avatarAckermann Yuriy

Free AI web copilot to create summaries, insights and extended knowledge, download it at here

3096

Abstract

0aa4.js" allowfullscreen="" frameborder="0" height="undefined" width="undefined"> </div> </div> </figure></iframe></div></div></figure><p id="3faf">JWT(pronounced as JOT) is stands for JSON Web Token. Not going to deep technical details, its basically base64url concatenation of signed header and payload with signature, separated by a full stop(.). You can play with my JTW by pasting at <a href="https://jwt.io/">https://jwt.io/</a>.</p><figure id="c52f"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*J8oBqWzdbGH5oeuJG-mCuw.png"><figcaption></figcaption></figure><p id="eef2">The steps to verify FIDO2 SafetyNet attestation are:</p><ol><li>Verify payload</li><li>Verify header</li><li>Verify signature over the concatenation of the payload and header joined by a full stop</li></ol><h1 id="b35e">Verifying payload</h1><p id="0b24">The payload is the second base64url encoded string</p><blockquote id="2864"><p><b>ey</b>Jub25jZSI6IlhQQjdWVGRSWGJEM01mMENvTFF5ZVJQclA5ZjIzYW9mVHBtVWd6cmlrbzA9IiwidGltZXN0YW1wTXMiOjE1NDA2NTE2ODQwOTMsImFwa1BhY2thZ2VOYW1lIjoiY29tLmdvb2dsZS5hbmRyb2lkLmdtcyIsImFwa0RpZ2VzdFNoYTI1NiI6ImVRYyt2elVjZHgwRlZOTHZYSHVHcEQwK1I4MDdzVUV2cCtKZWxlWVpzaUE9IiwiY3RzUHJvZmlsZU1hdGNoIjp0cnVlLCJhcGtDZXJ0aWZpY2F0ZURpZ2VzdFNoYTI1NiI6WyI4UDFzVzBFUEpjc2x3N1V6UnNpWEw2NHcrTzUwRWQrUkJJQ3RheTFnMjRNPSJdLCJiYXNpY0ludGVncml0eSI6dHJ1ZX0</p></blockquote><p id="cb85">Fun fact: if you see string that start with “<b>ey</b>”, it’s most likely JSON in Base64. If we decode it to UTF8 and JSON decode it, we will get this:</p> <figure id="3691"> <div> <div>

            <iframe class="gist-iframe" src="/gist/herrjemand/62f03f5695a2749031c933d00cbfba07.js" allowfullscreen="" frameborder="0" height="undefined" width="undefined">
          </div>
        </div>
    </figure></iframe></div></div></figure><p id="c50b">To verify the payload you need:</p><ol><li>Hash <b>clientDataJSON</b> using SHA256, to create <b>clientDataHash</b></li><li>Concatenate <b>authData</b> with <b>clientDataHash</b> to create <b>nonceBase</b></li><li>Hash <b>nonceBase</b> using SHA256 to create <b>nonceBuffer</b>.</li><li>Base64 encode <b>nonceBuffer</b> to create <b>expectedNonce</b></li><li>Check that “<b>nonce</b>” is set to <b>expectedNonce</b></li><li>Check that “<b>ctsProfileMatch</b>” is set to true. If its not set to true, that means that device has been rooted and so can not be trusted to provide trustworthy attestation.</li></ol><p id="1fad">I won’t be discussing what other field are used for. If you are planing to implement your own SafetyNet authenticator, you should watch Collin’s video above.</p><h1 id="07ca">Verifying header</h1><p id="7b13">The next step would be to verify header. Header is the first Base64url encoded string. When decoded:</p>
    <figure id="dddd">
        <div>
          <div>
            
            <iframe class="gist-iframe" src="/gist/herrjemand/be2377ef410ec9ba0bac0dedb1c099ae.js" allowfullscreen="" frameborder="0" hei

Options

ght="undefined" width="undefined"> </div> </div> </figure></iframe></div></div></figure><p id="137c">To verify header we need to:</p><ol><li>If you are implementing Metadata Statement, or Metadata Service support: Verify that “alg” field is corresponds to the authenticationAlgorithm in the Metadata Statement.</li><li>Get leaf certificate of x5c certificate chain, decode it, and check that it was issued for “attest.android.com”</li><li>If you are using MDS or Metadata Statements, for each attestationRoot in attestationRootCertificates: append attestation root to the end of the header.x5c, and try verifying certificate chain. If none succeed, throw an error</li><li>If you are not using MDS or Metadata Statements, then download <a href="https://pki.goog/gsr2/GSR2.crt"><i>GlobalSign Root CA — R2”</i></a><i> </i>from <a href="https://pki.goog/">Google PKI directory</a>. Attach it to the end of header.x5c and try to verify it</li></ol><h1 id="fc08">Verifying JWT</h1><p id="20fb">If you have successfully verified header and payload, then you can finally verify the JWT.</p><ol><li>Concatenate Base64URL encoded header and payload with full stop, to create signatureBase</li><li>Extract public key from leaf certificate</li><li>Verify signature over signatureBase using the public key extracted from leaf certificate</li></ol><h1 id="5068">Best practices</h1><ul><li>Use well established libraries to verify JWT. <a href="https://jwt.io/">jwt.io</a> has a great list of libraries for basically every popular programming language there are.</li></ul><h1 id="caa2">References</h1><ul><li><a href="https://w3c.github.io/webauthn/#android-safetynet-attestation">https://w3c.github.io/webauthn/#android-safetynet-attestation</a></li><li><a href="https://jwt.io/">https://jwt.io/</a></li><li><a href="https://lapo.it/asn1js/">https://lapo.it/asn1js/</a></li><li><a href="https://developer.android.com/training/safetynet/">https://developer.android.com/training/safetynet/</a></li><li><a href="https://www.youtube.com/watch?v=8lv_9mydrjg">https://www.youtube.com/watch?v=8lv_9mydrjg</a></li></ul><h1 id="53d0">Snippets</h1> <figure id="bdac"> <div> <div>

            <iframe class="gist-iframe" src="/gist/herrjemand/4c7850e53ba4a04cc9e000b41b8e6f8f.js" allowfullscreen="" frameborder="0" height="undefined" width="undefined">
          </div>
        </div>
    </figure></iframe></div></div></figure><h1 id="e082">License</h1><p id="dbc8">This article is licensed under <a href="https://creativecommons.org/licenses/by-nc-nd/4.0/">Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)</a>. So you are free to read, share, etc. If you are interested in commercial use of this article, or wish to translate it to a different language, please contact ackermann(dot)yuriy(at)gmail(dot)com.</p><p id="2701">The code samples are licensed under <a href="https://gist.github.com/herrjemand/09492b2c6fc6c4ebc0d49b5942d4ec30">MIT license</a>.</p></article></body>

WebAuthn/FIDO2: Verifying SafetyNet Attestation

!!! THIS ATTESTATION BEEN DEPRECATED AND NO LONGED NEED TO BE SUPPORTED !!!

Please note that this is an advance post, and requires prior understanding of the FIDO2 attestations. You can read more about them here.

“If it keeps on rainin' levee's goin' to break” Led Zeppelin would sing over and over in their songs. But then Google put some crazy big-data on their Play Store, and suddenly infinite rain of data can be not just be handled, but actually used to ensure that apps installed are not doing something stupid, by just analysing their behaviour.

So to be up to date “If it keeps on rainin’ data, levee’s goin’… to protect your apps”

SafetyNet is a set of Google Play Services API’s, that are helpful for defence against security threats on Android, such as device tampering, bad URLs, malicious apps, and fake user accounts. Main solutions that SafetyNet provides are device attestation, safe browsing, re-captcha and app check APIs. I won’t be going into details on how to successfully work and deploy SafetyNet, or how it works under the hood. If you wish to learn deep technical details, Collin Mulliner gave a talk at 34C3 “Inside Android’s SafetyNet Attestation: Attack and Defense”

Our only interest today is Device Attestation and how to verify it in FIDO2.

Typical example of FIDO2 SafetyNet attestation looks like this:

As you can see there is “ver” and “response” fields. We can ignore version and get to “response” field. The response field is a buffer of JWT string of the SafetyNet attestation. In current example for simplicity it is hex encoded. So when we encode buffer to UTF-8 string we will get this:

JWT(pronounced as JOT) is stands for JSON Web Token. Not going to deep technical details, its basically base64url concatenation of signed header and payload with signature, separated by a full stop(.). You can play with my JTW by pasting at https://jwt.io/.

The steps to verify FIDO2 SafetyNet attestation are:

  1. Verify payload
  2. Verify header
  3. Verify signature over the concatenation of the payload and header joined by a full stop

Verifying payload

The payload is the second base64url encoded string

eyJub25jZSI6IlhQQjdWVGRSWGJEM01mMENvTFF5ZVJQclA5ZjIzYW9mVHBtVWd6cmlrbzA9IiwidGltZXN0YW1wTXMiOjE1NDA2NTE2ODQwOTMsImFwa1BhY2thZ2VOYW1lIjoiY29tLmdvb2dsZS5hbmRyb2lkLmdtcyIsImFwa0RpZ2VzdFNoYTI1NiI6ImVRYyt2elVjZHgwRlZOTHZYSHVHcEQwK1I4MDdzVUV2cCtKZWxlWVpzaUE9IiwiY3RzUHJvZmlsZU1hdGNoIjp0cnVlLCJhcGtDZXJ0aWZpY2F0ZURpZ2VzdFNoYTI1NiI6WyI4UDFzVzBFUEpjc2x3N1V6UnNpWEw2NHcrTzUwRWQrUkJJQ3RheTFnMjRNPSJdLCJiYXNpY0ludGVncml0eSI6dHJ1ZX0

Fun fact: if you see string that start with “ey”, it’s most likely JSON in Base64. If we decode it to UTF8 and JSON decode it, we will get this:

To verify the payload you need:

  1. Hash clientDataJSON using SHA256, to create clientDataHash
  2. Concatenate authData with clientDataHash to create nonceBase
  3. Hash nonceBase using SHA256 to create nonceBuffer.
  4. Base64 encode nonceBuffer to create expectedNonce
  5. Check that “nonce” is set to expectedNonce
  6. Check that “ctsProfileMatch” is set to true. If its not set to true, that means that device has been rooted and so can not be trusted to provide trustworthy attestation.

I won’t be discussing what other field are used for. If you are planing to implement your own SafetyNet authenticator, you should watch Collin’s video above.

Verifying header

The next step would be to verify header. Header is the first Base64url encoded string. When decoded:

To verify header we need to:

  1. If you are implementing Metadata Statement, or Metadata Service support: Verify that “alg” field is corresponds to the authenticationAlgorithm in the Metadata Statement.
  2. Get leaf certificate of x5c certificate chain, decode it, and check that it was issued for “attest.android.com”
  3. If you are using MDS or Metadata Statements, for each attestationRoot in attestationRootCertificates: append attestation root to the end of the header.x5c, and try verifying certificate chain. If none succeed, throw an error
  4. If you are not using MDS or Metadata Statements, then download GlobalSign Root CA — R2” from Google PKI directory. Attach it to the end of header.x5c and try to verify it

Verifying JWT

If you have successfully verified header and payload, then you can finally verify the JWT.

  1. Concatenate Base64URL encoded header and payload with full stop, to create signatureBase
  2. Extract public key from leaf certificate
  3. Verify signature over signatureBase using the public key extracted from leaf certificate

Best practices

  • Use well established libraries to verify JWT. jwt.io has a great list of libraries for basically every popular programming language there are.

References

Snippets

License

This article is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0). So you are free to read, share, etc. If you are interested in commercial use of this article, or wish to translate it to a different language, please contact ackermann(dot)yuriy(at)gmail(dot)com.

The code samples are licensed under MIT license.

Security
Fido2
Webauthn
Safetynet
Android
Recommended from ReadMedium
avatarProf Bill Buchanan OBE FRSE
DES, AES, SHA-3, LWC and PQC: Are Cryptography Competitions a Good Idea?

We are so lucky to have Daniel J Bernstein coming along for a chat [here], and he has a great new paper on cryptographic competitions for…

4 min read
avatarAlexander Nguyen
The resume that got a software engineer a $300,000 job at Google.

1-page. Well-formatted.

4 min read
avatarStaney Joseph 🎖️
Encryption: The Invisible Shield of Privacy

In the digital age, where information flows freely across the globe, privacy has become a paramount concern. Encryption, a cryptographic…

3 min read
avatarDylan Smith
Interview: How to Check Whether a Username Exists Among One Billion Users?

My articles are open to everyone; non-member readers can read the full article by clicking this link.

9 min read
avatarcorbado
Activate Google Android Passkeys

How to Turn on Google Android Passkeys: Step-by-Step Guide for Secure, Passwordless Logins

3 min read
avatarOlenin Slava
Few things that you are probably getting wrong about why Flutter uses Dart.

More and more often, I would get emails about why people think Google choose Dart for Flutter. It seems, most of those articles written by…

5 min read