Passkeys: How to work with CBOR & COSE
vdelitz
Posted on June 9, 2024
Introduction
Passkeys have emerged as a robust, passwordless authentication standard. Central to this technology is public-key cryptography, implemented within the WebAuthn protocol. This article dives into the key components of WebAuthn, including pubKeyCredParams, CBOR, COSE, and how they interact in the creation, extraction, and management of passkeys.
Public-Key Cryptography in WebAuthn
What is Public-Key Cryptography?
Public-key cryptography, also known as asymmetric cryptography, uses two distinct keys: a public key for encryption and a private key for decryption. This dual-key system ensures data confidentiality and integrity by allowing secure message encryption and digital signature verification.
Common Public-Key Cryptography Algorithms:
- RSA: Widely used, high storage requirements, less efficient on mobile.
- DSA: Digital signatures, moderate efficiency.
- ECDSA: Increasingly popular for secure transactions, high efficiency on mobile.
- EdDSA: Optimal for speed and security, minimal storage needs.
Elliptic Curve Cryptography (ECC), including ECDSA and EdDSA, is particularly advantageous for mobile devices due to its smaller key sizes, which enhance storage efficiency, performance, and battery life.
WebAuthn and Public-Key Cryptography
WebAuthn: Overview
WebAuthn is a security protocol that leverages public-key cryptography to enable secure, passwordless authentication. It supports various authentication methods, including biometrics and hardware security keys.
Key Components:
- pubKeyCredParams: Defines the cryptographic algorithms supported by the Relying Party during the creation of key pairs.
- credentialPublicKey: Used to extract the public key from the attestationObject provided by the authenticator.
Choosing the Right pubKeyCredParams
Relevant COSE Algorithms for WebAuthn:
WebAuthn relies on COSE (CBOR Object Signing and Encryption) Algorithm IDs to specify supported cryptographic algorithms. Key algorithms include:
- RS256: Widely supported, uses RSA with SHA-256.
- ES256: Uses ECDSA with SHA-256, highly efficient.
- EdDSA: Recommended for enhanced security, though less commonly supported.
To ensure broad compatibility, it's advisable to support both RS256 and ES256.
Defining pubKeyCredParams:
Configuring pubKeyCredParams involves specifying the algorithm IDs and types in the PublicKeyCredentialCreationOptions. For example:
const publicKeyCredentialCreationOptions = {
challenge: "*",
rp: {
name: "Corbado",
id: "corbado.com",
},
user: {
id: "user-X",
name: "user@corbado.com",
displayName: "Corbado Name",
},
pubKeyCredParams: [
{ alg: -7, type: "public-key" }, // ES256
{ alg: -257, type: "public-key" }, // RS256
],
authenticatorSelection: {
authenticatorAttachment: "platform",
requireResidentKey: true,
}
};
Extracting the Public Key from attestationObject
Understanding attestationObject:
The attestationObject contains data necessary for the Relying Party to verify the origin and integrity of the public key credential. It is encoded in CBOR format and includes information such as the authenticator data and the attestation statement.
Decoding and Parsing:
Decoding the attestationObject involves parsing the CBOR data to extract the credentialPublicKey. Using established WebAuthn libraries can simplify this process, ensuring accurate and secure extraction and validation of the public key.
COSE Key Format:
COSE Keys, built on CBOR maps, provide a structured way to represent keys. They include attributes specific to the cryptographic algorithm used, such as the modulus and exponent for RSA keys or the elliptic curve coordinates for ECDSA keys.
Conclusion
Understanding WebAuthn's use of pubKeyCredParams and credentialPublicKey, alongside the roles of CBOR and COSE, is crucial for implementing secure, efficient, and future-proof authentication systems. By leveraging the right cryptographic algorithms and well-tested libraries, developers can ensure robust security and optimal performance for passkey authentication.
Read our detailed blog post here.
Posted on June 9, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.
Related
November 29, 2024