doAuthenticate does not check request and response challenge #6

Closed
araab opened this Issue Oct 30, 2014 · 2 comments


@araab
araab commented Oct 30, 2014

The current doAuthenticate only checks the counter and if the signature is
valid. It should also check if the response challenge is the request
challenge.

@klali
Member
klali commented Oct 31, 2014

Thank you for noticing this!

Fix coming shortly.

@klali klali added a commit that closed this issue Oct 31, 2014
@klali klali check the request challenge on authenticate
fixes #6
e7bd701
@klali klali closed this in e7bd701 Oct 31, 2014
@StormTide
Contributor

This may still leave the challenge parameter at some level of risk. Need to lock out tokens that have a good signature but a bad challenge. (see https://twitter.com/KevinSMcArthur/status/528204854875783169 thread for discussion)

The challenge isn't suitable for out-of-order reply detection, and instead the requestId parameter as defined in u2f-fido javascript api 3.1.1 should be relied upon. This might necessitate building a dictionary of valid challenge parameters for multiple outstanding auth requests.
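The check araab asks for, combined with the dictionary of outstanding requests StormTide suggests, as an added Python example that is not the library's own PHP code: `do_authenticate`, `pending`, `make_response` and the injected `verify_signature` callback are assumed names, the ECDSA signature check itself is assumed to already exist and is passed in, and the sample response is constructed rather than real token output.

```python
import base64
import json

def b64url_decode(s):
    # U2F base64url strings carry no padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class U2FAuthError(Exception):
    pass

class ChallengeMismatch(U2FAuthError):
    pass  # token signed a challenge we never issued for this keyHandle

def do_authenticate(pending, response, registration, verify_signature):
    # pending: {(keyHandle, challenge): request}, so several sign requests
    # can be outstanding and replies may arrive out of order (the dictionary
    # StormTide describes). verify_signature(registration, response) -> bool
    # is assumed to be the existing ECDSA check and is passed in.
    client_data = json.loads(b64url_decode(response["clientData"]))
    if client_data.get("typ") != "navigator.id.getAssertion":
        raise U2FAuthError("unexpected clientData typ")
    # Bind the reply to a request we actually issued: the challenge the token
    # signed (inside clientData) must match an outstanding request for its
    # keyHandle. A good signature over an unknown challenge is rejected.
    key = (response["keyHandle"], client_data.get("challenge"))
    if key not in pending:
        raise ChallengeMismatch("challenge matches no outstanding request")
    if not verify_signature(registration, response):
        raise U2FAuthError("invalid signature")
    # signatureData = 1 byte user presence + 4-byte big-endian counter + sig
    sig_data = b64url_decode(response["signatureData"])
    counter = int.from_bytes(sig_data[1:5], "big")
    if counter <= registration["counter"]:
        raise U2FAuthError("counter did not increase")
    del pending[key]  # each challenge is consumed exactly once
    registration["counter"] = counter
    return registration

def make_response(challenge, counter, key_handle="kh1"):
    # Constructed sample response (not real token output), for demonstration.
    client_data = {"typ": "navigator.id.getAssertion", "challenge": challenge,
                   "origin": "https://example.test"}
    sig = b"\x01" + counter.to_bytes(4, "big") + b"fake-signature"
    return {"keyHandle": key_handle,
            "clientData": b64url_encode(json.dumps(client_data).encode()),
            "signatureData": b64url_encode(sig)}
```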

@shield-9 shield-9 added a commit to shield-9/php-u2flib-server that referenced this issue Nov 27, 2014
@klali @shield-9 klali + shield-9 check the request challenge on authenticate
fixes #6
4163a4f