Hello, everyone. Thank you for coming to the last talk of Open Source Summit Japan. I'm a little nervous because it's my first time, but I hope you forgive me if I stutter a little or miss a few points here and there. So let me introduce myself. I am Rishita. I am a student from India. I love open source. I love traveling. I love coding. And of course, I write a few blogs. So yeah, I love content too.

So today, I'm going to talk about the role of FIDO2 in safety-critical applications. As you all know, open source components are widely used in safety-critical applications. And recently, FIDO2 has been adopted a lot. Some of the places in open source where we can see FIDO2 adopted are the Department of Defense in the USA and the European Union Agency for Cybersecurity. And in recent times, the Linux Foundation is trying to integrate FIDO2 into the Linux kernel.

So why FIDO2 in safety-critical applications? First of all, it's open source. So the maturity and reliability are there. There's a large group of people who are working continuously to develop the product and make it even better. The cost, of course: it's free. And that's the whole point of open source. And transparency. So when a company is going to choose a product or software, they can see the lines of code which are used to build the software, essentially. So transparency is there as well.

But the main problem is data breaches. These are some of the data I picked out, which show that about 57% of organizations have suffered phishing attacks. And there has been around a 238% increase in cyber attacks, especially in financial services. And roughly around $18.5 million is the average cost for each cyber attack. And the most concerning part was that 42% of the breaches occur because of user password compromises. So of course, there's a password problem. So one-time passcodes were introduced, but they weren't very convenient.
Because of SMS reliability: you log into your application, then the OTP comes to your phone. Then you have to put the OTP code in your website again. So it's really inconvenient. And plus token necklaces are quite expensive. At the end of the day, the user confusion is there. And after all of this, it's still phishable. So we need a better solution. We need a better model, essentially.

That better model is Fast Identity Online, or FIDO. So the FIDO Alliance has a family of protocols. They have different kinds of protocols, which essentially help you to eliminate the password. It can be UAF, or U2F, or FIDO2. So in this talk, I'll focus mostly on FIDO2 and the website and browser applications of it. In the old paradigm, if you wanted your application to be more secure, it would have been a little expensive. And if it's affordable, it is not that secure. So FIDO2 actually eliminates this, using open standards for simpler, stronger authentication using public key cryptography. You can have easier access, plus the usability is easy, plus the security is very strong.

So let's understand how it works. The web server, or the relying party, essentially sends the credential IDs and origin information to the client, which is basically a web browser, or the website, or basically the browser. That is a client. The client tells the authenticator, OK, this is the challenge. This is the information I've got from the relying party. Now check if the user is there or not. Essentially, user verification. So it can happen variously. Currently, biometrics, or these external security keys, or passcodes, these basically are used for user verification. So suppose the authenticator is a security key. The user has to enter the security key. As a result, the user has been verified. Now once the user is verified, this authenticator has a private key inside of it, which then signs the response and sends it back to the client.
The client takes the signed response, combines it with the previous payload it got from the relying party, and sends it back to the server. If there are any anomalies or any adversities happening in the middle, the server doesn't allow the user to access it. Basically, if there's anything wrong in the entire process, any suspicions in the entire process, the relying party won't accept it.

So in summary, it reduces the complex password because on the user end, you just have to tap something or do a gesture or do anything. And you can sign in. That's why it's the single gesture to log on. It works on mostly all the devices; like recently Microsoft has adopted it, Google has adopted it. You have used it also when you log out of your Gmail account on your laptop and you want to re-log in. So basically, Google tells you that, hey, click the number 34 on your phone. So you click on it and then you're logged in on your laptop. So that's basically an example of it. Another would be the same authentication on multiple devices. So if you have a security key, you can use that same security key to get access to your multiple devices. And most importantly, it's fast and convenient.

So the question arises, how does it help safety-critical applications? It mitigates the risk and enhances security. Some of the main types of risk are phishing attacks. Phishing attacks, as you all know how it happens, someone is pretending to be you. Because these cryptographic keys are unique for each website, it's very difficult to replicate or intercept, making it extremely difficult for attackers to replicate or intercept during the phishing attacks. And strong protocols are also there. So RSA, AES-128, AES-256, or SHA-256, these kinds of strong cryptographic systems are used. So it's very difficult, very, very, very difficult to break into the system. Also, it supports MFA, multi-factor authentication. Like security keys or biometric authentication, these are some of the things.
And also a very amazing thing is device attestation or device-based authentication. So you can use your smartphone, because it has a TPM inside of it, to register yourself or attest yourself to the platform. And then you can log into the service or the application again and again. Now, in the new generation, everyone uses the web. So FIDO2, along with WebAuthn, has been really adopted. And it also supports cross-platform.

So the basic architecture would be something as I previously explained. An authentication request comes. Public keys, which is basically the credential IDs, are downloaded from the storage systems or the databases, which are used to generate a challenge. And the challenge is sent to the client, that is the laptop here. And when the challenge has been fulfilled using, suppose, the FIDO key right there, the key has been tapped, the user has been verified. So the challenge is signed by the client. And it's sent to the server to be verified. Once the challenge is verified, a response is returned. So to simplify the entire process, WebAuthn is used for the challenge, sending the challenge, and signing the challenge. So these are basically JavaScript APIs. CBOR is one of the examples of it.

Now, let's understand how it can be done better using a case study here. This is one of my own projects. It has been accepted by the International Journal of Critical Computer-Based Systems. So it's basically a FIDO2-compatible smart card system for healthcare information storage. What happens is, when you want to log into your dashboard or your system, a pop-up comes up, where you have to enter your security key. Once I enter the security key, I get several options, like register a temporary tag, register a new card, or register a device, or upload or download the reports. So registering this device is basically device attestation, as I explained previously.
And registering a new card is, suppose I want to have access to this device, but suppose in future I have some kind of medical emergency. So I take an NFC card and I register it to my dashboard. And in future, I can just access my dashboard using that NFC card. And registering temporary tags is used for the hospital end. So you can register temporary NFC tags; it's very cheap. It has a certain expiry date. So the hospitals can access your dashboard using this. And something like this would come up on the hospital end, where they don't have the admin access. So they can't delete or edit your previous information. All they can do is download your reports or upload your reports.

Another application of it would be IoMT, which is the Internet of Medical Things. That is, medical devices like MRI machines and all those devices can directly upload the reports to the system. As a result of it, we are automating the entire process and making it more secure.

So this would be something like the architecture. As I said, this would be the server. And on the user end, the user can access using NFC, BLE or USB, or a medical card or a temporary token, which can be a Web NFC or an NFC card. And using that, they can perform authentication for FIDO. And on the hospital end, they can just access using temporary tokens or Web NFC. And again, they can access your previous data. So basically it has three different ways of authenticating. One would be logging in with FIDO specifications, which I explained earlier was the cards and the security keys and all those things. And the second, when this fails, suppose the user can't log in, then they have the one-time links. But the one-time links are special because they contain the authentication token, which is a UUID version four, and the requester's IP address, all encrypted together and sent. And, as I said, the third is the hospital's NFC tokens.
So coming to the security aspects of it, it's extremely secure because AES-128, AES-256 encryption and RSA cryptosystems are used here. Along with that, it takes the client's IP address and issues tokens, which are stored in cookies. And these are also encrypted by AES-128 cryptosystems. So as a result, we are preventing cookie hijacking, which can also prevent session hijacking in a way. And along with this, when the requester's IP address does not match, that is, the IP address of the person who clicks these links does not match the dashboard's IP address, a conflict is created. So the user can't log in. I hope I'm making this clear. Like, the person who's trying to access the dashboard, we have his IP address, and the person clicking this link, we have their IP address. So these are like two different locations in a way. So you can't basically access the account in a way. Yeah.

So we are achieving various security goals. Authentication: we have primary authentication using FIDO and we have secondary authentication using the one-time links. We also have session security: auto log-off when the session keys expire, you log off of the system. It also prevents session hijacking, you know, the cookies one I told. Also it maintains confidentiality and integrity, as the files which are uploaded are encrypted at rest. And also when they're transferred over the lines, SSL encryption has been performed. Also we need to know that the server only accepts HTTPS requests. So when an HTTP request comes, it is redirected to HTTPS. Network security is also maintained. The internal APIs are secure in a way because it's all running on a virtual machine. So cloud security has also been used.

So we did a benchmarking to see what is generally the time taken for such things, like such authentications. So the yellow bar chart shows the time taken for FIDO authentication, and the average is roughly around 500 milliseconds.
Whereas the time taken for the password-based authentication is around 1,100 milliseconds. So we are almost reducing the time taken for FIDO authentication by half. Basically increasing our convenience.

So coming to ensuring security, FIDO also provides certifications based on different requirements of a product or a company. So they provide functional certifications, which are conformance testing, interoperability testing, universal server. And along with it, it provides security certification levels, which are basically how you protect the private keys, third-party laboratory verification; these are given. Also it provides biometric certification programs, making it more secure, empirically validating biometrics through third parties.

Now coming to how we test it and harden it. One of the main points is load testing. So for DoS attack protection, load testing has to be done and the virtual machine should be able to handle it when large amounts of load are coming. Cookie hijacking is another very serious issue which needs to be protected against, MITM. So session, sorry, I'm really sorry. Okay, another would be malware. The cloud should have an anti-malware service which scans the virtual machine to note if any malware has come into the system or not. Phishing, as I mentioned previously, is one of the main critical problems that FIDO2 solves. And another would be man-in-the-middle attack. When the DoS protection kicks in, when a high number of requests are coming in, it lowers the load on the virtual machine and keeps the service running only for the legitimate users. As I said, DoS attack protection. SQL injection is again a very big problem. So we have to protect against that also.

Coming to the future scope of FIDO2. Currently, the target of the FIDO Alliance is to increase the adoption. Last year,
in May, it was noted that Apple, Google and Microsoft have all standardized FIDO2 as the primary, as a standard for passwordless login. And also they're working on mobile and IoT integration. Their main focus right now is IoT integration only. So next, these are some of the references which can help you understand this topic even more. And thank you, and my talk was extremely short. I'm sorry for that. Yeah. Do you have any questions?

Yeah. Thank you for your presentation. It seems to me you are from India, right?

Right, yeah.

And my curiosity is, what is the Indian market adoption of those passkey or FIDO Alliance authentication mechanisms in smartphones, web services, internet services? You just mentioned the example of the whole passkey access or something like that. So what's the adoption rate for the Indian market?

Right now, the Indian market is quite far behind it. FIDO2 adoption hasn't been that much. We have seen it in private companies; like Google provides FIDO2. But on a holistic level, unless private companies adopt it, I don't think that people are, of course, ready for the adoption. But on the government side, I haven't seen anything as of, I mean, Aadhaar and other things are there for a more secure environment, but FIDO2, it's still like under adoption. Yeah.

Thank you so much.

Thank you.

So first of all, very nice talk, very clear, understandable. You did a great job presenting everything.

Thank you.

Can you go back eight slides? I think it is.

Which one? Sorry.

So to the slide where you have the timing differences.

Okay, perfect.

So when people enter passwords, the time that it takes them to enter the password is the dominant cost in that. And when people authenticate via tokens, the time to find your dongle or to use your fingerprint or whatever also probably dominates. So can you, given that observation, how much does like half a second of processing time matter?
Yeah, so first, in the yellow bar chart, you can see the first one, the smallest one, is the time to create the challenge. The middle one would be the time to verify and unlock the challenge, which is roughly around 300. And the total time for authentication is 500 milliseconds. So the time to create the challenge and the time to verify and unlock it combined is 500 seconds. Each one is quite small. But here we have used different types of MDS, SHA-1, SHA-256; these are different kinds of cryptographic systems we've used. So the average time for each entire performance is roughly around 1100, right?

Okay, let me try to, let me ask it a different way. Okay, so if you're gonna sit down at your laptop and do some work in Starbucks, right? If you are able to unlock your laptop by your fingerprint, you reach your finger over and put it on the fingerprint reader and it unlocks. And that might take half a second or something. If you have to type in a password, if you have a long, strong password, the amount of time it takes you to actually type that password is gonna be very long, right? So if the processing time of checking your fingerprint or hashing your password is a second or so, then isn't the time to type the password or use your token or do other things like that, doesn't that just dominate this time anyway? Isn't that time so much bigger than the computational time, that the computational time doesn't really matter that much?

It was mostly performance benchmarking, basically the time taken. So yeah, if we factor in those things, that might work, but on the user end with these JWT tokens and all these, they are also encrypted. So overall it would be, FIDO would still be a little less, but yeah, it's a minuscule amount of time we are reducing while increasing the convenience of the user. Also typing is a little too boring and people are lazy, so they would rather tap their fingers than type the entire thing, yeah.

Yes, thank you, nice talk from my end as well.
Do you have some experience running FIDO in an offline environment? Because I know some countries now have the requirement for industrial applications to have two-factor identification, often, for instance, to log in to an embedded Linux that has a weak internet connection. Do you have some experience running that offline for such a purpose?

Yeah, this exact project, this case study. I'm still a college student, a university student, so I tried to implement this in my own university medical unit. So it was tested with around 100 to 150 users, so it worked. And apart from that, it has huge use cases in financial services as well. Like recently, around 2018 to 2019, Visa has also tried to adopt this one, and other passwordless ones like Passage ID and 1Password, these are some of those companies which are adopting these technologies. And yeah, it has huge applications in blockchain technology as well, because in the blockchain, scams don't occur, but on the wallet end it is very easy to scam and fraud people into sending the money. So these kinds of things, FIDO2 would stop against that.

Okay, yeah, thanks.

Yes, sir? Okay, thank you. Thank you so much. Thank you.