 |
|
Notes for Developers
|
Our goal is to provide clear instructions for developers.
Our hope is that WebAuthn+ will used as the code foundation for educating new developers.
One of the most difficult tasks for new developers is system configuration. We will walk you through everything step by step.
Please contact us with any questions or recommendations for improvement: trustnexus.io@austin.rr.com.
|
|
|
Remember, WebAuthn+ is still a prototype application.
|
|
We need two simple changes to the Web Bluetooth API
in order to make WebAuthn+ fully functional:
|
|
First, the host's domain name needs to be sent from the browser application code to the Bluetooth Gatt Server running on the user's mobile device. Application level (from within the browser code) messaging from the browser to the smart phone over bluetooth is not yet supported by the
Web Bluetooth API. The prototype uses a direct Java Script method call:
|
| domainNameCharacteristic.writeValue(textEncoder.encode(domainName)); |
| With this direct java Script call, the domain name could be spoofed in a sophisticated man in the middle attack. All that is necessary to make
this process completely secure is a simple addition to the
Web Bluetooth API. A method needs to be added and this method needs to be run from within the
browser context. The domain name needs to be sent by the browser, not as a parameter in the Java Script (which could be easily modified): |
| writeDomainNameCharacteristic() |
| This is the key problem that needs to be solved for web authentication to be secure: a secure "out of band confirmation" that the user is on the "right" web page.
The solution is a simple addition to the Web Bluetooth API.
|
| Once this change is made, excluding attacks against the operating system and malware that mimics or compromises a true application, there is only one threat vector:
If a bad actor "looks over your shoulder", steals your password, then steals your smart phone, and defeats the fingerprint reader (or other security) before
you can report your smart phone lost or stolen... then the bad actor can access your account.
|
| Second, the pairing process currently specified by the
Web Bluetooth API is not user friendly and not highly secure.
"Session Specific Pairing" would be a great improvement.
|
| Currently, JavaScript code in the web browser makes a request for a Bluetooth device advertising a specific service.
Any device with the service UUID within sixty meters will show up in the pairing screen.
|
|
| The user must select from potentially multiple devices in the pairing list.
The reason for this manual selection has to do with security. The creators of the Web Bluetooth API
did not want a web application to pair with just any Bluetooth device that happened to be close by and advertising a specific service.
|
| However, it is incredibly annoying to have to manually pair your mobile phone whenever you sign on,
especially when your phone is the only device in the list.
|
| The process would be far more efficient and secure
if a session UUID was added to the filters for the
Bluetooth.requestDevice() JavaScript method.
This session UUID would be sent to the mobile device by the browser and checked against the session UUID sent to the mobile device from the server.
With this change, Web Bluetooth pairing could become automatic and more secure (no chance of the user selecting the wrong device).
|
| In the Java Script, we would just add a sessionUuid to the services attributes:
|
| let device = await navigator.bluetooth.requestDevice({filters: [{services: [serviceUuid, sessionUuid]}]}); |
| A "message" attribute could also be added to the filters; e.g., "{message: ['Activate your WebAuthn+ mobile app.']}"
|
|
| Once the app is activated it will start advertising with the service UUID and the session UUID;
it will be picked up by the browser and automatically paired. Life will be beautiful.
|
|
|
We currently have source code in Java for the server application and source code in Android for the mobile application. All the
browser based functionality is done with standard JavaScript. We need three more code projects:
|
- Objective-C for the iOS mobile application.
- Python for an alternative server application.
- Ruby for an alternative server application.
|
|
It looks like we will also need a fourth project to create a prototype Chromium browser with the modifications to
the Web Bluetooth API mentioned above. We will then gives these modifications away to all players.
|
|
If you would like to to become a collaborator or help in any way please contact us: trustnexus.io@austin.rr.com.
|
| We plan to create a program that will compensate core developers who contribute to the open source effort.
We are not socialists. We believe the software developers
who contribute to this effort should be well compensated. The idea that talented software engineers should contribute their talents as slave labor to the richest corporations
in the world is truly ridiculous.
|
|
|
Let's begin with the basics.
|
|
Download and Install Java SE JDK
|
|
These instructions will assume you are installing on a WIndows 10 system.
If you are installing on a Linux system, you probably do not need these instructions.
|
Follow the instructions here to download the Java SE JDK.
Just to be safe (from the Oracle license restrictions), select,
"End users and developers looking for free JDK versions: Oracle OpenJDK".
|
|
Then select the latest "Reference Implementation"
(in this case, JAVA SE 16) and download the zip file (in this case, "Windows 10 x64 Java Development Kit (sha256) 176 MB").
|
|
Unzip the zip file in a temp directory, then copy the folder "jdk-16" to "C:\Program Files\Java".
|
|
Add "C:\Program Files\Java\jdk-16\bin" to the system PATH.
|
|
Set the "JAVA_HOME" system variable to "C:\Program Files\Java\jdk-16" (it is in the same place as you set the PATH).
|
|
On Windows 10, after you complete the step for setting the PATH and JAVA_HOME system variables, you can test the installation on Windows 10 by opening a command prompt and entering, "java -version" and "echo %JAVA_HOME%".
|
|
|
|
Download and Install The Eclipse IDE (code editor)
|
|
Follow the instructions here.
|
|
In "step 3." select "Eclipse IDE for Enterprise Java EE Developers".
|
|
|
Once Eclipse is installed it will open. Select "Window >> Preferences" then type "tab" in the filter box.
|
|
Select "General >> Editors >> Text Editors". Set the "Displayed tab width" to "4" and check "Insert spaces for tabs".
|
|
|
Select "Java >> Code Style >> Formatter"; then click the "Edit" button. The "Profile" screen will be displayed.
|
|
|
Set the "Tab policy" to "Spaces only". Set the "Indentation size" to "4". Set the "Tab size" to "4".
|
|
Set the "Profile name" to "WebAuthnPlus". Click "OK".
|
|
|
|
|
|