Date post: 21-Jan-2018 | Category: Technology | Upload: soluto
Authentication Without Authentication
AppSec Israel, @omerlh
Source: Nissan
Troy Hunt - Hack Yourself First
- Helping people get the most out of their technology
“...a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today...”
Source: Optimizely
[Chart: Authenticated Requests Per Second]
Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/
Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html
[Diagram: User Id -> Application Server; Device Id -> Application Server]
Agenda
● OpenID
● Digital Signature
● One Time Password
● Demo
● Edge Cases
OpenId --- Digital Signature --- One Time Password --- Demo --- Edge Cases
● “Simple Identity Layer”
● Token-based authentication
● Widely supported
● Modularity - many authentication flows
[Diagram: Device, Authorization Server, Application Server]
Supported Authentication Methods
Authorization code / Implicit / Hybrid
Client credentials
Resource owner password credentials
JWT client assertion
We need a new authentication flow
[Diagram: Device <-> Authorization Server]
[Diagram: Device, Authorization Server, Application Server]
Requirements
❏ Strong authentication solution
❏ Unique device identification
❏ Simple
❏ Unique per request (no replay attacks)
❏ Fault tolerant
Questions?
Let’s use Digital Signature
[Diagram: the sender signs the message "Dear Bob" with their private key; Bob verifies the signature with the matching public key]
[Image: Leo, Bob the Builder™]
Source: Bob the Builder™ Official Site
This sounds familiar...
How can we use it?
Registration: the device (Id: 5467) sends its Public Key and Id to the Authorization Server, which stores the pair.
Authentication: the device (Id: 5467) sends a Digital Signature and its Id; the Authorization Server looks up the Public Key by Id and verifies the signature.
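The registration and authentication steps above, worked through as an added example in Go; this is not the talk's demo code (which is on GitHub) and not Soluto's. The slides do not name a signature algorithm, so Ed25519 is assumed; the second device id 5468, the request bodies and the error name are made up for the example. The authorization server stores nothing but id and public key, and the last request in Scenario is a byte-for-byte replay of a genuine one: the signature check alone accepts it, which is the "Unique per request" gap the checklist records.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuthServer keeps only the registration record from the slides: id -> public key.
// No password, no shared secret, nothing to leak in a breach except public keys.
type AuthServer struct{ keys map[string]ed25519.PublicKey }

func (s *AuthServer) Register(id string, pub ed25519.PublicKey) { s.keys[id] = pub }

// SignedRequest is what the device sends: its id, the request body, and a
// signature over the body made with the device's private key.
type SignedRequest struct {
	ID   string
	Body []byte
	Sig  []byte
}

var ErrUnauthorized = errors.New("401 unauthorized")

func Sign(id string, priv ed25519.PrivateKey, body []byte) SignedRequest {
	return SignedRequest{ID: id, Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify looks the key up by id and checks the signature. That is the whole
// check, which is both the appeal of this step and its weakness.
func (s *AuthServer) Verify(r SignedRequest) error {
	pub, ok := s.keys[r.ID]
	if !ok || !ed25519.Verify(pub, r.Body, r.Sig) {
		return ErrUnauthorized
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario runs four requests against a server with two registered devices
// and returns each outcome: a genuine request, a tampered body, the same
// sign

(Continued in the next part)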
So far we have:
✓ Strong authentication solution
✓ Unique device identification
✓ Simple
❏ Unique per request
❏ Fault tolerant
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Questions?
One Time Password
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Authorization ServerDevice
Digital Signature, Id
Public Key, Id
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Id: 5467
Time Based
● Use current timestamp
● Allowed time range (e.g. +- 1
min)
● 2FA Solution
● Start with a random seed
● Increase by one after each
request
● Allowed value range (e.g. +- 5)
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Counter Based
Synchronization Issues
Let’s build our own OTP
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Client State Server State
Old 5
New 2
Old 5
New 2
Old 2
New 42Old 5
New 2
Old 2
New 42
Token
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
So far we have…
✓ Strong authentication solution
✓ Unique device identification
✓ Simple
✓ Unique per request
✓ Fault tolerant
Questions?
Demo Time
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Client
Authorization
Server
Application Server
(Sensitive API)
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Let’s see it in action...All the code is available on GitHub
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Network request can fail
● Reasons:
○ Timeout
○ Network failure
○ Temporary server errors
● Unknown server state
○ State did not changed
○ State changed
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Client State Server State
Old 2
New 42
Old 1
New 2
Old 2
New 42
Old 2
New 42
Old 1
New 2
Token
Error
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Client State Server State
Old 2
New 42
Old 2
New 42
Old 1
New 2
Old 2
New 42Old 2
New 42Old 2
New 42
Error
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Client State Server State
Old 2
New 42
Old 2
New 42Old 42
New 86
Old 42
New 86
Old 2
New 42
Bad Request (400)
Token
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Questions?
What is the weakest link in the chain?
Detecting Compromised Devices
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Client State Server State
Old 2
New 42
Old 1
New 2
Eve
Old 2
New 42
Old 1
New 2Old 2
New 42
Old 2
New 42 Token
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Client State Server State
Old 2
New 42
Old 2
New 42
Eve
Old 42
New 56
Old 2
New 42Old 2
New 42
Bad
Request
(400)
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Client State Server State
Old 42
New 78
Old 2
New 42
Eve
Old 42
New 56
Old 2
New 42Old 42
New 78
Old 42
New 78Token
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Client State Server State
Old 78
New 4
Old 7
New 78
Eve
Old 7
New 56
Old 7
New 78Old 7
New 93
400 Bad
Request
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Questions?
Conclusion
Responsible Disclosure
Requirements
✓ Strong authentication solution
✓ Unique device identification
✓ Simple
✓ Unique per request
✓ Fault tolerant
Authorization ServerDevice
Authorization Server
Application ServerDevice
How can you use it?
@omerlh