webauthn spc

Webauthn

免密登录/安全支付

Posted by Lengzhao Blog on March 15, 2024

Webauthn

简介

Web 身份验证 API(也称为 WebAuthn)是由W3C和FIDO编写的规范,Google、Mozilla、Microsoft、Yubico 等参与。该 API 允许服务器使用公钥加密而不是密码来注册和验证用户。 它允许服务器与现在内置于设备中的强大身份验证器集成,例如 Windows Hello 或 Apple 的 Touch ID。为网站创建私钥-公钥对(称为凭据),而不是密码。 私钥安全地存储在用户的设备上;公钥和随机生成的凭证 ID 被发送到服务器进行存储。然后,服务器可以使用该公钥来证明用户的身份。

公钥不是秘密的,因为如果没有相应的私钥,它实际上是无用的。服务器不接收任何秘密的事实对用户和组织的安全具有深远的影响。数据库对黑客不再那么有吸引力,因为公钥对他们来说没有用处。

WebAuthn 是FIDO2 框架的一部分,FIDO2 框架是一组支持服务器、浏览器和身份验证器之间无密码身份验证的技术。自 2019 年 1 月起,Chrome、Firefox、Edge 和 Safari 支持 WebAuthn。

w3c-webauthn-2 扩展

webauthn-3还是草稿阶段

安全支付

安全付款确认 (SPC) 是建议的 Web 标准,允许客户使用平台身份验证器向信用卡发卡机构、银行或其他付款服务提供商进行身份验证:

macOS 设备上的解锁功能(包括触控 ID) Windows 设备上的 Windows Hello 借助 SPC,商家可以让客户快速、无缝地验证其购买交易,同时发卡银行保护其客户免受欺诈行为的伤害。

  1. w3c-spc草稿
  2. google chrome docs
  3. webauthn playgroud
  4. spc example
  5. code example1
  6. code example2:playgroud

区块链兼容

run log

try

  1. AUTHENTICATION OPTIONS 
    {
  "challenge": "MNgX-5n2OoghUgf4Ws2rT9UkKrFogrKXGCXhEHMgLAC6B-kHj_JF8noG0Re2Bsf_OGPTKd1oLiPAUZkTL7T61A",
  "timeout": 60000,
  "rpId": "webauthn.io",
  "allowCredentials": [],
  "userVerification": "preferred"
}
  2. REGISTRATION OPTIONS 
    {
  "rp": {
 "name": "webauthn.io",
 "id": "webauthn.io"
  },
  "user": {
 "id": "YWFh",
 "name": "aaa",
 "displayName": "aaa"
  },
  "challenge": "2SSSycKxkvfijyIGv2LTAVIJttxtR-1-dmbHj9paDrgeGtGvOBbqGFs5wocEaoNhhiG5F-3VawvbqG_qdFnfiw",
  "pubKeyCredParams": [
 {
   "type": "public-key",
   "alg": -7
 },
 {
   "type": "public-key",
   "alg": -257
 }
  ],
  "timeout": 60000,
  "excludeCredentials": [],
  "authenticatorSelection": {
 "residentKey": "preferred",
 "requireResidentKey": false,
 "userVerification": "preferred"
  },
  "attestation": "none",
  "hints": [],
  "extensions": {
 "credProps": true
  }
}
  3. REGISTRATION RESPONSE 
    {
  "id": "-eNTKYHUb4Npo3rKPJcr7xuV_JkY3arsCC8eAHQch5w",
  "rawId": "-eNTKYHUb4Npo3rKPJcr7xuV_JkY3arsCC8eAHQch5w",
  "response": {
 "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVikdKbqkhPJnC90siSSsyDPQCYqlMGpUKA5fyklC2CEHvBBAAAAAK3OAAI1vMYKZIsLJfHwVQMAIPnjUymB1G-DaaN6yjyXK-8blfyZGN2q7AgvHgB0HIecpQECAyYgASFYIAnN1l6_bqu_TzDb2q_Mlw3tfcwWs1z2cP0O3TXtN73oIlggZeC6HEiVmKzNWhiynUcqqRMARoK9nN_eiXmR4xPDq-0",
 "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiMlNTU3ljS3hrdmZpanlJR3YyTFRBVklKdHR4dFItMS1kbWJIajlwYURyZ2VHdEd2T0JicUdGczV3b2NFYW9OaGhpRzVGLTNWYXd2YnFHX3FkRm5maXciLCJvcmlnaW4iOiJodHRwczovL3dlYmF1dGhuLmlvIiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvdGhlcl9rZXlzX2Nhbl9iZV9hZGRlZF9oZXJlIjoiZG8gbm90IGNvbXBhcmUgY2xpZW50RGF0YUpTT04gYWdhaW5zdCBhIHRlbXBsYXRlLiBTZWUgaHR0cHM6Ly9nb28uZ2wveWFiUGV4In0",
 "transports": [
   "internal"
 ],
 "publicKeyAlgorithm": -7,
 "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECc3WXr9uq79PMNvar8yXDe19zBazXPZw_Q7dNe03vehl4LocSJWYrM1aGLKdRyqpEwBGgr2c396JeZHjE8Or7Q",
 "authenticatorData": "dKbqkhPJnC90siSSsyDPQCYqlMGpUKA5fyklC2CEHvBBAAAAAK3OAAI1vMYKZIsLJfHwVQMAIPnjUymB1G-DaaN6yjyXK-8blfyZGN2q7AgvHgB0HIecpQECAyYgASFYIAnN1l6_bqu_TzDb2q_Mlw3tfcwWs1z2cP0O3TXtN73oIlggZeC6HEiVmKzNWhiynUcqqRMARoK9nN_eiXmR4xPDq-0"
  },
  "type": "public-key",
  "clientExtensionResults": {
 "credProps": {
   "rk": true
 }
  },
  "authenticatorAttachment": "platform"
}
  4. AUTHENTICATION OPTIONS 
    {
  "challenge": "RGvq7w9eOodPM0qna7yvaHam2omiURJx1Xgn5VtTtzeYh1JsdghrynpveVEK6V999kkg9KYRMWlwpG0SeVGxQg",
  "timeout": 60000,
  "rpId": "webauthn.io",
  "allowCredentials": [
 {
   "id": "-eNTKYHUb4Npo3rKPJcr7xuV_JkY3arsCC8eAHQch5w",
   "type": "public-key",
   "transports": [
     "internal"
   ]
 }
  ],
  "userVerification": "preferred"
}
  5. AUTHENTICATION RESPONSE 
    {
  "id": "-eNTKYHUb4Npo3rKPJcr7xuV_JkY3arsCC8eAHQch5w",
  "rawId": "-eNTKYHUb4Npo3rKPJcr7xuV_JkY3arsCC8eAHQch5w",
  "response": {
 "authenticatorData": "dKbqkhPJnC90siSSsyDPQCYqlMGpUKA5fyklC2CEHvABAAAAAA",
 "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiUkd2cTd3OWVPb2RQTTBxbmE3eXZhSGFtMm9taVVSSngxWGduNVZ0VHR6ZVloMUpzZGdocnlucHZlVkVLNlY5OTlra2c5S1lSTVdsd3BHMFNlVkd4UWciLCJvcmlnaW4iOiJodHRwczovL3dlYmF1dGhuLmlvIiwiY3Jvc3NPcmlnaW4iOmZhbHNlfQ",
 "signature": "MEUCIQDilnoz0ecNlNxpncEHgOiH3-ckUwyqLcf9Te_NbZN1QQIgY9BmPpKBuAK1bUJUsP3-J2bsGDatgHmpmRGVjM7UbY8",
 "userHandle": "YWFh"
  },
  "type": "public-key",
  "clientExtensionResults": {},
  "authenticatorAttachment": "platform"
}

example

代码来自https://rsolomakhin.github.io/pr/spc/

Secure Payment Confirmation

This is a test website. Nothing is charged.

</pre>

(with credential #1)

(with credential #2)

(with credential #1)</button>

(with credential #2)</button>



Based on the Secure Payment
      Confirmation explainer.











                


                


                
                
                
                
                
                

                
                
                
                
                
                

                

            
  

    
        

    
            


                
                
                

                    
                    
FEATURED TAGS

                    

        				
                            
                				
                                    blockchain
                                
                            
        				
                            
        				
                            
        				
                            
                				
                                    grpc
                                
                            
        				
                            
                				
                                    test
                                
                            
        				
                            
        				
                            
        				
                            
        				
                            
        				
                            
        				
                            
                				
                                    dex
                                
                            
        				
                            
                				
                                    DeFi
                                
                            
        				
                            
                				
                                    想法
                                
                            
        				
                            
        				
                            
        				
                            
        				
                            
                				
                                    contract
                                
                            
        				
                            
        				
                            
        				
                            
        				
                            
        				
                            
                				
                                    研究
                                
                            
        				
                            
                				
                                    AI
                                
                            
        				
                            
                				
                                    langchain
                                
                            
        				
                            
        				
                            
        				
                            
        				
                            
        				
                            
        				
                            
        				
                            
                				
                                    密码学
                                
                            
        				
                            
        				
                            
        				
                            
        				
                            
        				
                            
        				
                            
        				
                            
        				
        			

                

                

                
                
                

                
FRIENDS