Abstract

We present a novel attack named “Authenticator Rebinding Attack,” which targets the Fast IDentity Online (FIDO) Universal Authentication Framework (UAF) protocol as implemented on mobile devices. The Authenticator Rebinding Attack rebinds the victim’s identity to the attacker’s authenticator, so that the service verifies the attacker’s authenticator instead of the victim’s during the UAF protocol, allowing the attacker to bypass the UAF local authentication mechanism and impersonate the victim when performing sensitive operations such as transfers and payments. The vulnerability to the Authenticator Rebinding Attack is caused by the lack of effective authentication between entities in the UAF protocol implementations used in real systems. In this paper, we implement this attack on the Android platform and evaluate its implementability; the results show that the proposed attack is implementable in real systems and that Android applications using the UAF protocol are prone to it. We also discuss possible countermeasures against the threats posed by the Authenticator Rebinding Attack for the different stakeholders implementing UAF on the Android platform.

Highlights

  • Fast IDentity Online (FIDO) Universal Authentication Framework (UAF) is an authentication mechanism based on public key cryptography designed to replace password-based authentication [1], which has been criticized for its inconvenience and insecurity because it requires users and verifiers to maintain a growing list of login credentials and passwords.

  • The contributions of this paper can be summarized as follows: (i) we present a novel attack called Authenticator Rebinding Attack, which impersonates the victim to perform sensitive operations by rebinding the victim’s identity to the attacker’s authenticator; (ii) we demonstrate the technical feasibility of the Authenticator Rebinding Attack by giving the details of the attack on the Hebao Pay and Jingdong Finance applications; (iii) we show the practical significance of this attack by analyzing the security of UAF applications mined from real-world applications; (iv) we present the main causes of this threat and the countermeasures against this attack for the different stakeholders implementing the UAF protocol on the Android platform.

  • In order to comprehensively study the threats of such an attack, we first analyze applications related to third-party payment, banking, and online shopping; mine those applications that use the UAF protocol; and model the two main implementations of the UAF protocol, i.e., Out-App Authenticator Mode and In-App Authenticator Mode.


Summary

Introduction

FIDO UAF is an authentication mechanism based on public key cryptography designed to replace password-based authentication [1], which has been criticized for its inconvenience and insecurity because it requires users and verifiers to maintain a growing list of login credentials and passwords. (i) We present a novel attack called Authenticator Rebinding Attack, which impersonates the victim to perform sensitive operations by rebinding the victim’s identity to the attacker’s authenticator; (ii) we demonstrate the technical feasibility of the Authenticator Rebinding Attack by giving the details of the attack on the Hebao Pay and Jingdong Finance applications; (iii) we show the practical significance of this attack by analyzing the security of UAF applications mined from real-world applications; (iv) we present the main causes of this threat and the countermeasures against this attack for the different stakeholders implementing the UAF protocol on the Android platform.

UAF Protocol
Implementations of the UAF Protocol
Authenticator Rebinding Attack
Discussions
Findings
Conclusions