INA Volume 1/3 Version 1.02 Released / Digital Identity and Authentication

C0 - Introduction
C1 - Definition
C2 - Tokens / Authentication factors
C3 – Password
C4 - One Time Password - OTP
C5 - OTP / OATH standards
C6 - OTP solution
C7 - AuthN PKI
C8 - Biometrics
C9 - OATH approach



  1. INA – Volume 1 / Sylvain MARET / Version 1.02 Released 2013-03-13 INA Volume 1 – Version 1.02 / @smaret 2013
  2. [no slide text]
  3. Who am I? ICT Security Consultant
     – 18 years of experience in ICT Security
     – Principal Consultant at MARET Consulting
     – Expert at Engineer School of Yverdon-les-Bains
     – Member of board OpenID Switzerland
     – Co-founder Application Security Forum #ASFWS
     – OWASP Member Switzerland
     – Author of the blog: la Citadelle Electronique
     – http://ch.linkedin.com/in/smaret or @smaret
     – http://www.slideshare.net/smaret
     Chosen field – AppSec & Digital Identity Security
  4. Agenda Volume 1: C0 - Introduction; C1 - Definition; C2 - Tokens / Authentication factors; C3 – Password; C4 - One Time Password - OTP; C5 - OTP / OATH standards; C6 - OTP solution; C7 - AuthN PKI; C8 - Biometrics; C9 - OATH approach
  5. Digital Identity?
  6. Definition (Wikipédia French)
  7. Definition
  8. Identity: A set of attributes that uniquely describe a person or information system within a given context. (Source = NIST Special Publication 800-63-1)
  9. Authentication: The process of establishing confidence in the identity of users or information systems. (Source = NIST Special Publication 800-63-1)
  10. Electronic Authentication (E-Authentication): The process of establishing confidence in user identities electronically presented to an information system. (Source = NIST Special Publication 800-63-1)
  11. Claimant: A party whose identity is to be verified using an authentication protocol. (Source = NIST Special Publication 800-63-1)
  12. Subscriber: A party who has received a credential or token from a CSP. (Source = NIST Special Publication 800-63-1)
  13. Token: Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant's identity. (Source = NIST Special Publication 800-63-1)
  14. TokenCode / PassCode: TokenCode = OTP Display; PassCode = PIN Code * TokenCode
  15. Credential: An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. (Source = NIST Special Publication 800-63-1)
  16. Identity Proofing: The process by which a CSP and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person. (Source = NIST Special Publication 800-63-1)
  17. Credential Service Provider (CSP): A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. (Source = NIST Special Publication 800-63-1)
  18. Registration Authority (RA): A trusted entity that establishes and vouches for the identity or attributes of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). (Source = NIST Special Publication 800-63-1)
  19. Verifier: An entity that verifies the Claimant's identity by verifying the Claimant's possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status. (Source = NIST Special Publication 800-63-1)
  20. Relying Party (RP): An entity that relies upon the Subscriber's token and credentials or a Verifier's assertion of a Claimant's identity, typically to process a transaction or grant access to information or a system. (Source = NIST Special Publication 800-63-1)
  21. Authentication Protocol: A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier. (Source = NIST Special Publication 800-63-1)
  22. AuthN & AuthZ: AuthN, aka the authentication process; AuthZ, aka the authorization process
  23. [no slide text]
  24. Tokens / Authentication factors
  25. Authentication factors: Something you know; Something you have; Something you are
  26. Strong Authentication / Multi-factor authentication: Multi-factor authentication refers to the use of more than one of the factors listed below:
      – Something you know
      – Something you have
      – Something you are
  27. Two-factor authentication – TFA – T-FA – 2FA
  28. Knowledge factors: "something the user knows"
      – Password – a password is a secret word or string of characters that is used for user authentication.
      – PIN – a personal identification number (PIN) is a secret numeric password.
      – Pattern – a pattern is a sequence of cells in an array that is used for authenticating the user.
  29. Possession factors: "something the user has": Tokens with a display; USB tokens; Smartphone; Smartcards; Wireless (RFID, NFC); Etc.
  30. Inherence factors: "something the user is or does"
      – Physiological biometrics: Fingerprint recognition; Facial recognition system; Iris recognition; Etc.
      – Behavioral biometrics: Keystroke dynamics; Speaker recognition; Geo Localization; Etc.
  31. PASSWORD
  32. http://www.wired.co.uk/magazine/archive/2013/01/features/hacked
  33. http://www.wired.com/wiredenterprise/2013/01/google-password/
  34. Password Factor: Something you know – PIN Code, Password, Passphrase. Aka 1FA
  35. Password Entropy / Password strength: Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.
  36. Password Entropy / Password strength – http://en.wikipedia.org/wiki/Password_strength
  37. Password Entropy / Password strength – http://en.wikipedia.org/wiki/Password_strength
  38. Characteristics of weak passwords
      – based on common dictionary words, including dictionary words that have been altered:
        • Reversed (e.g., "terces")
        • Mixed case (e.g., SeCreT)
        • Character/Symbol replacement (e.g., "$ecret")
        • Words with vowels removed (e.g., "scrt")
      – based on common names
      – short (under 6 characters)
      – based on keyboard patterns (e.g., "qwertz")
      – composed of a single symbol type (e.g., all characters)
  39. Characteristics of strong passwords – Strong passwords:
      – contain at least one of each of the following:
        • digit (0..9)
        • letter (a..Z)
        • punctuation symbol (e.g., !)
        • control character
      – are based on a verse (e.g., passphrase) from an obscure work where the password is formed from the characters in the verse
  40. https://xkcd.com/936/
  41. Test your password! https://www.microsoft.com/security/pc-security/password-checker.aspx
  42. Password Manager – http://keepass.info/
  43. Password Manager – http://passwordsafe.sourceforge.net/
  44. Password Generator
  45. Threat Model AuthN 1FA
  46. Password / Threats: Man In The Middle Attacks; Phishing Attacks; Pharming Attacks – DNS Cache Poisoning; Trojan Attacks; Man-in-the-Phone Attacks (Man-in-the-Mobile/MitMo Attacks); Man-in-the-Browser Attacks; Browser Poisoning; Password Sniffing; Brute Force Attack; Dictionary Attacks; Default Password; Social Engineering
  47. Password Cracking Tools: Cain & Abel; John the Ripper; L0phtCrack; Ophcrack; THC Hydra; Aircrack (WEP/WPA cracking tool); Etc.
  48. Rainbow table: A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.
  49. Ophcrack
  50. Defense against rainbow tables: A rainbow table is ineffective against one-way hashes that include salts.
  51. Password Storage Cheat Sheet – Password Storage Rules
      – Rule 1: Use An Adaptive One-Way Function • bcrypt, PBKDF2 or scrypt
      – Rule 2: Use a Long Cryptographically Random Per-User Salt
      – Rule 3: Iterate the hash
      – Rule 4: Encrypt the Hash Data With a Keyed Algorithm
      https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
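Slides 48–51 are worked through below as an added example (not code from the slides or from OWASP): a precomputed digest-to-password table defeats an unsalted SHA-1 store, but not PBKDF2 with a random per-user salt, and verification is done in constant time. The choice of PBKDF2-HMAC-SHA256, the record format, the iteration count and the sample word list are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Example parameters (assumptions, not from the slides): PBKDF2-HMAC-SHA256 with
# a 16-byte random salt. Raise ITERATIONS as hardware gets faster; the record
# format stores the count so existing users can be migrated later.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Rules 1-3: adaptive one-way function, random per-user salt, iterated.

    Returns a self-describing record "alg$iterations$salt_hex$digest_hex".
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)              # Rule 2: long, random, per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)  # Rules 1 and 3
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the stored salt and iteration count, then
    compare in constant time so timing does not reveal how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha1(password: str) -> str:
    """The weak scheme a rainbow table targets: one fixed digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_precomputed_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Toy stand-in for a rainbow table: digest -> password over a word list.
    (A real rainbow table stores hash chains, but the lookup semantics match.)"""
    return {unsalted_sha1(p): p for p in candidates}


def lookup(table: Dict[str, str], digest_hex: str) -> Optional[str]:
    return table.get(digest_hex)


def salt_defeats_table(password: str, candidates: Iterable[str]) -> bool:
    """Why slide 50 holds: the unsalted digest of `password` is found in the
    precomputed table, the salted PBKDF2 digest of the same password is not,
    and two users sharing a password get different records."""
    table = build_precomputed_table(candidates)
    unsalted_hit = lookup(table, unsalted_sha1(password)) == password
    record_a = hash_password(password)
    record_b = hash_password(password)
    salted_digest = record_a.split("$")[3]
    salted_hit = lookup(table, salted_digest) is not None
    return unsalted_hit and not salted_hit and record_a != record_b


if __name__ == "__main__":
    wordlist = ["secret", "qwertz", "terces", "$ecret"]  # constructed sample list
    print(salt_defeats_table("secret", wordlist))        # True
```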
  52. Hashcat / GPU: 25-GPU cluster cracks every standard Windows password in <6 hours – It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
  53. Password sniffing
  54. DFD – Weak Protocol (Telnet)
  55. Weak protocols: Telnet; FTP; IMAP; POP3; LDAP; Etc.
  56. ARP Spoofing
  57. DFD - SSH
  58. Man-in-the-middle attack, often abbreviated MITM, MitM, MIM, MiM, MITMA
  59. Man-in-the-middle attack: Ettercap; SSLStrip; SSLSniff; Mallory; Etc.
  60. Keylogger / Keystroke logging: Software-based keyloggers – Malware – Mobile; Hardware-based keyloggers
  61. Wireless sniffing – TEMPEST http://lasecwww.epfl.ch/keyboard/
  62. Malicious Code Evolution
  63. Malware
  64. Zeus
  65. [no slide text]
  66. Default Password
  67. One Time Password - OTP / Strong AuthN OTP
  68. OTP Technology / Standards: Based on a shared secret key (symmetric crypto)
      – Approach: Time Based OTP; Event Based OTP; Challenge Response OTP; Out-of-band OTP; Transaction Signing OTP; Others
      – Standards: OATH
  69. Time Based OTP: K = Secret Key / Seed, T = UTC Time → HMAC → OTP
  70. Event Based OTP: K = Secret Key / Seed, C = Counter → HMAC → OTP
  71. OTP Challenge Response Based: K = Secret Key / Seed, Challenge nonce → HASH Function → OTP
  72. Source = CSE331: Introduction to Networks and Security
  73. Transaction Signing OTP (Source = Safenet)
  74. Token OTP pin protected (Source: Richard E. Smith / Authentication)
  75. Token OTP pin protected (Source: Richard E. Smith / Authentication)
  76. Other OTP: SMS OTP; TAN; paper-based OTP; Bingo Card; Etc.
  77. Out-of-band - SMS OTP
  78. Out-of-band - TAN OTP
  79. paper-based OTP https://github.com/adulau/paper-token
  80. Bingo Card OTP
  81. Other OTP technologies… "Flicker code" Generator: Software that converts already encrypted data into optical screen animation
  82. OTP / OATH standards / Authentication Methods
  83. HMAC – 101 (Keyed-Hashing for Message Authentication) http://www.ietf.org/rfc/rfc2104.txt
  84. OATH - Authentication Methods: HOTP: An HMAC-Based OTP Algorithm (RFC 4226); TOTP - Time-based One-time Password Algorithm (RFC 6238); OCRA - OATH Challenge/Response Algorithms Specification (RFC 6287)
  85. HOTP: An HMAC-Based One-Time Password Algorithm – RFC 4226 http://www.ietf.org/rfc/rfc4226.txt – Event Based OTP – Uses HMAC: Keyed-Hashing for Message Authentication (RFC 2104)
  86. HOTP – Crypto 101
  87. HOTP – Crypto 101
  88. TOTP - Time-based One-time Password Algorithm – RFC 6238 http://www.ietf.org/rfc/rfc6238.txt – Time Based OTP – Uses HMAC: Keyed-Hashing for Message Authentication (RFC 2104)
  89. TOTP – Crypto 101
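Slides 69–70 and 85–89 describe HOTP and TOTP as an HMAC over a counter or a time step; the following is an added example (not code from the slides or from the OATH reference implementations) of both algorithms plus the verifier-side checks, validated against the test vectors published in RFC 4226 and RFC 6238. The look-ahead and time-window sizes are assumptions for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Reference secret used by the RFC 4226 / RFC 6238 test vectors (ASCII digits).
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(K, C) over the 8-byte big-endian counter, then
    'dynamic truncation' (low nibble of the last MAC byte selects a 4-byte
    window, top bit cleared), reduced modulo 10^digits and zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP is HOTP with the counter replaced by the time step
    T = floor((now - T0) / X); the default X is 30 seconds."""
    return hotp(key, (unix_time - t0) // step, digits, algorithm)


def verify_hotp(key: bytes, submitted: str, server_counter: int,
                look_ahead: int = 10) -> Optional[int]:
    """Verifier side (RFC 4226 sect. 7.2): the token may be ahead of the server
    because of unused button presses, so a look-ahead window is searched. On
    success return the next counter to store, so the accepted value cannot be
    replayed; otherwise return None. Comparison is constant time."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            return c + 1
    return None


def verify_totp(key: bytes, submitted: str, unix_time: int, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift and
    transmission delay (RFC 6238 sect. 5.2). Replay protection within a step
    still requires the verifier to remember the last accepted step."""
    now_step = unix_time // step
    return any(hmac.compare_digest(hotp(key, now_step + d, digits), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC_TEST_KEY, c)}")
    print(f"TOTP at T=59 (8 digits): {totp(RFC_TEST_KEY, 59, digits=8)}")
```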
  90. Challenge Response OTP – RFC 6287 http://www.ietf.org/rfc/rfc6287.txt – OCRA: OATH Challenge-Response Algorithm
  91. OCRA – Crypto 101
  92. OCRA – Crypto 101
  93. OCRA – Crypto 101
  94. OATH module 1/2
      http://packages.debian.org/source/testing/oath-toolkit
      https://pypi.python.org/pypi/oath/1.0
      http://www.nongnu.org/oath-toolkit/
      https://github.com/jennings/OATH.Net
      http://search.cpan.org/~sifukurt/Authen-OATH-v1.0.0/lib/Authen/OATH.pm
      http://code.google.com/p/mod-authn-otp/
      https://code.google.com/p/oathtoken/
      http://code.google.com/p/oathtoken/wiki/WebProvisioning
  95. OATH module 2/2
      http://freecode.com/projects/linotp
      http://sourceforge.net/projects/rcdevs-openotp/
      http://www.multiotp.net/
      http://www.rcdevs.com/products/openotp/
      http://blog.josefsson.org/2011/01/20/introducing-the-oath-toolkit/
      http://www.linotp.org/
  96. MobileOTP: Based on MD5, Time Based OTP – http://motp.sourceforge.net/ http://security.edu.pl/motp-as/login.php
  97. OTP solution / OTP AuthN
  98. [no slide text]
  99. [no slide text]
  100. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960
  101. google-authenticator – These implementations support:
       – HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226
       – Time-based One-time Password (TOTP) algorithm specified in RFC 6238
       – Google Authenticator • Android, iOS and Blackberry
       http://code.google.com/p/google-authenticator/
  102. google-authenticator
  103. OCRA on a mobile
  104. OCRA on Mobile
  105. OTP without PIN
  106. OTP Pin Protected
  107. OTP on Smartcard
  108. OTP with Smartcard
  109. OTP hybrid (OTP & PKI)
  110. YubiKey
  111. YubiKey
  112. [no slide text]
  113. Yubikey http://www.yubico.com/support/documentation/ http://forum.yubico.com/ http://code.google.com/p/yubico-pam/
  114. RSA SecurID 1/3
  115. RSA SecurID 2/3
  116. RSA SecurID 3/3
  117. [no slide text]
  118. Where is the seed?
  119. [no slide text]
  120. Seed generation & distribution? Still a good model? (diagram: secret key K1; Threat Agent: Editor / Vendor (APT); Secret Key is generated on premise)
  121. RSA SecurID
  122. TokenCode
  123. Generate Seed on premise
  124. [no slide text]
  125. PKI / PKI AuthN
  126. PKI AuthN: Based on asymmetric encryption
  127. PKI Tokens Storage
  128. Public Key Cryptography 101
  129. Signature 101
  130. Signature – Verification 101
  131. Mutual AuthN SSL
  132. PKI Certificate Validation: CRL; Delta CRL; OCSP
  133. OCSP Validation
  134. [no slide text]
  135. [no slide text]
  136. [no slide text]
  137. Crypto Processor (Source: Richard E. Smith / Authentication)
  138. [no slide text]
  139. [no slide text]
  140. Smart Card
  141. Smart Card
  142. Smart Card - Crypto
  143. [no slide text]
  144. [no slide text]
  145. PKI Tokens
  146. Biometrics / BIO AuthN
  147. Biometrics (Source: http://www.biometrics.gov/)
  148. Biometric Terms (Source: http://www.biometrics.gov/)
  149. Enrollment Process (Source: http://www.biometrics.gov/)
  150. Components (Source: http://www.biometrics.gov/)
  151. FRR / FAR (Source: http://www.biometrics.gov/)
  152. TAR (Source: http://www.biometrics.gov/)
  153. FAR (Source: http://www.biometrics.gov/)
  154. Accept Rate Threshold (Source: http://www.biometrics.gov/)
  155. Identification (Source: http://www.biometrics.gov/)
  156. Identification (Source: http://www.biometrics.gov/)
  157. Failure to Acquire (Source: http://www.biometrics.gov/)
  158. Biometric Modalities (Source: http://www.biometrics.gov/)
  159. Dynamic Signature (Source: http://www.biometrics.gov/)
  160. Dynamic Signature History (Source: http://www.biometrics.gov/)
  161. Dynamic Signature Technology (Source: http://www.biometrics.gov/)
  162. Face Recognition (Source: http://www.biometrics.gov/)
  163. Face Recognition History (Source: http://www.biometrics.gov/)
  164. Face Recognition Technologies (Source: http://www.biometrics.gov/)
  165. Principal Components Analysis (PCA) (Source: http://www.biometrics.gov/)
  166. Linear Discriminant Analysis (Source: http://www.biometrics.gov/)
  167. Elastic Bunch Graph Matching (Source: http://www.biometrics.gov/)
  168. Fingerprinting (Source: http://www.biometrics.gov/)
  169. Fingerprinting History (Source: http://www.biometrics.gov/)
  170. Fingerprinting Technology (Source: http://www.biometrics.gov/)
  171. Fingerprint Sensor (Source: http://www.biometrics.gov/)
  172. Sensors USB
  173. Chipset
  174. PIV-FIPS 201 Sensors
  175. Tablet approach
  176. Windows Biometric Framework (Source = Microsoft)
  177. Fingerprint Software (Source: http://www.biometrics.gov/)
  178. [no slide text]
  179. [no slide text]
  180. Hand Geometry (Source: http://www.biometrics.gov/)
  181. Hand Geometry History (Source: http://www.biometrics.gov/)
  182. Hand Geometry History (Source: http://www.biometrics.gov/)
  183. Hand Geometry Technology (Source: http://www.biometrics.gov/)
  184. Iris Recognition (Source: http://www.biometrics.gov/)
  185. Iris Recognition History (Source: http://www.biometrics.gov/)
  186. Iris Recognition Technology (Source: http://www.biometrics.gov/)
  187. Iris Recognition Technology (Source: http://www.biometrics.gov/)
  188. Palm Print (Source: http://www.biometrics.gov/)
  189. Palm Print History (Source: http://www.biometrics.gov/)
  190. Palm Print Technology (Source: http://www.biometrics.gov/)
  191. Palm Print Technology (Source: http://www.biometrics.gov/)
  192. Speaker Verification
  193. Speaker Verification History (Source: http://www.biometrics.gov/)
  194. Speaker Verification Technology (Source: http://www.biometrics.gov/)
  195. Speaker Verification Technology (Source: http://www.biometrics.gov/)
  196. Speaker Verification Technology (Source: http://www.biometrics.gov/)
  197. Vascular Pattern
  198. Vascular Pattern History (Source: http://www.biometrics.gov/)
  199. Vascular Pattern Technology (Source: http://www.biometrics.gov/)
  200. Vascular Pattern Technology (Source: http://www.biometrics.gov/)
  201. Vascular Pattern Technology
  202. Device fingerprint - DNA: A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification.
  203. Fingerprint a Computer (Source = The Wall Street Journal)
  204. Biometrics Technology
  205. Match-on-Card
  206. [no slide text]
  207. MOC
  208. MOC – Athena & Precise Biometrics
  209. [no slide text]
  210. OATH approach / Open Authentication
  211. OATH Approach
  212. OATH Logical view
  213. OATH Physical view
  214. OATH Authentication Framework
  215. OATH Client framework
  216. OATH AuthN methods 1/2
  217. OATH AuthN methods 2/2
  218. OATH AuthN protocols 1/3
  219. OATH AuthN protocols 2/3
  220. OATH AuthN protocols 3/3
  221. OATH AuthN validation framework
  222. OATH validation protocols
  223. OATH provisioning
  224. Existing Credential Provisioning Protocols 1/2
  225. Existing Credential Provisioning Protocols 2/2
  226. Software Provisioning Protocols
  227. End Volume 1 – Sylvain MARET / @smaret – sylvain.maret@openid.ch – http://www.slideshare.net/smaret – http://www.linkedin.com/in/smaret
  228. Appendices
  229. Threat Modeling / DFD / STRIDE
  230. Threat Modeling Process: Vision → Diagram → Identify Threats → Mitigate → Validate
  231. DFD symbols
  232. DFD Symbols
  233. DFD Symbols
  234. Trust boundaries that intersect data flows: Points/surfaces where an attacker can interject
       – Machine boundaries, privilege boundaries, integrity boundaries are examples of trust boundaries
       – Threads in a native process are often inside a trust boundary, because they share the same privileges, rights, identifiers and access
       – Processes talking across a network always have a trust boundary
  235. DFD Level
       – Level 0 - Context Diagram – Very high-level; entire component / product / system
       – Level 1 Diagram – High level; single feature / scenario
       – Level 2 Diagram – Low level; detailed sub-components of features
       – Level 3 Diagram – More detailed – Rare to need more layers, except in huge projects or when you're drawing more trust boundaries
  236. STRIDE - Tool (Threat | Property | Definition | Example)
       – Spoofing | Authentication | Impersonating something or someone else | Pretending to be any of billg, xbox.com or a system update
       – Tampering | Integrity | Modifying data or code | Modifying a game config file on disk, or a packet as it traverses the network
       – Repudiation | Non-repudiation | Claiming to have not performed an action | "I didn't cheat!"
       – Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Reading key material from an app
       – Denial of Service | Availability | Deny or degrade service to users | Crashing the web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole
       – Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote internet user to run commands is the classic example, but running kernel code from lower trust levels is also EoP
  237. STRIDE – Security Controls (STRIDE Threat List: Threat | Security Control Type | Examples)
       – Spoofing | Authentication | Threat action aimed to illegally access and use another user's credentials, such as username and password.
       – Tampering | Integrity | Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet.
       – Repudiation | Non-Repudiation | Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations.
       – Information disclosure | Confidentiality | Threat action to read a file that one was not granted access to, or to read data in transit.
       – Denial of service | Availability | Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable.
       – Elevation of privilege | Authorization | Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system.
  238. STRIDE
  239. STRIDE
  240. DFD & STRIDE
  241. DFD AuthN 1FA
  242. DFD – AuthN 1FA / STRIDE
  243. HSPD-12 / PIV AuthN
  244. Homeland Security Presidential Directive/HSPD-12 http://www.dhs.gov/homeland-security-presidential-directive-12
  245. FIPS 201 / PIV: Federal Information Processing Standard 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006 (see http://csrc.nist.gov). FIPS 201 (Federal Information Processing Standard Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors. http://www.idmanagement.gov/
  246. FICAM Roadmap
  247. [no slide text]
  248. [no slide text]
  249. LOA http://www.idmanagement.gov/
  250. LOA
  251. FICAM Roadmap - PACS
  252. FICAM Roadmap - PACS
  253. FICAM Roadmap
  254. PIV Card & Reader
  255. PIVMAN – FIPS 201
