doAuthenticate does not check request and response challenge #6

araab opened this Issue Oct 30, 2014 · 2 comments


araab commented Oct 30, 2014

The current doAuthenticate only checks the counter and if the signature is
valid. It should also check if the response challenge is the request

klali commented Oct 31, 2014

Thank you for noticing this!

fix coming shortly.

klali added a commit that closed this issue Oct 31, 2014:
check the request challenge on authenticate
fixes #6
klali closed this in e7bd701 Oct 31, 2014

This may still leave the challenge parameter at some level of risk. Need to lock out tokens that have a good signature but a bad challenge. (see thread for discussion)

The challenge isn't suitable for out-of-order reply detection, and instead the requestId parameter as defined in u2f-fido javascript api 3.1.1 should be relied upon. This might necessitate building a dictionary of valid challenge parameters for multiple outstanding auth requests.
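The challenge check the issue asks for, combined with looking the response up among several outstanding sign requests as the comment above suggests, as an added PHP example that is not php-u2flib-server's own code. It assumes request objects carrying the issued challenge and keyHandle and a response object carrying keyHandle and the base64url clientData; the clientData field names (typ, challenge) are those of the FIDO U2F specification.

```php
<?php
// Added example, not code from php-u2flib-server. Before any signature check,
// pair the response with the outstanding sign request whose challenge it echoes;
// a response whose signed challenge matches no issued request is rejected outright.
// The request/response object shapes and function names are assumptions.

function base64url_decode(string $s)
{
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad, true); // false on bad input
}

/**
 * Return the outstanding request that $response answers, or null when its
 * clientData is malformed, is not an authentication assertion, or carries a
 * challenge or key handle the server never issued.
 */
function findRequestForResponse(array $requests, object $response): ?object
{
    if (!is_string($response->keyHandle ?? null) || !is_string($response->clientData ?? null)) {
        return null;
    }
    $raw = base64url_decode($response->clientData);
    $cd = $raw === false ? null : json_decode($raw);
    if (!is_object($cd) || !isset($cd->typ, $cd->challenge) || !is_string($cd->challenge)) {
        return null;
    }
    if ($cd->typ !== 'navigator.id.getAssertion') {
        return null; // registration clientData must not pass as a sign response
    }
    foreach ($requests as $req) {
        // hash_equals is constant-time, so timing does not reveal which request matched
        if (hash_equals($req->challenge, $cd->challenge)
            && hash_equals($req->keyHandle, $response->keyHandle)) {
            return $req;
        }
    }
    return null;
}

// Constructed sample data: one issued request, a response that echoes its challenge,
// and a response with the same key handle but a challenge that was never issued.
$encode = function (array $cd): string {
    return rtrim(strtr(base64_encode(json_encode($cd)), '+/', '-_'), '=');
};
$request = (object) ['challenge' => 'fEnc8pLjAaiK3jq-7i9f4w', 'keyHandle' => 'kh-example'];
$base = ['typ' => 'navigator.id.getAssertion', 'origin' => 'https://example.test'];
$echoed = (object) ['keyHandle' => 'kh-example', 'clientData' => $encode($base + ['challenge' => 'fEnc8pLjAaiK3jq-7i9f4w'])];
$unknown = (object) ['keyHandle' => 'kh-example', 'clientData' => $encode($base + ['challenge' => 'AAAAAAAAAAAAAAAAAAAAAA'])];
var_dump(findRequestForResponse([$request], $echoed) === $request, findRequestForResponse([$request], $unknown));
```

The matched request is the one whose stored key handle and challenge are then passed to signature verification; the second response never reaches that step.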

shield-9 added a commit to shield-9/php-u2flib-server that referenced this issue Nov 27, 2014:
klali + shield-9: check the request challenge on authenticate
fixes #6