2025-04-02 Update. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
1. Constraints in Design
The U2F protocol can only be used on websites served over HTTPS. That is no problem for commercial sites, but for a local area network or an internal development environment we implement HTTPS with a self-signed certificate.
When the web page asks the U2F device to register or sign, the "appId" in the request is checked. The "appId" of a web application, and each facet it applies to, must conform to the definition of "Web Origin" (RFC 6454): in practice it should be a domain name or machine name, not an IP address, and it must be consistent with the Web Origin of the page that requests access to the device, otherwise an error occurs. For "appId" there are two application modes, single-facet and multi-facet; interested readers can refer to the U2F technical specification.
2. A site DEMO that supports U2F
2.1. How to get the code
https://github.com/solarkai/FIDO_U2F_KEDACOM provides a site project that supports U2F. Although it is only a site DEMO, it provides complete functions for user and U2F device management.
2.2. How to build and run
The project's client side is written with jQuery and jQuery UI, and the server side with the Spring Boot framework. It is built with Maven using the following command:
./mvnw clean package
The generated jar package can be run directly with the following command (JDK 1.8 recommended). Note that a tomcat.keystore file must exist in the current working directory, otherwise Spring reports an injection error at startup:
java -jar Kedacom-U2F-DEMO-0.0.1-SNAPSHOT.jar
Once started, the program runs a Tomcat server that supports both http and https. Users can access it in the browser at "http://localhost:8080" or "https://localhost:8443"; U2F devices are not supported in http mode.
2.3. How to support HTTPS
To use HTTPS we need a self-signed certificate. We generate it with the keytool that ships with the JDK into the keystore tomcat.keystore, which is placed in the current working directory when the project runs. The generation command is as follows (keytool prompts for the keystore password, which must match https.ssl.key-store-password in application.properties):
keytool -genkeypair -keystore tomcat.keystore -alias tomcat -keyalg RSA -keysize 2048 -validity 5000 -dname "CN=localhost, OU=kedacom, O=kedacom, L=shanghai, ST=shanghai, C=cn" -ext "SAN=DNS:localhost,IP:172.16.64.59" -ext "BC=ca:true"
To stop the browser warning about the self-signed certificate, export the public-key certificate (a .cer file) from tomcat.keystore and import it into the browser's trusted root certification authorities. The command to export the public-key certificate is as follows:
keytool -keystore tomcat.keystore -export -alias tomcat -file tomcat.cer
The relevant HTTPS parameters are defined in the project's application.properties file; Spring injects them into variables when the project starts. application.properties is defined as follows:
# https
https.port=8443
https.ssl.key-store=tomcat.keystore
https.ssl.key-store-password=tomcat
https.ssl.keyAlias=tomcat
# u2f
u2f.appId=https://localhost:8443
If readers use the project's code to build their own site, make sure that "u2f.appId" in application.properties and the CN and SAN in tomcat.keystore agree with the site's domain name (machine name).
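As an added example (not code from the FIDO_U2F_KEDACOM project), the following Node.js script applies the constraint from section 1 and the consistency check just described: it parses a constructed copy of the application.properties shown above, verifies that u2f.appId is a single-facet appId (an https Web Origin whose host is a name rather than an IP address, equal to the origin of the page that calls the device, with no path), checks the port against https.port, and checks that the host is covered by the CN or DNS SAN from the keytool command. The property keys and certificate names come from the page; the function names and the certificate-name object are assumptions for the example, and the multi-facet mode (an appId pointing to a trusted-facets list) is not modelled.

```javascript
// Added example, not part of the FIDO_U2F_KEDACOM project: check that the
// u2f.appId in application.properties is a valid single-facet U2F appId and
// that it agrees with the names the keytool command put into the certificate.

// Constructed sample of the project's application.properties (values as on the page).
const SAMPLE_PROPERTIES = [
  '# https',
  'https.port=8443',
  'https.ssl.key-store=tomcat.keystore',
  'https.ssl.key-store-password=tomcat',
  'https.ssl.keyAlias=tomcat',
  '# u2f',
  'u2f.appId=https://localhost:8443',
].join('\n');

// Constructed: the names from the page's keytool -dname / -ext SAN arguments.
const SAMPLE_CERT_NAMES = { cn: 'localhost', san: ['DNS:localhost', 'IP:172.16.64.59'] };

// Minimal java.util.Properties-style parser: key=value or key:value, '#'/'!' comments.
function parseProperties(text) {
  const props = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === '#' || line[0] === '!') continue;
    const idx = line.search(/[=:]/);
    if (idx < 0) continue;
    props[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
  }
  return props;
}

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Single-facet rule: appId must be a bare https origin with a named host.
// Returns { ok: true, origin } or { ok: false, reason }.
function checkAppIdIsOrigin(appId) {
  let url;
  try { url = new URL(appId); } catch (e) { return { ok: false, reason: 'appId is not a URL' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'appId scheme must be https' };
  if (IPV4.test(url.hostname) || url.hostname.startsWith('[')) {
    return { ok: false, reason: 'appId host must be a domain/machine name, not an IP address' };
  }
  if (url.pathname !== '/' || url.search || url.hash || url.username) {
    return { ok: false, reason: 'single-facet appId must be a bare origin' };
  }
  return { ok: true, origin: url.origin };
}

// Is the host named by the certificate's CN or one of its DNS SAN entries?
function certCoversHost(host, certNames) {
  const h = host.toLowerCase();
  const dns = certNames.san.filter((e) => e.startsWith('DNS:')).map((e) => e.slice(4).toLowerCase());
  return h === certNames.cn.toLowerCase() || dns.includes(h);
}

// Full check of a properties text against the certificate names and the page origin.
function checkU2fConfig(propertiesText, certNames, pageOrigin) {
  const props = parseProperties(propertiesText);
  const appId = props['u2f.appId'];
  if (!appId) return { ok: false, reason: 'u2f.appId is missing' };
  const r = checkAppIdIsOrigin(appId);
  if (!r.ok) return r;
  const url = new URL(appId);
  const port = url.port || '443';
  if (props['https.port'] && props['https.port'] !== port) {
    return { ok: false, reason: `appId port ${port} differs from https.port ${props['https.port']}` };
  }
  if (pageOrigin && pageOrigin !== r.origin) {
    return { ok: false, reason: `page origin ${pageOrigin} differs from appId ${r.origin}` };
  }
  if (!certCoversHost(url.hostname, certNames)) {
    return { ok: false, reason: `certificate CN/SAN does not cover ${url.hostname}` };
  }
  return { ok: true, origin: r.origin };
}

function demo() {
  // The https page on the page's own origin passes; the http page on 8080 does not.
  console.log(checkU2fConfig(SAMPLE_PROPERTIES, SAMPLE_CERT_NAMES, 'https://localhost:8443'));
  console.log(checkU2fConfig(SAMPLE_PROPERTIES, SAMPLE_CERT_NAMES, 'http://localhost:8080'));
}
demo();
```

Run it with node before deploying a site built from the project; the IP-address case is the one that bites on a LAN, where it is tempting to point the browser at https://172.16.64.59:8443 even though the certificate carries that address in its SAN.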
2.4. How to realize the persistence of user data
Disk persistence of user data is not implemented in this project, which means that previously saved user data is lost as soon as the server restarts. Adding persistence is simple for interested readers, however. User data operations in the project go through the interface com.kedacom.u2f.users.IUserStore, whose implementation object is injected at system start. At present the project code injects a com.kedacom.u2f.users.UsersStoreInmemory object; readers only need to replace the UsersStoreInmemory injection with a custom persistent object that implements IUserStore.
2.5. Site function
The project site DEMO provides complete user and U2F device management: adding, deleting and modifying users, registering (binding) U2F devices, authentication, and so on.
2.5.1. User management function
An admin user is created by default when the site starts; you can log in with the initial user name and password "admin/admin". Figure 1 shows the user functions: adding and deleting users and changing passwords.
2.5.2. Bind and unbind U2F devices
A user of this site can bind (register) multiple U2F devices but cannot bind the same U2F device twice; the same U2F device can be bound by multiple users.
Figure 2 shows a user's device binding process, at the point where the site prompts the user to touch the device.
Figure 3 shows the data after the device is bound.
Figure 4 shows the registration data of a user who has bound multiple devices, each identified by its keyHandle.
The user can choose one of the keyHandles to unbind; the U2F device corresponding to that keyHandle will then no longer work for login authentication, as shown in figure 5.
2.5.3. User login authentication
For a user bound to a U2F device, login verifies not only the user name and password but also the U2F device, as shown in figure 6.
2.6. Third-party libraries used
The U2F signing and registration API script used by the project's client side comes from https://demo.yubico.com/js/u2f-api.js. The server uses the u2flib-server-core and u2flib-server-attestation libraries provided by Yubico; add the following dependencies to the pom file:
<dependency>
  <groupId>com.yubico</groupId>
  <artifactId>u2flib-server-core</artifactId>
  <version>0.19.0</version>
</dependency>
<dependency>
  <groupId>com.yubico</groupId>
  <artifactId>u2flib-server-attestation</artifactId>
  <version>0.19.0</version>
</dependency>
These two libraries implement the complete certificate verification, public key extraction and signature verification of U2F device registration data. Their core class is com.yubico.u2f.U2F, which builds on the java.security packages and classes; the code is worth reading.
3. References
https://fidoalliance.org/how-fido-works/
https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/FIDO-U2F-COMPLETE-v1.2-ps-20170411.pdf
https://www.ietf.org/rfc/rfc6454.txt