1C/ “Verifier Impersonation Resistance”
"Verifier Impersonation Resistance" (anti phish) & OIDF EAP
Thursday 1C
Convener: Jim Fenton and John Bradley
Notes-taker(s): Tom Brown
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Phishing can occur by clicking a link to a phony site in an email or a link to a phony site from web search results
How do you present a credential to an RP/verifier without it being replayed?
If the authentication token/assertion has no audience restriction and is not bound to a channel, you are at risk
If you sign something, someone can replay it
Problem of a bad guy posing as an RP cannot be solved with challenge-response alone: the bad guy gets a challenge from the real RP, sends it to the user agent, and proxies the response back to the real RP
1. password S → RP
2. challenge response f(S,C) → RP
3. verifier impersonation resistance f(S,C,RP) → RP
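Added example (not from the session): a toy model of schemes #2 and #3 with HMAC, showing that the proxy attack described above succeeds against f(S,C) but fails against f(S,C,RP) because an honest user agent binds its answer to the origin it actually sees. The RP names and keys are constructed for the simulation.

```python
import hashlib
import hmac
import os

# Constructed identifiers for the simulation (not from the session notes).
REAL_RP = b"bank.example"
PHONY_RP = b"bank-login.example"   # the phony site the user actually reached

def respond(secret: bytes, challenge: bytes, origin: bytes, scheme: int) -> bytes:
    """User agent's answer. Scheme 2: f(S,C). Scheme 3: f(S,C,RP), where RP is
    the origin the agent is really talking to (e.g. the TLS server name)."""
    data = challenge if scheme == 2 else challenge + b"|" + origin
    return hmac.new(secret, data, hashlib.sha256).digest()

def verify(secret: bytes, challenge: bytes, rp_id: bytes,
           resp: bytes, scheme: int) -> bool:
    """Real RP recomputes with its own identity and compares in constant time."""
    return hmac.compare_digest(respond(secret, challenge, rp_id, scheme), resp)

def login(secret: bytes, scheme: int, phished: bool) -> bool:
    """Return True if the real RP accepts the session.

    phished=True models the relay from the notes: the phony site fetches a
    challenge from the real RP, hands it to the user agent, and proxies the
    answer back. The agent is honest and uses the origin it sees."""
    challenge = os.urandom(32)                     # issued by the real RP
    origin_seen = PHONY_RP if phished else REAL_RP
    resp = respond(secret, challenge, origin_seen, scheme)
    return verify(secret, challenge, REAL_RP, resp, scheme)

if __name__ == "__main__":
    key = os.urandom(32)
    for scheme in (2, 3):
        print(f"scheme {scheme}: honest={login(key, scheme, False)} "
              f"relayed={login(key, scheme, True)}")
```

Running it shows scheme 2 accepting both the honest and the relayed login, while scheme 3 accepts only the honest one.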
Attack against #2 is real, e.g. the Fancy Bear man-in-the-middle attack on the DNC (Google Authenticator)
BBVA – 10 million euros stolen. Hacked DNS and got certificate issued
If you can hijack the cert (a sophisticated attack), simple FIDO is vulnerable. Need to be able to detect that TLS channel 1 does not equal TLS channel 2 (see diagram)
LOA 4 – strong man-in-the-middle resistance
Browsers don't support mutual TLS well. Poor user experience.