microsoft / securedeviceconnectionprotocol

Secure Device Connection Protocol sample and documentation

Home Page: https://github.com/Microsoft/SecureDeviceConnectionProtocol/wiki/Secure-Device-Connection-Protocol

License: MIT License



Secure Device Connection Protocol

The Secure Device Connection Protocol (SDCP) is designed to enable secure biometrics with fingerprint sensors, providing a mechanism to ensure that:

  1. The device is trusted.
  2. The device is healthy.
  3. The input from the device is protected.

Thorough documentation can be found on the wiki.

Sample Client Implementation

This repository contains a sample client implementation of the protocol documented in the wiki, using the mbed TLS library, which must be obtained and installed prior to building the sample.

Build

To build this sample, the mbed TLS library must have already been built and installed on your system. CMake and a C compiler for your platform are required.

Linux (Tested on Windows Subsystem for Linux, using Ubuntu)

git clone https://github.com/Microsoft/SecureDeviceConnectionProtocol.git
cd SecureDeviceConnectionProtocol
mkdir build
cd build
cmake ..
make

Windows (With Visual Studio)

git clone https://github.com/Microsoft/SecureDeviceConnectionProtocol.git
cd SecureDeviceConnectionProtocol
mkdir build
cd build
cmake ..

Then open sdcp.sln with Visual Studio.

Test

This repository contains a test executable, sdcptest, that can be used to generate test vectors for your own client implementation of the protocol, and can be used as a reference for the expected calling pattern of the client functions. Example output:

Model and device keys:
----------------------

pk_m:
  04c5eb2c24de08a4dd9cfd42c5bc5610277d492111f151bf33ad71ad9525401d
  00d9320976c3c83980fab279d04d1fc9f4196da4d68a2f3b6891189af231bf50
  88
sk_m:
  5496111c965ef41c9cf91e54b38d714b4e7d7c482dcb34a3ec5e7265cf6ec800

Factory provisioning:
---------------------

pk_d:
  04840f109357fbf397e44c895cbfaff6b27527866828c94353120941b6020b1d
  be75ffd7b22b7ee2b7a57e8e89007f06eee43b7b8fceb382f8a6e78b812ed437
  f9
sk_d:
  d9aaf63632d61fa52da80260fdc0bb3ddbc33822cc2fb26fa962828b9bdb4e67
s_m:
  e9782b0e27729276810f3f1a5dfeaa5852e817e1a5cf1cadf20afbc7fc64b282
  a8371b36cb975c9b3bce16c92a40308b3651fccfb6fdca0dd3c850c22109b23f

Device bootloader:
------------------

firmware:
  6669726d77617265
h_f:
  c3bf47ea1f4a4a605470313cacb3a44f4a461f68c6faeab07e737610cb5ac835
pk_f:
  04083cb5e7ece3a8ffa2b6d2d52e2c1721f7d8de6eaaca7fad08267e289e97ec
  a18f3bf8afe57e528b6ad07023df442621c4ad8294816d12852339848eb1196d
  16
sk_f:
  1bdd42b6567101a59ef03e342138f506c83f27ecf21418cd9eaee223af7f3193
s_d:
  fd914d22d2fcb199a4d988d091d3ab9b1d50863dd4f118218045ccd3fa6609fa
  f11c6d0290ade334d0f5c954241828bc3723c015a4f4adcb2aede261f347fbfa

Connect:
--------

h_r:
  4916be80a96b552fe4d10793e8cebcc8cb883216ecf051f2b230b16c1a475329
pk_h:
  0462bbb45097fe85ae781de1e1f2b580b49f63fc6a00f7c2d85d909c52369a56
  e4bcee09dc05bf3500a7974d95f92b7a920dcab8fb31507867f453d887d336a3
  06
r_d:
  353eb43ffb422fc96c857140d5c399d588feef46f62bd363b97c823975bb27e7
ms:
  dfffeed23e848c194ae46dda671d0d86a7eea1eac904e7ed3f8c4d7c67a23c42
s:
  073d33268aa9551954a06564784dd7e4f8d6cc29d9fa350c4e2266204ec4e15d
k:
  dec9bb8e35338fb353a597f6243bcc006cb9a72fbd87b8d38a42f5827d48fabc
H(c):
  e3f50f7e6fe4a13eb9d6f631e7e1fbd1ee01aacfc27a23f5130af6a0dc310a6c
m:
  25e4744839cd2fe1e8e136e5175c69ddc016cfddc989c5e285be1aec12d7fe85

Reconnect:
----------

r:
  a65b26a3b441ae724a4730e62672e222a32b4a7edb90aa8389ab282668c16b76
m:
  5f253842eaaa026e8ccc82f1dbc6a5ea885c3abc08b2b1e7f32e9a8b08e1e364
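A parser for this output format, added here as an example and not part of the repository: it handles the dash-underlined section headers, the "label:" lines and the wrapped hex continuation lines, and checks each decoded value against the sizes a client using SHA-256 and P-256 would expect (that pairing is an assumption; the README does not name the primitives). The embedded input is a constructed excerpt in the README's layout.

```python
# Parser for the sdcptest hex dump shown above (added example, not repository code).

# Constructed excerpt in the layout of the README's "Device bootloader" section.
SAMPLE_OUTPUT = """\
Device bootloader:
------------------

firmware:
  6669726d77617265
h_f:
  c3bf47ea1f4a4a605470313cacb3a44f4a461f68c6faeab07e737610cb5ac835
pk_f:
  04083cb5e7ece3a8ffa2b6d2d52e2c1721f7d8de6eaaca7fad08267e289e97ec
  a18f3bf8afe57e528b6ad07023df442621c4ad8294816d12852339848eb1196d
  16
sk_f:
  1bdd42b6567101a59ef03e342138f506c83f27ecf21418cd9eaee223af7f3193
"""

# Expected sizes, assuming SHA-256 digests/MACs and P-256 keys (uncompressed
# points, raw r||s signatures); an assumption, the README names no primitives.
EXPECTED_LEN = {"pk_m": 65, "sk_m": 32, "pk_d": 65, "sk_d": 32, "s_m": 64,
                "h_f": 32, "pk_f": 65, "sk_f": 32, "s_d": 64, "h_r": 32,
                "pk_h": 65, "r_d": 32, "ms": 32, "s": 32, "k": 32,
                "H(c)": 32, "m": 32, "r": 32}

def parse_vectors(text):
    """Return {section: {label: bytes}} for an sdcptest dump."""
    lines = text.splitlines()
    vectors, section, label = {}, None, None
    for i, line in enumerate(lines):
        body = line.strip()
        if not body or set(body) == {"-"}:
            continue  # blank line or a section underline
        if line[0] in " \t":  # indented: hex data belonging to `label`
            if label is None:
                raise ValueError("hex data before any label: %r" % line)
            vectors[section][label] += bytes.fromhex(body)
        elif body.endswith(":"):
            name = body[:-1]
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            if nxt and set(nxt) == {"-"}:  # underlined: a section header
                section, label = name, None
                vectors[section] = {}
            else:  # plain "label:" introduces a value in the current section
                if section is None:
                    raise ValueError("label %r outside any section" % name)
                label = name
                vectors[section][label] = b""
        else:
            raise ValueError("unexpected line: %r" % line)
    return vectors

def check_vectors(vectors):
    """List (section, label, problem) tuples; empty means every check passed."""
    problems = []
    for section, items in vectors.items():
        for label, value in items.items():
            want = EXPECTED_LEN.get(label)
            if want is not None and len(value) != want:
                problems.append((section, label,
                                 "%d bytes, expected %d" % (len(value), want)))
            if label.startswith("pk") and value[:1] != b"\x04":
                problems.append((section, label, "not an uncompressed EC point"))
    return problems
```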

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.


Issues

[Question] Host validates the certificate

The wiki mentions:

Verifies the claim:

  • pk_m <- Validate(cert_m)
  • Verify(pk_m, H(pk_d), s_m)
  • Verify(pk_d, H(C001||h_f||pk_f), s_d)
  • Validate(h_f)

I don't understand how cert_m could become the public key of the model (pk_m).

I saw that the source code mentions:

   // There is no support for real certificate validation yet.
   // For now, just pass in the model public key in place of the
   // ASN.1 DER encoded X509 cert.
   uint8_t claim_hash[SDCP_DIGEST_SIZE_V1] = { 0 };
   ASSERT_EQUAL(0, sdcpcli_hash_claim(
       g_model_pub_key, sizeof(g_model_pub_key), // Pub key in place of cert for now.
       device_key.pk, sizeof(device_key.pk),
       firmware_key.pk, sizeof(firmware_key.pk),
       &firmware_signature,
       &model_signature,
       claim_hash, sizeof(claim_hash)));
   print_bytes("H(c)", claim_hash, sizeof(claim_hash));

It is hard to understand whether the real product should respond with both pk_m and cert_m, or just respond with cert_m, from the device to the host.

Could anyone explain that?

[Question] EngineAdapterIdentifyFeatureSetAuthenticated during start of enrollment

Hi,

Starting the Windows Hello enrollment for the first time after secure connect, EngineAdapterIdentifyFeatureSetAuthenticated is called. As there is no template enrolled, I return WINBIO_E_UNKNOWN_ID, which results in the event "Windows Biometric service could not complete an identification process" with no error, and Windows Hello shows "some error occurred". How do I make this function pass? I tried returning S_OK, WINBIO_E_NO_MATCH and WINBIO_E_ENROLLMENT_IN_PROGRESS; all of them produce some error event in Event Viewer.

Thanks

secure connect failure

Can you let us know the possible error values and reasons for a secure connect response failure?
We are seeing the 0x80070057 (invalid argument) error in the Event Viewer biometric log with EventId 1609.
We have used mbedtls plus the GitHub (SecureDeviceConnectionProtocol) sources to generate the secure connect response in the sensor adapter library.
We are using a test-signing machine with the biometric service enabled, and observed that Windows Event Viewer detected the secure connect response and returned the above error.

sdcp.sln

Hi,

It is mentioned to use sdcp.sln to build the test executable for the Windows environment, but I couldn't locate the sdcp.sln file. Can this environment still run on Windows?
"And then open sdcp.sln with Visual Studio"

Thanks,
Prafulla Kota

Questions about SDCP

Hello,
After reading the SDCP wiki documentation, I have some questions about SDCP.

  1. Match on host is not supported for SDCP?
  2. How can I generate vsmEngineAdapterBinary, vsmSensorAdapterBinary and vsmStorageAdapterBinary? Is there any document guiding us on programming in the trusted execution environment?
  3. Any requirements for the platform to do an SDCP demo? Because I programmed a version 6 SensorAdapter Interface demo which implements nothing in the new API, for example:

//
// Additional methods available in V6.0 and later
//
static HRESULT
WINAPI
SensorAdapterConnectSecure(
    _Inout_ PWINBIO_PIPELINE Pipeline,
    _In_ const WINBIO_SECURE_CONNECTION_PARAMS* ConnectionParams,
    _Outptr_ WINBIO_SECURE_CONNECTION_DATA** ConnectionData
)
{
    TRACE(_T("SensorAdapter-> SensorAdapterConnectSecure\n"));
    return S_OK;
}

Depending on the log information, it seems that WBS does not call the new API SensorAdapterConnectSecure.
Event Viewer reports the information as the following; I suspect this may impact SDCP and some requirements for SDCP are not met.
[screenshot: secure component fail]

Could anyone explain those? Thank you.

Inquiring about SecureBIO's Test Vector Certificate

While developing the SecureBIO driver by referring to SecureDeviceConnectionProtocol on GitHub,
I'm sending you an email with some questions about the test vectors you have posted on GitHub.

Here is our status of developing Fingerprint Driver with SecureBiometrics.

  1. Using a Lenovo T14s (Intel) notebook PC with Enhanced sign-in security enabled (set SecureBiometrics in the Registry and enabled SecureBIO SDEV)
    (I checked the operation of the Synaptics UWP WBDI on the Lenovo T14s notebook with SecureBiometrics - a Secured-Core ready PC)

  2. Windows 10 Build 20190.1000 (Preview Build), also checked it in 20161, 20170, 20180, 20185 Builds

  3. Enable Test Signing Mode (TestSigning On / NoIntegrityChecks On / Debug On)

  4. Using TestVector (Model Certificate / Model Private Key) on our fingerprint sensor

  5. Implement all necessary SDCP functions on our device

  • Set SecureBIO attributes on INF file
  • SensorAdapter

    SensorAdapterConnectSecure

  • EngineAdapter

    EngineAdapterCreateKeyAuthenticated
    EngineAdapterCommitEnrollment
    EngineAdapterIdentifyFeatureSetAuthenticated
    and necessary functions (CheckForDuplicate)

When our sensor and driver are connected to the T14s, the creation of the Biometric Unit is normal, but the following error is displayed in the Event Viewer at the actual ConnectSecure stage and it does not work.

"The Windows Biometric Service secure component failed to establish a secure connection with sensor. Error Code : 0xc0000428"

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
0xc0000428 STATUS_INVALID_IMAGE_HASH : The hash for image %hs cannot be found in the system catalogs. The image is likely corrupt or the victim of tampering.

Q1. Can I use the test vectors (Certificate / Secret Key) on GitHub for development?
When checked in Event Viewer, the certificate is displayed as invalid.
Also, if the test vector has expired, I would like to get a new test vector certificate and private key.

Q2. Is there a way to check the Event Log related to BioISO (Bio Trustlet)?

Q3. If possible, I would like to know the contact point for SDCP development.

[Question] Reconnect processing at sample code

In the sample code, reconnect just generates the host random for the device to generate a MAC,

    // Now simulate a reconnect. The host will send new random bytes for
    // the client to MAC.
    puts("\nReconnect:\n----------\n");
    ASSERT_EQUAL(0, sdcpcli_gen_rand(host_random, sizeof(host_random)));
    print_bytes("r", host_random, sizeof(host_random));

    ASSERT_EQUAL(0, sdcpcli_mac_reconnect(
        &app_keys,
        host_random, sizeof(host_random),
        mac, sizeof(mac)));
    print_bytes("m", mac, sizeof(mac));

But it should derive the application keys before generating a MAC, as the wiki describes, right?

  1. Device:
    i. Derives application keys:
    - (s, k) <- KDF(ms, "application keys")
    ii. Generates a MAC over the r_h:
    - m <- MAC(s, "reconnect"||r_h)
    iii. Sends the ReconnectResponse message, containing m.
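The device and host sides of the reconnect exchange quoted above, written out as an added example (not the repository's sdcpcli code): the device derives (s, k) from the master secret before computing m, and the host recomputes the MAC from its own copy of ms and compares it in constant time, so a response made without the current application keys, or for a different host random, is rejected. The KDF (HKDF-SHA256 with the label as the info string and no salt) and the MAC (HMAC-SHA256) are assumptions, since this page does not specify them.

```python
"""Reconnect flow from the quoted wiki steps (added example, not repository code).
Assumed primitives: KDF = HKDF-SHA256 (RFC 5869, no salt, label as info),
MAC = HMAC-SHA256. Neither is stated on this page."""
import hashlib
import hmac
import os

DIGEST = hashlib.sha256
DIGEST_SIZE = 32

def hkdf_extract(salt, ikm):
    # RFC 5869: an empty salt is replaced by HashLen zero bytes.
    return hmac.new(salt if salt else b"\x00" * DIGEST_SIZE, ikm, DIGEST).digest()

def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), DIGEST).digest()
        out += block
        counter += 1
    return out[:length]

def kdf(secret, label):
    """KDF(secret, label): 64 bytes of output for the caller to split into (s, k)."""
    return hkdf_expand(hkdf_extract(b"", secret), label, 2 * DIGEST_SIZE)

def derive_application_keys(ms):
    """Step i: (s, k) <- KDF(ms, "application keys")."""
    okm = kdf(ms, b"application keys")
    return okm[:DIGEST_SIZE], okm[DIGEST_SIZE:]

def mac(key, msg):
    return hmac.new(key, msg, DIGEST).digest()

def device_reconnect_response(ms, r_h):
    """Device side, steps i and ii: derive keys, then m <- MAC(s, "reconnect"||r_h)."""
    s, _k = derive_application_keys(ms)
    return mac(s, b"reconnect" + r_h)

def host_verify_reconnect(ms, r_h, m):
    """Host side: recompute m from the host's own ms and compare in constant time."""
    s, _k = derive_application_keys(ms)
    return hmac.compare_digest(mac(s, b"reconnect" + r_h), m)

if __name__ == "__main__":
    ms = bytes(range(32))   # constructed master secret from an earlier connect
    r_h = os.urandom(32)    # host's fresh reconnect random
    m = device_reconnect_response(ms, r_h)
    print("m =", m.hex(), "verified:", host_verify_reconnect(ms, r_h, m))
```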

I wonder, does one secure connect have a timeliness?

I am testing secure connect on system (20H2, 20128/20140) with fingerprint device. I found one confusing case.

One complete fingerprint enrollment needs the user to touch 12 times. During enrollment, I leave for other work for about 5 min (maybe I just touched 5 times, for example). When I came back to continue and finish the remaining 7 times, the Windows Hello unit showed: something went wrong.

I was confused and then tested more. I ensured that the fingerprint device remained in its working state. I found that if the time I left was limited to within about 4 mins, I could finish enrollment successfully. Leaving for more than 5 mins would lead to an unsuccessful enrollment (it always shows "something went wrong").

I doubt whether the secure connection has a timeliness. Is there a document explaining this case?

Creating Secure Bio Certificates from Test Vectors

Hi,

I am using the "Appendix A" Model Certificate (846 bytes) / IntermediateCA1 (1025 bytes) / IntermediateCA2 (1114 bytes) in our fingerprint device and writing them to the SecureConnect response in the sensor adapter driver, but the event log reports 0x80070057. Do I need to convert these 3 test vectors to CA certificates and install them on Windows 10? I don't see any "Secure Bio Sensor" certificate in "Trusted Root Certification Authorities" or "Intermediate Certification Authorities" on my Windows 10 machine.

  1. Do I need to create 3 certificates, one each from the Model/CA1/CA2 test vectors?
  2. Are these prebuilt, or is there a location to download them?
  3. Or what is the process/tool to create certificates from the test vectors?
  4. How is "Microsoft ECC Root Certificate Authority 2017" different from "Microsoft ECC Device Root Certificate Authority 2017"?

Thanks

Missing sdcp.sln file when finish all the compile steps on Windows

When I finished all the compile steps following the instructions in the README.md, and all the steps turned out successful, I couldn't find the sdcp.sln file in the "SecureDeviceConnectionProtocol" folder or any of its subfolders.
Please check my compile steps shown in the attached picture.

Is that right?

[Question] Default sensor/storage adapters for secure device

Hello,

The INF Changes section indicates that vendor sensor and sensor adapters must be provided when enabling SDCP.

Can we expect inbox adapters supporting SDCP? If not, is there some code (or library) available to limit errors/bugs (and spare me some time) in re-coding those adapters with their default behavior (or an updated version)?

Assuming the answer is no, can you confirm it would be OK to remove the WBDI driver and do all the sensor control logic from the sensor adapter?

Thank you!

Regards,
Paul

[question] Securing templates and Enroll()/Identify() implementation with match-on-host sensor

Hello,

I have some questions regarding Secure Biometric with basic/advanced sensor. I hope it is an acceptable place to ask them. I apologize if not.

Looking at https://github.com/Microsoft/SecureDeviceConnectionProtocol/wiki/Secure-Device-Connection-Protocol#sample-collection-and-template-storage-layer-one it is said:

For basic, match-on-host sensor in VSM, the biometric trustlet secures the templates, which are encrypted to VSM at rest. The remaining gap at this layer is raw biometric samples, which must pass through the untrusted OS on their way to the matcher.

In this scenario, the EngineAdapter will get the encrypted sample. It can decrypt it with WbioFrameworkVsmDecryptSample(), extract features and generate or load template using the default WinBio storage adapter.

  • Can I consider the EngineAdapter to be secured since the DLL is signed (even if the OS is compromised), or should I rely on a TEE (Intel SGX) for processing the sample data?

In the case of advanced, match-off-host sensors, templates should be stored on the device.

  • Is there a requirement on the number of templates the device should be able to store?
  • If the device doesn't have sufficient memory, could we consider doing the matching on the device while retrieving templates stored on the host? The documentation does not suggest this scenario, but maybe it could somehow be achievable...

Thanks to anyone who can provide some input!

Regards,
Paul

[Question] HLK and device certification process for SecureBio

Hello,

Can you confirm whether HLK for Windows 17763.rs5_release, and more specifically the FingerprintReaderTest, properly supports advanced devices with SecureBio?

Also, is the statement in the wiki (https://github.com/Microsoft/SecureDeviceConnectionProtocol/wiki/Secure-Device-Connection-Protocol#footnotes) saying the certification process for the device bootloader/firmware is not yet defined still true at this date? If not, any input on how to get this kind of information?

Thanks a lot.

[question] Clarification about `EngineAdapterIdentifyFeatureSetAuthenticated()` return values

Hello,

When doing an enrollment from Windows Hello, it starts by doing an identify by calling EngineAdapterIdentifyFeatureSetAuthenticated(), even when no fingers are yet enrolled on the device and the system.

In this case, and according to my understanding of the documentation of EngineAdapterIdentifyFeatureSetAuthenticated(), I return:

  • Identity data set to zero
  • SubFactor set to WINBIO_SUBTYPE_NO_INFORMATION
  • AuthenticationSize set to zero.
  • Return S_OK as HRESULT

This will cause Windows Hello to fail with “Something went wrong” message. The system event viewer indicates identification has failed with error E_INVALIDARG.

If I return WINBIO_E_NO_MATCH, the system event viewer indicates identification has failed with error WINBIO_E_NO_MATCH.

What should I return in case of failed authentication (because of no template on the device or wrong finger detected) ?

This blocks enrollment in Windows Hello but I would think it is expected to have a failed authentication in this case...

When doing enrollment from a test application using WBF Client Application APIs (skipping identification before starting enrollment), I can successfully complete an enrollment according to event viewer messages.

However, when attempting an identification, I get the error WINBIO_E_DATABASE_NO_RESULTS even if the finger is properly matched and the secure id reported to the host. All HMAC checks are good on the FW side.

The error is reported by the service after EngineAdapterIdentifyFeatureSetAuthenticated() has returned with all outputs set as follows:

  • Identity->Value.SecureId set to the value given by EngineAdapterCommitEnrollment()
  • SubFactor set to the value given in EngineAdapterCommitEnrollment()
  • AuthenticationSize set to WINBIO_SCP_DIGEST_SIZE_V1
  • Authentication set to pointer to internal engine adapter buffer containing the HMAC from the device
  • Return S_OK as HRESULT

I have also checked that the FW hash and device public key were consistent between secure connections.

Am I missing something?

I am testing using build 17754.

Thanks for any input!

Regards,
Paul

[Question] Expected output for IOCTL_BIOMETRIC_CONNECT_SECURE

Hello,

The SDCP wiki documentation indicates IOCTL_BIOMETRIC_CONNECT_SECURE will be added to WBF and the expected output is WINBIO_SECURE_CONNECTION_RESPONSE which nests WINBIO_SECURE_CONNECTION_DATA.

However, after updating WDK and looking at the updated winbio headers for RS4, there is no structure WINBIO_SECURE_CONNECTION_RESPONSE defined.

So, what does the framework really expect? WINBIO_SECURE_CONNECTION_RESPONSE or WINBIO_SECURE_CONNECTION_DATA?

If the latter, as there is no WinBioHresult field, how do I report a failure in case the request to the device was unsuccessful?

Thank you!

Regards,
Paul
