An Interest In:
Web News this Week
- April 23, 2024
- April 22, 2024
- April 21, 2024
- April 20, 2024
- April 19, 2024
- April 18, 2024
- April 17, 2024
Some of Our Sources
- Mashable
- TutsPlus - Code
- Spoon Graphics
- Web Design Ledger
- Wal You
- CSS Tricks
- Spyre Studios
- Freelance Switch
- Codrops
- Android Headlines
Help Webnuz
Referal links:
September 10, 2018 08:08 am
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-V5UiFf1DKw/worries-arise-about-security-of-new-webauthn-protocol
Worries Arise About Security of New WebAuthn Protocol
An anonymous reader writes: "A team of security researchers has raised the alarm about some cryptography-related issues with the newly released WebAuthn passwordless authentication protocol," reports ZDNet. "The new WebAuthn protocol will allow users of a device -- such as a computer or a smartphone -- to authenticate on a website using a USB security key, a biometric solution, or his computer or smartphone's password." But researchers say that because WebAuthn uses weak algorithms for the operations of registering a new device, they can pull off some attacks against it. "If converted into a practical exploit, the ECDAA attacks discussed in the article would allow attackers to steal the key from a [server's] TPM, which would allow attackers to effectively clone the user's hardware security token remotely," Arciszewski, one of the researchers, told ZDNet. "The scenarios that follow depend on how much trust was placed into the hardware security token," he added. "At minimum, I imagine it would enable 2FA bypasses and re-enable phishing attacks. However, if companies elected to use hardware security tokens to obviate passwords, it would allow direct user impersonation by attackers." Attacks aren't practical, and experts say the root cause relies in badly written documentation that may fool some implementers into supporting the old algorithms instead of newer and more solid ones. The FIDO Alliance was notified and has started work on updating its docs so it won't look like it's recommending ECDAA or RSASSA-PKCS1-v1_5. "PKCS1v1.5 is bad. The exploits are almost old enough to legally drink alcohol in the United States," Arciszewski said.Read more of this story at Slashdot.
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-V5UiFf1DKw/worries-arise-about-security-of-new-webauthn-protocol
Share this article:
Tweet
View Full Article
Slashdot
Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc..More About this Source Visit Slashdot