Date posted: 04-Apr-2018
Category: Documents
Uploaded by: sylvain-maret
7/30/2019 Smaret Strong AuthN 22.11.12 Version 1.01
1/53
Consultants of Security Operations d.o.o. Sarajevo
Strong Authentication in Web Application
State of the Art 2012
Sylvain Maret / Digital Security Expert / OpenID Switzerland
@smaret
Version 1.01 / 22.11.2012
Who am I?
Security Expert
17 years of experience in ICT Security
Principal Consultant at MARET Consulting
Expert at Engineer School of Yverdon & Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
OWASP Member
Author of the blog: la Citadelle Electronique
http://ch.linkedin.com/in/smaret or @smaret
http://www.slideshare.net/smaret
Chosen field
AppSec & Digital Identity Security
http://www.citadelle-electronique.net/
http://twitter.com/smaret
22 per minute
Protection of digital identities: a topical issue
Strong AuthN
Definition of strong authentication
Strong Authentication on Wikipedia
http://fr.wikipedia.org/wiki/Authentification_forte
Strong Authentication
A new paradigm?
Which Strong Authentication technology?
Comparison table (residue of a slide graphic): the technologies OTP, PKI (HW) and Biometry compared on the properties strong authentication, encryption, digital signature, non-repudiation, and strong link with the user.
Strong Authentication with PKI
PKI: Digital Certificate
Software Certificate
(PKCS#12;PFX)
Hardware Token (Crypto PKI)
Strong Authentication
SSL/TLS Mutual Authentication: how does it work?
Diagram (SSL / TLS Mutual Authentication): Alice presents her certificate to the Web Server; the Web Server checks the certificate status with a Validation Authority, via a CRL or an OCSP request, and gets back Valid, Invalid or Unknown.
Strong Authentication with Biometry (Match on Card technology)
Diagram: a reader, biometry, and a smart card (a card with a chip, MOC technology) carrying a crypto processor; accessed over PC/SC and PKCS#11, holding an X509 digital certificate; used for strong authentication.
Strong Authentication With (O)ne (T)ime (P)assword
(O)ne (T)ime (P)assword
OTP Time Based
Like SecurID
OTP Event Based
OTP Challenge-Response Based
Others:
OTP via SMS
OTP via email
Biometry and OTP
Phone
Bingo Card
Etc.
OTP T-B? OTP E-B? OTP C-R-B?
Crypto - 101
Crypto-101 / Time Based OTP
i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
K = Secret Key / Seed
T = UTC Time
Diagram: K and T go through the HASH function and yield the OTP.
Crypto-101 / Event Based OTP
i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
K = Secret Key / Seed
C = Counter
Diagram: K and C go through the HASH function and yield the OTP.
Crypto-101 / OTP Challenge-Response Based
K = Secret Key / Seed
nonce (the challenge)
Diagram: K and the nonce go through the HASH function and yield the OTP.
i.e.:
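As an added example, not code from the slides, the time-based and event-based formulas above carried through in Python: RFC 4226 HOTP with its dynamic truncation, TOTP as HOTP over T = floor(time / 30), and a server-side HOTP check with a look-ahead window that only ever advances the stored counter, so a code that was already accepted cannot be replayed. The seed is the RFC 4226 test-vector secret; the window size of 10 is an assumption.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) as zero-padded decimal digits."""
    msg = struct.pack(">Q", counter)                 # C as an 8-byte big-endian integer
    mac = hmac.new(key, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA-1
    offset = mac[-1] & 0x0F                          # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: TOTP is HOTP with the counter replaced by T = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


def verify_hotp(key: bytes, submitted: str, last_counter: int, window: int = 10):
    """Server-side event-based check (the window size is an assumption, not from the slides).

    Tries only the counters after the last accepted one and returns the counter the
    server must persist, or None. Never looking backwards is what makes a code single-use."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(key, c), submitted):  # constant-time comparison
            return c
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890")
    seed = b"12345678901234567890"
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(seed, c)}")          # 755224, 287082, 359152
    print("TOTP at t=59, 8 digits:", totp(seed, 59, digits=8))  # 94287082
    print("TOTP now:", totp(seed, int(time.time())))
    # Token two presses ahead of the server: accepted, server stores counter 2.
    print("verify 359152 after counter 0 ->", verify_hotp(seed, "359152", 0))
    # Replaying the code already used for counter 0 is refused.
    print("replay 755224 after counter 0 ->", verify_hotp(seed, "755224", 0, window=9))
```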
Other OTP technologies
OTP via SMS
Flicker code generator: software that converts already encrypted data into an optical screen animation
How to Store and Generate my Secret Key? A Token!
OTP Token: Software vs Hardware ?
Software OTP for Smartphone
http://itunes.apple.com/us/app/iotp/id328973960
Where is the seed?
Seed generation & distribution?
Still a good model?
Diagram: the Editor / Vendor generates the secret key K1 on its premises; copies of K1 are shown in several places, including in the hands of a Threat Agent (APT).
TokenCode
New Standards & Open Source
Technologies accessible to everyone
Initiative for Open AuTHentication (OATH): HOTP, TOTP, OCRA, etc.
Mobile OTP (uses MD5 ...)
Initiative for Open AuTHentication (OATH)
HOTP: Event Based OTP, RFC 4226
TOTP: Time Based OTP, Draft IETF Version 8
OCRA: Challenge/Response OTP, Draft IETF Version 13
Token Identifier Specification
IETF KeyProv Working Group: PSKC - Portable Symmetric Key Container, RFC 6030; DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063
And more!
http://www.openauthentication.org/specifications
(R)isk (B)ased (A)uthentication
RBA (Risk-Based Authentication) = Behavior Model
http://code.google.com/p/google-authenticator/
Use OATH-HOTP & TOTP
Integration with web application
Web application: basic authentication model
Web application: Strong Authentication Implementation Blueprint
"Shielding" approach: perimetric authentication using Reverse Proxy / WAF
Module/Agent-based approach
API/SDK based approach
ICAM: a changing paradigm on Strong Authentication
Federation of identity approach, a change of paradigm: using an IDP for Authentication and Strong Authentication
Identity Provider
SAML, OpenID, etc.
Strong Authentication & Application Security
Threat Modeling: detecting web application threats before coding
Questions ?
Resources on Internet 1/2
http://motp.sourceforge.net/
http://www.clavid.ch/otp
http://code.google.com/p/mod-authn-otp/
http://www.multiotp.net/
http://www.openauthentication.org/
http://wiki.openid.net/
http://www.citadelle-electronique.net/
Resources on Internet 2/2
http://rcdevs.com/products/openotp/
https://github.com/adulau/paper-token
http://www.yubico.com/yubikey
http://code.google.com/p/mod-authn-otp/
http://www.nongnu.org/oath-toolkit/
http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdf