If the credentials (public key) are publicly stored after user registration, will there be security risks? #207
Replies: 1 comment 2 replies
-
|
TL;DR, yes it adds security risk, but you have to weigh the risk and how it affects your application to determine what mitigations are best. It depends. As technology and means to break encryption improve breaking them depending on the choices made by authenticators may lead to issues. I personally don't think this is a major concern overall but technically if they have access to this information you're giving them the means by which they can verify they broke the measure, and they can do that offline. For these reasons I'd personally recommend storing it in a location where the associated user can view the content. Additionally if you store them publicly in a location where any user can modify them directly there is a security risk there that the user or users able to modify them directly can bypass the authentication measure entirely. To mitigate risks around this I would recommend storing them with reversible encryption which has inbuilt signature validation like AES-GCM so that just being able to write to the location where the public key is would not be sufficient to bypass authentication (they need your encryption key as well). This prevents malicious actors who have access to the storage location but do not have access to the encryption key. |
Beta Was this translation helpful? Give feedback.
-
|
Crypto-currencies (bitcoin ethereum ...)and some projects like Nostr publicly store public keys and addresses, why can't webauthn do the same? I don't know enough yet, I need to learn more. Can you give me some guidance and tips? Thank you. |
Beta Was this translation helpful? Give feedback.
-
|
So there are a few key differences in these landscapes. However in the current day it is "probably fine" to store them publicly, for the reasons below it's also arguably a bad decision. Blockchains require this information to be public to function. WebAuthn doesn't. Additional information that is not required for a technology to work, especially in the security space, and especially when the information could theoretically be used as a means to verify an offline brute-force are by definition an additional security risk. Authenticators generate the prime number key material for a number of asymmetric algorithms. Each relying-party gets its own public and private key combination. If a flaw in the method used by the authenticator is used that makes these keys predictable then the public key could reasonably be used to identify and breach credentials affected by such a bug. Additionally unlike blockchains which typically have a static algorithm, WebAuthn has a dynamic algorithm where an authenicator can pick which one to use. There is no benefit that I can see to storing it publicly and as technology evolves the chances a particular algorithm or particular authenticator implementation will be compromised. Unless there is a benefit, basically it's something I'd never recommend. Chances are if you do it you will never see an issue, but it doesn't make it a good idea. |
Beta Was this translation helpful? Give feedback.
-
It is difficult to get the private key from the public key in asymmetric algorithms, so can we store the credentials publicly?
Beta Was this translation helpful? Give feedback.
All reactions