  121. Enrollment Process (Source: http://www.biometrics.gov/)
  122. Components (Source: http://www.biometrics.gov/)
  123. FRR / FAR (Source: http://www.biometrics.gov/)
  124. TAR (Source: http://www.biometrics.gov/)
  125. FAR (Source: http://www.biometrics.gov/)
  126. Accept Rate Threshold (Source: http://www.biometrics.gov/)
  127. Identification (Source: http://www.biometrics.gov/)
  128. Identification (Source: http://www.biometrics.gov/)
  129. Failure to Acquire (Source: http://www.biometrics.gov/)
  130. Biometric Modalities (Source: http://www.biometrics.gov/)
  131. Dynamic Signature (Source: http://www.biometrics.gov/)
  132. Dynamic Signature History (Source: http://www.biometrics.gov/)
  133. Dynamic Signature Technology (Source: http://www.biometrics.gov/)
  134. Face Recognition (Source: http://www.biometrics.gov/)
  135. Face Recognition History (Source: http://www.biometrics.gov/)
  136. Face Recognition Technologies (Source: http://www.biometrics.gov/)
  137. Principal Components Analysis (PCA) (Source: http://www.biometrics.gov/)
  138. Linear Discriminant Analysis (Source: http://www.biometrics.gov/)
  139. Elastic Bunch Graph Matching (Source: http://www.biometrics.gov/)
  140. Fingerprinting (Source: http://www.biometrics.gov/)
  141. Fingerprinting History (Source: http://www.biometrics.gov/)
  142. Fingerprinting Technology (Source: http://www.biometrics.gov/)
  143. Fingerprint Sensor (Source: http://www.biometrics.gov/)
  144. Fingerprint Software (Source: http://www.biometrics.gov/)
  145. (no text)
  146. (no text)
  147. Hand Geometry (Source: http://www.biometrics.gov/)
  148. Hand Geometry History (Source: http://www.biometrics.gov/)
  149. Hand Geometry History (Source: http://www.biometrics.gov/)
  150. Hand Geometry Technology (Source: http://www.biometrics.gov/)
  151. Iris Recognition (Source: http://www.biometrics.gov/)
  152. Iris Recognition History (Source: http://www.biometrics.gov/)
  153. Iris Recognition Technology (Source: http://www.biometrics.gov/)
  154. Iris Recognition Technology (Source: http://www.biometrics.gov/)
  155. Palm Print (Source: http://www.biometrics.gov/)
  156. Palm Print History (Source: http://www.biometrics.gov/)
  157. Palm Print Technology (Source: http://www.biometrics.gov/)
  158. Palm Print Technology (Source: http://www.biometrics.gov/)
  159. Speaker Verification
  160. Speaker Verification History (Source: http://www.biometrics.gov/)
  161. Speaker Verification Technology (Source: http://www.biometrics.gov/)
  162. Speaker Verification Technology (Source: http://www.biometrics.gov/)
  163. Speaker Verification Technology (Source: http://www.biometrics.gov/)
  164. Vascular Pattern
  165. Vascular Pattern History (Source: http://www.biometrics.gov/)
  166. Vascular Pattern Technology (Source: http://www.biometrics.gov/)
  167. Vascular Pattern Technology (Source: http://www.biometrics.gov/)
  168. Vascular Pattern Technology
  169. Biometrics Technology
  170. Biometrics Technology
  171. Match-on-Card
  172. (no text)
  173. MOC
  174. MOC – Athena & Precise Biometrics
  175. (no text)
  176. End Volume 1. Sylvain MARET / @smaret, sylvain.maret@openid.ch, http://www.slideshare.net/smaret, http://www.linkedin.com/in/smare...
  177. Appendices
  178. Threat Modeling / DFD / STRIDE
  179. Threat Modeling Process: Vision, Diagram, Identify, Validate ...
  180. DFD symbols
  181. DFD Symbols
  182. DFD Symbols
  183. Trust boundaries that intersect data flows: Points/surfaces where an attacker can interject – Machine boundaries, privil...
  184. DFD Level: Level 0 - Context Diagram – Very high-level; entire component / product / system. Level 1 Diagram – High le...
  185. STRIDE - Tool (table: Threat | Property | Definition | Example): Spoofing | Authenticat...
  186. STRIDE – Security Controls: STRIDE Threat List ...
  187. STRIDE
  188. STRIDE
  189. DFD & STRIDE
  190. DFD AuthN 1FA
  191. DFD – AuthN 1FA / STRIDE
INA Volume 1/3 Version 1.0 RC / Digital Identity and Authentication

Digital Identity & Authentication training

  1. INA – Volume 1. Sylvain MARET. Version 1.0 RC1, 2013-02-17. INA Volume 1 / @smaret 2013
  2. (no text)
  3. Who am I?
     ICT Security Consultant
     – 18 years of experience in ICT Security
     – Principal Consultant at MARET Consulting
     – Expert at Engineer School of Yverdon-les-Bains
     – Member of board OpenID Switzerland
     – Co-founder Application Security Forum #ASFWS
     – OWASP Member Switzerland
     – Author of the blog: la Citadelle Electronique
     – http://ch.linkedin.com/in/smaret or @smaret
     – http://www.slideshare.net/smaret
     Chosen field – AppSec & Digital Identity Security
  4. Agenda Volume 1
     C0 - Introduction
     C1 - Definition
     C2 - Tokens / Authentication factors
     C3 – Password
     C4 - One Time Password - OTP
     C5 - OTP / OATH standards
     C6 - OTP solution
     C7 - AuthN PKI
     C8 - Biometrics
  5. Digital Identity?
  6. Definition: Wikipédia French
  7. Definition
  8. Identity: A set of attributes that uniquely describe a person or information system within a given context. Source = NIST Special Publication 800-63-1
  9. Authentication: The process of establishing confidence in the identity of users or information systems. Source = NIST Special Publication 800-63-1
  10. Electronic Authentication (E-Authentication): The process of establishing confidence in user identities electronically presented to an information system. Source = NIST Special Publication 800-63-1
  11. Claimant: A party whose identity is to be verified using an authentication protocol. Source = NIST Special Publication 800-63-1
  12. Subscriber: A party who has received a credential or token from a CSP. Source = NIST Special Publication 800-63-1
  13. Token: Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant’s identity. Source = NIST Special Publication 800-63-1
  14. Credential: An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. Source = NIST Special Publication 800-63-1
  15. Identity Proofing: The process by which a CSP and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person. Source = NIST Special Publication 800-63-1
  16. Credential Service Provider (CSP): A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. Source = NIST Special Publication 800-63-1
  17. Registration Authority (RA): A trusted entity that establishes and vouches for the identity or attributes of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). Source = NIST Special Publication 800-63-1
  18. Verifier: An entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status. Source = NIST Special Publication 800-63-1
  19. Relying Party (RP): An entity that relies upon the Subscriber’s token and credentials or a Verifier’s assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system. Source = NIST Special Publication 800-63-1
  20. Authentication Protocol: A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier. Source = NIST Special Publication 800-63-1
  21. AuthN & AuthZ: AuthN, aka the authentication process; AuthZ, aka the authorization process
  22. (no text)
  23. Tokens / Authentication factors
  24. Authentication factors: Something you know; Something you have; Something you are
  25. Strong Authentication / Multi-factor authentication
     Multi-factor authentication refers to the use of more than one of the factors listed below:
     – Something you know
     – Something you have
     – Something you are
  26. Two-factor authentication – TFA – T-FA – 2FA
  27. Knowledge factors: "something the user knows"
     – Password – a password is a secret word or string of characters that is used for user authentication.
     – PIN – a personal identification number (PIN) is a secret numeric password.
     – Pattern – a pattern is a sequence of cells in an array that is used for authenticating the user.
  28. Possession factors: "something the user has"
     – Tokens with a display
     – USB tokens
     – Smartphone
     – Smartcards
     – Wireless (RFID, NFC)
     – Etc.
  29. Inherence factors: "something the user is or does"
     Physiological biometrics
     – Fingerprint recognition
     – Facial recognition system
     – Iris recognition
     – Etc.
     Behavioral biometrics
     – Keystroke dynamics
     – Speaker recognition
     – Geo Localization
     – Etc.
  30. PASSWORD
  31. http://www.wired.co.uk/magazine/archive/2013/01/features/hacked
  32. http://www.wired.com/wiredenterprise/2013/01/google-password/
  33. Password Factor: Something you know – PIN Code – Password – Passphrase. Aka 1FA
  34. Password Entropy / Password strength: Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.
  35. Password Entropy / Password strength: http://en.wikipedia.org/wiki/Password_strength
  36. Password Entropy / Password strength: http://en.wikipedia.org/wiki/Password_strength
  37. Characteristics of weak passwords
     – based on common dictionary words, including dictionary words that have been altered:
       • Reversed (e.g., “terces”)
       • Mixed case (e.g., SeCreT)
       • Character/Symbol replacement (e.g., “$ecret”)
       • Words with vowels removed (e.g., “scrt”)
     – based on common names
     – short (under 6 characters)
     – based on keyboard patterns (e.g., “qwertz”)
     – composed of a single symbol type (e.g., all characters)
  38. Characteristics of strong passwords
     Strong Passwords
     – contain at least one of each of the following:
       • digit (0..9)
       • letter (a..Z)
       • punctuation symbol (e.g., !)
       • control character (e.g., ^s, Ctrl-s)
     – are based on a verse (e.g., passphrase) from an obscure work where the password is formed from the characters in the verse
  39. Test your password! https://www.microsoft.com/security/pc-security/password-checker.aspx
  40. Password Manager: http://keepass.info/
  41. Password Manager: http://passwordsafe.sourceforge.net/
  42. Password Generator
  43. Threat Model AuthN 1FA
  44. Password / Threats
     – Man In The Middle Attacks
     – Phishing Attacks
     – Pharming Attacks
     – DNS Cache Poisoning
     – Trojan Attacks
     – Man-in-the-Phone Attacks (Man-in-the-Mobile/MitMo Attacks)
     – Man-in-the-Browser Attacks
     – Browser Poisoning
     – Password Sniffing
     – Brute Force Attack
     – Dictionary Attacks
  45. Password Attacks
     Password Cracking
     – Brute force
     – Dictionary attack
     – Hybrid
     Password sniffing
     Man-in-the-middle attack
     Malware – Keylogger
     Default Password
     Phishing
     Etc.
  46. Password Cracking Tools: Cain & Abel; John the Ripper; L0phtCrack; Ophcrack; THC Hydra; Aircrack (WEP/WPA cracking tool); Etc.
  47. Rainbow table: A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.
  48. Ophcrack
  49. Defense against rainbow tables: A rainbow table is ineffective against one-way hashes that include salts.
  50. Password Storage Cheat Sheet – Password Storage Rules
     – Rule 1: Use An Adaptive One-Way Function • bcrypt, PBKDF2 or scrypt
     – Rule 2: Use a Long Cryptographically Random Per-User Salt
     – Rule 3: Iterate the hash
     – Rule 4: Encrypt the Hash Data With a Keyed Algorithm
     https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
  51. Hashcat / GPU: 25-GPU cluster cracks every standard Windows password in <6 hours – It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
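Added example (not code from the deck or from OWASP) showing why the salt of slide 49 defeats a precomputed table and how Rules 1 to 3 of slide 50 look in practice: PBKDF2-HMAC-SHA256 over a random per-user salt with an iteration count, and a constant-time verify. The stored-string format and the use of an HMAC under a server-side key to illustrate Rule 4 are assumptions of this example, not something the cheat sheet prescribes.

```python
"""Salted, iterated PBKDF2 password storage, following the cheat-sheet rules.

Constructed example; not code from the deck or from OWASP.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumptions of this example: a stored-string format of
#   pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
# and a server-side key ("pepper") applied with HMAC as the keyed step of Rule 4.
ITERATIONS = 200_000   # Rule 3: iterate; tune to the CPU budget of your login path
SALT_BYTES = 16        # Rule 2: long, cryptographically random, per user
DK_LEN = 32


def unsalted_digest(password: str) -> str:
    """What a rainbow table reverses: the same password gives the same digest
    for every user, so one precomputed entry breaks every matching account."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, pepper: bytes = b"", salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Rules 1-3: adaptive one-way function (PBKDF2-HMAC-SHA256) over a per-user
    random salt, iterated. Rule 4 is illustrated by an HMAC under a server-side
    key that is kept outside the user database (an assumption of this example)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh salt per user and per password change
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=DK_LEN)
    if pepper:
        dk = hmac.new(pepper, dk, hashlib.sha256).digest()
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = b"") -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time.
    Any malformed stored value is treated as a failed login, never as an error."""
    try:
        scheme, iterations, salt_hex, _ = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        recomputed = hash_password(password, pepper, bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(recomputed, stored)


def same_password_same_stored_value(password: str) -> Tuple[bool, bool]:
    """Two users who chose the same password: identical stored value without a
    salt (one table lookup breaks both), distinct values with per-user salts."""
    unsalted_equal = unsalted_digest(password) == unsalted_digest(password)
    salted_equal = hash_password(password) == hash_password(password)
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", pepper=b"server-side-key")
    print(record)
    print(verify_password("correct horse battery staple", record, b"server-side-key"))
    print(same_password_same_stored_value("password"))
```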
  52. Password sniffing
  53. DFD – Weak Protocol (Telnet)
  54. Weak protocols: Telnet; FTP; IMAP; POP3; LDAP; Etc.
  55. ARP Spoofing
  56. DFD - SSH
  57. Man-in-the-middle attack, often abbreviated MITM, MitM, MIM, MiM or MITMA
  58. Man-in-the-middle attack: Ettercap; SSLStrip; SSLSniff; Mallory; Etc.
  59. Keylogger / Keystroke logging
     Software-based keyloggers
     – Malware
     – Mobile
     Hardware-based keyloggers
  60. Wireless sniffing – TEMPEST: http://lasecwww.epfl.ch/keyboard/
  61. Malicious Code Evolution
  62. Malware
  63. Zeus
  64. (no text)
  65. Default Password
  66. One Time Password - OTP: Strong AuthN OTP
  67. OTP Technology / Standards
     Based on a shared secret Key. Approach:
     – Time Based OTP
     – Event Based OTP
     – Challenge Response OTP
     – Out-of-band OTP
     – Others
     Standards – OATH
  68. Time Based OTP (diagram): K = Secret Key / Seed and T = UTC Time → Hash function → OTP
  69. Event Based OTP (diagram): K = Secret Key / Seed and C = Counter → HASH Function → OTP
  70. OTP Challenge Response Based (diagram): K = Secret Key / Seed and Challenge nonce → HASH Function → OTP
  71. Out-of-band OTP: SMS OTP; TAN; Email; Etc.
  72. Out-of-band - SMS OTP
  73. Out-of-band - TAN
  74. Bingo Card OTP
  75. Other[s] OTP technologies… “Flicker code” Generator: software that converts already encrypted data into an optical screen animation
  76. OTP / OATH standards: Authentication Methods
  77. OATH - Authentication Methods
     – HOTP: An HMAC-Based OTP Algorithm (RFC 4226)
     – TOTP - Time-based One-time Password Algorithm (RFC 6238)
     – OCRA - OATH Challenge/Response Algorithms Specification (RFC 6287)
  78. HOTP: An HMAC-Based One-Time Password Algorithm
     – RFC 4226: http://www.ietf.org/rfc/rfc4226.txt
     – Event Based OTP
     – Uses HMAC: Keyed-Hashing for Message Authentication (RFC 2104)
  79. HOTP – Crypto 101
  80. HOTP – Crypto 101
  81. TOTP - Time-based One-time Password Algorithm
     – RFC 6238: http://www.ietf.org/rfc/rfc6238.txt
     – Time Based OTP
     – Uses HMAC: Keyed-Hashing for Message Authentication (RFC 2104)
  82. TOTP – Crypto 101
  83. Challenge Response OTP
     – RFC 6287: http://www.ietf.org/rfc/rfc6287.txt
     – OCRA: OATH Challenge-Response Algorithm
  84. OCRA – Crypto 101
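Added example (not code from the deck, from OATH or from any OTP product) working through the event-based and time-based diagrams of slides 68 and 69 as RFC 4226 HOTP and RFC 6238 TOTP: HMAC over the counter, the dynamic truncation, and the verifier-side checks that matter for security, namely a bounded look-ahead window and a stored high-water mark so that an intercepted code cannot be replayed. The key is the shared secret from the RFCs' own test vectors; the window and drift sizes are assumptions of this example.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a replay-resistant verifier.

Constructed example; not code from the deck, OATH or Google Authenticator.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 section 5.3: HMAC over the 8-byte big-endian counter C, dynamic
    truncation at the offset given by the low nibble of the last byte, then
    the 31-bit value reduced mod 10^digits and zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp_step(for_time: float, step: int = 30, t0: int = 0) -> int:
    """RFC 6238: the counter is the number of whole time steps since T0."""
    return int((for_time - t0) // step)


def totp(key: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP is HOTP with the time-step number used as the counter."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, totp_step(for_time, step), digits, digestmod)


def verify_hotp(key: bytes, candidate: str, last_counter: int,
                window: int = 5, digits: int = 6) -> Optional[int]:
    """Verifier side (RFC 4226 section 7.4 look-ahead): try only the next
    `window` counters strictly after the last accepted one and return the
    counter to persist, or None. Never looking backwards is what makes a
    captured, already-used code worthless (window size is an assumption)."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(key, c, digits), candidate):
            return c
    return None


def verify_totp(key: bytes, candidate: str, last_step: int, now: Optional[float] = None,
                drift: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Accept the current step and +/- `drift` neighbours to tolerate clock skew,
    but only steps newer than the last accepted one, so a code valid for 30 s
    still cannot be submitted twice. Returns the accepted step or None."""
    current = totp_step(time.time() if now is None else now, step)
    for s in range(current - drift, current + drift + 1):
        if s > last_step and hmac.compare_digest(hotp(key, s, digits), candidate):
            return s
    return None


# Shared secret used by the RFC 4226 / RFC 6238 test vectors (20 ASCII bytes).
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print([hotp(RFC_TEST_KEY, c) for c in range(3)])   # RFC 4226 Appendix D vectors
    print(totp(RFC_TEST_KEY, 59, digits=8))            # RFC 6238 Appendix B vector
    print(verify_hotp(RFC_TEST_KEY, "287082", last_counter=0))
```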
  85. 85. OTP solution INA Volume 1 / @smaret 2013
  86. 86. INA Volume 1 / @smaret 2013
  87. 87. INA Volume 1 / @smaret 2013
88. Software OTP for Smartphone – http://itunes.apple.com/us/app/iotp/id328973960
89. OCRA on a mobile
90. google-authenticator – These implementations support: – HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 – Time-based One-time Password (TOTP) algorithm specified in RFC 6238 – Google Authenticator • Android, iOS and BlackBerry – http://code.google.com/p/google-authenticator/
91. google-authenticator
92. OCRA on Mobile
93. OTP without PIN
94. OTP PIN Protected
95. OTP on Smartcard
96. OTP with Smartcard
97. OTP hybrid (OTP & PKI)
98. YubiKey
99. YubiKey
100. PKI – PKI Strong AuthN
101. PKI Tokens Storage
102. Public Key Cryptography 101
103. Signature 101
104. Signature – Verification 101
105. Mutual AuthN SSL
106. PKI Certificate Validation – CRL, Delta CRL, OCSP
107. OCSP Validation
113. Smart Card
114. Smart Card
115. Smart Card – Crypto
118. Biometrics – BIO AuthN
119. Biometrics – Source: http://www.biometrics.gov/
120. Biometric Terms – Source: http://www.biometrics.gov/
121. Enrollment Process – Source: http://www.biometrics.gov/
122. Components – Source: http://www.biometrics.gov/
123. FRR / FAR – Source: http://www.biometrics.gov/
124. TAR – Source: http://www.biometrics.gov/
125. FAR – Source: http://www.biometrics.gov/
126. Accept Rate Threshold – Source: http://www.biometrics.gov/
127. Identification – Source: http://www.biometrics.gov/
128. Identification – Source: http://www.biometrics.gov/
129. Failure to Acquire – Source: http://www.biometrics.gov/
130. Biometric Modalities – Source: http://www.biometrics.gov/
131. Dynamic Signature – Source: http://www.biometrics.gov/
132. Dynamic Signature History – Source: http://www.biometrics.gov/
133. Dynamic Signature Technology – Source: http://www.biometrics.gov/
134. Face Recognition – Source: http://www.biometrics.gov/
135. Face Recognition History – Source: http://www.biometrics.gov/
136. Face Recognition Technologies – Source: http://www.biometrics.gov/
137. Principal Components Analysis (PCA) – Source: http://www.biometrics.gov/
138. Linear Discriminant Analysis – Source: http://www.biometrics.gov/
139. Elastic Bunch Graph Matching – Source: http://www.biometrics.gov/
140. Fingerprinting – Source: http://www.biometrics.gov/
141. Fingerprinting History – Source: http://www.biometrics.gov/
142. Fingerprinting Technology – Source: http://www.biometrics.gov/
143. Fingerprint Sensor – Source: http://www.biometrics.gov/
144. Fingerprint Software – Source: http://www.biometrics.gov/
147. Hand Geometry – Source: http://www.biometrics.gov/
148. Hand Geometry History – Source: http://www.biometrics.gov/
149. Hand Geometry History – Source: http://www.biometrics.gov/
150. Hand Geometry Technology – Source: http://www.biometrics.gov/
151. Iris Recognition – Source: http://www.biometrics.gov/
152. Iris Recognition History – Source: http://www.biometrics.gov/
153. Iris Recognition Technology – Source: http://www.biometrics.gov/
154. Iris Recognition Technology – Source: http://www.biometrics.gov/
155. Palm Print – Source: http://www.biometrics.gov/
156. Palm Print History – Source: http://www.biometrics.gov/
157. Palm Print Technology – Source: http://www.biometrics.gov/
158. Palm Print Technology – Source: http://www.biometrics.gov/
159. Speaker Verification
160. Speaker Verification History – Source: http://www.biometrics.gov/
161. Speaker Verification Technology – Source: http://www.biometrics.gov/
162. Speaker Verification Technology – Source: http://www.biometrics.gov/
163. Speaker Verification Technology – Source: http://www.biometrics.gov/
164. Vascular Pattern
165. Vascular Pattern History – Source: http://www.biometrics.gov/
166. Vascular Pattern Technology – Source: http://www.biometrics.gov/
167. Vascular Pattern Technology – Source: http://www.biometrics.gov/
168. Vascular Pattern Technology
169. Biometrics Technology
170. Biometrics Technology
171. Match-on-Card
173. MOC
174. MOC – Athena & Precise Biometrics
176. End Volume 1 – Sylvain MARET / @smaret – sylvain.maret@openid.ch – http://www.slideshare.net/smaret – http://www.linkedin.com/in/smaret
177. Appendices
178. Threat Modeling – DFD / STRIDE
179. Threat Modeling Process – Vision, Diagram, Identify Threats, Mitigate, Validate
180. DFD symbols
181. DFD Symbols
182. DFD Symbols
183. Trust boundaries that intersect data flows
– Points/surfaces where an attacker can interject
– Machine boundaries, privilege boundaries, integrity boundaries are examples of trust boundaries
– Threads in a native process are often inside a trust boundary, because they share the same privs, rights, identifiers and access
– Processes talking across a network always have a trust boundary
184. DFD Level
– Level 0 – Context Diagram: very high-level; entire component / product / system
– Level 1 Diagram: high level; single feature / scenario
– Level 2 Diagram: low level; detailed sub-components of features
– Level 3 Diagram: more detailed; rare to need more layers, except in huge projects or when you’re drawing more trust boundaries
185. STRIDE – Tool

| Threat | Property | Definition | Example |
|---|---|---|---|
| Spoofing | Authentication | Impersonating something or someone else | Pretending to be any of billg, xbox.com or a system update |
| Tampering | Integrity | Modifying data or code | Modifying a game config file on disk, or a packet as it traverses the network |
| Repudiation | Non-repudiation | Claiming to have not performed an action | “I didn’t cheat!” |
| Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Reading key material from an app |
| Denial of Service | Availability | Deny or degrade service to users | Crashing the web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole |
| Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote internet user to run commands is the classic example, but running kernel code from lower trust levels is also EoP |

186. STRIDE – Security Controls (STRIDE Threat List)

| Threat Type | Security Control | Examples |
|---|---|---|
| Spoofing | Authentication | Threat action aimed to illegally access and use another user's credentials, such as username and password. |
| Tampering | Integrity | Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet. |
| Repudiation | Non-Repudiation | Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations. |
| Information disclosure | Confidentiality | Threat action to read a file that one was not granted access to, or to read data in transit. |
| Denial of service | Availability | Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable. |
| Elevation of privilege | Authorization | Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system. |
187. STRIDE
188. STRIDE
189. DFD & STRIDE
190. DFD AuthN 1FA
191. DFD – AuthN 1FA / STRIDE
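An added example (my code, not the deck's diagram) that applies the DFD and STRIDE material above to a constructed Level 1 diagram of the single-factor login scenario: each element is tagged with the trust boundary it sits in, flows that cross a boundary are flagged as the points where an attacker can interject, and STRIDE categories are assigned per element type. The per-element mapping (external entities: S, R; processes: all six; flows and stores: T, I, D; a log store also R) follows the Microsoft SDL STRIDE-per-element approach and is an assumption of this example, not a table from the slides.

```python
from dataclasses import dataclass

# STRIDE-per-element mapping (Microsoft SDL style), assumed for this example:
# external entities can be spoofed or repudiate; processes get all six;
# data flows and stores face tampering, disclosure and denial of service;
# a log store additionally matters for repudiation.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TID", "log": "TIDR"}


@dataclass
class Element:
    name: str
    kind: str       # external | process | store | log
    boundary: str   # the trust boundary the element sits in


@dataclass
class Flow:
    src: Element
    dst: Element
    data: str

    def crosses_boundary(self) -> bool:
        # A flow between two boundaries is a point where an attacker can interject.
        return self.src.boundary != self.dst.boundary


def enumerate_threats(elements, flows):
    """Map each element, and each boundary-crossing flow, to its STRIDE threat list."""
    threats = {e.name: [STRIDE[c] for c in PER_ELEMENT[e.kind]] for e in elements}
    for f in flows:
        if f.crosses_boundary():
            threats[f"{f.src.name} -> {f.dst.name} ({f.data})"] = [STRIDE[c] for c in "TID"]
    return threats


def build_1fa_model():
    """Constructed Level 1 DFD of a single-factor (password) login; not the deck's diagram."""
    browser = Element("Browser", "external", "internet")
    login = Element("Login service", "process", "dmz")
    store = Element("Credential store", "store", "internal")
    log = Element("Audit log", "log", "internal")
    flows = [Flow(browser, login, "username+password"), Flow(login, store, "hash lookup"),
             Flow(login, log, "login event"), Flow(login, browser, "session cookie")]
    return [browser, login, store, log], flows


if __name__ == "__main__":
    elements, flows = build_1fa_model()
    for target, names in enumerate_threats(elements, flows).items():
        print(f"{target}: {', '.join(names)}")
```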