Smaret Strong AuthN 22.11.12 Version 1.01

7/30/2019 Smaret Strong AuthN 22.11.12 Version 1.01

1/53

Consultants of Security Operations d.o.o. SarajevoConsultants of Security Operations d.o.o. Sarajevo


2/53

Strong Authentication in Web Application

State of the Art 2012

Sylvain Maret / Digital Security Expert / OpenID Switzerland

@smaret

Version 1.01 / 22.11.2012


3/53

Who am I?

Security Expert

17 years of experience in ICT Security

Principal Consultant at MARET Consulting

Expert at Engineer School of Yverdon & Geneva University Swiss French Area delegate at OpenID Switzerland

Co-founder Geneva Application Security Forum

OWASP Member

Author of the blog: la Citadelle Electronique

http://ch.linkedin.com/in/smaret or@smaret

http://www.slideshare.net/smaret

Chosen field

AppSec & Digital Identity Security
http://www.citadelle-electronique.net/http://ch.linkedin.com/in/smarethttp://twitter.com/smarethttp://www.slideshare.net/smarethttp://www.slideshare.net/smarethttp://twitter.com/smarethttp://twitter.com/smarethttp://ch.linkedin.com/in/smarethttp://www.citadelle-electronique.net/


4/53


5/53

22 per minute


6/53

Protection of digital identities: a

topical issue

Strong AuthN


7/53


8/53


9/53


10/53

Definition of strong authentication

Strong Authentication on Wikipedia
http://fr.wikipedia.org/wiki/Authentification_fortehttp://fr.wikipedia.org/wiki/Authentification_fortehttp://fr.wikipedia.org/wiki/Authentification_fortehttp://fr.wikipedia.org/wiki/Authentification_fortehttp://fr.wikipedia.org/wiki/Authentification_fortehttp://fr.wikipedia.org/wiki/Authentification_fortehttp://fr.wikipedia.org/wiki/Authentification_forte


11/53

Strong Authentication

A new paradigm?


12/53

Which Strong Authentication

technology ?


13/53


14/53

OTP PKI (HW) Biometry

Strong

authentication

Encryption

Digital signature

Non repudiation

Strong link with

the user


15/53


with PKI


16/53

PKI: Digital Certificate

Software Certificate

(PKCS#12;PFX)

Hardware Token (Crypto PKI)Strong Authentication


17/53

SSL/TLS Mutual Authentication :

how does it work?

Web Server

Alice

Validation

Authority

Valid

Invalid

Unknown

CRL

or

OCSP Request

SSL / TLS Mutual Authentication


18/53

Strong Authentication with

Biometry (Match on Card

technology)

A reader

Biometry

SmartCard

A card with chip Technology MOC

Crypto Processor

PC/SC

PKCS#11

Digital certificate X509

St A th ti ti


19/53


With

(O)ne (T)ime (P)assword


20/53

(O)ne (T)ime (P)assword

OTP Time Based

Like SecurID

OTP Event Based

OTP ChallengeResponse Based

Others:

OTP via SMS

OTP via email

Biometry and OTP

Phone

Bingo Card

Etc.

OTP T B?


21/53

OTP T-B?

OTP E-B?OTP C-R-B?

Crypto - 101


22/53

Crypto-101 / Time Based OTP

ie = OTP(K,T) = Truncate(HMAC-SHA-1(K,T))

K=Secret Key / Seed

T=UTC Time

HASH Function

OTP


23/53

Crypto-101 / Event Based OTP

ie = OTP(K,C) = Truncate(HMAC-SHA-1(K,C))

K=Secret Key / Seed

C = Counter

HASH Function

OTP

C 101 / OTP Ch ll


24/53

Crypto-101 / OTP Challenge

Response Based

K=Secret Key / Seed

nonce

HASH Function

OTPChallenge

ie:


25/53

Other[s] OTP technologies

OTP Via SMS

Flicker code GeneratorSoftware

that converts already

encrypted data into

optical screen animation

H t St d


26/53

How to Store and

Generate

my Secret Key ?

A Token !


27/53

OTP Token: Software vs Hardware ?


28/53

Software OTP for Smartphone

http://itunes.apple.com/us/app/iotp/id328973960
http://itunes.apple.com/us/app/iotp/id328973960http://itunes.apple.com/us/app/iotp/id328973960


29/53

Where are[is] the seed


30/53

Seed generation & distribution ?


31/53

Seed generation & distribution ?

Still a good model ?

Editor / Vendor

Secret Key are[is]

generated on promise

K1

K1 K1

Threat

Agent

(APT)

K1


32/53

TokenCode

N St d d


33/53

New Standards

&

Open Source


34/53

Technologies accessible to

everyone Initiative for Open AuTHentication (OATH)

HOTP

TOTP

OCRA

Etc.

Mobile OTP (Use MD5 ..)


35/53

Initiative for Open AuTHentication

(OATH)

HOTP

Event Based OTP

RFC 4226

TOTP

Time Based OTP

Draft IETF Version 8

OCRA

Challenge/Response OTP

Draft IETF Version 13

Token Identifier

Specification

IETF KeyProv Working

Group

PSKC - Portable Symmetric

Key Container, RFC 6030

DSKPP - Dynamic

Symmetric Key ProvisioningProtocol, RFC 6063

And more !

http://www.openauthentication.org/specifications
http://www.openauthentication.org/specificationshttp://www.openauthentication.org/specifications


36/53

(R)isk

(B)ased

(A)uthentication


37/53

RBA (Risk-Based Authentication)

= Behavior Model


38/53

http://code.google.com/p/google-authenticator/

Use OATH-HOTP & TOTP
http://code.google.com/p/google-authenticator/http://code.google.com/p/google-authenticator/http://code.google.com/p/google-authenticator/http://code.google.com/p/google-authenticator/


39/53


40/53

Integration withweb application

Web application: basic


41/53

Web application: basicauthentication model

W b li ti St


42/53

Web application: Strong

Authentication Implementation

Blueprint

Shi ldi " h i t i


43/53

Shielding" approach: perimetric

authentication using Reverse

Proxy / WAF


44/53

Module/Agent-based approach


45/53

API/SDK based approach


46/53

ICAM:

a changing paradigm

on Strong Authentication


47/53

Federation of identity approach a

change of paradigm:

using IDP for Authentication and



48/53

Identity Provider

SAML, OpenID, etc


49/53

Strong Authentication and

Application Security


&

Application Security


50/53

Threat Modeling

detecting web application

threats before coding


51/53

Questions ?


52/53

Resources on Internet 1/2

http://motp.sourceforge.net/

http://www.clavid.ch/otp

http://code.google.com/p/mod-authn-otp/

http://www.multiotp.net/

http://www.openauthentication.org/

http://wiki.openid.net/

http://www.citadelle-electronique.net/

http://motp.sourceforge.net/http://www.clavid.ch/otphttp://code.google.com/p/mod-authn-otp/http://www.multiotp.net/http://www.openauthentication.org/http://wiki.openid.net/http://www.citadelle-electronique.net/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://www.citadelle-electronique.net/http://www.citadelle-electronique.net/http://www.citadelle-electronique.net/http://wiki.openid.net/http://www.openauthentication.org/http://www.multiotp.net/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://www.clavid.ch/otphttp://motp.sourceforge.net/


53/53

Resources on Internet 2/2

http://rcdevs.com/products/openotp/

https://github.com/adulau/paper-token

http://www.yubico.com/yubikey


http://www.nongnu.org/oath-toolkit/

http://www.nongnu.org/oath-toolkit/ http://www.gpaterno.com/publications/2010/du

blin_ossbarcamp_2010_otp_with_oss.pdf
http://rcdevs.com/products/openotp/https://github.com/adulau/paper-tokenhttp://www.yubico.com/yubikeyhttp://code.google.com/p/mod-authn-otp/http://www.nongnu.org/oath-toolkit/http://www.nongnu.org/oath-toolkit/http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdfhttp://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdfhttp://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdfhttp://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdfhttp://www.nongnu.org/oath-toolkit/http://www.nongnu.org/oath-toolkit/http://www.nongnu.org/oath-toolkit/http://www.nongnu.org/oath-toolkit/http://www.nongnu.org/oath-toolkit/http://www.nongnu.org/oath-toolkit/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://code.google.com/p/mod-authn-otp/http://www.yubico.com/yubikeyhttps://github.com/adulau/paper-tokenhttps://github.com/adulau/paper-tokenhttps://github.com/adulau/paper-tokenhttp://rcdevs.com/products/openotp/

Date post:	04-Apr-2018
Category:	Documents
Upload:	sylvain-maret
View:	224 times
Download:	0 times

Smaret Strong AuthN 22.11.12 Version 1.01

Documents