Strong Authentication in Web Application / ConFoo.ca 2011

Strong Authentication in Web Application: State of the Art 2011

* Risk Based Authentication
* Biometry - Match on Card
* OTP for Smartphones
* PKI
* Mobile-OTP
* OATH-HOTP
* TOTP
* Open Source approach

How to integrate Strong Authentication in Web Application

* OpenID, SAML, Liberty Alliance / Kantara
* API, Agents, Web Services, Modules
* PAM, Radius, JAAS
* Reverse Proxy (WAF) and WebSSO
* PKI / SSL client authentication
* PHP example with Multi-OTP PHP class

Transcript

  • 1. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch
        Strong Authentication in Web Application. Sylvain Maret / Digital Security Expert / OpenID Switzerland. ConFoo.ca / 2011-03-10. Conseil en technologies
  • 2. Agenda
  • 3. Who am I? Security Expert; 17 years of experience in ICT Security; Principal Consultant at MARET Consulting; Expert at the Engineering School of Yverdon and Geneva University; Swiss French Area delegate at OpenID Switzerland; Co-founder of the Geneva Application Security Forum; OWASP Member; Author of the blog la Citadelle Electronique; http://ch.linkedin.com/in/smaret or @smaret. Chosen field: AppSec & Digital Identity Security
  • 4. Protection of digital identities: a topical issue… Strong Authentication
  • 5. Multi-factor Authentication 101: talk by Philippe Gamache, 2011-03-08 Montréal and 2011-03-09 Montréal OWASP Meeting
  • 6. «Digital identity is the cornerstone of trust» http://fr.wikipedia.org/wiki/Authentification_forte
  • 7. Strong Authentication: a new paradigm!
  • 8. Which Strong Authentication technology? Legacy Token / Old Model? / Open Source Solution?
  • 9.
  • 10. Comparison table of OTP, PKI (HW) and Biometry against: Strong authentication*, Encryption, Digital signature, Non-repudiation, Strong link with the user. (* Biometry type: fingerprinting)
  • 11. Strong Authentication with PKI
  • 12. PKI: Digital Certificate for Strong Authentication: Hardware Token (Crypto PKI); Software Certificate (PKCS#12 / PFX); TPM
  • 13. SSL/TLS Mutual Authentication: how does it work? Alice authenticates to the Web Server with SSL/TLS mutual authentication; the Web Server checks her certificate with an OCSP request to the Validation Authority, which answers Valid, Invalid or Unknown
  • 14. Demo #1: OpenID and Software Certificate using Clavid.ch http://www.clavid.com/
  • 15. Strong Authentication with Biometry (Match on Card technology): a reader; biometry; a SmartCard (a card with chip); MOC technology; crypto processor; PC/SC; PKCS#11; X.509 digital certificate
  • 16. Strong Authentication with (O)ne (T)ime (P)assword
  • 17. (O)ne (T)ime (P)assword: OTP Time Based; OTP Event Based; OTP Challenge Response Based. Others: OTP via SMS; OTP via email; Biometry and OTP; Bingo Card; etc.
  • 18. Crypto-101: OTP T-B? OTP E-B? OTP C-R-B?
  • 19. Crypto-101 / Time Based OTP: K = Secret Key / Seed, T = UTC Time, HASH function; OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
  • 20. Crypto-101 / Event Based OTP: K = Secret Key / Seed, C = Counter, HASH function; OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
  • 21. Crypto-101 / OTP Challenge Response Based: K = Secret Key / Seed, challenge = nonce, HASH function → OTP
  • 22. Other OTP technologies… OTP via SMS; “Flicker code” generator: software that converts already encrypted data into an optical screen animation (by Elcard)
  • 23. Demo #2: Protect WordPress (OTP via SMS)
  • 24. How to store my Secret Key? A Token!
  • 25. OTP Token: Software vs Hardware?
  • 26. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960
  • 27. New Standards & Open Source
  • 28. Technologies accessible to everyone: Initiative for Open AuTHentication (OATH): HOTP, TOTP, OCRA, etc.; Mobile OTP (uses MD5…)
  • 29. OATH Reference Architecture, Release 2.0 http://www.openauthentication.org/
  • 30. Initiative for Open AuTHentication (OATH): HOTP (Event Based OTP, RFC 4226); TOTP (Time Based OTP, Draft IETF Version 8); OCRA (Challenge/Response OTP, Draft IETF Version 13); Token Identifier Specification; etc.
  • 31. (R)isk (B)ased (A)uthentication
  • 32. RBA (Risk-Based Authentication) = Behavior Model
  • 33. 2 Step Verification from Google! Uses OATH-HOTP & TOTP http://code.google.com/p/google-authenticator/
  • 34. Integration with web application
  • 35. Web application: basic authentication model
  • 36. Web application: Strong Authentication model
  • 37. “Shielding” approach: perimetric authentication using WAF
  • 38. Module/Agent-based approach (example)
  • 39. API/SDK based approach (example)
  • 40. Demo #3: PHP Integration for phpMyAdmin
  • 41. Multi OTP PHP Class by André Liechti (Switzerland). Source code will be published soon: http://www.citadelle-electronique.net/ http://www.multiotp.net/
  • 42. Proof of Concept Code by Anne Gosselin, Antonio Fontes!
        if (!empty($_REQUEST['pma_username'])) {
            // The user just logged in
            $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
            // we combine both OTP + PIN code for the token verification
            $fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
            $fooOtp  = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];
            $GLOBALS['PHP_AUTH_PW'] = $fooPass . $fooOtp;
            // OTP CHECK
            require_once('./libraries/multiotp.class.php');
            $multiotp = new Multiotp();
            $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
            $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
            $multiotp->SetUsersFolder('./libraries/users/');
            $multiotp->SetLogFolder('./libraries/log/');
            $multiotp->EnableVerboseLog();
            $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);
            // only the PIN code is kept for accessing the database: strip the OTP suffix
            // (the end of this line is cut off on the slide; completed from the comment above)
            $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0,
                strlen($GLOBALS['PHP_AUTH_PW']) - strlen($fooOtp));
            // CheckToken() returns 0 on success; anything else ends the request
            if ($otpCheckResult == 0) {
                return true;
            } else {
                die("auth failed.");
            }
        }
  • 43. Think about Software Security! Cf. the talks by Antonio Fontes, Philippe Gamache and Sébastien Gioras
  • 44. Federated identities: a changing paradigm on authentication
  • 45. Federation of identity approach, a change of paradigm: using an IDP for Authentication and Strong Authentication. Identity Provider, Web App X, Web App Y
  • 46. SECTION 2 OpenID > What is it? > How does it work? > How to integrate?
  • 47. OpenID - What is it? > Internet Single Sign-On > Free Choice of Identity Provider > Relatively Simple Protocol > No License Fee > User-Centric Identity Management > Independent of Identification Methods > Internet Scalable > Non-Profit Organization
  • 48. OpenID - How does it work? Actors: User (Hans Muster), Identity Provider (e.g. clavid.com, hans.muster.clavid.com), Enabled Service. Identity URL: https://hans.muster.clavid.com. Caption: 1. User enters OpenID; 2. Discovery; 3. Authentication; 4. Approval; 4a. Change Attributes; 5. Send Attributes; 6. Validation
  • 49. Demo #4: Apache and Mod_OpenID (Using Biometry / OTP)
  • 50. Demo #4: Challenge / Response OTP with Biometry
  • 51. Surprise! You may already have an OpenID!
  • 52. Other Well Known & Simple Providers http://en.wikipedia.org/wiki/List_of_OpenID_providers
  • 53. Get an OpenID with Strong Authentication for free!
  • 54. SECTION 1 SAML > What is it? > How does it work?
  • 55. Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)
  • 56. SAML – What is it? SAML (Security Assertion Markup Language): > Defined by the OASIS Group > Well and Academically Designed Specification > Uses XML Syntax > Used for Authentication & Authorization > SAML Assertions > Statements: Authentication, Attribute, Authorization > SAML Protocols > Queries: Authentication, Artifact, Name Identifier Mapping, etc. > SAML Bindings > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact > SAML Profiles > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile
  • 57. SAML – How does it work? User (Hans Muster), Identity Provider (e.g. clavid.ch), Enabled Service (e.g. Google Apps for Business); the exchange steps 1 to 6 are numbered in the diagram
  • 58. Example with HTTP POST Binding. Actors: Browser, Web App (SAML Ready), IDP (MC), User. Diagram labels: 1 Access Resource; 2 AuthN; 3 Redirect 302 with <AuthnRequest>; 4 <AuthnRequest> to the Single Sign On Service; 5a Credential Challenge; 5b User Login + PIN; 6 <Response> in HTML Form; 7 POST <Response> to the ACS; 8 Resource
  • 59. Questions? www.maret-consulting.ch
  • 60. Resources on Internet 1/2: http://motp.sourceforge.net/ ; http://www.clavid.ch/otp ; http://code.google.com/p/mod-authn-otp/ ; http://www.multiotp.net/ ; http://www.openauthentication.org/ ; http://wiki.openid.net/ ; http://www.citadelle-electronique.net/
  • 61. Resources on Internet 2/2: http://rcdevs.com/products/openotp/ ; https://github.com/adulau/paper-token ; http://www.yubico.com/yubikey ; http://code.google.com/p/mod-authn-otp/ ; http://www.nongnu.org/oath-toolkit/ ; http://www.gpaterno.com/publications/2010/dublin_oss barcamp_2010_otp_with_oss.pdf
  • 62. "Advice and expertise for choosing and implementing innovative technologies in information systems security and digital identity"
  • 63. A strong conviction! Strong authentication
  • 64. A major event in the world of strong authentication: 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive: «Single Factor Authentication» is not enough for web financial applications; before the end of 2006 it is compulsory to implement a strong authentication system; http://www.ffiec.gov/press/pr101205.htm. And the PCI DSS standard: compulsory strong authentication for remote access. And now European regulations: Payment Services Directive (2007/64/CE) for banks. Social Networks, Open Source
  • 65. Out of Band Authentication
  • 66. Phone Factor
  • 67. SAML
  • 68. SAML AuthnRequest transfer via browser: Redirect-Binding, POST-Binding
  • 69. A SAML AuthnRequest (no magic, just XML)
        <?xml version="1.0" encoding="UTF-8"?>
        <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
            ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb"
            Version="2.0"
            IssueInstant="2008-10-14T00:57:14Z"
            ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            ProviderName="google.com"
            ForceAuthn="false"
            IsPassive="false"
            AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">
          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
          <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
        </samlp:AuthnRequest>
  • 70. SAML Assertion transfer via browser: POST-Binding
  • 71. A SAML Assertion Response (no magic, just XML)
        <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
            ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
            InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
            Version="2.0"
            IssueInstant="2008-10-15T17:24:46Z"
            Destination="https://www.google.com/a/unopass.net/acs">
          <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
          <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
          </samlp:Status>
          <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z" Version="2.0">
            <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
            <Signature> … A DIGITAL SIGNATURE … </Signature>
            ...
  • 72. A SAML Assertion Response (no magic, just XML)
            ...
            <saml:Subject>
              <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso">sylvain.maret</saml:NameID>
              <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
                <saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
                    NotOnOrAfter="2008-10-15T17:34:46Z"
                    Recipient="https://www.google.com/a/unopass.net/acs"/>
              </saml:SubjectConfirmation>
            </saml:Subject>
            ...
  • 73. A SAML Assertion Response (no magic, just XML)
            ...
            <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z">
              <saml:AudienceRestriction>
                <saml:Audience>google.com</saml:Audience>
              </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z" SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
              <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
              </saml:AuthnContext>
            </saml:AuthnStatement>
          </saml:Assertion>
        </samlp:Response>
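Slides 19, 20 and 30 give the OTP formulas but not the server side of the check. The Python below is an added example (not from the slides or the multiOTP class) that implements HOTP as RFC 4226 specifies it and TOTP on top of it, then shows the verification a server needs: a look-ahead counter window for event-based tokens and a clock-skew window with a last-accepted step for time-based ones. The key is the RFC 4226 test key; the window sizes are assumptions.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D test key (20 ASCII bytes); a real deployment uses a random per-user seed.
TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Slide 20: OTP(K, C) = Truncate(HMAC-SHA-1(K, C)); C is an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Slide 19: the same construction with T = floor(UTC seconds / step) as the counter."""
    return hotp(key, unix_time // step, digits)


def verify_hotp(key: bytes, code: str, last_counter: int, look_ahead: int = 5):
    """Event-based verification. Only counters strictly above the last accepted one are
    tried (so a replayed code never matches), within a small look-ahead window that
    tolerates button presses the server never saw. Returns the counter to persist, or None."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(key, c).encode(), code.encode()):
            return c
    return None


def verify_totp(key: bytes, code: str, unix_time: int, last_step: int = -1,
                skew_steps: int = 1, step: int = 30):
    """Time-based verification allowing +/- skew_steps of clock drift. Steps at or below
    last_step are refused so a code cannot be replayed inside its own validity window.
    Returns the accepted step (to persist as last_step), or None."""
    now_step = unix_time // step
    for t in range(now_step - skew_steps, now_step + skew_steps + 1):
        if t > last_step and hmac.compare_digest(hotp(key, t).encode(), code.encode()):
            return t
    return None
```

The RFC 4226 test vectors (755224, 287082, 359152, ... for counters 0, 1, 2, ...) are a quick way to check an implementation before wiring it to a real seed store.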