Date post: 28-Jan-2015
Category: Technology
Upload: nuno-loureiro
Codebits 2011
The End Of Passwords...
11/11/11
SAPO Websecurity Team
Summary
• Motivation
• Today's scenario
• Two-Factor Authentication
 - Biometrics
 - Software Tokens
 - Hardware Tokens
• Trends
Motivation > Lots of accounts compromised
Motivation > People Reuse Passwords
• Password Sharing: 73% of users share passwords that are used for online banking with at least one non-financial website.
• Username / Password Sharing: 42% of users share both their username and password with at least one non-financial website.
in: Reusing Login Credentials, Security Advisor, February 2010, Trusteer Inc. Study on 4M PCs.
Today
Typical choice of passwords on the Web:
• Weak password and reused in different sites
• Strong password but reused in different sites
• Weak password but different from other sites
• Strong password for critical sites, weak password for other sites
• Strong or weak password and basic derivations on other sites
Can we memorize hundreds of strong passwords?
No way!
So what can we do?
Alternatives > Password Managers
Password Managers
Use a password manager to manage all your passwords instead of trying to memorize them all.
Pros:
• Easy to use
• Practical
• Enable you to use strong and different passwords across sites
Cons:
• If a hacker breaks your password manager, ALL your passwords are compromised!
Types:
• Local
• Stateless
• Remote
Passwords
But passwords per se are not a secure authentication mechanism.
A password is a piece of information that can be shared, leaked or stolen.
Someone with your password = you
Alternatives
What is the alternative?
Multi-Factor Authentication: any combination of these:
• Something you know
• Something you have
• Something you are
Two-Factor Auth
The most popular combination is 2-factor authentication: "something you know" and "something you have".
... but the second (physical) factor cannot be stolen?
...sure, but it is about scale.
Two-Factor Authentication
Two-Factor Auth > Examples
Some Examples
• Biometrics
• Smart cards
• SMS
• Software OTP Tokens:
 - Google Authenticator
 - Verisign VIP
• Hardware OTP Tokens:
 - Yubikey
 - CryptoCard
 - RSA SecurID
Pros:
• More secure than single-factor :)
Cons:
• Not very convenient
• May provide a false sense of security
• Typically a closed market (most vendors rip you off!)
Two-Factor Auth > Biometrics
Biometrics
Verifies a unique personal attribute or behavior. Divided into two categories: physiological (iris, retina, fingerprint) or behavioral (signature, keystroke, voice dynamics).
Pros:
• Effective and accurate method of identification
Cons:
• Cannot be re-issued!
• Expensive ($$$$$)
• Privacy concerns
• Physical and behavioral attributes can change
• Not suitable for all scenarios
• Can be dangerous! (If a thief cuts your finger off)
Usage:
• Could be used for Internet banking, to confirm the authenticity of a high-value transaction
• Can be used for authentication in computers, other systems or applications
Two-Factor Auth > Smart Cards
Smart Cards
A smart card has the capability of processing information because it has a microprocessor and integrated circuits incorporated into the card itself.
Two-factor = PIN + Smart Card
Types = contact and contactless
Pros:
• Good security offered: the secret never leaves the smart card
Cons:
• Not very convenient
• You may need to install drivers before using
• May provide a false sense of security
Usage:
• Some sites allow you to use SSL client certificates as a means of authentication. Certificates can be stored in a smart card.
• Some sites allow you to authenticate through the smart card (some government sites using the citizen card)
• You can use a smart card to sign email, documents, authenticate to WiFi networks and SSH, use them with PAM, and more...
Two-Factor Auth > SMS
SMS
Some sites can send a text message as a 2nd factor of authentication.
Pros:
• Easy to implement
• No need to carry[/buy] extra devices (your mobile phone is always with you)
Cons:
• It's probably the weakest 2nd factor (easy to fake and intercept)
Two-Factor Auth > Google Authenticator
One Time Passwords (OATH)
It can be HOTP (event-based) or TOTP (time-based).
Pros:
• It's an open standard
• You can use it in your own systems (using a PAM module or integrating it with RADIUS)
• You have multiple implementations that work on a panoply of devices (e.g. smartphone, Yubikey, hardware tokens)
Cons:
• Concerns related to security of the device (in software implementations)
• Your battery may die when you most need an OTP (in the case of a smartphone)
• You lose some time to generate/enter an OTP
Two-Factor Auth > Yubikey > What is it?
• The Yubikey is a small USB token which acts as a regular keyboard. It can generate static passwords and one-time passwords.
Two-Factor Auth > Yubikey > How does it work?
Static Passwords
• The Yubikey can be provisioned with a static password with up to 64 chars. This password can be used with applications/services that do not support OTPs. You should use an additional password!
One Time Passwords
• Two different one-time password standards are supported: event-based HOTP and Yubikey-style OTPs.
• HOTP is a better known standard, but it is more limited due to usability concerns (smaller OTP, sync issues, etc.).
• The Yubikey OTP standard leverages the fact that the Yubikey inputs the OTPs for you.
Two slots
• Short press for slot 1; long press for slot 2 (3 secs).
Drivers
• Any OS with USB keyboard support. It even works during boot (useful for, e.g., whole-disk encryption solutions such as PGP WDE and TrueCrypt).
Two-Factor Auth > Yubikey > Where does it work?
• LastPass (http://www.lastpass.com)
• Yubico OpenID (http://openid.yubico.com)
• FastMail (http://www.fastmail.fm)
• Laptop (http://127.0.0.1): One Time Password / Static Password
Yubikey > Where could it work?
Two-Factor Auth > Yubikey > Details
Architecture
Inner workings (protocol spec is open)
Two-Factor Auth > Yubikey > Security Threats
Protocol attacks
• Generated OTPs consist of unique 128-bit blocks encrypted with an AES key shared between token and server. Protocol security depends on the security strength of the AES algorithm.
Server attacks
• Central authentication servers store symmetric keys for all tokens. If successfully attacked, this can be catastrophic. Yubico mitigates this with tamper-proof HSMs.
• A DoS attack on the server will result in users not being able to log in.
User attacks
• Social engineering;
• Phishing;
• "Borrowing" the token.
Host attacks
• Software key extraction (very hard to exploit);
• Man-in-the-browser.
Hardware attacks
• Hardware key extraction and token duplication.
Two-Factor Auth > Yubikey > Advantages
Convenient
• No drivers necessary
• Types the key for you
Open
• Open standard and infrastructure
• Software released under permissive license
• Extensible (PIN option)
• No license required per token
Secure
• Provides an additional authentication factor
• OTP generation requires manual intervention
Affordable
• Around 10€ if purchased in larger quantities
Two-Factor Auth > NFC/RFID
NFC/RFID
We can use the technology for many purposes, including authentication.
Pros:
• Could be very convenient
• No need to carry[/buy] extra devices (your mobile phone is always with you)
Cons:
• The security aspects are still being discussed. (Mifare 1K and DESFire tags can be cloned)
• In reality, there are no standard mechanisms on devices to use NFC authentication.
Trends > PoC
Trends
Future
Two-factor authentication is getting popular:
Future
QR Codes
Some interesting ideas are brewing...
Trends > BMW's NFC PoC
Links
Smart Cards
• OpenSC Project - http://www.opensc-project.org
Yubikeys
• Yubico - http://www.yubico.com
NFC
• libnfc - http://www.libnfc.org/documentation/introduction
Time-based and event-based OTPs
• Google Authenticator - http://code.google.com/p/google-authenticator/
Biometrics
• BioAPI Consortium - http://www.bioapi.org/
QR Codes
• tiqr - https://tiqr.org/
The End
Questions?
Nuno Loureiro <[email protected]> João Poupino <[email protected]>