(48)
response: AuthenticatorAssertionResponse
authenticatorData: ArrayBuffer(37)
clientDataJSON: ArrayBuffer(138)
signature: ArrayBuffer(71)
userHandle: ArrayBuffer(1)
[[Prototype]]: AuthenticatorAssertionResponse
type: "public-key"

userHandle retrived from get() is always ArrayBuffer(1) even if i dont pass this parameter on create().

答案1

得分: 1

如果您使用的是U2F设备,则可能不会存储userHandle。这个值是为FIDO2设备上的可发现凭证设计的,所以您可能需要设置residentKey=required以便将其持久化。不建议将其用作加密密钥,因为它可能在没有用户验证的情况下被披露。

获取加密密钥的预期API是prf扩展。您可以在Chromium中使用此功能(与兼容的安全密钥一起)通过启用chrome://flags/#enable-experimental-web-platform-features。 (我应该在默认情况下启用它)。

英文:

If you're using a U2F device then it mightn't store the userHandle. This value is intended for discoverable credentials on FIDO2 devices, so you might need to set residentKey=required in order to have it persisted. It's also not recommended for using as an encryption key because it'll can be disclosed without user verification.

The intended API for getting encryption keys is the prf extension. You can use this in Chromium (with a compatible security key) by flipping chrome://flags/#enable-experimental-web-platform-features. (I should get around to default-enabling it).

huangapple
  • 本文由 发表于 2023年4月19日 23:28:14
  • 转载请务必保留本文链接:https://go.coder-hub.com/76056305.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定