All Your Locks Are Belong To Us

Using FIDO for Electronic Locking Systems

Using FIDO2 In Electronic Locking Systems 🔐

Unlocking an electronic access reader using a FIDO2 hardware authenticator

This group is a result of the 2021/22 Hot Topics in Secure Identity Research seminar and the 2022 Behavioral Authentication and Physical Access Management seminar at the Hasso-Plattner-Institute (HPI).

FIDO2 in the context of Electronic Locking Systems

In the 2021/22 winter semester, we evaluated whether FIDO2 can be used not only for authentication on the web, but also for offline authentication in electronic locking systems.

This organization holds the changes we made to existing tools in order to build a working proof of concept. It uses a Solo 2 hacker edition as the FIDO2 authenticator, an ACR-122U NFC reader, a Raspberry Pi 3B+, and some status LEDs. The access rights are written onto the authenticator using a custom web application and Chromium.

Proof of concept consisting of a Solo 2, ACR-122U and Raspberry Pi

Repository Overview

We modified the following components of the Solo 2 firmware and tools to include the necessary CTAP 2.1 features:

To test our firmware changes and simulate a lock, we developed a small suite of tools for FIDO2. Although the CTAP 2.1 standard specifies DEFLATE (RFC 1951) for large blob compression, Chromium uses GZIP (RFC 1952). We therefore added GZIP compression to libfido2 for now and filed a bug report with Chromium to address this behavior.
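As an added illustration (not code from this organization's repositories), a lock-side reader can tolerate the DEFLATE/GZIP mismatch described above by checking for the GZIP magic bytes and falling back to raw DEFLATE, while capping output at the declared uncompressed size. The function names, the size limit and the sample access-right blob are assumptions made for this example.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"   # RFC 1952 header; 0x1f is never a valid first DEFLATE byte
MAX_BLOB = 1024            # assumed RAM budget of the lock, not a project value


def inflate_large_blob(data: bytes, orig_size: int, limit: int = MAX_BLOB) -> bytes:
    """Decompress a decrypted largeBlob payload stored as raw DEFLATE or GZIP.

    orig_size is the uncompressed length recorded alongside the blob; output
    is capped at that length so a hostile blob cannot exhaust memory.
    """
    if not 0 <= orig_size <= limit:
        raise ValueError("declared size outside allowed range")
    # wbits=-15 selects raw DEFLATE (RFC 1951), wbits=31 the GZIP wrapper.
    wbits = 31 if data[:2] == GZIP_MAGIC else -15
    inflater = zlib.decompressobj(wbits=wbits)
    try:
        out = inflater.decompress(data, orig_size + 1)
    except zlib.error as exc:
        raise ValueError("corrupt compressed data") from exc
    if len(out) != orig_size or not inflater.eof or inflater.unused_data:
        raise ValueError("length mismatch or trailing data")
    return out


def raw_deflate(plain: bytes) -> bytes:
    """Compress as CTAP 2.1 specifies: DEFLATE without any wrapper."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(plain) + c.flush()


# Constructed sample access right, not a format used by the project.
SAMPLE = b'{"door":"lab-1","valid_until":"2022-03-31"}'

if __name__ == "__main__":
    for blob in (raw_deflate(SAMPLE), gzip.compress(SAMPLE)):
        assert inflate_large_blob(blob, len(SAMPLE)) == SAMPLE
    print("both encodings accepted")
```

Rejecting any blob whose inflated length differs from the declared size also stops an oversized payload after at most one extra byte of output.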

Finally, we write access rights onto a FIDO2 authenticator using a small web application. The dependencies we used did not support the newest FIDO2 features, so we added them.

Implementing a FIDO2 Relying Party on microcontrollers

In the 2022 summer semester we built upon the previous project and implemented a FIDO2 library for microcontrollers called libmicrofido2.

The library was inspired by libfido2 and we ran it on the AVR ATmega1284P, the nRF52480 and the ESP32-C3FN4 microcontrollers.

With this library, the existing structure from the previous semester can be used on microcontrollers, so the access control can be implemented on electronic door cylinders.

Unlocking an electronic locking cylinder using a FIDO2 hardware authenticator

Repository overview

To implement the libmicrofido2, we modified various other libraries and integrated them into the library.

To test and develop the application, the previously mentioned fido2-debug-client was used. To create FIDO2 access rights with the CTAP 2.1 largeBlob extension, the webauthn-updater was used.

Pinned

  1. libmicrofido2 (C)

    Minimal FIDO2 library for microcontrollers

  2. fido-authenticator (Rust)

    Forked from trussed-dev/fido-authenticator

    FIDO authenticator Trussed app.

  3. webauthn-updater (Python)

    Demonstration of writing data to a FIDO2 authenticator using WebAuthn and the CTAP 2.1 largeBlob extension. 🖥️

  4. fido2-debug-client (C)

    A small suite of tools for FIDO2 using the libfido2. Also contains a simulator for an electronic lock that reads and validates access rights. 🔓