Skip to main content
Version: 8.2411.x.x RR

Crypto support

FIDO UAF

Supported Public Key Formats

nevisFIDO stores the public keys of the FIDO UAF authenticators as sent by the FIDO client during the FIDO UAF registration. nevisFIDO supports the following public key algorithms:

  • ALG_KEY_ECC_X962_DER: ASN.1 DER [ITU-X690-2008] encoded ANSI X.9.62 formatted SubjectPublicKeyInfo [RFC5480].
  • ALG_KEY_ECC_X962_RAW: Raw ANSI X9.62 formatted Elliptic Curve public key.
  • ALG_KEY_RSA_2048_DER: ASN.1 DER [ITU-X690-2008] encoded 2048-bit RSA [RFC3447] public key [RFC4055].
  • ALG_KEY_RSA_2048_RAW: Raw encoded 2048-bit RSA public key [RFC3447].

Supported Authentication Algorithms

During registration and authentication, the FIDO UAF client sends attestations to nevisFIDO. nevisFIDO supports the following algorithms when validating the signature of these attestations:

  • ALG_SIGN_SECP256R1_ECDSA_SHA256_DER: DER [ITU-X690-2008] encoded ECDSA signature [RFC5480] on the NIST secp256r1 curve.
  • ALG_SIGN_SECP256R1_ECDSA_SHA256_RAW: ECDSA-ANSI encoded ECDSA signature [RFC5480] on the NIST secp256r1 curve.
  • ALG_SIGN_SECP256K1_ECDSA_SHA256_DER: DER [ITU-X690-2008] encoded ECDSA signature [RFC5480] on the secp256k1 curve.
  • ALG_SIGN_SECP256K1_ECDSA_SHA256_RAW: ECDSA encoded ECDSA signature on the secp256k1 curve.
  • ALG_SIGN_RSASSA_PSS_SHA256_DER: DER [ITU-X690-2008] encoded OCTET STRING containing the RSASSA-PSS [RFC3447] signature.
  • ALG_SIGN_RSASSA_PSS_SHA256_RAW: RAW encoded RSASSA-PSS [RFC3447] signature [RFC4055][RFC4056].
  • ALG_SIGN_RSA_EMSA_PKCS1_SHA256_DER: DER [ITU-X690-2008] encoded OCTET STRING containing the EMSA-PKCS1-v1_5 signature [RFC3447].
  • ALG_SIGN_RSA_EMSA_PKCS1_SHA256_RAW: RAW encoded EMSA-PKCS1-v1_5 signature [RFC3447].

Supported Encryption Methods by the FCM (Firebase Cloud Messaging) Dispatcher

The FCM Dispatcher encrypts the tokens sent through the Firebase Cloud Messaging push service. The following encryption algorithms are supported:

  • RSA-OAEP-256 with encryption method A256CBC_HS512
    • RSA-OAEP-256: RSAES using Optimal Asymmetric Encryption Padding with SHA-256 hash function.
    • A256CBC_HS512: AES_256_CBC_HMAC_SHA_512 authenticated encryption using a 512 bit.
  • ECDH-ES+A256KW with encryption method A256CBC_HS512
    • ECDH-ES+A256KW: Elliptic Curve Diffie-Hellman Ephemeral Static key agreement, where the agreed-upon key is used to wrap the Content Encryption Key (CEK) with the A256KW function.
    • A256CBC_HS512: AES_256_CBC_HMAC_SHA_512 authenticated encryption using a 512 bit.

Supported Signature Methods to Modify Dispatch Targets

To modify dispatch targets (see the Modify Dispatch Target HTTP API) , the client must sign the modification payload. nevisFIDO supports the following JWS algorithms:

  • RS256: RSASSA-PKCS1-v1_5 using SHA-256
  • RS384: RSASSA-PKCS1-v1_5 using SHA-384
  • RS512: RSASSA-PKCS1-v1_5 using SHA-512
  • PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
  • PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
  • PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512
  • ES256: ECDSA using P-256 and SHA-256
  • ES384: ECDSA using P-384 and SHA-384
  • ES512: ECDSA using P-521 and SHA-512

FIDO2

Supported signature algorithms

The following algorithms are supported and configurable during registration for the client authenticator to generate the key material with.

  • ES256 : ECDSA using P-256 and SHA-256 (default)
  • ES384 : ECDSA using P-384 and SHA-384
  • ES512 : ECDSA using P-521 and SHA-512
  • RS256 : RSASSA-PKCS1-v1_5 using SHA-256
  • RS384 : RSASSA-PKCS1-v1_5 using SHA-384
  • RS512 : RSASSA-PKCS1-v1_5 using SHA-512
  • RS1 : RSASSA-PKCS1-v1_5 with SHA1

Supported attestation statement format

  • Packed attestation
  • FIDO U2F attestation
  • Android Key attestation
  • Android SafetyNet attestation
  • TPM attestation
  • Apple Anonymous attestation
  • None attestation