Web Cryptography Next Steps

W3C Workshop on Authentication, Hardware Tokens and Beyond

10-11 September 2014, Silicon Valley (Mountain View), California

Final Report

Executive Summary

The Web Crypto v.Next Workshop focused on improving secure authentication in the Open Web Platform. We reviewed the possible integration of hardware tokens as well as other forms of authentication, with the aim of being able to replace the password with more phishing-resistant cryptographic credentials. The workshop attracted more than 70 participants, including representatives from major browser vendors, hardware token vendors, mobile phone operators, payment technologists, government eID experts, and other bodies such as GlobalPlatform, SmartCard Alliance, FIDO Alliance, and SIM Alliance.

Today on the Web, users typically use weak passwords across multiple sites, making them increasingly vulnerable to phishing and data breaches. To support high-value transactions on the Web, we must improve the security and usability of user authentication. Open standards for both two-factor authentication and the use of cryptographic material for authentication would make the Web more secure. Such secure cryptographic material is naturally stored on hardware tokens such as smartcards and USB dongles that are currently difficult to interface with Web application development.

Attendees at the packed workshop spent two days discussing the future of W3C standardization in this space, reaching a number of tentative conclusions:

The workshop operated through a series of panel presentations, each followed by lively whole-room discussion.


Chair Virginie Galindo (Gemalto) opened the meeting, with welcomes from host Tony Nadalin (Microsoft) and sponsors Dirk Balfanz (Google) and Siva Narendra (Tyfone). W3C thanks the host, sponsors, and participants for a productive workshop.

Richard Barnes of Mozilla (slides) discussed how any future Working Group must focus on good design patterns and then encapsulate the precise functions we need.

Dirk Balfanz of Google (slides) discussed an approach where the user authenticates to a device, and device-bound crypto (like FIDO U2F login) can then stop phishing.

Peter Cattaneo of Intercede (slides) discussed that while the user-interface and desired content may be in the browser, there will have to be backwards compatibility for authenticators not native to the Web.

Many of the possible designs involve choosing the right level of abstraction. There are a few key points: namely, that crypto-based authentication will likely require key material outside the browser environment and bound to a local authenticator, with the authenticators and their current state being discoverable by the browser.

Chair's opening remarks by Virginie Galindo (Gemalto) - Photo credit: Wendy Seltzer

Extending the Existing W3C Web Cryptography API

Brian LaMacchia of Microsoft (slides) brought up that BigNum is necessary for WebCrypto to engage with many kinds of cryptography such as new elliptic curves and anonymous voting schemes, as using 16 bits to simulate large-field math is simply too slow.

Kelsey Cairns of WSU (slides) presented on her research on using formal models to test the current version of WebCrypto. She highlighted their inability to give good security guarantees due to an attacker in compromised JavaScript replacing the wrapping key or otherwise polyfilling the JavaScript maliciously.

Nick Van den Bleeken of Inventive Designs (slides) discussed the difficulties in using the current WebCrypto API with eIDs to sign documents like European taxes, and that some discovery for keys on smartcards would be needed.

Sangrae Cho of ETRI (slides) presented the issues facing the Korean online banking use-case that affects over 20 million people. In order to get Korea off of the ActiveX control, Korea requires private keys and certificates stored in secure hardware-based solutions but accessible from the browser.

Philip Hoyer of HID Global (slides) talked about how the Proximity API could end up being crucial in order to authenticate to nearby devices and retrieve secure capabilities.

Currently, many countries - including Europe, Korea, and Japan - have some form of nationally-mandated digital identity system, often tied to a country-specific PKI infrastructure and some form of hardware token that currently requires plug-ins to be installed for use on the Web. Users consistently do not install those plug-ins or those plug-ins themselves have various (often security) flaws. Yet the desire for eID systems to use multi-origin key infrastructure requires various difficult privacy and usability issues to be addressed. Thus, there seemed to be consensus to aim for a same-origin model but to allow authenticators to operate over multiple origins. BigNum and other primitives were needed to implement anonymous authentication via zero-knowledge proofs, which is being considered in many European countries. Lastly, it is still problematic for WebCrypto to be used with any Javascript code that does not completely trust the origin with "remote code execution", and so work on verified Javascript code may be necessary in addition to access to better key storage and authenticators.

Discussion between Brian LaMacchia (Microsoft), Richard Barnes (Mozilla), and Dirk Balfanz (Google) - Photo credit: Wendy Seltzer


Brad Hill of Paypal and representing the FIDO Alliance (slides) summarizes the lessons of FIDO: Users and servers want hardware-bound keys but users also want unlinkability, and FIDO has ways outside the browser to approach these problems. FIDO intends to promulgate specifications, especially its Web-facing APIs, into other standards groups such as W3C when IPR inside FIDO is complete.

Detlef Hühnlein of ECSEC (slides) pointed out that the FIDO authentication protocol is simple when approached from the client side, and could be made compatible with ISO 24727 to standardize ID cards as it abstracts away from national-level details.

John Mattsson of Ericsson discussed that SIM card-based authentication should be supported in the browser since SIM cards are increasingly widely used (solving the distribution of hardware-based credentials), and that 3GPP has already standardized GBA for the use of existing SIM credentials.

Hannes Tschofenig of ARM (slides) talked about how widespread deployment was necessary for replacing the password and so all stakeholders must co-operate, and that a suitable abstraction layer should be posited above FIDO and GBA, that can be compatible with different protocols.

Sean Wykes of Nascent Technology Consultants (slides) presented on how, as browsers move away from applets, banks and governments are being forced to go with JavaScript, but that the lack of any trusted user-interface and out-of-band authentication makes it impossible. He suggested some combination of trusted frames, signed JavaScript, and web workers be bundled up to make a trusted user interface.

In general, there was a wide diversity of deployed authentication solutions and a heterogeneous landscape of use-cases. The key question was how much the Web should just start from scratch or attempt to support legacy architectures. In more detail, the question is how much of FIDO technology could be opened up to incorporate other authentication mechanisms and the role of ISO 24727 in mediating the various hardware token standards, as well as the support of SIM cards. Access to these authenticators could happen in many different ways: How can trusted user-interfaces really compare to and relate with HTTPS and Content Security Policy? Just because an authentication technique is outside the Web does not necessarily mean it is better; for example, replay attacks on certain layers (SMS) present security problems. In general, it was felt that multi-factor and "passwordless" authentication should be simple for the average user, but the user should be treated as an intelligent human being: Anyone should have control over the flow of their own information and the option to remain anonymous.

Jeff Hodges (Paypal) displaying workshop's IRC channel - Photo credit: Wendy Seltzer

Hardware Tokens

Siva Narendra of Tyfone (slides) discussed how the W3C needs to remain neutral as regards the underlying authenticators and key storage devices. He noted that security goes beyond multi-factor authentication to include decentralizing identity validation and key storage on smartcard chips. However, he believes the W3C has a role to play as current browser interfaces to smartcards are proprietary, even though smartcards themselves are not and are based on open ISO standards.

Herve Sibert represented GlobalPlatform (slides), a standard for managing applications on secure chip technology that focuses on mobile. Their proposal to the W3C was to consider transport and service layers from the GlobalPlatform work, identify service levels in Secure Elements/Trusted Execution Environments, and to synchronize roadmaps.

Bruno Javary of Oberthur Technologies (slides) presented on the use of Secure Elements API, which had been worked on by the W3C Systems Applications Working Group. Given there are 7 billion smartcards already deployed, he argued that a common open standard would vastly improve usability for access to such secure tokens such as PIV (Personal Identity Verification) cards.

Natasha Rooney of GSMA (slides) overviewed their work on Mobile Connect, which allows users to authenticate easily on mobiles without passwords. It requires an applet running on a device that uses SIM as a hardware token, and its main disadvantage is that currently applets need to be preprovisioned, although work is ongoing on "over the air" provisioning.

Karen Lu of Gemalto (slides) brought up that the kinds of APIs used by hardware tokens were multi-level and W3C should focus on the right layering. Low-level access to secure microprocessing, memory, and cryptographic engines generally is via APDUs (Application Protocol Data Units). The middle level is access to cryptographic operations (such as done via the current Web Cryptography API) and secure storage. A high-level API for services would also be necessary for layering authentication, payment, and token management on lower levels.

The discussion focused mostly on the economic case for how to increase hardware token adoption. While smartcards and SIM cards have solved the problem of distribution, in general these hardware tokens pre-date and do not work well with the Web. However, new Web standards that try to build from scratch ignore the hard problem of distributing authenticators to users. Furthermore, today issuers pay for hardware tokens, but the consumer space does not have such an issuer. Indeed, many of the economic issues seem to deal with liability. Furthermore, any W3C standard should avoid forcing access to proprietary services or business models but should allow a variety of services (some with attendant business models) to be accessed in both consumer-facing settings (where individuals enroll to some service) and organization-facing settings (where enrollment is mandated by some organization, such as a government or enterprise). It was thought that open standards should support different levels of assurance, including different levels of convenience of enrollment and authentication.

Siva Narendra (Tyfone) being introduced by Cathy Medich (Smartcard Alliance) - Photo credit: Wendy Seltzer

New Security Features for the Web

Ilhan Gurel of Trustonic (slides) presented their use of ARM TrustZone based TEE for isolation between secure and insecure at the hardware level and to produce a trusted UI.

Giridhar Mandyam of Qualcomm (slides) presented multifactor authentication based on a user's contextual data via Device APIs such as geolocation and media capture.

Mike Jones of Microsoft (slides) discussed "proof-of-possession" to eligibility to participate, where the proofs may be unstealable cookies, passwordless login, proof of eligibility, and the like. In particular, there may be a need to connect OAuth's Proof of Possession with W3C WebCrypto. Channel-binding should also be considered.

Vladimir Katardjiev of Ericsson (slides) posited that trusting the server via the "same-origin" is not enough for the Web, and the next generation of the Web should protect the user's data from their own service provider, including data breaches, and government demands. For example, cleartext of important information should not be accessible by the WebApp JavaScript at runtime.

Jonas Andersson of Fingerprints works on fingerprint sensors for mobile phones, and notes that biometric fingerprint readers are becoming more common across devices. The major barrier to the use of these as authenticators is that there is a limited supply of biometrics, and thus zero-knowledge proof techniques and others must be used to avoid endangering biometric data.

The various proposals showed that any future standard should take careful account not only of convenience but also privacy. For example, biometrics could remove privacy via removing choice. Furthermore, the use of keys on hardware tokens should be distinguished on a fine level between keys that are controlled ultimately by the user (user keys), keys controlled by the service such as a Web site (service keys) as well as keys embedded in the operating hardware (platform keys) and keys embedded in devices (device keys). These keys may overlap in certain cases and may have complex relationships with one another. There are hard questions, such as how to explain to a typical user how they are exposing their identity to another web site that they have no pre-existing relationship with.

Audience at workshop - Photo credit: Wendy Seltzer

Next Steps

Israel Hilerio of Microsoft (slides) advocated for an algorithm discovery API that lets a service evaluate user-agent capabilities before execution, which could be especially important if there were different kinds of cryptography deployed across different browsers.

At the end of the workshop, there was strong consensus that large swathes of industry felt that better authentication and hardware token support should be built into the Open Web Platform. However, there was not agreement on the precise standard or set of standards for doing so, although there was agreement that such an approach should be compatible with a wide array of authenticators ranging from multi-factor authentication via SMS to smartcards.

There is much prior work that should inform any new standardization effort. The FIDO Alliance has committed to standardizing the web-facing components of their U2F (Universal 2nd Factor) work and UAF (Universal Authentication Framework) for passwordless authentication at the appropriate standards bodies, including the W3C for web-facing components. There is ongoing work by the Smartcard Alliance and the widespread use of ISO 24727 in the field. There is also GSMA and the SIMAlliance working on SIM card work such as Mobile Connect. Mozilla noted they were modifying their DOM PKCS#11 interface. There is work in the IETF on HOBA, a purely software-based method for authenticating using cryptographic key material. Although not an official W3C Working Draft, the W3C SysApps Working Group has an Editor's Draft of a Secure Elements API. The W3C hopes to see much of this work mature over the next year, and work not available under a W3C Royalty Free Patent Policy may be submitted as a Member Submission at any time. The W3C will commit to liaising with the appropriate relevant other organizations.

The workshop concluded with a set of straw polls to gauge support for and interest in participating in standardization. Although some of these terms should be better-defined, these can be roughly categorized as (details on wiki):

We heard significant consensus interest in pursuing standards for authentication and hardware token support at W3C that support user-control, high security, and privacy. People unanimously agreed that adding the ability to use platform-accessible secure keys (both platform-held and device-held keys) from the browser is a critical next step.

Both the Web Cryptography Working Group and the Web Application Security Working Group, which have related areas of focus and relevant participants, will be in the process of re-chartering at the end of 2014. We can consider either of these groups (re-chartered) or a newly chartered group as a home for new work supporting authentication and hardware tokens.

The next steps will be the development of one or more draft charters. W3C members and the public can participate in that discussion on the Web Security Interest Group mailing list.

Harry Halpin (W3C/MIT) taking a strawpoll on next steps for chartering - Photo credit: Wendy Seltzer