Reputation: 81
Webauthn for encryption
We have a project with a PWA where we want to implement client sided encryption. We wanted to use Webauthn as a second-factor in combination with passwords. In the background we use a randomly generated key to encrypt/decrypt the database, which is stored symmetrically encrypted with the password on the server. However I am struggling to find a good way to add encryption to this key with webauthn. My tries so far: Using raw JS samples from https://webauthn.guide , however I cannot find a part which is always the same and could be used for symmetric encryption/decryption, even the public key changes when logging in with the same USB token multiple times (???)
Using fido2-lib from npm: I couldn't get the sample to work, since the sample is not well documented and pretty long
Using server-sided authentication like spring webauthn, however I do not want the server to know anything about the client.
Any suggestions how I could implement an encryption with webauthn?
Upvotes: 8
Views: 2823
Answers (4)
Reputation: 688
There is the prf extension defined for this in the WebAuthn level 3 specification draft of May 2023. It it based on the already mentioned hmac-secret. AFAIU, large-blob seems to head towards certificates or similiar.
You could find some JS code snippets at Encrypting Data in the Browser Using WebAuthn
There are some interesting discussion about the subject at:
- https://github.com/w3c/webauthn/issues/1595
- https://github.com/w3c/webauthn/issues/1608
- https://github.com/w3c/webcrypto/issues/263 and
- https://github.com/solokeys/solo1/issues/575
Upvotes: 4
Reputation: 216
You can learn from the following github repo ,it has many Webauthn out of the box examples (see the tech it supports inside)
Here are some samples I found at github https://github.com/OwnID/samples
In addition,I read about FIDO ,Webauthn and passkeys at passkeys.com
Everything about this cool tech is there
Upvotes: 0
Reputation: 16775
Years after this question, the hmac-secret extension has arrived.
This extension binds a secret to a Webauthn credential. This secret can be used to decrypt or encrypt data on client side.
Another approach could be the use of the largeBlob to store a secret generated during the creation ceremony.
Note that the availability of those extensions depends on the authenticator that is used and may fail.
Upvotes: 3
Reputation: 5264
The protocol as it stands does not provide generic public key crypto services as far as I am aware. The best you can do is prove that a user is in possession of the private key related to the public key you hold.
Upvotes: 5
Related Questions
- Can you use an Ethereum key for Web Authentication (WebAuthn)
- Can Web Authentication work across browsers?
- WebCrypto string encryption using user-submitted password
- Secure Bearer Token using Encryption algorithm
- web.crypto encryption c# decryption
- Web API BasicHttpAuth with hashed password
- Webcrypto API/algorithm to encrypt, decrypt and also sign, verify
- Encrypt data from users in web applications
- Web service encryption
- Multiuser access to encrypted data