INA Volume 1/3 Version 1.0 Released / Digital Identity and Authentication
Training Digital Identity and Strong Authentication Volume 1
Transcript

  • 1. INA – Volume 1 – Sylvain MARET – Version 1.0 Released 2013-04-08 – INA Volume 1 – Version 1.0 / @smaret 2013
  • 2. (no transcript text)
  • 3. Who am I? ICT Security Consultant – 18 years of experience in ICT Security – Principal Consultant at MARET Consulting – Expert at Engineer School of Yverdon-les-Bains – Member of board OpenID Switzerland – Co-founder Application Security Forum #ASFWS – OWASP Member Switzerland – Author of the blog: la Citadelle Electronique – http://ch.linkedin.com/in/smaret or @smaret – http://www.slideshare.net/smaret – Chosen field: AppSec & Digital Identity Security
  • 4. Agenda Volume 1 – C0 Introduction – C1 Definition – C2 Tokens / Authentication factors – C3 Password – C4 One Time Password (OTP) – C5 OTP / OATH standards – C6 OTP solution – C7 AuthN PKI – C8 Biometrics – C9 OATH approach
  • 5. Digital Identity?
  • 6. Definition (Wikipédia, French)
  • 7. Definition
  • 8. Identity: A set of attributes that uniquely describe a person or information system within a given context. (Source: NIST Special Publication 800-63-1)
  • 9. Authentication: The process of establishing confidence in the identity of users or information systems. (Source: NIST Special Publication 800-63-1)
  • 10. Electronic Authentication (E-Authentication): The process of establishing confidence in user identities electronically presented to an information system. (Source: NIST Special Publication 800-63-1)
  • 11. Claimant: A party whose identity is to be verified using an authentication protocol. (Source: NIST Special Publication 800-63-1)
  • 12. Subscriber: A party who has received a credential or token from a CSP. (Source: NIST Special Publication 800-63-1)
  • 13. Token: Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant’s identity. (Source: NIST Special Publication 800-63-1)
  • 14. Credential: An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. (Source: NIST Special Publication 800-63-1)
  • 15. Identity Proofing: The process by which a CSP and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person. (Source: NIST Special Publication 800-63-1)
  • 16. Credential Service Provider (CSP): A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. (Source: NIST Special Publication 800-63-1)
  • 17. Registration Authority (RA): A trusted entity that establishes and vouches for the identity or attributes of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). (Source: NIST Special Publication 800-63-1)
  • 18. Verifier: An entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status. (Source: NIST Special Publication 800-63-1)
  • 19. Relying Party (RP): An entity that relies upon the Subscriber’s token and credentials or a Verifier’s assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system. (Source: NIST Special Publication 800-63-1)
  • 20. Authentication Protocol: A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier. (Source: NIST Special Publication 800-63-1)
  • 21. AuthN & AuthZ – AuthN: aka authentication process – AuthZ: aka authorization process
  • 22. (no transcript text)
  • 23. Tokens / Authentication factors
  • 24. Authentication factors – Something you know – Something you have – Something you are
  • 25. Strong Authentication / Multi-factor authentication – Multi-factor authentication refers to the use of more than one of the factors listed below: – Something you know – Something you have – Something you are
  • 26. Two-factor authentication – TFA – T-FA – 2FA
  • 27. Knowledge factors: "something the user knows" – Password: a password is a secret word or string of characters that is used for user authentication. – PIN: a personal identification number (PIN) is a secret numeric password. – Pattern: a pattern is a sequence of cells in an array that is used for authenticating users.
  • 28. Possession factors: "something the user has" – Tokens with a display – USB tokens – Smartphone – Smartcards – Wireless (RFID, NFC) – Etc.
  • 29. Inherence factors: "something the user is or does" – Physiological biometrics: fingerprint recognition, facial recognition system, iris recognition, etc. – Behavioral biometrics: keystroke dynamics, speaker recognition, geolocalization, etc.
  • 30. PASSWORD
  • 31. http://www.wired.co.uk/magazine/archive/2013/01/features/hacked
  • 32. http://www.wired.com/wiredenterprise/2013/01/google-password/
  • 33. Password Factor – Something you know – PIN Code – Password – Passphrase – Aka 1FA
  • 34. Password Entropy / Password strength – Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.
  • 35. Password Entropy / Password strength – http://en.wikipedia.org/wiki/Password_strength
  • 36. Password Entropy / Password strength – http://en.wikipedia.org/wiki/Password_strength
  • 37. Characteristics of weak passwords – based on common dictionary words, including dictionary words that have been altered: reversed (e.g., “terces”), mixed case (e.g., SeCreT), character/symbol replacement (e.g., “$ecret”), words with vowels removed (e.g., “scrt”) – based on common names – short (under 6 characters) – based on keyboard patterns (e.g., “qwertz”) – composed of a single symbol type (e.g., all characters)
  • 38. Characteristics of strong passwords – Strong passwords contain at least one of each of the following: digit (0..9), letter (a..Z), punctuation symbol (e.g., !), control character (e.g., ^s, Ctrl-s) – or are based on a verse (e.g., passphrase) from an obscure work, where the password is formed from the characters in the verse
  • 39. Test your password! https://www.microsoft.com/security/pc-security/password-checker.aspx
  • 40. Password Manager – http://keepass.info/
  • 41. Password Manager – http://passwordsafe.sourceforge.net/
  • 42. Password Generator
  • 43. Threat Model AuthN 1FA
  • 44. Password / Threats – Man In The Middle Attacks – Phishing Attacks – Pharming Attacks – DNS Cache Poisoning – Trojan Attacks – Man-in-the-Phone Attacks (Man-in-the-Mobile / MitMo Attacks) – Man-in-the-Browser Attacks – Browser Poisoning – Password Sniffing – Brute Force Attack – Dictionary Attacks
  • 45. Password Attacks – Password Cracking: brute force, dictionary attack, hybrid – Password sniffing – Man-in-the-middle attack – Malware: keylogger – Default Password – Phishing – Etc.
  • 46. Password Cracking Tools – Cain & Abel – John the Ripper – L0phtCrack – Ophcrack – THC Hydra – Aircrack (WEP/WPA cracking tool) – Etc.
  • 47. Rainbow table – A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.
  • 48. Ophcrack
  • 49. Defense against rainbow tables – A rainbow table is ineffective against one-way hashes that include salts.
  • 50. Password Storage Cheat Sheet – Password Storage Rules – Rule 1: Use an adaptive one-way function (bcrypt, PBKDF2 or scrypt) – Rule 2: Use a long cryptographically random per-user salt – Rule 3: Iterate the hash – Rule 4: Encrypt the hash data with a keyed algorithm – https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
  • 51. Hashcat / GPU – 25-GPU cluster cracks every standard Windows password in <6 hours – It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. – http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
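Slides 47 to 51 as working code, added here and not taken from the deck or from the OWASP cheat sheet: the unsalted fast hash that rainbow tables and GPU clusters target is shown beside a record built under Rules 1 to 3 (PBKDF2-HMAC from Python's standard library stands in for bcrypt/scrypt; the iteration count and salt length are assumed tunables, and Rule 4's keyed encryption layer is left out).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Tunables for this example (assumed values, not taken from the slides or the cheat sheet).
HASH_NAME = "sha256"
ITERATIONS = 200_000     # Rule 3: iterate; raise it as attacker hardware gets faster
SALT_BYTES = 16          # Rule 2: long, cryptographically random, per-user salt


def unsalted_fast_hash(password: str) -> str:
    """The storage pattern slides 47 and 51 attack: one fast, unsalted, unkeyed hash.
    Two users with the same password get the same hash, so one precomputed
    lookup (rainbow table) or one GPU pass cracks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Rules 1-3: PBKDF2-HMAC with a random per-user salt and a high iteration count.
    The record is self-describing ('pbkdf2_sha256$iterations$salt$hash') so the
    cost can be raised later without invalidating existing records."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations_str, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False                       # a malformed record never authenticates
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than current policy;
    rehash it at the user's next successful login, when the plaintext is available."""
    try:
        _, iterations_str, _, _ = record.split("$")
        return int(iterations_str) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    shared = "Summer2013!"   # constructed sample password reused by two users
    # Unsalted: identical hashes, one table lookup covers both accounts.
    print(unsalted_fast_hash(shared) == unsalted_fast_hash(shared))   # True
    # Salted and iterated: different records for the same password.
    print(hash_password(shared) == hash_password(shared))             # False
```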
  • 52. Password sniffing
  • 53. DFD – Weak Protocol (Telnet)
  • 54. Weak protocols – Telnet – FTP – IMAP – POP3 – LDAP – Etc.
  • 55. ARP Spoofing
  • 56. DFD – SSH
  • 57. Man-in-the-middle attack, often abbreviated MITM, MitM, MIM, MiM, MITMA
  • 58. Man-in-the-middle attack – Ettercap – SSLStrip – SSLSniff – Mallory – Etc.
  • 59. Keylogger / Keystroke logging – Software-based keyloggers: malware, mobile – Hardware-based keyloggers
  • 60. Wireless sniffing – TEMPEST – http://lasecwww.epfl.ch/keyboard/
  • 61. Malicious Code Evolution
  • 62. Malware
  • 63. Zeus
  • 64. (no transcript text)
  • 65. Default Password
  • 66. One Time Password – OTP – Strong AuthN OTP
  • 67. OTP Technology / Standards – Based on a shared secret key (symmetric crypto) – Approach: Time Based OTP, Event Based OTP, Challenge Response OTP, Out-of-band OTP, Transaction Signing OTP, Others – Standards: OATH
  • 68. Time Based OTP – OTP = Hash function(K = Secret Key / Seed, T = UTC Time)
  • 69. Event Based OTP – OTP = Hash function(K = Secret Key / Seed, C = Counter)
  • 70. Token OTP PIN protected – Source: Richard E. Smith / Authentication
  • 71. Token OTP PIN protected – Source: Richard E. Smith / Authentication
  • 72. OTP Challenge Response Based – OTP = Hash function(K = Secret Key / Seed, Challenge nonce)
  • 73. Transaction Signing OTP
  • 74. Other OTP – Out-of-Band: SMS OTP, TAN – Bingo Card – Etc.
  • 75. Out-of-band – SMS OTP
  • 76. Out-of-band – TAN OTP
  • 77. Bingo Card OTP
  • 78. Other OTP technologies… “Flicker code” generator: software that converts already encrypted data into an optical screen animation
  • 79. OTP / OATH standards – Authentication Methods
  • 80. OATH – Authentication Methods – HOTP: An HMAC-Based OTP Algorithm (RFC 4226) – TOTP: Time-based One-time Password Algorithm (RFC 6238) – OCRA: OATH Challenge/Response Algorithms Specification (RFC 6287)
  • 81. HOTP: An HMAC-Based One-Time Password Algorithm – RFC 4226 – http://www.ietf.org/rfc/rfc4226.txt – Event Based OTP – Uses HMAC: Keyed-Hashing for Message Authentication (RFC 2104)
  • 82. HOTP – Crypto 101
  • 83. HOTP – Crypto 101
  • 84. TOTP – Time-based One-time Password Algorithm – RFC 6238 – http://www.ietf.org/rfc/rfc6238.txt – Time Based OTP – Uses HMAC: Keyed-Hashing for Message Authentication (RFC 2104)
  • 85. TOTP – Crypto 101
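The event-based (slide 69, RFC 4226) and time-based (slide 68, RFC 6238) constructions above, together with the verifier-side checks a server needs: an added example, not code from the deck or from OATH. The secret is the published RFC test secret; the look-ahead window, clock-skew tolerance and replay rule are assumed policy values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP(K, C): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                 # low nibble of the last byte picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF   # mask the sign bit
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: Optional[float] = None, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the time step T = floor((now - T0) / X)."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int((for_time - t0) // step), digits, digestmod)


def verify_hotp(key: bytes, code: str, server_counter: int, window: int = 10,
                digits: int = 6) -> Optional[int]:
    """Verifier side of event-based OTP. Tries the stored counter and the next `window`
    values (token presses the server never saw). Returns the new counter to store on
    success, None on failure. Counters below server_counter are never accepted, so a
    captured code cannot be replayed once a later one has been used."""
    for c in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), code):
            return c + 1
    return None


def verify_totp(key: bytes, code: str, for_time: Optional[float] = None, skew: int = 1,
                last_step: int = -1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Verifier side of time-based OTP tolerating +/- `skew` steps of clock drift.
    Returns the matched time step (persist it as last_step) or None. Steps at or below
    last_step are refused so one code cannot be replayed inside its validity window."""
    if for_time is None:
        for_time = time.time()
    current = int(for_time // step)
    for t in range(max(current - skew, 0), current + skew + 1):
        if t > last_step and hmac.compare_digest(hotp(key, t, digits), code):
            return t
    return None


# The RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); constructed demo below.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, "->", hotp(TEST_SECRET, c))          # 755224, 287082, 359152
    print("TOTP at t=59, 8 digits ->", totp(TEST_SECRET, 59, digits=8))  # 94287082
    print("server counter after accepting counter 1 ->",
          verify_hotp(TEST_SECRET, "287082", server_counter=0))        # 2
```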
  • 86. Challenge Response OTP – RFC 6287 – http://www.ietf.org/rfc/rfc6287.txt – OCRA: OATH Challenge-Response Algorithm
  • 87. OCRA – Crypto 101
  • 88. OTP solution – OTP AuthN
  • 89. (no transcript text)
  • 90. (no transcript text)
  • 91. Software OTP for Smartphone – http://itunes.apple.com/us/app/iotp/id328973960
  • 92. OCRA on a mobile
  • 93. google-authenticator – These implementations support: – HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 – Time-based One-time Password (TOTP) algorithm specified in RFC 6238 – Google Authenticator: Android, iOS and BlackBerry – http://code.google.com/p/google-authenticator/
  • 94. google-authenticator
  • 95. OCRA on Mobile
  • 96. OTP without PIN
  • 97. OTP PIN Protected
  • 98. OTP on Smartcard
  • 99. OTP with Smartcard
  • 100. OTP hybrid (OTP & PKI)
  • 101. YubiKey
  • 102. YubiKey
  • 103. (no transcript text)
  • 104. YubiKey – http://www.yubico.com/support/documentation/ – http://forum.yubico.com/ – http://code.google.com/p/yubico-pam/
  • 105. PKI – PKI AuthN
  • 106. PKI AuthN – Based on asymmetric encryption
  • 107. PKI Tokens Storage
  • 108. Public Key Cryptography 101
  • 109. Signature 101
  • 110. Signature – Verification 101
  • 111. Mutual AuthN SSL
  • 112. PKI Certificate Validation – CRL – Delta CRL – OCSP
  • 113. OCSP Validation
  • 114. (no transcript text)
  • 115. (no transcript text)
  • 116. (no transcript text)
  • 117. Crypto Processor – Source: Richard E. Smith / Authentication
  • 118. (no transcript text)
  • 119. (no transcript text)
  • 120. Smart Card
  • 121. Smart Card
  • 122. Smart Card – Crypto
  • 123. (no transcript text)
  • 124. (no transcript text)
  • 125. Biometrics – BIO AuthN
  • 126. Biometrics – Source: http://www.biometrics.gov/
  • 127. Biometric Terms – Source: http://www.biometrics.gov/
  • 128. Enrollment Process – Source: http://www.biometrics.gov/
  • 129. Components – Source: http://www.biometrics.gov/
  • 130. FRR / FAR – Source: http://www.biometrics.gov/
  • 131. TAR – Source: http://www.biometrics.gov/
  • 132. FAR – Source: http://www.biometrics.gov/
  • 133. Accept Rate Threshold – Source: http://www.biometrics.gov/
  • 134. Identification – Source: http://www.biometrics.gov/
  • 135. Identification – Source: http://www.biometrics.gov/
  • 136. Failure to Acquire – Source: http://www.biometrics.gov/
  • 137. Biometric Modalities – Source: http://www.biometrics.gov/
  • 138. Dynamic Signature – Source: http://www.biometrics.gov/
  • 139. Dynamic Signature History – Source: http://www.biometrics.gov/
  • 140. Dynamic Signature Technology – Source: http://www.biometrics.gov/
  • 141. Face Recognition – Source: http://www.biometrics.gov/
  • 142. Face Recognition History – Source: http://www.biometrics.gov/
  • 143. Face Recognition Technologies – Source: http://www.biometrics.gov/
  • 144. Principal Components Analysis (PCA) – Source: http://www.biometrics.gov/
  • 145. Linear Discriminant Analysis – Source: http://www.biometrics.gov/
  • 146. Elastic Bunch Graph Matching – Source: http://www.biometrics.gov/
  • 147. Fingerprinting – Source: http://www.biometrics.gov/
  • 148. Fingerprinting History – Source: http://www.biometrics.gov/
  • 149. Fingerprinting Technology – Source: http://www.biometrics.gov/
  • 150. Fingerprint Sensor – Source: http://www.biometrics.gov/
  • 151. Sensors USB
  • 152. Chipset
  • 153. PIV-FIPS 201 Sensors
  • 154. Tablet approach
  • 155. Fingerprint Software – Source: http://www.biometrics.gov/
  • 156. (no transcript text)
  • 157. (no transcript text)
  • 158. Hand Geometry – Source: http://www.biometrics.gov/
  • 159. Hand Geometry History – Source: http://www.biometrics.gov/
  • 160. Hand Geometry History – Source: http://www.biometrics.gov/
  • 161. Hand Geometry Technology – Source: http://www.biometrics.gov/
  • 162. Iris Recognition – Source: http://www.biometrics.gov/
  • 163. Iris Recognition History – Source: http://www.biometrics.gov/
  • 164. Iris Recognition Technology – Source: http://www.biometrics.gov/
  • 165. Iris Recognition Technology – Source: http://www.biometrics.gov/
  • 166. Palm Print – Source: http://www.biometrics.gov/
  • 167. Palm Print History – Source: http://www.biometrics.gov/
  • 168. Palm Print Technology – Source: http://www.biometrics.gov/
  • 169. Palm Print Technology – Source: http://www.biometrics.gov/
  • 170. Speaker Verification
  • 171. Speaker Verification History – Source: http://www.biometrics.gov/
  • 172. Speaker Verification Technology – Source: http://www.biometrics.gov/
  • 173. Speaker Verification Technology – Source: http://www.biometrics.gov/
  • 174. Speaker Verification Technology – Source: http://www.biometrics.gov/
  • 175. Vascular Pattern
  • 176. Vascular Pattern History – Source: http://www.biometrics.gov/
  • 177. Vascular Pattern Technology – Source: http://www.biometrics.gov/
  • 178. Vascular Pattern Technology – Source: http://www.biometrics.gov/
  • 179. Vascular Pattern Technology
  • 180. Device fingerprint – A device fingerprint (machine fingerprint, browser fingerprint) is information collected about a remote computing device for the purpose of identification.
  • 181. Biometrics Technology
  • 182. Biometrics Technology
  • 183. Match-on-Card
  • 184. (no transcript text)
  • 185. MOC
  • 186. MOC – Athena & Precise Biometrics
  • 187. (no transcript text)
  • 188. OATH approach – Open Authentication
  • 189. OATH Approach
  • 190. OATH Logical view
  • 191. OATH Physical view
  • 192. OATH Authentication Framework
  • 193. OATH Client framework
  • 194. OATH AuthN methods 1/2
  • 195. OATH AuthN methods 2/2
  • 196. OATH AuthN protocols 1/3
  • 197. OATH AuthN protocols 2/3
  • 198. OATH AuthN protocols 3/3
  • 199. OATH AuthN validation framework
  • 200. OATH validation protocols
  • 201. OATH provisioning
  • 202. Existing Credential Provisioning Protocols 1/2
  • 203. Existing Credential Provisioning Protocols 2/2
  • 204. Software Provisioning Protocols
  • 205. End Volume 1 – Sylvain MARET / @smaret – sylvain.maret@openid.ch – http://www.slideshare.net/smaret – http://www.linkedin.com/in/smaret
  • 206. Appendices
  • 207. Threat Modeling – DFD – STRIDE
  • 208. Threat Modeling Process – Vision – Diagram – Identify Threats – Validate – Mitigate
  • 209. DFD symbols
  • 210. DFD Symbols
  • 211. DFD Symbols
  • 212. Trust boundaries that intersect data flows – Points/surfaces where an attacker can interject – Machine boundaries, privilege boundaries and integrity boundaries are examples of trust boundaries – Threads in a native process are often inside a trust boundary, because they share the same privileges, rights, identifiers and access – Processes talking across a network always have a trust boundary
  • 213. DFD Level – Level 0, Context Diagram: very high-level; entire component / product / system – Level 1 Diagram: high level; single feature / scenario – Level 2 Diagram: low level; detailed sub-components of features – Level 3 Diagram: more detailed – Rare to need more layers, except in huge projects or when you’re drawing more trust boundaries
  • 214. STRIDE – Tool
    Threat | Property | Definition | Example
    Spoofing | Authentication | Impersonating something or someone else | Pretending to be any of billg, xbox.com or a system update
    Tampering | Integrity | Modifying data or code | Modifying a game config file on disk, or a packet as it traverses the network
    Repudiation | Non-repudiation | Claiming to have not performed an action | “I didn’t cheat!”
    Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Reading key material from an app
    Denial of Service | Availability | Deny or degrade service to users | Crashing the web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole
    Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote internet user to run commands is the classic example, but running kernel code from lower trust levels is also EoP
  • 215. STRIDE – Security Controls – STRIDE Threat List
    Threat Type | Security Control | Examples
    Spoofing | Authentication | Threat action aimed to illegally access and use another user’s credentials, such as username and password.
    Tampering | Integrity | Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet.
    Repudiation | Non-Repudiation | Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations.
    Information disclosure | Confidentiality | Threat action to read a file that one was not granted access to, or to read data in transit.
    Denial of service | Availability | Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable.
    Elevation of privilege | Authorization | Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system.
  • 216. STRIDE
  • 217. STRIDE
  • 218. DFD & STRIDE
  • 219. DFD AuthN 1FA
  • 220. DFD – AuthN 1FA / STRIDE
  • 221. HSPD-12 – PIV AuthN
  • 222. Homeland Security Presidential Directive / HSPD-12 – http://www.dhs.gov/homeland-security-presidential-directive-12
  • 223. FIPS 201 / PIV – Federal Information Processing Standard 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006 (see http://csrc.nist.gov) – FIPS 201 (Federal Information Processing Standard Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors. – http://www.idmanagement.gov/
  • 224. FICAM Roadmap
  • 225. FICAM Roadmap
  • 226. FICAM Roadmap
  • 227. FICAM Roadmap