Skip to content

Project Overview

Jump to bottom
Rain Zhang edited this page Nov 6, 2025 · 2 revisions

Project Overview

Table of Contents

  1. Introduction
  2. Core Goals and Target Audience
  3. System Architecture
  4. Key Workflows
  5. Post-Quantum Cryptography Integration
  6. Architectural Trade-offs and Design Constraints

Introduction

The Post-Quantum WebAuthn Platform is a full-stack implementation of the FIDO2/WebAuthn standard with integrated support for post-quantum cryptography (PQC), specifically the ML-DSA (Module-Lattice Digital Signature Algorithm) family of algorithms. This platform serves as a comprehensive development and demonstration environment for quantum-resistant authentication systems. It provides a complete implementation of the WebAuthn protocol stack, from the frontend JavaScript components that interact with the browser's WebAuthn API to the backend Flask server that processes registration and authentication requests.

The platform is designed to be both a practical tool for developers and a reference implementation for security engineers and cryptographers. It demonstrates how PQC algorithms can be seamlessly integrated into existing WebAuthn infrastructure, providing a path forward for organizations preparing for the post-quantum era. The system leverages the liboqs library, which provides standardized implementations of various PQC algorithms, ensuring that the cryptographic primitives used are well-vetted and aligned with industry standards.

The platform's architecture follows a clear separation of concerns, with distinct components for handling the WebAuthn protocol, cryptographic operations, metadata validation, and user interface. This modular design allows for easy extension and modification, making it an ideal platform for experimentation with new PQC algorithms and WebAuthn features. The system is built using Python for the backend and modern JavaScript for the frontend, ensuring compatibility with a wide range of development environments and deployment scenarios.

Section sources

  • app.py
  • webauthn.py

Core Goals and Target Audience

The Post-Quantum WebAuthn Platform has three primary goals: enabling quantum-resistant authentication, demonstrating secure WebAuthn flows, and serving as a development platform for PQC-integrated identity systems. The first goal, enabling quantum-resistant authentication, is achieved through the integration of ML-DSA algorithms via the liboqs library. This ensures that the cryptographic signatures used in the authentication process are resistant to attacks from both classical and quantum computers, providing long-term security for user credentials.

The second goal, demonstrating secure WebAuthn flows, is accomplished by implementing the complete WebAuthn protocol, including registration, authentication, and metadata validation. The platform provides a clear and well-documented example of how these flows should be implemented in a secure manner, with proper handling of cryptographic operations, user verification, and attestation. This makes it an invaluable resource for developers who are new to WebAuthn or who want to ensure that their implementations are secure and compliant with the standard.

The third goal, serving as a development platform, is achieved through the platform's modular design and comprehensive documentation. The system is designed to be easily extended and modified, allowing developers to experiment with new PQC algorithms, WebAuthn features, and integration scenarios. This makes it an ideal platform for research and development in the field of post-quantum cryptography and identity systems.

The target audience for this platform includes security engineers, cryptographers, FIDO2 implementers, and web developers who are integrating quantum-safe authentication into their applications. Security engineers and cryptographers will find the platform useful for evaluating the security and performance of PQC algorithms in a real-world context. FIDO2 implementers will benefit from the clear and well-documented implementation of the WebAuthn protocol, which can serve as a reference for their own implementations. Web developers will appreciate the platform's user-friendly interface and comprehensive documentation, which make it easy to get started with quantum-safe authentication.

Section sources

  • pqc.py
  • config.py

System Architecture

The Post-Quantum WebAuthn Platform has a well-defined architecture that consists of several key components: a Flask-based server, frontend JavaScript components, a FIDO2 protocol stack, and a prebuilt liboqs library. The Flask-based server serves as the backend of the platform, handling all server-side logic and providing a RESTful API for the frontend to interact with. The server is responsible for processing registration and authentication requests, managing user sessions, and storing credential data.

The frontend JavaScript components are responsible for interacting with the browser's WebAuthn API and providing a user interface for the registration and authentication flows. These components are built using modern JavaScript and are designed to be modular and reusable. They handle tasks such as generating challenge values, sending requests to the server, and displaying the results of the authentication process.

The FIDO2 protocol stack is implemented in the fido2 Python package, which provides a comprehensive implementation of the WebAuthn specification. This stack handles the low-level details of the WebAuthn protocol, such as encoding and decoding CBOR data, managing authenticator data, and verifying attestation statements. The stack is designed to be extensible, allowing for the integration of new cryptographic algorithms and attestation formats.

The prebuilt liboqs library provides the post-quantum cryptographic algorithms used by the platform. This library is a C library that has been compiled and packaged for use on Linux systems. It provides implementations of various PQC algorithms, including the ML-DSA family of algorithms. The platform integrates with this library through Python bindings, which allow the server to call the cryptographic functions provided by liboqs.

The interaction between these components is orchestrated through a series of well-defined APIs and data structures. When a user initiates a registration or authentication flow, the frontend JavaScript components send a request to the Flask server. The server then uses the FIDO2 protocol stack to generate the necessary options and send them back to the frontend. The frontend uses these options to interact with the browser's WebAuthn API, which in turn communicates with the authenticator device. The response from the authenticator is sent back to the server, where it is processed by the FIDO2 protocol stack and verified using the cryptographic functions provided by liboqs.

graph TD
subgraph "Frontend"
JS[JavaScript Components]
Browser[Web Browser]
end
subgraph "Backend"
Flask[Flask Server]
FIDO2[FIDO2 Protocol Stack]
LibOQS[liboqs Library]
end
JS --> Flask
Flask --> FIDO2
FIDO2 --> LibOQS
Browser --> JS
Loading

**Diagram sources **

  • app.py
  • webauthn.py
  • pqc.py

Section sources

  • app.py
  • webauthn.py
  • pqc.py

Key Workflows

The Post-Quantum WebAuthn Platform implements several key workflows that are essential for secure authentication: registration, authentication, and metadata validation. The registration workflow begins when a user initiates the process through the frontend interface. The frontend sends a request to the Flask server, which uses the FIDO2 protocol stack to generate a set of registration options. These options include a challenge value, which is a random string that is used to prevent replay attacks, and a set of parameters that specify the requirements for the authenticator, such as the type of attestation and the user verification method.

The registration options are sent back to the frontend, which uses them to call the navigator.credentials.create() method in the browser's WebAuthn API. This method prompts the user to interact with their authenticator device, which generates a new key pair and returns a response that includes the public key, the authenticator data, and the attestation object. The response is sent back to the server, where it is processed by the FIDO2 protocol stack. The stack verifies the attestation object to ensure that the authenticator is genuine and that the public key was generated by a trusted device. The public key and other credential data are then stored in the server's database.

The authentication workflow is similar to the registration workflow, but it is used to verify the user's identity rather than to create a new credential. When a user attempts to authenticate, the frontend sends a request to the server, which generates a set of authentication options. These options include a challenge value and a list of allowed credentials, which are the credentials that the user has previously registered. The options are sent back to the frontend, which uses them to call the navigator.credentials.get() method in the browser's WebAuthn API. This method prompts the user to interact with their authenticator device, which signs the challenge value using the private key and returns a response that includes the signature, the authenticator data, and the user handle.

The response is sent back to the server, where it is processed by the FIDO2 protocol stack. The stack verifies the signature to ensure that it was generated by the correct private key and that the authenticator data has not been tampered with. If the verification is successful, the user is authenticated and granted access to the requested resource.

The metadata validation workflow is used to ensure that the authenticator devices used in the registration and authentication processes are genuine and have not been compromised. The platform uses the FIDO2 Metadata Service (MDS) to obtain information about the authenticator devices, such as their manufacturer, model, and security level. This information is used to verify the attestation statements returned by the authenticators and to detect any devices that have been revoked or are known to be vulnerable.

sequenceDiagram
participant User as "User"
participant Frontend as "Frontend JavaScript"
participant Server as "Flask Server"
participant Authenticator as "Authenticator Device"
User->>Frontend : Initiate Registration
Frontend->>Server : Request Registration Options
Server->>Server : Generate Options
Server-->>Frontend : Return Options
Frontend->>Authenticator : Call navigator.credentials.create()
Authenticator-->>Frontend : Return Response
Frontend->>Server : Send Response
Server->>Server : Verify Attestation
Server-->>Frontend : Confirm Registration
Frontend-->>User : Show Success
Loading

**Diagram sources **

  • simple.py
  • auth-simple.js

Section sources

  • simple.py
  • auth-simple.js

Post-Quantum Cryptography Integration

The integration of post-quantum cryptography (PQC) into the Post-Quantum WebAuthn Platform is a key feature that distinguishes it from classical WebAuthn implementations. The platform uses the ML-DSA (Module-Lattice Digital Signature Algorithm) family of algorithms, which are designed to be resistant to attacks from both classical and quantum computers. These algorithms are provided by the liboqs library, which is a C library that has been compiled and packaged for use on Linux systems.

The integration of ML-DSA algorithms is handled by the pqc.py module in the server. This module defines a mapping between COSE (CBOR Object Signing and Encryption) algorithm identifiers and the corresponding liboqs mechanism names. For example, the COSE algorithm identifier -50 is mapped to the liboqs mechanism name ML-DSA-87. This mapping is used to determine which algorithm should be used for a given registration or authentication request.

When a registration request is received, the server checks the list of supported algorithms provided by the client and selects the appropriate ML-DSA algorithm based on the client's preferences and the server's configuration. The selected algorithm is then used to generate the public key and to verify the attestation signature. The public key is encoded in COSE format and included in the attestation object, which is sent back to the client.

During the authentication process, the server uses the same algorithm to verify the signature generated by the authenticator. The signature is verified using the public key that was stored during the registration process. If the verification is successful, the user is authenticated and granted access to the requested resource.

The use of ML-DSA algorithms has several practical implications for the platform. First, the key sizes and signature sizes are larger than those used in classical algorithms, which can impact performance and storage requirements. Second, the computational complexity of the algorithms is higher, which can affect the speed of the registration and authentication processes. However, these trade-offs are necessary to ensure long-term security in the face of quantum computing threats.

classDiagram
class PQCAlgorithm {
+int COSE_ID
+string LIBOQS_NAME
+generate_key_pair() PublicKey, PrivateKey
+sign(message, private_key) Signature
+verify(signature, message, public_key) bool
}
class MLDSA44 {
+COSE_ID = -48
+LIBOQS_NAME = "ML-DSA-44"
}
class MLDSA65 {
+COSE_ID = -49
+LIBOQS_NAME = "ML-DSA-65"
}
class MLDSA87 {
+COSE_ID = -50
+LIBOQS_NAME = "ML-DSA-87"
}
PQCAlgorithm <|-- MLDSA44
PQCAlgorithm <|-- MLDSA65
PQCAlgorithm <|-- MLDSA87
Loading

**Diagram sources **

  • pqc.py
  • liboqs

Section sources

  • pqc.py

Architectural Trade-offs and Design Constraints

The design of the Post-Quantum WebAuthn Platform involves several architectural trade-offs and design constraints that are necessary to balance security, performance, and usability. One of the key trade-offs is the choice of cryptographic algorithms. The platform uses ML-DSA algorithms, which are designed to be resistant to attacks from quantum computers. However, these algorithms have larger key sizes and higher computational complexity than classical algorithms, which can impact performance and storage requirements. To mitigate these impacts, the platform uses efficient implementations of the algorithms provided by the liboqs library and optimizes the storage and transmission of cryptographic data.

Another trade-off is the choice of attestation format. The platform supports the "packed" attestation format, which is a compact format that is designed to minimize the size of the attestation object. This format is suitable for most use cases, but it does not provide the same level of detail as other formats, such as the "fido-u2f" format. The choice of format is a trade-off between size and security, with the "packed" format providing a good balance between the two.

The platform also has several design constraints that are necessary to ensure security and compliance with the WebAuthn standard. For example, the server must verify the attestation object to ensure that the authenticator is genuine and that the public key was generated by a trusted device. This verification process involves checking the attestation signature, the attestation certificate chain, and the attestation root certificate. The server must also ensure that the challenge value is unique and unpredictable, to prevent replay attacks.

The platform's modular design allows for easy extension and modification, but it also introduces some complexity. For example, the integration of the liboqs library requires careful management of the library's dependencies and build process. The platform must also handle the differences between the various ML-DSA algorithms, such as their key sizes and signature sizes, in a consistent and secure manner.

Despite these trade-offs and constraints, the Post-Quantum WebAuthn Platform provides a robust and secure implementation of the WebAuthn standard with integrated support for post-quantum cryptography. The platform's design ensures that it can be used as a reference implementation for developers and as a development platform for researchers and engineers working on the next generation of identity systems.

Section sources

  • config.py
  • mds3.py

Post-Quantum WebAuthn Platform

Getting Started

Home

Project Overview

Technology Stack & Dependencies

Installation & Setup

Developer Guide

Testing Strategy

Architectural Foundations

Core Architecture

System Overview

Data Flow Architecture

Component Interaction Model

Design Patterns and Abstractions

Cryptography & Security

Post-Quantum Cryptography Implementation

ML DSA Algorithm Integration

PQC Algorithm Detection and Selection

Fallback to Classical Cryptography

Security and Performance Considerations

Security Considerations

Cryptographic Security

Authentication Security

Configuration Security

Session Security

Input Validation and Error Handling

Authentication Platform

Core Protocol

FIDO2 Protocol Implementation

CTAP2 Commands

Flows & Interfaces

Authentication Flows

Simple Authentication Flows

Advanced Configuration & Management

Simple Authentication Interface

Advanced Authentication Interface

Authenticator Capabilities

Authenticator Configuration

Authenticator Selection Hints Processing

PIN_UV Authentication

Biometric Enrollment

Large Blob Storage

Extension Support

Server Platform

Server Implementation

Flask Application Structure

Configuration Management

Route Handlers

Shared Utilities & General Endpoints

Frontend Platform

Architecture

Frontend Implementation

JavaScript Architecture

Template Structure

CSS Styling System

State Management System

Interaction & Utilities

UI Components

UI Interaction Utilities

Form Handling and Input Validation

Shared Client Utilities

Local Storage Implementation

Client Interfaces

Client Integration

Metadata Service (MDS)

Metadata Service (MDS) Integration

MDS Integration

MDS3 Implementation

MDS Data Loading and Caching

MDS Filtering and Search

Custom Metadata Management

MDS Snapshot Update Process

MDS UI State Management

MDS Validation Errors

Frontend MDS Integration

Server Metadata Management

Storage & Data Management

Storage & Persistence

Storage Backend

Storage Backend Issues

Credential Artifacts Management

Session Metadata Store

Google Cloud Storage Integration

Data Models & Encoding

Data Schemas

Request Options Schemas

Response Objects Schemas

Data Encoding & Transformation

Data Encoding Utilities

CBOR Encoding_Decoding

API Reference

API Reference

Server Endpoints

Simple Authentication Flow Endpoints

Advanced Configuration Flow Endpoints

General Application Endpoints

Cross-Platform & HID

Cross Platform Support

HID Transport Layer

HID Base Architecture

Linux HID Implementation

macOS HID Implementation

Windows HID Implementation

BSD HID Implementations

HID Communication Failures

Operations & Troubleshooting

Deployment & Operations

Troubleshooting

Error Handling

Installation Issues

Configuration Errors

Server Errors

Authentication Flow Errors

FIDO2 Error Handling

Client Errors

WebAuthn Specific Errors

Post Quantum Cryptography Failures

Glossary & References

Glossary & References

Clone this wiki locally