2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. U2F JS API
FIDO U2F defines a JavaScript API with which developers build online services that support U2F devices. The U2F JS API has two layers: a low-level API built on message ports and a high-level application API. The low-level API is described in the FIDO specification; it sends and receives messages to and from U2F devices through a MessagePort object. This article focuses on the high-level API, which hides those communication details.
2. Interface definition
2.1. u2f interface
The u2f interface, defined in WebIDL, is as follows:
    interface u2f {
        void register(DOMString appId, sequence<RegisterRequest> registerRequests, sequence<RegisteredKey> registeredKeys, function(RegisterResponse or Error) callback, optional unsigned long? opt_timeoutSeconds);
        void sign(DOMString appId, DOMString challenge, sequence<RegisteredKey> registeredKeys, function(SignResponse or Error) callback, optional unsigned long? opt_timeoutSeconds);
    };
2.2. Register method
2.2.1. Request parameters
The parameters of the register method are described below (name, type, nullable, optional, meaning):
    appId (DOMString, not nullable, required): application ID of the request
    registerRequests (sequence<RegisterRequest>, not nullable, required): sequence of registration requests
    registeredKeys (sequence<RegisteredKey>, not nullable, required): information about U2F devices already registered
    callback (function(RegisterResponse or Error), not nullable, required): callback function for the registration request
    opt_timeoutSeconds (unsigned long, nullable, optional): how long the client waits for the request to be processed (timeout)
2.2.2. Return value
The data returned by the register method on success (the parameter of the callback) uses the RegisterResponse structure:
    dictionary RegisterResponse {
        DOMString version;
        DOMString registrationData;
        DOMString clientData;
    };
The meanings of the attributes of RegisterResponse are as follows:
    version: U2F protocol version, such as "U2F_V2"
    registrationData: registration data encoded with websafe-base64. For the data format, see "FIDO U2F device Application and Development (1)-principles and protocols", section 3.2.
    clientData: clientData encoded with websafe-base64. For the data format, see "FIDO U2F device Application and Development (1)-principles and protocols", section 3.5.
2.3. Sign method
2.3.1. Request parameters
The parameters of the sign method are described below (name, type, nullable, optional, meaning):
    appId (DOMString, not nullable, required): application ID of the request
    challenge (DOMString, not nullable, required): challenge value encoded with websafe-base64
    registeredKeys (sequence<RegisteredKey>, not nullable, required): registration information of the user who is to sign
    callback (function(SignResponse or Error), not nullable, required): callback function for the signature request
    opt_timeoutSeconds (unsigned long, nullable, optional): how long the client waits for the request to be processed (timeout)
2.3.2. Return value
The data returned by the sign method on success (the parameter of the callback) uses the SignResponse structure:
    dictionary SignResponse {
        DOMString keyHandle;
        DOMString signatureData;
        DOMString clientData;
    };
The meanings of the attributes of SignResponse are as follows:
    keyHandle: the key handle provided in the request
    signatureData: signature data encoded with websafe-base64. For the data format, see "FIDO U2F device Application and Development (1)-principles and protocols", section 3.4.
    clientData: clientData encoded with websafe-base64. For the data format, see "FIDO U2F device Application and Development (1)-principles and protocols", section 3.5.
2.4. Error codes
The error codes returned when the register and sign methods fail are defined as follows:
    interface ErrorCode {
        const short OK = 0;
        const short OTHER_ERROR = 1;
        const short BAD_REQUEST = 2;
        const short CONFIGURATION_UNSUPPORTED = 3;
        const short DEVICE_INELIGIBLE = 4;
        const short TIMEOUT = 5;
    };
2.5. Data structures used by the interface
2.5.1. RegisterRequest
The RegisterRequest structure, defined in WebIDL, is as follows:
    dictionary RegisterRequest {
        DOMString version;
        DOMString challenge;
    };
The meanings of the attributes are as follows:
    version: U2F protocol version, such as "U2F_V2"
    challenge: challenge value encoded with websafe-base64
2.5.2. RegisteredKey
The RegisteredKey structure, defined in WebIDL, is as follows:
    dictionary RegisteredKey {
        DOMString version;
        DOMString keyHandle;
        Transports? transports;
        DOMString? appId;
    };
The meanings of the attributes are as follows:
    version: U2F protocol version, such as "U2F_V2"
    keyHandle: key handle of the user who is signing
    transports: transport method; optional
    appId: application ID of the online service website
3. Exploring the programming interface by example
3.1. Registration process
This article uses yubico's U2F device test website (https://demo.yubico.com/u2f), together with a yubico security key, to see how the register and sign methods are used.
We bought two U2F keys from Taobao, as shown in figure 1; one of them is a Feitian-brand key with Bluetooth.
First we test the registration process, as shown in figure 2.
By tracking the messages exchanged between the website's client and server, we found that once the registration process began, the client submitted two requests to the server, corresponding to phases 1 and 3 of the three phases described in section 3 of "FIDO U2F device Application and Development (1)-principles and protocols".
When the client submits its first request to the server, the parameters contain the user name and password, as shown in figure 3.
After the client-side JS script calls the register function with the registration request returned by the server, it submits the data returned by register to the server; the submitted form data is shown in figure 4. The data in figure 4 shows that register returned success. The submitted form data is as follows:
    Name: mode
    Value: bind
    Name: username
    Value: zhangkai
    Name: password
    Value: zhangkai
    Name: enroll-data
    Value: {"challenge": "OlyOzHxaxx6LUXX5chXsxj4GfspKTskBANNOtQ_UwcA", "version": "U2F_V2", "appId": "https://demo.yubico.com"}
    Name: data (the data returned by the u2f device interface call)
    Value: {"registrationData": "BQSns2lmNJhJPSFbiDioTABT5xd2OZQpmpZFREJpbiaQC8zssXg0jLaxz8_gMioQQILSE5lsbH5BqpJwWR4rJoI1QMxn5LhVlLKhs_W-F7x4ppkw9K57h7dsTCDsikFv9BnpfSvj8XYhEHV-KEoBg8sNXq_I6-PRQ5_Z6yDkAFzrlBQwggJKMIIBMqADAgECAgQSSnL-MA0GCSqGSIb3DQEBCwUAMC4xLDAqBgNVBAMTI1l1YmljbyBVMkYgUm9vdCBDQSBTZXJpYWwgNDU3MjAwNjMxMCAXDTE0MDgwMTAwMDAwMFoYDzIwNTAwOTA0MDAwMDAwWjAsMSowKAYDVQQDDCFZdWJpY28gVTJGIEVFIFNlcmlhbCAyNDk0MTQ5NzIxNTgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ9ixu9L8v2CG4QdHFgFGhIQVPBxtO0topehV5uQHV-4ivNiYi_O-_XzfIcsL9dehUNhEr-mBA8bGYH2fquKHwCozswOTAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4xLjQxNDgyLjEuMTATBgsrBgEEAYLlHAIBAQQEAwIFIDANBgkqhkiG9w0BAQsFAAOCAQEAoU8e6gB29rhHahCivnLmDQJxu0ZbLfv8fBvRLTUZiZFwMmMdeV0Jf6MKJqMlY06FchvC0BqGMD9rwHXlmXMZ4SIUiwSW7sjR9PlM9BEN5ibCiUQ9Hw9buyOcoT6B0dWqnfWvjjYSZHW_wjrwYoMVclJ2L_aIebzw71eNVdZ_lRtPMrY8iupbD5nGfX2BSn_1pvUt-D6JSjpdnIuC5_i8ja9MgBdf-Jcv2nkzPsRl2AbqzJSPG6siBFqVVYpIwgIm2sAD1B-8ngXqKKa7XhCkneBgoKT2omdqNNaMSr6MYYdDVbkCfoKMqeBksALWLo2M8HRJIXU9NePIfF1XeUU-dzBFAiAtXTkSxA8NFX8RU-qNtKdzBkuVSk-rIFjhkCJRALTIBwIhAKjY3XT8vJgjgyOyGhEyxGF8zQonpWvdOwFoTe77cOv-", "version": "U2F_V2", "challenge": "OlyOzHxaxx6LUXX5chXsxj4GfspKTskBANNOtQ_UwcA", "attestation": "direct", "clientData": "eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6Ik9seU96SHhheHg2TFVYWDVjaFhzeGo0R2ZzcEtUc2tCQU5OT3RRX1V3Y0EiLCJvcmlnaW4iOiJodHRwczovL2RlbW8ueXViaWNvLmNvbSIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ"}
3.2. Authentication process
After registration is successful, the authentication (login) process can be performed, as shown in figure 5.
Tracking the interaction between the website's client and server, the first client request carries the user name and password, as shown in figure 6.
After the client JS script calls the sign function with the signature request returned by the server, and the U2F device has generated the signature, the client submits the signature data to the server, as shown in figure 7.
The submitted form data is:
    Name: mode
    Value: verify
    Name: username
    Value: zhangkai
    Name: password
    Value: zhangkai
    Name: sign-data
    Value: {"challenge": "UGZj34u9u3KVWe3jFrcInm7ZcrPWaX_j9tohZ-34FT0", "version": "U2F_V2", "keyHandle": "3sHb84XcS8HfFaQJ_nhf4aRlWe_wYRKcg5wKelF51hOiP4iNJtGPbsfe5InJmGfoxUSjtqT46HBwG7jkFtc01Q", "appId": "https://demo.yubico.com"}
    Name: data (the data returned by the u2f device API)
    Value: {"keyHandle": "3sHb84XcS8HfFaQJ_nhf4aRlWe_wYRKcg5wKelF51hOiP4iNJtGPbsfe5InJmGfoxUSjtqT46HBwG7jkFtc01Q", "clientData": "eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiVUdaajM0dTl1M0tWV2UzakZyY0lubTdaY3JQV2FYX2o5dG9oWi0zNEZUMCIsIm9yaWdpbiI6Imh0dHBzOi8vZGVtby55dWJpY28uY29tIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9", "signatureData": "AQAAAAEwRQIhAMCCFSBV7V8kr07XDY2bT3aPI9siDiOFdFBIm8FVTRq1AiBVaYi06GWIHw6uHE_3MFkjrbSY13k5ukPU9_xnNAo_xQ"}
After the server verifies the signature, the verification success information is returned.
3.3. Exception handling
During the experiment, both the register and sign functions returned an error code if the U2F device's button was not pressed during the interaction or the device was not plugged in. For the definition of the error codes, see section 2.4.
3.4. u2f-api.js
u2f-api.js is a U2F JS API library provided by yubico that encapsulates the interface specification described in section 2. It can be obtained from https://demo.yubico.com/js/u2f-api.js. The main definitions in u2f-api.js are as follows:
    var u2f = u2f || {};
    u2f.register = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) { ... };
    u2f.sign = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) { ... };
Note that the timeout for the register and sign operations is defined as 30 seconds in this script:
    u2f.EXTENSION_TIMEOUT_SEC = 30;
When performing the registration process of section 3.1, tracking the browser messages shows that the page returned after the first request to the server contains the following JS code:
    setTimeout(function() {
      var request = {"challenge": "OlyOzHxaxx6LUXX5chXsxj4GfspKTskBANNOtQ_UwcA", "version": "U2F_V2", "appId": "https://demo.yubico.com"};
      console.log("Register: ", request);
      var appId = request.appId;
      var registerRequests = [{version: request.version, challenge: request.challenge, attestation: 'direct'}];
      $('#promptModal').modal('show');
      console.log(appId, registerRequests);
      u2f.register(appId, registerRequests, [], function(data) {
        console.log("Register callback", data);
        $('#promptModal').modal('hide');
        $('#bind-data').val(JSON.stringify(data));
        $('#bind-form').submit();
      });
    }, 1000);
This code registers through U2F's high-level register function; the reader can compare it with the function parameters in section 2.2. Note that the registeredKeys parameter here is the empty array [].
Reading u2f-api.js carefully, we find that the script communicates with U2F devices through the Chrome built-in extension with EXTENSION_ID "kmendfapggjehodndflmmgagdbamhnfd".
When performing the authentication process of section 3.2, tracking the browser messages shows that the page returned after the first request to the server contains the following JS code:
    setTimeout(function() {
      var request = {"challenge": "UGZj34u9u3KVWe3jFrcInm7ZcrPWaX_j9tohZ-34FT0", "version": "U2F_V2", "keyHandle": "3sHb84XcS8HfFaQJ_nhf4aRlWe_wYRKcg5wKelF51hOiP4iNJtGPbsfe5InJmGfoxUSjtqT46HBwG7jkFtc01Q", "appId": "https://demo.yubico.com"};
      console.log("sign: ", request);
      var appId = request.appId;
      var challenge = request.challenge;
      var registeredKeys = [{version: request.version, keyHandle: request.keyHandle}];
      $('#promptModal').modal('show');
      u2f.sign(appId, challenge, registeredKeys, function(data) {
        $('#promptModal').modal('hide');
        $('#verify-data').val(JSON.stringify(data));
        $('#verify-form').submit();
      });
    }, 1000);
In this code, U2F's high-level sign function is called.
4. Browser compatibility testing
We used the purchased U2F devices to test the Chrome, Firefox and IE browsers on a PC. Chrome was version 69 and Firefox was Firefox Quantum 62; both browsers currently support U2F devices.
Using U2F in Firefox requires a switch to be turned on (it is off by default), as shown in figure 8.
There is an interesting question here. The website used in the test is still https://demo.yubico.com/u2f, and the JS script is still u2f-api.js. As mentioned earlier, this script talks to the USB device through a Chrome built-in extension. How can it work in Firefox?
The reason is that Firefox implements its own u2f object, and all properties of this object are read-only, so u2f-api.js cannot overwrite it, as the following console output shows:
    TypeError: setting getter-only property "u2f"
The IE browser tested was version 11, which does not support U2F devices.
We installed the Chrome app on an Android phone and tested U2F support using the U2F device's BLE (Bluetooth) mode. It was unsuccessful: the U2F device did not flash when Chrome called the register function.
5. References
    https://fidoalliance.org/how-fido-works/
    https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/FIDO-U2F-COMPLETE-v1.2-ps-20