Difference between key handle and credential id

Tags:

webauthn

fido

What is the difference between a key handle and a credential ID for WebAuthn?

I see mention of the two here in the spec which states that allowCredentials MAY contain a mixture of both WebAuthn credential IDs and U2F key handles but I don't fully understand the difference.

Asked by adoyon23, Oct 27 '25 15:10

1 Answer

So there is a practical short answer and a deep technical long answer.

Short answer: CredentialID in U2F is called keyHandle. So CredID == KeyHandle.

Long answer:

The CredID identifies a unique private/public keypair in the authenticator.

The question is: how do you store tens and hundreds of keypairs while having very constrained and limited secure cryptographic storage? Well, you do not. During registration, the device generates the private/public keypair using some seed. It then adds some additional information, like the RPID hash, and then wraps (encrypts) this data with the device secret, which is randomly generated on each reset.

The wrapped (encrypted) keypair is called the KeyHandle. For devices that have basically unlimited memory, like your phone, you most likely just create a randomly generated credential identifier, which is called the KeyID.

So. CredID is a standardised name for the unique credential identifier. It can be either a KeyHandle (wrapped user's private key) or a KeyID (randomly generated CredID).

Should you care about it? No. I just have nothing else to do at 4am because I have insomnia.

Answered by Ackermann Yuriy, Oct 29 '25 16:10
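The wrapped-keypair key handle the answer describes, as an added illustration that is not part of the answer or of any authenticator's real firmware: it models registration (derive a key from a seed, bundle it with the RP ID hash, wrap under the device secret) and authentication (verify the wrap, refuse a handle from another RP or another device). Assumptions: HMAC-SHA256 stands in for EC key generation and for a real cipher so it runs on the standard library only, and all secrets and seeds are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

KEY_LEN = 32    # size of the stand-in private key
NONCE_LEN = 16  # per-handle wrapping nonce
TAG_LEN = 32    # HMAC-SHA256 tag over nonce + ciphertext


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the RP ID, the same value WebAuthn puts in authenticator data."""
    return hashlib.sha256(rp_id.encode()).digest()


def _keystream(device_secret: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode: a stdlib stand-in for the device's wrapping cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(device_secret, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_key_handle(device_secret: bytes, rp_id: str, seed: bytes) -> Tuple[bytes, bytes]:
    """Registration: derive the private key from the seed, append the RP ID hash,
    encrypt-then-MAC the bundle under the device secret. Returns (handle, key);
    only the handle leaves the device, so nothing per-credential must be stored."""
    private_key = hmac.new(seed, b"keygen", hashlib.sha256).digest()
    plaintext = private_key + rp_id_hash(rp_id)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(device_secret, nonce, len(plaintext))))
    tag = hmac.new(device_secret, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag, private_key


def unwrap_key_handle(device_secret: bytes, rp_id: str, key_handle: bytes) -> Optional[bytes]:
    """Authentication: check the MAC first (a reset device has a new secret and
    cannot unwrap old handles), then reject a handle registered for another RP."""
    nonce, ciphertext, tag = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:-TAG_LEN], key_handle[-TAG_LEN:]
    expected = hmac.new(device_secret, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(device_secret, nonce, len(ciphertext))))
    private_key, embedded_rp = plaintext[:KEY_LEN], plaintext[KEY_LEN:]
    if not hmac.compare_digest(embedded_rp, rp_id_hash(rp_id)):
        return None
    return private_key
```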