What is included in the clientdata #680
I am fairly new to FIDO and a bit confused about what the ClientData means. In the example "cred" the client data is set in line 61: My question is what is contained in the byte array? According to the documentation, the following members are contained there (see Section 3.1, https://fidoalliance.org/specs/fido-v2.0-ps-20150904/fido-signature-format-v2.0-ps-20150904.html#dictionary-clientdata-members):
I'm a bit confused now, as this information is presumably not stored in a 32-byte array? Also, it's not clear to me whether this array in the example is already hashed or not. I would appreciate any clarification. Furthermore, it is not clear to me where this client data should come from. For example, does the challenge have to be created via a cryptography library, or is this already included in the libfido2 library? If the challenge is statically contained in the ClientData array, as in the example, the security of the procedure is undermined.
Replies: 1 comment
For the sake of keeping the example simple, consider its client data array to be an opaque blob of bytes as retrieved from somewhere else. You should never use fully static data as client data in a real client.

This library mostly concerns itself with the communication with the authenticators themselves, i.e. the CTAP part of the FIDO family of specifications. At this level, the client data is opaque (and only the hash of it is sent to the authenticator). As a result, you can technically call fido_cred_set_clientdata() with any set of bytes. The specification you linked is fairly old and superseded by WebAuthn, which defines its clientData slightly differently, but in a nutshell it is still a combination of data collected by the client (e.g. a browser) and data provided by the Relying Party (e.g. the challenge). You may also want to look at the WebAuthn credential registration procedure and the note about cryptographic challenges. Finally, if you're interested in an example implementation of a basic WebAuthn client using libfido2, you can have a look at https://github.com/martelletto/fido2-webauthn-client.

libfido2 does not modify the client data in any way (

Does that clear things up slightly?
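The reply describes the two halves of client data (a Relying Party challenge plus data the client observed) and the fact that only its SHA-256 hash reaches the authenticator. The following is an added example, not code from libfido2, from the discussion or from the linked fido2-webauthn-client; it builds a WebAuthn-style clientDataJSON for a registration ceremony, derives the 32-byte clientDataHash that is all the CTAP layer ever sees, and shows the Relying Party check that a hard-coded challenge would fail. The origin `https://example.test` and the all-zero "static" challenge are constructed sample values. In a C client the bytes returned by `build_client_data_json()` are what you would pass to `fido_cred_set_clientdata()` (libfido2 hashes them itself), or the hash to `fido_cred_set_clientdata_hash()`.

```python
# Added example (not code from libfido2 or from the discussion above):
# build a WebAuthn-style clientDataJSON for a registration ceremony, derive the
# 32-byte clientDataHash that is all the authenticator sees at the CTAP level,
# and show the Relying Party check that a static challenge would fail.
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample origin; a real client takes this from the caller's context.
ORIGIN = "https://example.test"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(); re-adds the padding urlsafe_b64decode needs."""
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def new_challenge(nbytes: int = 32) -> bytes:
    """Relying Party side: fresh CSPRNG challenge, at least 16 bytes, per ceremony."""
    if nbytes < 16:
        raise ValueError("WebAuthn requires challenges of at least 16 bytes")
    return secrets.token_bytes(nbytes)


def build_client_data_json(ceremony: str, challenge: bytes, origin: str,
                           cross_origin: bool = False) -> bytes:
    """Client side: combine the RP's challenge with data the client itself
    observed (ceremony type, origin). These bytes are the opaque blob a C
    client would hand to fido_cred_set_clientdata()."""
    if ceremony not in ("webauthn.create", "webauthn.get"):
        raise ValueError("unknown ceremony type")
    client_data = {
        "type": ceremony,
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": cross_origin,
    }
    return json.dumps(client_data, separators=(",", ":")).encode("utf-8")


def client_data_hash(client_data_json: bytes) -> bytes:
    """What actually crosses the CTAP boundary: SHA-256 of the client data.
    libfido2 computes this itself from fido_cred_set_clientdata(); with
    fido_cred_set_clientdata_hash() you would pass these 32 bytes directly."""
    return hashlib.sha256(client_data_json).digest()


def rp_verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                          expected_origin: str, expected_type: str) -> bool:
    """Relying Party side: parse (never byte-compare) the returned clientDataJSON
    and check type, origin and challenge. A replayed or hard-coded challenge
    fails the challenge comparison, which is why the example's fixed array
    must not be used as-is in a real client."""
    try:
        data = json.loads(client_data_json.decode("utf-8"))
        got_challenge = b64url_decode(data["challenge"])
    except (ValueError, KeyError, TypeError):
        return False
    if data.get("type") != expected_type:
        return False
    if data.get("origin") != expected_origin:
        return False
    return hmac.compare_digest(got_challenge, expected_challenge)


if __name__ == "__main__":
    challenge = new_challenge()
    cdj = build_client_data_json("webauthn.create", challenge, ORIGIN)
    print("clientDataJSON:", cdj.decode())
    print("clientDataHash:", client_data_hash(cdj).hex())
    print("RP accepts fresh:", rp_verify_client_data(cdj, challenge, ORIGIN, "webauthn.create"))
    # Constructed "static" challenge standing in for a hard-coded byte array:
    stale = build_client_data_json("webauthn.create", bytes(32), ORIGIN)
    print("RP accepts static:", rp_verify_client_data(stale, challenge, ORIGIN, "webauthn.create"))
```

The Relying Party compares the decoded challenge rather than the JSON bytes because WebAuthn lets the client choose its own serialization; only the hash, not the serialization, is bound into the attestation, so the RP must parse what it gets back and compare field by field.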