-
Notifications
You must be signed in to change notification settings - Fork 0
Core Architecture
- Introduction
- System Overview
- Core Components
- Architectural Patterns
- Data Flow Architecture
- Security Architecture
- Performance Considerations
- Extensibility Framework
- Infrastructure Requirements
- Production Deployment
- Conclusion
The Post-Quantum WebAuthn Platform is a sophisticated authentication system built on Flask that provides quantum-resistant authentication capabilities through WebAuthn standards. The platform serves as a bridge between modern web applications and authenticators that support post-quantum cryptographic algorithms, specifically ML-DSA (Module-Lattice-based Digital Signature Algorithm).
The system integrates seamlessly with existing WebAuthn infrastructure while extending it with post-quantum cryptography through liboqs (Open Quantum Safe), enabling secure authentication against potential quantum computing threats. The architecture emphasizes modularity, security, and extensibility while maintaining compatibility with standard WebAuthn protocols.
The platform consists of several interconnected layers that work together to provide comprehensive authentication services:
graph TB
subgraph "Client Layer"
Browser[Web Browser]
WebApp[Web Application]
end
subgraph "Server Layer"
Flask[Flask Application]
Routes[Route Handlers]
Config[Configuration]
end
subgraph "WebAuthn Layer"
Fido2[FIDO2 Library]
WebAuthn[WebAuthn Protocol]
COSE[COSE Keys]
end
subgraph "Transport Layer"
HID[HID Transport]
CTAP2[CTAP2 Protocol]
Authenticator[Authenticator Devices]
end
subgraph "Cryptographic Layer"
LibOQS[liboqs Library]
PQC[Post-Quantum Crypto]
Classical[Classical Crypto]
end
subgraph "Storage Layer"
Storage[Credential Storage]
Metadata[Metadata Cache]
Cloud[Cloud Storage]
end
Browser --> WebApp
WebApp --> Flask
Flask --> Routes
Routes --> Fido2
Fido2 --> WebAuthn
WebAuthn --> COSE
COSE --> HID
HID --> CTAP2
CTAP2 --> Authenticator
Authenticator --> LibOQS
LibOQS --> PQC
PQC --> Classical
Storage --> Cloud
Metadata --> Storage
Diagram sources
- server/server/app.py
- fido2/webauthn.py
- fido2/ctap2/base.py
Section sources
- server/server/app.py
- fido2/init.py
The platform is built around a Flask application that serves as the central orchestrator for all authentication operations. The application structure follows Flask's recommended patterns with modular route handlers and configuration management.
classDiagram
class FlaskApp {
+app : Flask
+config : AppConfig
+routes : RouteHandlers
+run(host, port, ssl_context)
+configure_logging()
}
class RouteHandlers {
+general_routes : GeneralRoutes
+simple_routes : SimpleRoutes
+advanced_routes : AdvancedRoutes
+register_begin()
+register_complete()
+authenticate_begin()
+authenticate_complete()
}
class Configuration {
+secret_key : bytes
+rp_entity : PublicKeyCredentialRpEntity
+fido_server : Fido2Server
+session_metadata : SessionMetadata
}
FlaskApp --> RouteHandlers
FlaskApp --> Configuration
RouteHandlers --> Configuration
Diagram sources
- server/server/app.py
- server/server/config.py
The Flask application provides several key capabilities:
- Route Management: Modular route handlers for different authentication scenarios
- Configuration Management: Centralized configuration with environment variable support
- Session Management: Secure session handling with configurable storage backends
- Logging Integration: Comprehensive logging for debugging and monitoring
Section sources
- server/server/app.py
- server/server/config.py
The WebAuthn implementation provides structured data handling through data classes that map directly to the W3C WebAuthn specification. This approach ensures type safety and clear separation of concerns.
classDiagram
class WebAuthnDataClasses {
+PublicKeyCredentialCreationOptions
+PublicKeyCredentialRequestOptions
+AuthenticatorAttestationResponse
+AuthenticatorAssertionResponse
+AttestedCredentialData
+AuthenticatorData
+AttestationObject
+CollectedClientData
}
class COSEKey {
+ALGORITHM : int
+parse(data)
+verify(message, signature)
+from_cryptography_key(key)
}
class Fido2Server {
+attest()
+assert()
+register_begin()
+register_complete()
+get_assertion()
}
WebAuthnDataClasses --> COSEKey
Fido2Server --> WebAuthnDataClasses
Fido2Server --> COSEKey
Diagram sources
- fido2/webauthn.py
- fido2/cose.py
The data class architecture provides:
- Type Safety: Strong typing for all WebAuthn data structures
- Immutability: Frozen data classes for thread-safe operations
- Serialization: Built-in JSON serialization support
- Validation: Automatic validation of WebAuthn data structures
Section sources
- fido2/webauthn.py
- fido2/cose.py
The CTAP2 (Client to Authenticator Protocol) implementation provides a clean abstraction layer over the HID transport protocol, enabling communication with authenticators that support the latest WebAuthn standards.
classDiagram
class CtapDevice {
<<abstract>>
+capabilities : int
+call(cmd, data, event, on_keepalive)
+close()
+list_devices()
}
class Ctap2 {
+CMD : CommandEnum
+send_cbor(cmd, data, event, on_keepalive)
+get_info()
+make_credential()
+get_assertion()
+client_pin()
+reset()
}
class HIDTransport {
+read_packet()
+write_packet(data)
+close()
}
class AuthenticatorDevice {
+descriptor : HidDescriptor
+channel_id : int
+capabilities : int
}
CtapDevice <|-- AuthenticatorDevice
CtapDevice --> HIDTransport
Ctap2 --> CtapDevice
Diagram sources
- fido2/ctap.py
- fido2/ctap2/base.py
- fido2/hid/base.py
Section sources
- fido2/ctap.py
- fido2/ctap2/base.py
- fido2/hid/base.py
The platform integrates post-quantum cryptography through liboqs, providing ML-DSA algorithm support alongside traditional cryptographic methods.
classDiagram
class PQCIntegration {
+PQC_ALGORITHM_ID_TO_NAME : Dict
+detect_available_pqc_algorithms()
+is_pqc_algorithm(alg_id)
+describe_algorithm(alg_id)
+log_algorithm_selection(stage, alg_id)
}
class MLDSAKeys {
+MLDSA44 : Algorithm
+MLDSA65 : Algorithm
+MLDSA87 : Algorithm
+verify(message, signature)
+from_cryptography_key(key)
}
class LibOQSInterface {
+get_enabled_sig_mechanisms()
+Signature(algorithm)
+verify(message, signature, public_key)
}
PQCIntegration --> MLDSAKeys
MLDSAKeys --> LibOQSInterface
Diagram sources
- server/server/pqc.py
- fido2/cose.py
Section sources
- server/server/pqc.py
The platform employs a comprehensive data class mapping pattern that provides type-safe, immutable data structures for all WebAuthn operations.
flowchart TD
Request[HTTP Request] --> Validation[Data Validation]
Validation --> DataClass[Data Class Creation]
DataClass --> Processing[Business Logic Processing]
Processing --> Response[Response Generation]
Response --> Serialization[JSON Serialization]
DataClass --> Immutable[Immutable Objects]
DataClass --> Typed[Type Safety]
DataClass --> Structured[Structured Data]
Diagram sources
- fido2/webauthn.py
This pattern ensures:
- Type Safety: Compile-time and runtime type checking
- Immutability: Thread-safe operations without side effects
- Clear Contracts: Well-defined interfaces between components
- Easy Testing: Predictable input/output behavior
Section sources
- fido2/webauthn.py
The CTAP2 protocol abstraction separates the application logic from the transport layer, enabling easy switching between different transport mechanisms.
sequenceDiagram
participant App as Application
participant CTAP2 as CTAP2 Layer
participant HID as HID Transport
participant Auth as Authenticator
App->>CTAP2 : make_credential()
CTAP2->>CTAP2 : encode_cbor()
CTAP2->>HID : write_packet()
HID->>Auth : USB/HID Packet
Auth-->>HID : Response Packet
HID-->>CTAP2 : read_packet()
CTAP2->>CTAP2 : decode_cbor()
CTAP2-->>App : AttestationResponse
Diagram sources
- fido2/ctap2/base.py
- fido2/hid/base.py
Section sources
- fido2/ctap2/base.py
- fido2/hid/base.py
The platform uses a feature flagging system to enable optional functionality and maintain backward compatibility.
flowchart TD
Feature[Feature Request] --> Check{Feature Enabled?}
Check --> |Yes| Execute[Execute Feature]
Check --> |No| Warn[Issue Warning]
Check --> |None| Default[Use Default Behavior]
Warn --> Log[Log Deprecation]
Default --> Log
Execute --> Complete[Complete Operation]
Log --> Complete
Diagram sources
- fido2/features.py
Section sources
- fido2/features.py
The registration process demonstrates the platform's ability to handle both classical and post-quantum cryptographic operations seamlessly.
sequenceDiagram
participant Client as Web Client
participant Server as Flask Server
participant Fido2 as FIDO2 Library
participant HID as HID Transport
participant Auth as Authenticator
Client->>Server : POST /api/register/begin
Server->>Fido2 : create_fido_server()
Fido2->>Fido2 : generate_options()
Fido2-->>Server : PublicKeyCredentialCreationOptions
Server-->>Client : Registration Options
Client->>Auth : User Interaction
Auth->>HID : CTAP2 Commands
HID->>Server : Registration Response
Server->>Fido2 : server.register_complete()
Fido2->>Fido2 : verify_attestation()
Fido2-->>Server : AttestedCredentialData
Server->>Server : store_credential()
Server-->>Client : Registration Success
Diagram sources
- server/server/routes/simple.py
- fido2/webauthn.py
Section sources
- server/server/routes/simple.py
The authentication flow showcases the platform's ability to verify signatures using appropriate cryptographic algorithms.
sequenceDiagram
participant Client as Web Client
participant Server as Flask Server
participant Fido2 as FIDO2 Library
participant Storage as Credential Storage
Client->>Server : POST /api/authenticate/begin
Server->>Storage : load_credentials()
Storage-->>Server : Stored Credentials
Server->>Fido2 : generate_assertion_options()
Fido2-->>Server : PublicKeyCredentialRequestOptions
Server-->>Client : Assertion Options
Client->>Server : POST /api/authenticate/complete
Server->>Fido2 : server.assertion_complete()
Fido2->>Fido2 : verify_signature()
Fido2-->>Server : AuthenticatorAssertionResponse
Server-->>Client : Authentication Success
Diagram sources
- server/server/routes/simple.py
- fido2/webauthn.py
Section sources
- server/server/routes/simple.py
The platform uses CBOR (Concise Binary Object Representation) for efficient serialization of WebAuthn data structures.
flowchart LR
Data[WebAuthn Data] --> Serialize[CBOR Serialize]
Serialize --> Encode[Binary Encoding]
Encode --> Transport[Transport Layer]
Transport --> Decode[Binary Decoding]
Decode --> Deserialize[CBOR Deserialize]
Deserialize --> Objects[Python Objects]
subgraph "CBOR Operations"
Serialize
Deserialize
end
subgraph "Transport Operations"
Encode
Decode
end
Diagram sources
- fido2/cbor.py
Section sources
- fido2/cbor.py
The platform implements a comprehensive security model that protects against various attack vectors while maintaining usability.
graph TB
subgraph "Transport Security"
TLS[TLS Encryption]
AntiReplay[Anti-Replay Protection]
Session[Secure Sessions]
end
subgraph "Cryptographic Security"
PQC[Post-Quantum Crypto]
Classical[Classical Crypto]
KeyGen[Secure Key Generation]
end
subgraph "Authentication Security"
Attestation[Attestation Verification]
Signature[Signature Validation]
MDS[Metadata Verification]
end
subgraph "Access Control"
RateLimit[Rate Limiting]
IPFilter[IP Filtering]
Audit[Audit Logging]
end
TLS --> PQC
AntiReplay --> Signature
Session --> Attestation
PQC --> Signature
Classical --> Signature
KeyGen --> Attestation
Attestation --> MDS
Signature --> Audit
RateLimit --> Audit
Diagram sources
- server/server/attestation.py
- server/server/storage.py
The platform implements a sophisticated attestation verification pipeline that validates both classical and post-quantum cryptographic attestations.
flowchart TD
Attestation[Attestation Object] --> Type{PQC or Classical?}
Type --> |PQC| PQCV[ML-DSA Verification]
Type --> |Classical| CV[X.509 Verification]
PQCV --> PQCSign[Verify ML-DSA Signature]
PQCSign --> PQCCert[Validate Certificate Chain]
PQCCert --> PQCMetadata[Check Metadata]
CV --> X509Sign[Verify X.509 Signature]
X509Sign --> X509Cert[Validate Certificate Chain]
X509Cert --> X509Metadata[Check Metadata]
PQCMetadata --> Combine[Combine Results]
X509Metadata --> Combine
Combine --> Trust[Trust Decision]
Diagram sources
- server/server/attestation.py
- server/server/attestation.py
Section sources
- server/server/attestation.py
The platform implements secure key handling practices to protect cryptographic material throughout the system lifecycle.
Section sources
- server/server/storage.py
Post-quantum cryptographic operations introduce computational overhead compared to classical algorithms. The platform addresses this through several optimization strategies:
- Algorithm Selection: Intelligent algorithm selection based on performance characteristics
- Caching: Metadata caching to reduce repeated expensive operations
- Parallel Processing: Concurrent processing of independent operations
- Resource Management: Efficient resource allocation and cleanup
The platform is designed to scale horizontally and vertically to accommodate growing user bases and increasing transaction volumes.
graph TB
subgraph "Load Balancing"
LB[Load Balancer]
Health[Health Checks]
Monitor[Monitoring]
end
subgraph "Application Tier"
App1[App Instance 1]
App2[App Instance 2]
App3[App Instance N]
end
subgraph "Storage Tier"
Cache[Redis Cache]
DB[(Database)]
Blob[Object Storage]
end
subgraph "Authenticator Tier"
Auth1[Authenticator 1]
Auth2[Authenticator 2]
AuthN[Authenticator N]
end
LB --> App1
LB --> App2
LB --> App3
App1 --> Cache
App2 --> Cache
App3 --> Cache
App1 --> DB
App2 --> DB
App3 --> DB
App1 --> Blob
App2 --> Blob
App3 --> Blob
Auth1 --> App1
Auth2 --> App2
AuthN --> App3
Diagram sources
- server/server/storage.py
The platform provides a flexible plugin system through the feature flagging mechanism, allowing for easy extension of functionality.
classDiagram
class FeatureSystem {
+webauthn_json_mapping : Feature
+require(state)
+warn()
+enabled : bool
}
class Feature {
+name : str
+description : str
+enabled : Optional[bool]
+require(state)
+warn()
}
class ExtensionPoint {
+load_extension()
+register_callback()
+execute_hook()
}
FeatureSystem --> Feature
Feature --> ExtensionPoint
Diagram sources
- fido2/features.py
Section sources
- fido2/features.py
The platform supports easy addition of new cryptographic algorithms through well-defined extension points.
Section sources
- fido2/cose.py
- server/server/pqc.py
The platform supports deployment across various hardware configurations:
- Minimum: 2 CPU cores, 4GB RAM, 10GB storage
- Recommended: 4 CPU cores, 8GB RAM, 50GB storage
- High Availability: 8+ CPU cores, 16GB+ RAM, SSD storage
Core dependencies include:
- Python 3.8+: Runtime environment
- Flask: Web framework
- liboqs: Post-quantum cryptography library
- cryptography: Classical cryptography operations
- fido2: WebAuthn protocol implementation
- Ports: 5000 (HTTP), 5001 (HTTPS)
- Protocols: HTTP/HTTPS, WebSocket (optional)
- Authenticators: USB HID, Bluetooth, NFC (depending on device support)
The platform supports containerized deployment through Docker with optimized configurations for production environments.
graph TB
subgraph "Development"
DevCode[Source Code]
DevDocker[Docker Dev]
DevTest[Unit Tests]
end
subgraph "CI/CD Pipeline"
Build[Build Image]
Test[Integration Tests]
Scan[Security Scan]
Deploy[Deploy]
end
subgraph "Production"
ProdLB[Load Balancer]
ProdApp[App Instances]
ProdCache[Redis Cache]
ProdDB[(Database)]
ProdStorage[Object Storage]
end
DevCode --> DevDocker
DevDocker --> Build
Build --> Test
Test --> Scan
Scan --> Deploy
Deploy --> ProdLB
ProdLB --> ProdApp
ProdApp --> ProdCache
ProdApp --> ProdDB
ProdApp --> ProdStorage
The platform includes comprehensive monitoring capabilities:
- Metrics Collection: Request latency, error rates, throughput
- Logging: Structured logging with correlation IDs
- Health Checks: Endpoint health monitoring
- Alerting: Configurable alerting for critical events
Production deployments should include:
- TLS Termination: Proper SSL/TLS configuration
- Secret Management: Secure handling of API keys and certificates
- Network Security: Firewall rules and network segmentation
- Regular Updates: Automated patch management
Section sources
- server/server/app.py
- server/server/config.py
The Post-Quantum WebAuthn Platform represents a forward-thinking approach to authentication security, combining established WebAuthn standards with cutting-edge post-quantum cryptography. The architecture demonstrates several key strengths:
- Modularity: Clean separation of concerns enables easy maintenance and extension
- Security: Multi-layered security approach protects against both classical and quantum threats
- Performance: Optimized for production deployment with scalability in mind
- Standards Compliance: Full adherence to WebAuthn specifications ensures interoperability
- Future-Proofing: Post-quantum cryptography integration prepares for future threats
The platform successfully bridges the gap between current authentication needs and future quantum-resistant requirements, providing organizations with a secure foundation for digital identity management. Its extensible architecture and comprehensive security model make it suitable for deployment across diverse environments while maintaining the flexibility needed for evolving security requirements.