DEV Community: Dmitry

Security analysis of a repository pattern and asking ChatGPT about it.

Dmitry — Sat, 17 Dec 2022 03:05:59 +0000

This week I discovered that SAST tools are struggling with a repository pattern.

So, let's say we have an IRepo interface with a single defined method.

We have 2 implementations: Repo and DummyRepo

    public interface IRepo
    {
        void DoRepoStuff(string username, string name);
    }

    public class Repo : IRepo
    {
        public void DoRepoStuff(string username, string name)
        {
            string concatSql = "SELECT * FROM Accounts WHERE Username='" + username + "' OR  Name='" + name + "'";

            using (SqlConnection connection = new SqlConnection("dummyconnectionstring"))
            {
                SqlCommand concatSqlCommand = new SqlCommand()
                {
                    CommandText = concatSql,
                    CommandType = CommandType.Text,
                };

                concatSqlCommand.ExecuteReader();
            }
        }
    }

    public class DummyRepo : IRepo
    {
        public void DoRepoStuff(string username, string name)
        {
            return;
        }
    }

We declare instances somewhere.

public IRepo _repoVulnerable = new Repo();

public IRepo _repoDummy = new DummyRepo();

Test case 1: Let's call a vulnerable method DoRepoStuff of _repoVulnerable instance. Note, that it is IRepo.

public IActionResult SqlClientVulnerable(string username, string name)
    {
        _repoVulnerable.DoRepoStuff(username, name);
        return new OkResult();
    }

So we found a security vulnerability - SQL Injection, right?
Yes, but not all tools will report it.

Test case 2: Let's call a safe method DoRepoStuff of _repoDummy instance. Note, that it is IRepo.

public IActionResult SqlClientDummySafe(string username, string name)
{
    _repoDummy.DoRepoStuff(username, name);
    return new OkResult();
}

We should not have a problem here, but some security tools will report security vulnerability by following the IRepo interface.

Test case 3:
Declare _repoVulnerable as Repo and _repoDummy as DummyRepo:

public Repo _repoVulnerable = new Repo();

public DummyRepo _repoDummy = new DummyRepo();

It can help some tools to properly identify the true positive _repoVulnerable and do not trigger safe _repoDummy because no need to do a taint analysis by interface.

I can try to group security tools by behaviour.

Following interface implementations and marking all invocations vulnerable
1.1. If a tool displays only a single source, you may not see this behaviour
1.2. If a tool displays all sources that lead to the sink, you will most likely get a security vulnerability for the Dummy repo.
Not following interface
2.1. Do not display anything - no findings
2.2. Do not use Taint Analysis decreasing the confidence level.

Which tools are doing what.

Github Code Scanning will follow by interface, thus you will identify all true positives along with dummy false positives. Dummy interface implementation simply returns return containing no security issues.

SonarCloud will follow by interface but it shows a single source for a single sink. So a single finding.
Note that SonarCloud has 2 rules to detect SQL injections:
2.1. S2077 doesn't use Taint Analysis, thus it is a security hotspot.
2.2. S3649 use Taint Analysis, but like I mention it doesn't show all paths.
Security Code Scan is not following by interface, at least in NoAudit mode.
Semgrep has no clue about used sinks and shows nothing. Knowing its taint analysis limitation, it should find a known sink in the best case without providing the code flow.
Snyk Code use a single source to report a vulnerability, so it is hard to tell for sure if the Dummy stuff is in equation. It also decreases security severity of the finding to Low in my case.

Which is funny, because the same issue is reported as High without using interfaces. So, it is more about confidence then?

Summary
The repository pattern can be tricky for static code analyzers, be ready to do some manual review!

PS: I mentioned ChatGPT, so let's ask it.
Why static code analyzers cannot properly check code that uses a repository pattern?

Answer:

Static code analyzers are tools that automatically scan source code to identify potential issues, such as bugs, security vulnerabilities, and coding errors. These tools are typically designed to work with a specific programming language and follow a set of rules and best practices for that language.

One of the challenges of using static code analyzers with code that uses a repository pattern is that the repository pattern is a design pattern that is implemented in a variety of ways, and each implementation can have its own unique characteristics. Because static code analyzers are designed to work with specific programming languages and follow a set of rules, they may not be able to properly analyze code that uses a repository pattern if it deviates from those rules.

Additionally, the repository pattern is often used to abstract away the details of how data is stored and retrieved, which can make it difficult for static code analyzers to understand the full context of the code and identify potential issues. For these reasons, static code analyzers may have difficulty properly checking code that uses a repository pattern.

Sounds smart but not a real answer. I consider it as a nice try!

My code repository is located here.

A quick comparison of Security Static Code Analyzers for C#

Dmitry — Sat, 19 Nov 2022 19:48:17 +0000

Intro

Static Application Security Testing (SAST) has become an integral part of any Secure Development Lifecycle. It is relatively fast and can catch security issues before committing to the codebase. You may hear Veracode, Coverity, and Checkmarx. These players are a long time in market. Their analyzers are slow and expensive but mark all checkboxes for a typical "enterpise".

I will test new players for a single language C# and a single vulnerability type - SQL injection. My focus area will be quality of analysis (though it is wrong to make a decision based on a single issue type), vulnerability review (devs can quickly validate findings), and remediation guidance (devs know how to fix it). I would probably try "enterprise" stuff as well if they provide a free tier for open-source projects, but I could not find this option.

So, here are the generic requirements for the SAST tool:

Free to try for public repositories
Supports C#
Provides security rules, can find security issues
Supports Taint Analysis (data flow analysis from input (source) to vulnerable invocation (sink))
Provides a proper description and how to fix it

Bonus:

Fast enough
Small number of false positives
IDE plugin (so devs can view results locally)
Supports SARIF export (so results can be viewed by other tools, e.g., Github Security Scanning)

Candidates:

CodeQL aka Github Security Scanning (GHAS) - a full-sized security solution from Github (formerly Semmle LGTM)
SonarCloud - affordable but powerful, a cloud version of SonarQube Dev Edition
Semgrep - regex on steroids, you don't need to compile anything, and you can create your own rules
Security Code Scan - Roslyn-based C#/VB only analyzers with minimal integration options, but super fast
Snyk Code (formerly DeepCode) - "Dark magic" AI-based, you don't need to compile the code

They are quite different on purpose. Let's see them in action.

Honorable mentions:

Sonarlint for C#, Codacy for C#, SonarQube Community Edition - provided rules are great for quality checks only; they lack Taint Analysis, so no Injections can be found!
Official Roslyn Analyzers from MS (they have a minimal set of sinks meaning they can catch just a few methods).
Puma Security - commercial version of Security Code Scan. The community edition could have been better, but the Pro version sounds interesting.

Testing methodology

I'm not planning to use Juliet Test Suite (just >28000 test cases for C#) or OWASP Benchmark. Juliet Test Suite is very synthetic, it is a good idea to validate your SAST against it, but nobody shares the results. OWASP Benchmark is a bit easier to run, but companies also do not publicly share results. You can ask for them, and maybe you will be lucky.

So, I created my project SharpSaster - https://github.com/dbalikhin/SharpSaster. It is .NET 6 Web Application, fully compilable but without an actual database. Just enough for our SAST folks.

There are 5 controllers (uses ControllerBase class):

SqlBasicController: one safe method EfCoreInjectionSafe (with multiple sinks), and 8 vulnerable methods - EfCoreInjectionVulnerableX. We access a database with EntityFrameworkCore here. Test new stuff!
SqlBasicSinkController: 3 safe and 5 vulnerable methods + extra vulnerable method SqlClientVulnerable10 where we have a parameterized stored procedure but user controllable stored procedure name. We use old-school SqlCommand here. Test old stuff!
SqlAdvancedController: 2 safe (integer conversion), 2 vulnerable (1 or many vulnerable sources).
SqlFlowController: 4 vulnerable flows with a single sink! 1 unreachable safe flow that easy to detect.
SqlFlowSingleSourceController: Similar to the previous class, but for each source, we will have our own sink (I found that some tools combine findings be a sink. If you fix a sink (e.g. with parameterization), you will fix all sources. Although I prefer to see a group of sources combined by a sink, see Results section).

All input (sources) will come from an action of the controller.

Bonus: A typical SAST tool without customization cannot catch conditional cases. I included a couple of them, and all of our candidates marked them vulnerable, as expected. Therefore, I excluded conditional methods from the quality assessment.
An example of the conditional case is below:



var localCondition = false;

if (localCondition)
{
    ExecuteSQLCommandWithVulnerableInput(string source);
}

You should not expect that your SAST analyzer will understand conditions/validation. However, just a few tools support user-controllable customization.

Taint Analysis 101

There is input (user-controllable source) - a parameter in the API controller, main method of console applications, etc.
There is a method that may execute vulnerability (sink) - for SQL injections, it will be any method sending a SQL command to a server.
The source is marked as tainted. If it reaches the sink without sanitization, we have a vulnerability.
Sanitization - any known method that will "untaint" (make it safe) a user-controllable value between the source and the sink.
"Tainting" - any assignment / referencing to the tainted variable. I just created this term, but it is what is happening in reality.



public IActionResult Controller(string source)
{
    // source - I'm tainted
    var otherVariable = source + "stuff";
    // otherVariable - Now I'm tainted too :(
}

An analyzer needs to perform data-flow analysis from the source to the sink (+ from any tainted value in between) "untainting" variables with sanitizers. This is called Taint Analysis.
Sanitizer creates a new safe value as an output. XSS Encoding method or SQL parameterization would be examples of SAST sanitizers, or at least in my interpretation 😉.

Validators do not change "tainted" status. They do not produce output that will be used later. That's why all conditional cases are problematic for analyzers.

A good SAST tool should know as many sinks and sanitizers as possible (sources are usually very limited). And, of course, it should have a solid taint analysis engine.

Categories of results

True Positives / False Positives

How many findings were detected correctly (true positives) or declared safe code as vulnerable (false negatives)?
"Conditional" issues are ignored!

CodeQL (100% of true positives with 0% false positives, conditional stuff is out of scope):

SqlBasicController: 8 of 8 found, 0 false positives.
SqlBasicSinkController: 6 of 6 found, 0 false positives, combining results by a sink if there are 2 sources.
SqlAdvancedController: 2 of 2 found, 0 false positives.
SqlFlowController: 4 of 4 found but in a single issue (combining results by a sink), 0 false positives
SqlFlowSingleSourceController: 4 of 4 found similar to SqlFlowController but cannot combine results because we have unique sinks, 0 false positives

SonarCloud (100% good findings for EFCore, almost 100% bad for SQLCommand. It is an unpleasant "surprise" for me + it is weird to see some SQL Injections in the Hotspots area):

SqlBasicController: 8 of 8 found, 0 false positives.
SqlBasicSinkController: 0 of 6 found. Checking Security Hotspots.
SqlAdvancedController: 2 of 2 found, 0 false positives.
SqlFlowController: 1 of 4 found. I could not find a way to display all sources. A single sink => a single source.
SqlFlowSingleSourceController: 4 of 4 found, 0 false positives

SonarCloud has 2 types of security findings: vulnerabilities (confirmed) and security hotspots (maybe context dependant, requires manual review). I found a single issue for SqlBasicSinkController in the security hotspots area. Technicality, 0% false positives, just missed vulnerabilities.

For some reason, SonarCloud created 22 security hotspots, some for safe items, and other for confirmed vulnerabilities. Unfortunately, I cannot explain why it is doing that.

Semgrep (terrible findings - basically 0% true positives, I had to add an example from the official ruleset to make sure I configured it correctly):

SqlBasicController: 0 of 8 found, 0 false positives.
SqlBasicSinkController: 1 of 6 found, 0 false positives.
SqlAdvancedController: 0 of 2 found, 0 false positives.
SqlFlowController: 0 of 4 found, 0 false positives.
SqlFlowSingleSourceController: 0 of 4 found, 0 false positives.

I didn't have any findings, so I went to the rule to check how it worked. I am confident that my security policy is properly configured, it is not a great ruleset for SQL Injections provided by Semgrep.

Security Code Scan (100% of true positives with 0% false positives. It does not group findings by the same sink, so more issues).

SqlBasicController: 8 of 8 found, 0 false positives.
SqlBasicSinkController: 6 of 6 found (technically 7 of 7, I do have 2 sources with a single sink in one of the cases), 0 false positives.
SqlAdvancedController: 2 of 2 found (+ extra finding from 2 sources with a single sink), 0 false positives.
SqlFlowController: 4 of 4 found (not grouping by the same sink), 0 false positives.
SqlFlowSingleSourceController: 4 of 4 found, 0 false positives.

Snyk Code (it found 100% of true positives. However, it failed significantly on safe EFCore statements).

SqlBasicController: 8 of 8 found, 4 false positives.
SqlBasicSinkController: 6 of 6 found, 0 false positives.
SqlAdvancedController: 2 of 2 found, 0 false positives.
SqlFlowController: 1 of 4 found (I could not find any grouping, so a single sink detected), 0 false positives.
SqlFlowSingleSourceController: 4 of 4 found, 0 false positives.

True Positives / False Positives Summary

CodeQL is a leader along with completely free Security Code Scan. Snyk takes a second place, SonarCloud - third. Semgrep is hardly usable for security needs in this testing scenario.

Snyk shows inconsistent results, but overall, 100% of true positives with some false positives are better than missed issues.

In real life, I saw much better results produced by SonarCloud (SonarQube Dev Edition), but not in this run. I'm disappointed.

Taint Analysis and Visualization

After a scanner finds an issue, a developer/security specialist will need to validate the finding. For SQL Injection issue type, we will need to review the code flow and make sure that tainted input (source) goes all the way to the SQL invocation (sink) without having any known sanitizing function in between. It is called taint analysis (a form of data flow analysis). Not all security rules require taint analysis, but if you want meaningful results for SQL Injections, you will need proper taint analysis.

A scanner should produce a trace in a consumable format so a human can identify the correctness of the findings. Let's check the output of the tools and compare them. I will mostly use "Flow" and "Advanced" controllers.

Note: If a tool supports Github Annotation and allows you to upload results to Github in the SARIF format, you can see annotated code within Github Checks.

CodeQL

CodeQL combines findings by the same sink in the UI. So it makes sense - you need to fix a single sink, e.g., by adding parameters to your SQL statement.
It shows the found sink; to get more details, you need to click on Show Paths to review all available sources.

Remember, we have 4 issues here + 2 conditional "safe" flows, that no tool can detect; you need some old fashion manual code review for that.

CodeQL can properly identify the source parameter - string input.

You need to scroll down to review the sink. The flow is easy to understand, and a short comment is provided for each step. The execution order is shown.

The only possible improvement is to include a variable assignment in the last block, so we can see how concatSql is crafted - I selected this line manually, see below.

Now let's check multiple sources on a single line.

In this scenario, we have 2 vulnerable inputs, CodeQL created 2 paths for them, and each one clearly identifies the vulnerable source.

Overall, the taint analysis looks great. A bit narrow window, so you need to scroll horizontally sometimes.

SonarCloud

SonarCloud doesn't combine findings by a sink; it will only report "first" finding. But it is doing it beautifully.

Execution order can be easily followed by numbers and comments on the left side. It marks all required code, nothing to add or remove. Unless we are talking about conditional execution 😊
My only concern, it doesn't show the exact source parameter.

Now let's check multiple sources on a single line.

Oh well, it simply highlights the method with the source but not the parameter. In our case, user is not vulnerable, but name. It needs to be clarified from the screenshot.

The tool supports SARIF upload, but you will still need to go to SonarCloud website; it is a simple link on the Code Scanning page with basic remediation examples.

Overall, the taint analysis looks great too. The UI requires fewer actions to take than CodeQL. However, a scanner needs to identify a source more specifically.

Semgrep

I have a single finding. Here it is.

I'm not sure if I can say Semgrep supports Taint Analysis. The rule is not simple, but not complicated as well. Semgrep stores just a finding with reference to the Github (permalink).

It supports SARIF upload, so you can use Github Security Code Scanning page to view results.

Security Code Scan

The tool supports SARIF upload. The message format is from the Visual Studio Error List window, a single line with minimal required information that is not easy to read but provides some value. We can get the source, the accessing method, and the sink. I would love to see improvements.

Snyk Code

Snyk Code doesn't combine findings by a sink. Taint analysis visualization is easy to understand, and execution (data) flow provides more steps. It displays almost all tainted data, where CodeQL and SonarCloud prefer to show only method invocation and assignments related to reaching the sink. It may be helpful if you need to validate "validators" (by reviewing the whole data flow) manually - different goals.

Sometimes UI is not responsive, but you can switch between the Data flow and the Fix analysis tabs to refresh it.

So you will get results after all.
It can properly identify what origin of the source used. No need to guess if one or more parameters are vulnerable in the same method.

You can navigate through the steps on the left side. Overall, it is a decent solution.

Note: I didn't check if Snyk Action allows you to upload to Code Scanning in SARIF format.

Taint Analysis and Visualization Summary

CodeQL, Snyk, SonarCloud provide great data flow visualization.
Only CodeQL can show different paths for the same sink, so I will give it 1st place.
SonarCloud visualization is more intuitive, but it doesn't show what origin of the source was used. Snyk provides much more steps but can properly identify the source. They will share 2nd place.
Security Code Scan and Sempgrep do not really visualize anything, so they are in 3rd place.

Remediation Guidance

CodeQL

You will be redirected to Code Scanning Page to view details. Don't forget to expand "Show More" section. Recommendations, samples, and references are useful. First-party integration makes it look beautiful.

SonarCloud

It provides enough information if you click the "Why is this an issue" link.

It is even better for Security Hotspots, so I wonder if they decided to mark my SQL injections as a Hotspot for this reason 😊
You can navigate between multiple tabs to get more insights about the vulnerability. Pretty cool.

Code Scanning Page

Semgrep
Semgrep could be more generous in providing details. It is a bare minimum, and I need more!

Code Scanning Page

Security Code Scan
This is Sparta! It will provide a link where you can read about the vulnerability type, bad/good code, and find other references. Still useful.

Code Scanning Page

Snyk Code
They made some progress from the last year, but it can be better.
"Details" and "Best Practices" sections are too generic; samples don't make sense most of the time.

How can I fix a SQL injection with this?

Remediation Guidance Summary

CodeQL, SonarCloud, Security Code Scan provide a proper description and compliant/non-compliant samples - 1st place.
Snyk Code and Semgrep - 2nd.

Other features

This is a light assessment of the tools.
I can also compare some other valuable features of these tools but without providing any reference 😉

Performance
It depends on technology, the aggressiveness of the scan (e.g., the depth of analysis), and how well-optimized are preparation steps.
CodeQL, SonarCloud, and Security Code Scan will need to compile the code first, so they will also need to fetch the required dependencies. It slows the process, but still, it will be minutes only. On small codebases, expect the time to be between 3-5 minutes. Then it grows this way:

for Security Code Scan - extra seconds
for SonarCloud - extra minute or 2
for CodeQL - extra minutes

Semgrep and Snyk will complete a scan for a small project within a minute. Simply remove building time from the equation. For bigger projects, analysis time increase is somewhat linear.

IDE support
The most mature will be SonarCloud with its SonarLint extension in the connected mode. However, you cannot perform taint analysis on the client; results will be fetched from the server and displayed in your IDE.
Snyk Code made great progress from the last year, more IDEs supported, and you will get a similar to the portal (app.snyk.io) experience. The plugin will need to upload all files to be scanned on the server, an initial scan will be longer, but then it can handle only delta.
Semgrep supports a limited number of IDEs, but scanning is happening locally.
Security Code Scan is nothing more than a NuGet package with Roslyn analyzers. It will populate your error list, and you can utilize Visual Studio's built-in features. It works in entirely disconnected mode, and scanning is local.
CodeQL doesn't support any IDE, as far as I know. Technically, you can try to export to SARIF format in your Github action and review results with SARIF viewer extension in your IDE.

Price
All options are free for open-source projects.

If you are developing a closed-source application, you will still pay nothing for Security Code Scan.

SonarCloud is excellent for small and medium businesses. Its "line of code" price model is pretty cheap. Enterprises may prefer SonarCloud because of the cost/value and quality/performance ratio.

Semgrep has a free community tier (up to 20 developers). Snyk Code has a Free tier with a hard limit of scans. If we compare Team / Enterprise editions, they will be about the same. Even the same as CodeQL. Expect to spend at least 40 dollars per user per month. Well, your negotiating skills can definitely lower this number, all enterprise-oriented companies are quite flexible 😊

Don't forget that the Software Composition Analysis add-on is "free" for Sempgrep and Github Advanced Security if you use their SAST solution. However, it costs extra for Snyk because it is an entirely separate product.

Summary

I will remind you of my focus area first:

quality of analysis
vulnerability review
remediation guidance

CodeQL is a mature and solid solution with excellent results in any focus area. Just remember that it doesn't support IDE and will be the slowest one in our group.
If CI/CD checks are enough for you, go for it.

SonarCloud is also a very mature solution. It supports more programming languages, including very exotic ones. Sometimes it will produce not ideal results, but it is easy to use and costs little. It definitely helps to improve security in your organization.

Sempgrep is still in the beta phase in my opinion. You can easily customize rules for your need, and speed is great, but security checks are limited to the underlying engine. I encourage you to check available rules and decide if it is worth it.

Security Code Scan can be your "second" scanner for C#/VBA. It works in an IDE ultra-fast (literally a couple of seconds at most) and produces solid results. CI/CD integration is very basic, but it is entirely free.

Snyk Code is close to being a solid product. They need to slightly improve quality of analysis and their remediation guidance. Will it justify a high price? Well, maybe, the speed is great.

Creating Passwordless FIDO2 experience

Dmitry — Fri, 07 Oct 2022 22:36:59 +0000

How many websites natively support FIDO2 (WebAuthn)? Just a few.

Microsoft and other big Identity providers have something in place.
Demo sites like webauthn.io
Individual companies (to provide the best level of security), e.g. Bitwarden password manager.
Start-ups, prototypes, e.g. my fido2me.com creation (also open-source)

So how can we easily build a website supporting FIDO2 (WebAuthn)?

Use FIDO2 libraries

Webauthn website contains a list of open-source libraries for many programming languages:

Python
Go
TypeScript
Ruby
Java
dotnet

The repositories are great, and fido2me uses a customized version of this project.

If you are a developer, I recommend reviewing these repositories. They will provide flexibility in exchange for your time to learn new technology. But it is also rewarding and quite fascinating.

These projects are focused on supporting all available features of FIDO2. It is not a solution, but rather a framework to build one.

FIDO2 integrations

If you don't want to start from scratch, choose one of the 3 options.

API style, e.g. passwordless.dev
Components, e.g. fido2-for-aspnet
OpenId Connect (OIDC): B2B (via Identity providers) or B2C (Social login identity providers)

I built fido2me as a social login identity provider. You need to create a new account and you will be able to access any website that accepts fido2me. Let's quickly build one.

Enable FIDO2me authentication for Azure Functions

Azure Functions service has built-in OIDC support - a great candidate to start. Similarly, you can enable a new OIDC provider for Azure App Service.

The official guide covers integration with a generic OIDC provider. You will need to know:

The metadata URL
Client ID
Client Secret

Create a new function app, go to the Authentication section, and add a new identity provider selecting "OpenID Connect" as a type.

The metadata URL will be: https://fido2me.com/.well-known/openid-configuration

Client ID and Client Secret need to be created on fido2me.com. Let's do it.

Visit https://fido2me.com/apps and click on "New Client".

Complete fields, 2 of them are required: application Name and Callback URL (Redirect URI).

Copy and paste Client ID / Client Secret into Azure Portal.

Can use Secret needs to be selected. We use a confidential client.

Unselect Proof Key (PKCE). The authorization code grant with PKCE flow is recommended even for confidential clients. But it is not supported by Azure right now.

Enter your callback URL - https://your website/.auth/login/Azure App OIDC provider name/callback

My function is hosted at https://fido2metest2.azurewebsites.net. I called my identity provider as fido2me2 in Azure Function App. Thus, my callback URL: https://fido2metest2.azurewebsites.net/.auth/login/fido2me2/callback

Save the app on fido2me.com and complete the creation of a new OIDC provider at Azure Function App. You may need to accept additional changes related to changing the authentication methods in Azure Function App.

Testing FIDO2me OIDC

Visit Azure Function URL.
Complete FIDO2 Sign In.
You are now authenticated and redirected back to your Function.

Note: FIDO2 challenge and related authentication cookies will expire after a few minutes. You will need to refresh the page to try to sign in again.

Congratulations: Now we have one more FIDO2-enabled website. In the next article, I will show how to develop a new web application with dotnet that actually supports the authorization code grant with PKCE flow!

Fido2me: Passwordless registration and login

Dmitry — Fri, 30 Sep 2022 18:23:46 +0000

FIDO2 Introduction

FIDO2 is a passwordless technology, meaning you don't need to create and remember a secret. Instead, the secret will be generated for you and stored by any supported authenticator. Authenticators can be a platform (laptop, desktop, mobile) or roaming device (security key, e.g. Yubikey). For simplicity, we can refer to authenticators as devices.

From a security perspective, if a platform device uses a TPM, it can provide the same level of assurance as a security key. A secret never leaves a device; instead, it supports API to perform basic cryptographic operations. The device can be tamper-proof and compliant with FIPS 140-2 standards. It is a good idea to check what devices are FIPS 140 certified. Not all security keys are FIPS 140 certified, but it doesn't make a difference for a regular user.

You can take a roaming device with you and provide access to any device that supports USB or NFC (at least in theory). In practice, it is more complicated, and depending on the browser and the operating system (OS) you may have different outputs. From my experience, security keys work best with laptops and desktops.

You don't need a security key to start using FIDO2 Passwordless.

A security key is not something that a typical user has. It will cost you ~25-50 USD. Double it if you need a spare. But everyone has a laptop (desktop) or a mobile device. Let's use it!

How FIDO2 works

The official FIDO website provides great illustrations for registration and login flows.

Registration

Login

FIDO2me follows the same pattern! Keep in mind, it is not limited to mobile devices.

FIDO2me Registration

Let's visit the FIDO2me website. if it is your first use, you will be redirected to the login page. But we don't have an account yet, click on Sign up.

On the left, we have the "Username" required field, the "Sign up" button, and device selection. On the right side, a couple of examples of platform/roaming authenticators to give an idea of what you can use. Provide your username and click the button. The Username needs to be unique - it is your main identifier for Fido2me.

Congratulations, you've just asked a browser to create a new credential for you. The browser will ask available authenticators on the system to handle the request.

Register with Platform authenticator

Platform authenticators are preferred options. If you didn't change a default "Any" device type selection, it will ask you to unlock your platform authenticator. In my case, unlock with a PIN (Windows Hello). Note: Windows Hello needs to be enabled with at least a single verification method, e.g. PIN.

Complete unlocking the device and let your browser send the attestation response back to our server. New Credential ID will be generated by the device. The server (Fido2me) will complete the registration ceremony according to FIDO2 specifications and create a new user account for you. You will be redirected back to the Login screen.

Device Type Selection

If you didn't specify the authenticator type, it will first ask a platform authenticator. Don't want to use it - press Esc or click Cancel - Now you work with a roaming device. You will need to create a new PIN or unlock the device.

If you specified a device type, it will ask only for this particular authenticator type.

Register with Roaming authenticator

A browser / OS will guide you, just follow the process. This is what it will look like.

Privacy aspect

You may notice that the website would like to know the make and model of the security key. It is called Direct Attestation. The device will provide a cryptographically signed statement about itself. As a part of the attestation, it will return the AAGUID field. Using AAGUID we can identify the model of the device with the FIDO2 Metadata service (technically, it is just a file). If something terrible happens with the specific model, it should be reflected in the metadata service (MDS). But for our needs, we just need AAGUID to get the model and properly display it in a list of registered devices.

The type will be empty if AAGUID is unknown (not in the MDS). You can try using the nickname field if it is not provided.

AAGUID is not a piece of private information. It is a part of the MDS which is publicly available for everyone. Feel free to check all AAGUIDs of Yubikey as an example.

FIDO2me Login

Can you spot the difference?

The "Username" is optional, and the device type is defaulted to "Any" authenticator (so no selection).

Woah, why I don't need my username? The credential is stored on the device if we create a new credential as a resident key (typical case for security keys).

This is what I hear every day during the login process.

Fido2me: I prepared a challenge already on the initial load and provided it to your browser.
Browser / OS: Hey, known devices, does anyone have a credential for fido2me? I have the challenge to sign from fido2me. Anyone?
Platform device: Okay, I have fluffybunny1 and fluffybunny3 records associated with fido2me.com, what do you want to use? Or maybe you want to try a security key?
User: I feel like fluffybunny3 today; let's do it!
Platform device: You are the boss, but you know I need to verify your PIN
User: Click-clack
Platform device: You did it; now I will send a special response back to the server, so it can complete the login process.
Fido2me: Looks good, you shall pass.

You can still provide the username to speed up the process. In this case, the credential selection is skipped.
...

Browser / OS: Hey, known devices, does anyone have this credential for fido2me? I have the challenge to sign from fido2me.
Device with this credential: It is me, sir! Give me your challenge.

...

Non-resident keys

Not all devices support resident keys!

Non-resident keys cannot find a record based on the username, but they work with the Credential ID. They need some help from the server.

During the registration, your device will create a new one. The Credential ID is a long random string, it doesn't relate to your private key in any way. The server (Fido2me) stores this credential along with the username. The server can find your Credential ID by the username and provide it back to the device.

Now the device can find the private key by the Credential ID and complete the challenge.

It means that a username is required for the non-resident key flow.

Fido2me combines both flows and makes username optional. If you know that you work with resident keys, you can immediately click the "Sign in" button and enjoy the Usernameless experience. If you are not sure, always type the "Username".

And that's it! Now you can play with this cool technology on the fido2me website.

Fido2me: When code meets a purpose, promotes security, and improves user experience

Dmitry — Sun, 25 Sep 2022 02:25:14 +0000

Try, Fail, Learn, Repeat

I'm a big fan of learning by doing, and in many cases, it leads to something amazing. I can code, and my code works more or less as expected giving me a reason to create something new and experiment with the latest technologies. During this process, challenges meet me, and you make discoveries. That's how I learn, and I assume many of us.

Security and Usability

I wrote a lot of code during my software development career. Now I'm doing application and product security. At some point, I realized that psychological acceptance plays a crucial role in security.
After a while, many security controls started to irritate me as a regular user. I can understand why they are in place, but it doesn't change the fact that security is not a friend of usability and user experience. We used to think this way, but is it always the case?

You should create a strong password containing A, B, C, .., Z. Rotate it every X days, utilize password history, use min days to change, etc. Do you think you create a password compliant with any policy, try this. It's annoying, right?

But NIST studied and provided different password guidelines in 2020 (quick summary here). Complexity doesn't really help, but length does. No need to rotate a password if there is no evidence of compromise. Check for breached passwords. That's common sense and improved user experience. I like it.

Passwords are not terrible, but they are hard to use correctly. If you care about security, you will use a password manager, unique passwords per site, strong passphrase, disable auto-completion in a browser on a page load, etc. Passwords are easy to transfer - it is the main pros but also the con.

Passwords Enhancements

There are three authentication factors: something you know, something you have, and something you are. When you add a second factor, it becomes 2FA / MFA (2-factor or multi-factor authentication). It is the best security practice, and it will effectively protect your accounts. So passwords are something you know, security keys / one-time codes - something you have, biometrics (fingerprints, face, retina) - something you are.

Why do we need extra protection? Because password hygiene is hard, we want a safety net to protect against data breaches, exposure in log files, phishing attacks, etc. An additional layer of protection helps to reduce the risk level. Keep in mind that in some cases, a successful phishing campaign can bypass 2FA if a user is tricked into providing a 2FA code or approving a push notification.

If you use a password manager extension in a browser, you will most likely detect that you are not on a legit website. It is a part of the auto-fill functionality. This functionality is super helpful to protect against phishing attacks, but it is recommended to disable auto-fill on a page load and click on this button manually. Why does a phishing attack fail? Credentials stored in a password manager are bound to the website (origin). If the origin is different, the password manager will have 0 matches and nothing to fill. A user may still find credentials manually, but it is a different story.

The same situation happens with FIDO U2F security key (for example Yubikey). A user login is bound to the origin, meaning that only the real site can authenticate with the key. I will not cover the case when you need to change the origin on purpose, yes, it has this limitation 😊

FIDO is future

FIDO stands for Fast Identity Online. The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. I already mentioned FIDO U2F as the most secure second factor. It relies on a private key (public key cryptography) that never leaves a device. But U2F is not the only technology provided by the FIDO Alliance. Please meet FIDO2.

The FIDO Alliance developed FIDO Authentication standards based on public key cryptography for authentication that is more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage. FIDO Authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps.

FIDO2 consists of two main parts: CTAP2 and WebAuthN. For simplicity, CTAP2 protocol handles communication between a browser and a device (authenticator, e.g. Yubikey), and WebAuthN describes communication between a browser and a relying party (FIDO2 Server). WebAuthN is more known than FIDO2, so you likely heard about WebAuthN rather than FIDO2.

FIDO2 effectively moves 2FA on the user side. It is very similar to a chip-and-pin credit card. A security device will store a private key (something you have), and you will need to unblock the device to use it with something you know (PIN) or something you are (biometrics). You perform a transaction with a credit card with your PIN, and the card has a special chip that cryptographically signs each transaction. What will happen if you enter the PIN 3 times incorrectly? The card will be blocked. Yubikey will erase a security key after 8 bad attempts to unblock it with the PIN. It means that you can have a relatively short PIN code that is easy to remember and type and be secure.

Authenticator's world

You don't need a security key to use FIDO2! A security key is a roaming authenticator, but you can also use any platform authenticator: a desktop, a laptop, an Android or IOS phone. If the platform supports it, you are good to go - simply enable Windows Hello or biometrics on your phone. Using a security key is always a good idea, but you can add another platform authenticator as a backup or vice-versa.

Having a secondary device is crucial. If you lose your device, you will lose your account. FIDO has great technology to help you with that - passkeys, but it has own limitations. I want to focus on the end game - device-bound credentials. But we need to address handling multiple devices problem.

Many libraries are available to support FIDO2, but still, it is not easy to build a final solution. I played with FIDO2 a lot and decided why not to try providing a service instead of a library.

Fido2me

Fido2me = FIDO2 + OAuth Server. A user authentication gateway to a passwordless world. Try at Fido2me.com

Why not have FIDO2 social login?

It is open sourced and available at Github (please visit the link to read more details). It is the opinionated implementation of user-friendly FIDO2 Server. It supports multiple authenticators (devices) and CIBA (Client Initiated Backchannel Authentication) to be able to sign in from external devices (you may or may not to add them as trusted authenticators). If you are using Chrome you can try to add new phone (passkeys flow) but don't forget to enable bluetooth on both devices (laptop/desktop + phone).

How to integrate with Fido2me

A gateway will be useless without users and integrated applications. If you have some knowledge about using social providers or generic OAuth2 integration, you are good to go. Create a confidential (public client will be available soon) client, copy Client ID / Client Secret, and use your existing experience. Fido2me is just another OAuth server.

But to be a social provider, Fido2me needs to be much greater. It requires a community of users and builders.

If you want to play with FIDO2 and Fido2me, learn more, provide feedback, or say nah - do not hesitate to contact me (leave a comment or add a reaction) or open a new Github discussion.

I believe FIDO2 is really awesome, and at least I will help promote it!

Password(less) 101

Dmitry — Sun, 25 Sep 2022 02:00:55 +0000

Passwords

Passwords help to confirm the user's identity. When you type your username or email, it is your identity on the website. A password supports your claim that you are who you are. It is something you know, and nobody else knows, allegedly. What else can we use?

Email Ownership

You can confirm your identity by proving that you have access to the specific mailbox. One-time codes or magic links can be sent to the email address. If you can access it, all good!

You need to open an email every time. Sometimes you can get "bad" emails from bad guys. So you need to be careful. A service provider can access your email too. The email ownership model is easy to understand, and widespread, but it is far from ideal.

What will happen if a verification code goes to a different email address? Someone else claims your identity. There are many potential flows with the email ownership method, but the biggest benefit is accessibility and very low cost.

Other authentication factors

Certificates, smart cards, biometrics. Something that only you can access or possess. These factors are unguessable, but you can still try to steal them.

Let's talk about public key / certificate-based authentication. It is based on public key cryptography. Two keys are to rule them all - one to encrypt the data and another one to decrypt it. A public part can be shared, but you still need to protect a private key somehow. The default way is to encrypt it with a passphrase. Now, nobody can use it without knowing a secret, nice! Just remember the secret. You cannot use a weak one, because there no brute-force protection is built in. People are bad at remembering long strings, so they utilize password managers.

Password managers

Password managers use a special master password to encrypt the entire vault. You decrypt the vault with this password. Because you are doing it every day, muscle memory works for you, and it is hard to forget this master secret. Service providers store only encrypted data, if they are breached, attackers will still need to break the encryption, and modern encryption is a state of the art. Unless you typed the master password on a malicious resource, fall a victim to a phishing attack, or forgot the password, you can sleep very well!

PIN unlock

It is annoying to type the master password every time to unlock the vault although it is the most secure method. A PIN code or some biometrics factor can be used to unlock the vault on a local device. It improves usability greatly, is it still secure? Yes, if you have a rate limiting in place. If a PIN has only 3 digits and 10 attempts are allowed to unblock the vault, attackers can try to guess the PIN with a 1% success chance. Everyone has their own risk acceptance, 1% is too high for me. I would prefer to have 8 digits PIN with 5 attempts - 0.000005% is much better compared to 1%, but I will have to type 8 digits every time. Think about this simple math when selecting a PIN - longer is better.

Biometrics unlock

But it is 2022, we have biometrics available on many devices (laptops, IR web cameras, mobile phones). Yup, start using it! Just keep in mind, that fingerprint readers are not friends with water or grease. Fingerprints are great unless you are a high-profile person or worry that someone can force you to unlock the device. In this case, a PIN is your choice.

To have a good balance between security and usability you will still need to use a rate-limited "master unlocker" to protect a master secret that is a key to your digital life.

FIDO2 Passwordless

A FIDO2 device (authenticator) is a vault to store your private keys. FIDO2 relies on public key cryptography and doesn't allow to do anything stupid. It is a very strict process to comply with FIDO2 standards for device manufacturers. So they are doing a heavylifting for you!

Resident Keys

You can ask a device to store the private key and associated metadata. It is called resident keys. Not all devices support resident keys, but when they do they can provide usernameless experience additionally to passwordless.

How does it work? We store the metadata within the authenticator, so we can ask the device to check for credentials for this specific server (relying party). If we have multiple entries, a prompt will be shown with all available options.

Registration: We ask a device to create new resident credentials and provide information only about the relying party. The device will send the attestation response to a relying party, so the server can complete registration and store a public key associated with the device.
Login: A relying party generates a challenge (a random string) that needs to be signed with a private key stored on the device. It responds with a signed challenge as a part of the assertion response.

You can find a great example here.

What to keep in mind when working with resident credentials?

Not supported by some devices
A limited number of entries (e.g. 25 resident keys for Yubikey)
Possible duplicate entries (there is no way to restrict multiple registrations on the same device with the same username if you do not provide a username)
A device needs to be unlocked during registration and login

User Verification

Device unlocking is one of three supported user verification methods (Required, Preferred, or Discouraged). Available user verification methods are provided by a relying party (server), but an authenticator can have their own opinion. Based on my experience, all devices when working with resident keys require user verification.

So what will you get if you set the Discouraged option for resident keys flow? Exception! In some cases, a device will switch to the Required mode. This is built-in protection against unauthorized use of the device.

Let's go back to these 3 options for user verification.

Required - a user must unlock the device for each action
Preferred - a device will say what it wants (expect Required 😊)
Discouraged - if user verification can be skipped (non-resident keys), it will be skipped

You can still ask for user presence, e.g. touch a Yubikey, but it is a different setting. From UX perspective, it is not very convenient and doesn't save time.

You can unlock (verify a user) the device with something you know (PIN) and something you are (biometrics). And it is exactly the same experience as you would get when unlocking a password manager. Choose your PIN wisely, enable biometrics, and use common sense.

I lost my device (authenticator), am I in trouble? Not really, after 5-10 unsuccessful attempts the specific user verification method will be disabled (e.g. fingerprint), or some devices will be wiped (8 tries on Yubikey). If the authenticator is tamper-resistant, it is game over for attackers. Lost FIDO2 device means, it cannot be used, but you cannot use it as well - think about redundancy in this case.

Hardware authenticators are better than software ones - search for TPM word from this day.

FIDO2 authenticators preps

FIDO2 authenticators are not unified and may require extra steps before first use.

Windows: Enable Windows Hello

Select at least one method supported by Windows Hello, for example, PIN. If no methods are enabled, a browser handling FIDO2 request will ask to connect a security key (e.g. Yubikey).

You will need to set a PIN on a security key. Some security keys support biometrics (fingerprints), but they are more expensive and less common.

Windows Hello cannot use passwords.

Mac: You can use a password for FIDO2. A browser will ask you to enter your local password to unlock "the vault". If fingerprints or other verification methods are configured, you can use them too.

Mobile: To be honest, I'm unsure if you can use FIDO2 without setting a PIN, pattern, or registering biometrics. If you are reading about FIDO2, most likely your mobile device cannot be unlocked by swiping only 😉

FIDO2 Adoption

It is good, but not great. There are many moving parts, I suggest starting from this page to get an idea.

Try FIDO2

Feel free to play with FIDO2 at fido2me.com.

I created this website, and no unicorns were harmed!

The source code is available here.