Codebits 2011 - The end of passwords...

The end of passwords... as we know it.

We talk about password alternatives, two-factor authentication, and some trends that we are starting to see in authentication.

Published in: Technology
Transcript

  • 1. Codebits 2011 - The End Of Passwords... (11/11/11)
  • 2. Summary: Motivation; Today's scenario; Two-Factor Authentication (Biometrics, Software Tokens, Hardware Tokens); Trends. SAPO Websecurity Team
  • 3. Motivation > Lots of accounts compromised
  • 4. Motivation > Lots of accounts compromised (continued)
  • 5. Motivation > People reuse passwords
    - Password sharing: 73% of users share passwords that are used for online banking with at least one non-financial website.
    - Username/password sharing: 42% of users share both their username and password with at least one non-financial website.
    - Source: Trusteer Inc., "Reusing Login Credentials", Security Advisor, February 2010 (study on 4M PCs).
  • 6. Today > Typical choice of passwords on the Web:
    - Weak password, reused across sites
    - Strong password, but reused across sites
    - Weak password, but different from other sites
    - Strong password for critical sites, weak password for the rest
    - Strong or weak password, with basic derivations of it on other sites
  • 7. Today > Can we memorize hundreds of strong passwords?
  • 8. Today > No way!
  • 9. Today > So what can we do?
  • 10. Alternatives > Password Managers: use a password manager to manage all your passwords instead of trying to memorize them all. Types: local, stateless, remote.
    - Pros: easy to use; practical; lets you use strong and different passwords across sites.
    - Cons: if an attacker breaks your password manager, ALL your passwords are compromised!
  • 11. Passwords: but passwords per se are not a secure authentication mechanism. A password is a piece of information that can be shared, leaked or stolen. Someone with your password = you.
  • 12. Alternatives > What is the alternative? Multi-Factor Authentication: any combination of these:
    - Something you know
    - Something you have
    - Something you are
  • 13. Two-Factor Auth > The most popular combination is 2-factor authentication: "something you know" and "something you have".
  • 14. Two-Factor Auth > ... but can't the second (physical) factor be stolen as well?
  • 15. Two-Factor Auth > ... sure, but it is about scale: a token has to be stolen from one user at a time, whereas a leaked password database compromises every user at once.
  • 16. Two-Factor Authentication
  • 17. Two-Factor Auth > Examples:
    - Biometrics
    - Smart cards
    - SMS
    - Software OTP tokens: Google Authenticator, Verisign VIP
    - Hardware OTP tokens: Yubikey, CryptoCard, RSA SecurID
    - Pros: more secure than single-factor :)
    - Cons: not very convenient; may provide a false sense of security; typically a closed market (most vendors rip you off!)
  • 18. Two-Factor Auth > Biometrics: verifies a unique personal attribute or behavior. Divided into two categories: physiological (iris, retina, fingerprint) or behavioral (signature, keystroke, voice dynamics).
    - Pros: effective and accurate method of identification.
    - Cons: cannot be re-issued (unlike a password, a compromised fingerprint cannot be changed); expensive ($$$$$); privacy concerns; physical and behavioral attributes can change; not suitable for all scenarios; can be dangerous! (if a thief cuts your finger off)
  • 19. Two-Factor Auth > Biometrics > Usage:
    - Could be used for Internet banking, to confirm the authenticity of a high-value transaction.
    - Can be used for authentication in computers, other systems or applications.
  • 20. Two-Factor Auth > Smart Cards: a smart card has the capability of processing information because it has a microprocessor and integrated circuits incorporated into the card itself. Two-factor = PIN + smart card. Types = contact and contactless.
    - Pros: good security, the secret never leaves the smart card.
    - Cons: not very convenient; you may need to install drivers before using it; may provide a false sense of security.
  • 21. Two-Factor Auth > Smart Cards > Usage:
    - Some sites allow you to use SSL client certificates as a means of authentication. The certificate (and its private key) can be stored in a smart card.
    - Some sites allow you to authenticate through the smart card (some government sites using the citizen card).
    - You can use a smart card to sign email and documents, authenticate to WiFi networks and SSH, use it with PAM, and more...
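What the "SSL client certificate" usage on slide 21 looks like from the server's side, as an added example written for this page (it is not code from the slides or from any of the projects they link). It mints a throwaway CA, a server certificate and a client certificate, starts a TLS server that requires and verifies the client certificate, and then connects once with the certificate and once without. Assumptions: the client key pair is generated in software here, where in the slide's scenario it would live on the smart card and never leave it; the names "Demo CA", "localhost" and "alice" and the 24-hour validity are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue signs tmpl with the parent's key (self-signed when parent is nil).
// Failures here are setup bugs, not runtime conditions, so they panic.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// Demo starts a TLS server that demands a client certificate chaining to our CA,
// connects once as "alice" and once anonymously, and reports what happened.
func Demo() (cn string, anonRejected bool, err error) {
	ca := template("Demo CA", 1)
	ca.IsCA, ca.BasicConstraintsValid = true, true
	ca.KeyUsage |= x509.KeyUsageCertSign
	caCert, caKey := issue(ca, nil, nil)
	srv := template("localhost", 2)
	srv.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	srv.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srvCert, srvKey := issue(srv, caCert, caKey)
	cli := template("alice", 3) // on a smart card this key would never leave the card (assumption: software key here)
	cli.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	cliCert, cliKey := issue(cli, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.TLS.PeerCertificates[0].Subject.CommonName) // verified chain is guaranteed here
	}))
	ts.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the default, tls.NoClientCert, would skip this factor entirely
		ClientCAs:    pool,
	}
	ts.StartTLS()
	defer ts.Close()
	get := func(certs []tls.Certificate) (string, error) {
		tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, Certificates: certs}, DisableKeepAlives: true}
		resp, err := (&http.Client{Transport: tr}).Get(ts.URL)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		if err != nil || resp.StatusCode != http.StatusOK {
			return "", fmt.Errorf("status %d: %v", resp.StatusCode, err)
		}
		return string(body), nil
	}
	if cn, err = get([]tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}); err != nil {
		return "", false, err
	}
	_, anonErr := get(nil) // no client certificate: the handshake is refused
	return cn, anonErr != nil, nil
}

func main() {
	cn, rejected, err := Demo()
	fmt.Println("authenticated CN:", cn, "anonymous rejected:", rejected, "error:", err)
}
```

The point to take away is the single `ClientAuth` line: with `RequireAndVerifyClientCert` the handler can trust `r.TLS.PeerCertificates[0]` because the TLS layer has already checked the chain against `ClientCAs`; with the default setting the same handler would panic on an empty slice, or worse, a site might read an unverified certificate. Revocation is not handled here, which is one of the reasons the slides list a false sense of security among the cons.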
  • 22. Two-Factor Auth > SMS: some sites can send a text message as a 2nd factor of authentication.
    - Pros: easy to implement; no need to carry (or buy) extra devices (your mobile phone is always with you).
    - Cons: it is probably the weakest 2nd factor (easy to fake and intercept: the code travels over the phone network, can be redirected with a SIM swap, and a phished code can be relayed to the real site before it expires).
  • 23. Two-Factor Auth > Google Authenticator > One Time Passwords (OATH): either HOTP (event-based, RFC 4226) or TOTP (time-based, RFC 6238).
    - Pros: it is an open standard; you can use it in your own systems (via a PAM module or by integrating it with RADIUS); there are multiple implementations that work on a panoply of devices (e.g. smartphone, Yubikey, hardware tokens).
    - Cons: concerns related to the security of the device (in software implementations); your battery may die when you most need an OTP (in the case of a smartphone); you lose some time generating/entering an OTP.
  • 24. Two-Factor Auth > Yubikey > What is it? The Yubikey is a small USB token which acts as a regular keyboard. It can generate static passwords and one-time passwords.
  • 25. Two-Factor Auth > Yubikey > How does it work?
    - Static passwords: the Yubikey can be provisioned with a static password of up to 64 chars. This password can be used with applications/services that do not support OTPs. Use it together with a password you type yourself, otherwise whoever holds the key has everything!
    - One-time passwords: two different OTP standards are supported: event-based HOTP and Yubikey-style OTPs. HOTP is the better-known standard, but it is more limited due to usability concerns (shorter OTP, counter sync issues, etc.). The Yubikey OTP format leverages the fact that the Yubikey types the OTP for you.
    - Two slots: short press for slot 1; long press (3 seconds) for slot 2.
    - Drivers: any OS with USB-keyboard support. It even works during boot (useful for, e.g., whole-disk encryption solutions such as PGP-WDE and TrueCrypt).
  • 26. Two-Factor Auth > Yubikey > Where does it work? Lastpass (http://www.lastpass.com)
  • 27. Two-Factor Auth > Yubikey > Where does it work? Yubico OpenID (http://openid.yubico.com)
  • 28. Two-Factor Auth > Yubikey > Where does it work? FastMail (http://www.fastmail.fm)
  • 29. Two-Factor Auth > Yubikey > Where does it work? Your laptop (http://127.0.0.1): one-time password or static password.
  • 30. Two-Factor Auth > Yubikey > Where could it work? Architecture
  • 31. Two-Factor Auth > Yubikey > Details: inner workings (the protocol spec is open).
  • 32. Two-Factor Auth > Yubikey > Security Threats > Protocol attacks: generated OTPs consist of unique 128-bit blocks encrypted with an AES key shared between token and server. Protocol security depends on the security strength of the AES algorithm. (The block carries a private ID plus session and use counters, and the server only accepts an OTP whose counters are higher than the last one it saw, so a sniffed OTP cannot be replayed.)
  • 33. Two-Factor Auth > Yubikey > Security Threats > Server attacks: central authentication servers store the symmetric keys for all tokens. If successfully attacked, this can be catastrophic. Yubico mitigates this with tamper-resistant HSMs. A DoS attack on the server will result in users not being able to log in.
  • 34. Two-Factor Auth > Yubikey > Security Threats > User attacks: social engineering; phishing; "borrowing" the token.
  • 35. Two-Factor Auth > Yubikey > Security Threats > Host attacks: software key extraction (very hard to exploit); man-in-the-browser.
  • 36. Two-Factor Auth > Yubikey > Security Threats > Hardware attacks: hardware key extraction and token duplication.
  • 37. Two-Factor Auth > Yubikey > Advantages:
    - Convenient: no drivers necessary; types the key for you.
    - Open: open standard and infrastructure; software released under a permissive license; extensible (PIN option); no license required per token.
    - Affordable: around 10€ if purchased in larger quantities.
    - Secure: provides an additional authentication factor; OTP generation requires manual intervention (a touch on the key), so malware on the host cannot mint OTPs at will.
  • 38. Two-Factor Auth > NFC/RFID: we can use the technology for many purposes, including authentication.
    - Pros: could be very convenient; no need to carry (or buy) extra devices (your mobile phone is always with you).
    - Cons: the security aspects are still being discussed (Mifare Classic 1K and DESFire tags can be cloned); in reality, as of 2011, there are no standard mechanisms on devices to use NFC authentication.
  • 39. Trends > PoC
  • 40. Future Trends
  • 41. Trends > Two-factor authentication is getting popular:
  • 42. Future > QR codes: some interesting ideas are brewing...
  • 43. Trends > BMW's NFC PoC
  • 44. Links:
    - Smart cards: OpenSC Project - http://www.opensc-project.org
    - Yubikeys: Yubico - http://www.yubico.com
    - Time-based and event-based OTPs: Google Authenticator - http://code.google.com/p/google-authenticator/
    - NFC: libnfc - http://www.libnfc.org/documentation/introduction
    - QR codes: tiqr - https://tiqr.org/
    - Biometrics: BioAPI Consortium - http://www.bioapi.org/
  • 45. The End. Questions? Nuno Loureiro <nuno@co.sapo.pt>, João Poupino <joao.poupino@co.sapo.pt>
