Strong Authentication in Web Application         “State of the Art 2011”      Sylvain Maret / Digital Security Expert / Op...
RSA FAILED ?
Who am I?   Security Expert        17 years of experience in ICT Security        Principal Consultant at MARET Consulti...
Protection of digital identities: a topical issue…                                    Strong Auth
«Digital identity is the cornerstone of trust»         http://fr.wikipedia.org/wiki/Authentification_forte
Definition of strong authentication       Strong Authentication on Wikipedia
Strong Authentication A new paradigm?
Which Strong Authentication technology ?Legacy Token / OTP / PKI / SuisseID ? / Open Source Solution ?
OTP   PKI (HW)   Biometry    Strong authentication  EncryptionDigital signatureNon repudiationStrong link with    the user
Strong Authentication      with PKI
PKI: Digital Certificate                           Hardware Token (Crypto PKI)                              Strong Authent...
SSL/TLS Mutual Authentication : how does it work?                     Validation                     Authority   CRL     o...
Demo #1: Software Certificate Auth using an IDP OpenID          http://www.clavid.com/
Strong Authentication with Biometry (Match on Card technology)   A reader       Biometry       SmartCard   A card with...
Strong Authentication         With(O)ne (T)ime (P)assword
(O)ne (T)ime (P)assword   OTP Time Based           Others:       Like SecurID                                 OTP via ...
OTP T-B?OTP E-B?OTP C-R-B?Crypto - 101
Crypto-101 / Time Based OTP                                     HASH FunctionK=Secret Key / Seed                          ...
Crypto-101 / Event Based OTP                                      HASH FunctionK=Secret Key / Seed                        ...
Crypto-101 / OTP Challenge Response Based                                    HASH FunctionK=Secret Key / Seed             ...
Other[s] OTP technologies…OTP Via SMS                             “Flicker code” Generator Software                       ...
Demo #2: Protect WordPress (OTP Via SMS)
How to Storemy Secret Key ?   A Token !
OTP Token: Software vs Hardware ?
Software OTP for Smartphone       http://itunes.apple.com/us/app/iotp/id328973960
Where are[is] the seed ?
Seed generation & distribution ? Still a good model ?                                                  K1    Threat    Age...
TokenCode
New Standards     &Open Source
Technologies accessible to everyone    Initiative for Open AuTHentication (OATH)       HOTP       TOTP       OCRA    ...
Initiative for Open AuTHentication (OATH)   HOTP       Event Based OTP                       Token Identifier       RF...
(R)isk(B)ased(A)uthentication
RBA (Risk-Based Authentication) = Behavior Model
Use OATH-HOTP & TOTPhttp://code.google.com/p/google-authenticator/
Integration withweb application
Web application: basic authentication model
Web application: Strong Authentication Implementation Blueprint
“Shielding" approach: perimetric authentication using Reverse Proxy / WAF
Module/Agent-based approach (example)
Demo #3: Apache and Mod_OpenID (Using Biometry / OTP)
Demo #3: Challenge / Response OTP with Biometry
API/SDK based approach (example)
Multi OTP PHP Class Demo #4 & Hardening OS
Proof of Concept Code by           Anne Gosselin, Antonio Fontes, Sylvain Maret !if (! empty($_REQUEST[pma_username])) {  ...
Step1: Add a new method using cookie authentication                            In config.inc.phpHowto #1
Step2: Add pma_otp field  In common.inc.php
Step3: Add new input File ori: cookie.auth.lib.phpNew file: cookieotp.auth.lib.php
File ori: cookie.auth.lib.php
New file: cookieotp.auth.lib.php   Step3: Call multiotp
Demo 4#: PHP[OTP] integration for[in] phpmyadmin
Multi OTP PHP Class by André Liechti (Switzerland)      Source Code will be publish soon:      http://www.citadelle-electr...
SSH Hardening with OTP Multi OTP PHP Class                               AES 256                                          ...
Strong AuthenticationStrong Authentication and Application Security                                     &   Application Se...
Threat Modeling“detecting web applicationthreats before coding”
ICAM:a changing paradigmon Strong Authentication
Federation of identity approach a change of paradigm:using IDP for Authentication and Strong Authentication               ...
SECTION 2OpenID> What is it?> How does it work?> How to integrate?
OpenID - What is it?>   Internet SingleSignOn              >   Free Choice of Identity Provider>   Relatively Simple Proto...
OpenID - How does it work?     User Hans Muster                                    3                                   4, ...
Surprise! You may already    have an OpenID !
Other Well Known       &Simple Providers      http://en.wikipedia.org/wiki/List_of_OpenID_providers
Get an OpenID with Strong Authentication for free !
Questions ?
Resources on Internet 1/2   http://motp.sourceforge.net/   http://www.clavid.ch/otp   http://code.google.com/p/mod-auth...
Resources on Internet 2/2   http://rcdevs.com/products/openotp/   https://github.com/adulau/paper-token   http://www.yu...
Backup Slides
Kerckhoffss Principle ?
Une conviction forte !Authentification forte
SECTION 1SAML>What is it?>How does it work?
Using SAML for Authentication and Strong Authentication                                                             (Asser...
SAML – What is it?SAML (Security Assertion Markup Language):> Defined by the Oasis Group> Well and Academically Designed S...
SAML – How does it work?    User Hans Muster                                 3                                 2          ...
Example with HTTP POST Binding                                       Access Resource          Browser                     ...
A major event in the world of strong authentication     12 October 2005: the Federal Financial Institutions Examination  ...
Out of Band Authentication
Phone Factor
SAML
SAML AuthnRequst Transfer via BrowserRedirect-BindingPOST-Binding
A SAML AuthnRequest (no magic, just XML)<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:n...
SAML Assertion Transfer via BrowserPOST-Binding
A SAML Assertion Response (no magic, just XML)<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"     ID="s...
A SAML Assertion Response (no magic, just XML)   ...   <saml:Subject>      <saml:NameID         NameQualifier="http://idp....
A SAML Assertion Response (no magic, just XML)    ...     <saml:Conditions NotBefore="2008-10-15T17:14:46Z"               ...
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
Upcoming SlideShare
Loading in …5
×

Strong Authentication in Web Application #SCS III

3,338
-1

Published on

Swiss Cyber Storm 3 Security Conference / OWASP Track

Strong Authentication: State of the Art 2011

Risk Based Authentication
Biometry - Match on Card
OTP for Smartphones
OTP SMS
PKI
SuisseID
Mobile-OTP
OATH (HOTP, TOTP, OCRA)
Open Source approach

How to integrate Strong Authentication in Web Application?

OpenID, SAML, Identity Federation for Strong Authentication
API, SDK, Agents, Web Services, Modules
PAM, Radius, JAAS
Reverse Proxy (WAF) and WebSSO
PKI / SSL client authentication
PHP example with Multi-OTP PHP class
AppSec (Threat Modeling - OWASP)

Published in: Technology, Education
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,338
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
80
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Strong Authentication in Web Application #SCS III

  1. 1. Strong Authentication in Web Application “State of the Art 2011” Sylvain Maret / Digital Security Expert / OpenID Switzerland @smaret Version 1.0 / 2PM
  2. 2. RSA FAILED ?
  3. 3. Who am I? Security Expert  17 years of experience in ICT Security  Principal Consultant at MARET Consulting  Expert at Engineer School of Yverdon & Geneva University  Swiss French Area delegate at OpenID Switzerland  Co-founder Geneva Application Security Forum  OWASP Member  Author of the blog: la Citadelle Electronique  http://ch.linkedin.com/in/smaret or @smaret  http://www.slideshare.net/smaret Chosen field  AppSec & Digital Identity Security
  4. 4. Protection of digital identities: a topical issue… Strong Auth
  5. 5. «Digital identity is the cornerstone of trust» http://fr.wikipedia.org/wiki/Authentification_forte
  6. 6. Definition of strong authentication Strong Authentication on Wikipedia
  7. 7. Strong Authentication A new paradigm?
  8. 8. Which Strong Authentication technology ?Legacy Token / OTP / PKI / SuisseID ? / Open Source Solution ?
  9. 9. OTP PKI (HW) Biometry Strong authentication EncryptionDigital signatureNon repudiationStrong link with the user
  10. 10. Strong Authentication with PKI
  11. 11. PKI: Digital Certificate Hardware Token (Crypto PKI) Strong AuthenticationSoftware Certificate (PKCS#12;PFX)
  12. 12. SSL/TLS Mutual Authentication : how does it work? Validation Authority CRL orOCSP Request Valid Invalid Unknown SSL / TLS Mutual Authentication Alice Web Server
  13. 13. Demo #1: Software Certificate Auth using an IDP OpenID http://www.clavid.com/
  14. 14. Strong Authentication with Biometry (Match on Card technology) A reader  Biometry  SmartCard A card with chip  Technology MOC  Crypto Processor  PC/SC  PKCS#11  Digital certificate X509
  15. 15. Strong Authentication With(O)ne (T)ime (P)assword
  16. 16. (O)ne (T)ime (P)assword OTP Time Based  Others:  Like SecurID  OTP via SMS OTP Event Based  OTP via email  Biometry and OTP  Bingo Card OTP Challenge  Etc. Response Based
  17. 17. OTP T-B?OTP E-B?OTP C-R-B?Crypto - 101
  18. 18. Crypto-101 / Time Based OTP HASH FunctionK=Secret Key / Seed OTP T=UTC Time ie = OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
  19. 19. Crypto-101 / Event Based OTP HASH FunctionK=Secret Key / Seed OTP C = Counter ie = OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
  20. 20. Crypto-101 / OTP Challenge Response Based HASH FunctionK=Secret Key / Seed OTP Challenge nonce ie:
  21. 21. Other[s] OTP technologies…OTP Via SMS “Flicker code” Generator Software that converts already encrypted data into optical screen animation By Elcard
  22. 22. Demo #2: Protect WordPress (OTP Via SMS)
  23. 23. How to Storemy Secret Key ? A Token !
  24. 24. OTP Token: Software vs Hardware ?
  25. 25. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960
  26. 26. Where are[is] the seed ?
  27. 27. Seed generation & distribution ? Still a good model ? K1 Threat Agent Editor / Vendor (APT) Secret Key are[is] generated on promise K1 K1
  28. 28. TokenCode
  29. 29. New Standards &Open Source
  30. 30. Technologies accessible to everyone  Initiative for Open AuTHentication (OATH)  HOTP  TOTP  OCRA  Etc. Mobile OTP  (Use MD5 …..)
  31. 31. Initiative for Open AuTHentication (OATH) HOTP  Event Based OTP  Token Identifier  RFC 4226 Specification TOTP  IETF KeyProv Working Group  Time Based OTP  PSKC - Portable Symmetric Key Container, RFC 6030  Draft IETF Version 8  DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063 OCRA  Challenge/Response OTP  And more !  Draft IETF Version 13 http://www.openauthentication.org/specifications
  32. 32. (R)isk(B)ased(A)uthentication
  33. 33. RBA (Risk-Based Authentication) = Behavior Model
  34. 34. Use OATH-HOTP & TOTPhttp://code.google.com/p/google-authenticator/
  35. 35. Integration withweb application
  36. 36. Web application: basic authentication model
  37. 37. Web application: Strong Authentication Implementation Blueprint
  38. 38. “Shielding" approach: perimetric authentication using Reverse Proxy / WAF
  39. 39. Module/Agent-based approach (example)
  40. 40. Demo #3: Apache and Mod_OpenID (Using Biometry / OTP)
  41. 41. Demo #3: Challenge / Response OTP with Biometry
  42. 42. API/SDK based approach (example)
  43. 43. Multi OTP PHP Class Demo #4 & Hardening OS
  44. 44. Proof of Concept Code by Anne Gosselin, Antonio Fontes, Sylvain Maret !if (! empty($_REQUEST[pma_username])) { // The user just logged in $GLOBALS[PHP_AUTH_USER] = $_REQUEST[pma_username]; // we combine both OTP + PIN code for the token verification $fooPass = empty($_REQUEST[pma_password]) ? : $_REQUEST[pma_password]; $fooOtp = empty($_REQUEST[pma_otp]) ? : $_REQUEST[pma_otp]; $GLOBALS[PHP_AUTH_PW] = $fooPass..$fooOtp; // OTP CHECK require_once(./libraries/multiotp.class.php); $multiotp = new Multiotp(); $multiotp->SetUser($GLOBALS[PHP_AUTH_USER]); $multiotp->SetEncryptionKey(DefaultCliEncryptionKey); $multiotp->SetUsersFolder(./libraries/users/); $multiotp->SetLogFolder(./libraries/log/); $multiotp->EnableVerboseLog(); $otpCheckResult = $multiotp->CheckToken($GLOBALS[PHP_AUTH_PW]); // the PIN code use kept for accessing the database $GLOBALS[PHP_AUTH_PW] = substr($GLOBALS[PHP_AUTH_PW], 0, strlen($GLOBALS[PHP_AUTH_PW] if($otpCheckResult == 0) return true; else die("auth failed.");
  45. 45. Step1: Add a new method using cookie authentication In config.inc.phpHowto #1
  46. 46. Step2: Add pma_otp field In common.inc.php
  47. 47. Step3: Add new input File ori: cookie.auth.lib.phpNew file: cookieotp.auth.lib.php
  48. 48. File ori: cookie.auth.lib.php
  49. 49. New file: cookieotp.auth.lib.php Step3: Call multiotp
  50. 50. Demo 4#: PHP[OTP] integration for[in] phpmyadmin
  51. 51. Multi OTP PHP Class by André Liechti (Switzerland) Source Code will be publish soon: http://www.citadelle-electronique.net/ http://www.multiotp.net/
  52. 52. SSH Hardening with OTP Multi OTP PHP Class AES 256 PAM
  53. 53. Strong AuthenticationStrong Authentication and Application Security & Application Security
  54. 54. Threat Modeling“detecting web applicationthreats before coding”
  55. 55. ICAM:a changing paradigmon Strong Authentication
  56. 56. Federation of identity approach a change of paradigm:using IDP for Authentication and Strong Authentication Identity Provider SAML, OpenID, etc
  57. 57. SECTION 2OpenID> What is it?> How does it work?> How to integrate?
  58. 58. OpenID - What is it?> Internet SingleSignOn > Free Choice of Identity Provider> Relatively Simple Protocol > No License Fee> User-Centric Identity Management > Independent of Identification Methods> Internet Scalable > Non-Profit Organization
  59. 59. OpenID - How does it work? User Hans Muster 3 4, 4a Identity Provider e.g. clavid.com hans.muster.clavid.com 5 6 1 2 Identity URL Caption https://hans.muster.clavid.com 1. User enters OpenID 2. Discovery 3. Authentication 4. Approval 4a. Change Attributes 5. Send Attributes 6. Validation Enabled Service
  60. 60. Surprise! You may already have an OpenID !
  61. 61. Other Well Known &Simple Providers http://en.wikipedia.org/wiki/List_of_OpenID_providers
  62. 62. Get an OpenID with Strong Authentication for free !
  63. 63. Questions ?
  64. 64. Resources on Internet 1/2 http://motp.sourceforge.net/ http://www.clavid.ch/otp http://code.google.com/p/mod-authn-otp/ http://www.multiotp.net/ http://www.openauthentication.org/ http://wiki.openid.net/ http://www.citadelle-electronique.net/ http://code.google.com/p/mod-authn-otp/
  65. 65. Resources on Internet 2/2 http://rcdevs.com/products/openotp/ https://github.com/adulau/paper-token http://www.yubico.com/yubikey http://code.google.com/p/mod-authn-otp/ http://www.nongnu.org/oath-toolkit/ http://www.nongnu.org/oath-toolkit/ http://www.gpaterno.com/publications/2010/dublin_oss barcamp_2010_otp_with_oss.pdf
  66. 66. Backup Slides
  67. 67. Kerckhoffss Principle ?
  68. 68. Une conviction forte !Authentification forte
  69. 69. SECTION 1SAML>What is it?>How does it work?
  70. 70. Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)
  71. 71. SAML – What is it?SAML (Security Assertion Markup Language):> Defined by the Oasis Group> Well and Academically Designed Specification> Uses XML Syntax> Used for Authentication & Authorization> SAML Assertions > Statements: Authentication, Attribute, Authorization> SAML Protocols > Queries: Authentication, Artifact, Name Identifier Mapping, etc.> SAML Bindings > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact> SAML Profiles > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile
  72. 72. SAML – How does it work? User Hans Muster 3 2 4 Identity Provider e.g. clavid.ch 4 2 1 6 Enabled Service e.g. Google Apps for Business
  73. 73. Example with HTTP POST Binding Access Resource Browser Web App SAML Ready 1 AuthN 2 <AuthnRequest> 3 + PIN Redirect 302 ACS POST <Response> 7 Ressource Ressource 8 <Response> in HTML Form 6 Single Sign On Service <AuthnRequest> 4 Credential Challenge 5a User Login IDP MC 5b
  74. 74. A major event in the world of strong authentication 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive  « Single Factor Authentication » is not enough for the web financial applications  Before end 2006 it is compulsory to implement a strong authentication system  http://www.ffiec.gov/press/pr101205.htm And the PCI DSS norm  Compulsory strong authentication for distant accesses And now European regulations  Payment Services (2007/64/CE) for banks Social Networks, Open Source
  75. 75. Out of Band Authentication
  76. 76. Phone Factor
  77. 77. SAML
  78. 78. SAML AuthnRequst Transfer via BrowserRedirect-BindingPOST-Binding
  79. 79. A SAML AuthnRequest (no magic, just XML)<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol“ ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb“ Version="2.0” IssueInstant="2008-10-14T00:57:14Z” ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” ProviderName="google.com” ForceAuthn="false” IsPassive="false” AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> google.com </saml:Issuer> <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" /></samlp:AuthnRequest>
  80. 80. SAML Assertion Transfer via BrowserPOST-Binding
  81. 81. A SAML Assertion Response (no magic, just XML)<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4" InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" Version="2.0" IssueInstant="2008-10-15T17:24:46Z" Destination="https://www.google.com/a/unopass.net/acs"> <saml:Issuer> http://idp.unopass.net:80/opensso </saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z" Version="2.0"> <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer> <Signature> … A DIGITAL SIGNATURE … </Signature> ...
  82. 82. A SAML Assertion Response (no magic, just XML) ... <saml:Subject> <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso"> sylvain.maret </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:...:bearer"> <saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" NotOnOrAfter="2008-10-15T17:34:46Z" Recipient="https://www.google.com/a/unopass.net/acs"/> </saml:SubjectConfirmation> </saml:Subject> ...
  83. 83. A SAML Assertion Response (no magic, just XML) ... <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z"> <saml:AudienceRestriction> <saml:Audience>google.com</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z“ SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion></samlp:Response>
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×