IMPLEMENTATION AND ANALYSIS OF TIMING ATTACK IN FIDO AUTHENTICATION SYSTEM
FIDO2 (Fast IDentity Online) is an authentication protocol based on public-key cryptography. Its main goal is to replace password authentication, which has security flaws. FIDO2 authentication is built on challenge-response, where the...
Saved in:
Main Author: | Husni, Faizal |
---|---|
Format: | Theses |
Language: | Indonesia |
Online Access: | https://digilib.itb.ac.id/gdl/view/86178 |
Institution: | Institut Teknologi Bandung |
id |
id-itb.:86178 |
---|---|
spelling |
id-itb.:86178 2024-09-15T05:59:31Z IMPLEMENTATION AND ANALYSIS OF TIMING ATTACK IN FIDO AUTHENTICATION SYSTEM Husni, Faizal Indonesia Theses FIDO, Authentication, Registration, Timing Attack INSTITUT TEKNOLOGI BANDUNG https://digilib.itb.ac.id/gdl/view/86178 text |
institution |
Institut Teknologi Bandung |
building |
Institut Teknologi Bandung Library |
continent |
Asia |
country |
Indonesia |
content_provider |
Institut Teknologi Bandung |
collection |
Digital ITB |
language |
Indonesia |
description |
FIDO2 (Fast IDentity Online) is an authentication protocol based on public-key
cryptography. Its main goal is to replace password authentication, which has
security flaws. FIDO2 authentication is built on challenge-response: the FIDO
authenticator creates a public key pair and cryptographically signs a challenge
provided by the server. Beyond security, FIDO2 also offers privacy, in that the
FIDO authenticator creates a different public key pair for each registered service.
This research designs a side-channel timing attack whose aim is to check whether a
credential comes from an authenticator. The attack measures two registration times
by exploiting the excludeCredentialList parameter, on the assumption that the
processing time differs when the credentials have already been registered with the
authenticator. The timing attack was tested on six authenticators and 3 clients
(browsers). The results show that three out of six authenticators and one out of
three clients are vulnerable to this timing attack. The research also tested the
accuracy of linking on vulnerable authenticators; linking accuracy on an
authenticator reached 97.5%. To overcome this timing attack, updates can be made to
the authenticator or client. |
format |
Theses |
author |
Husni, Faizal |
title |
IMPLEMENTATION AND ANALYSIS OF TIMING ATTACK IN FIDO AUTHENTICATION SYSTEM |