Sylvain’s talk will focus on risk based authentication, biometry, OTP for smartphones, PKIs, Mobile-OTP, OATH-HOTP, TOTP and the open-source approach to this subject.
PHP Demo with multiotp class.
Strong Authentication in Web Applications: State of the Art 2011
1. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch
Strong Authentication in Web Application
“State of the Art 2011”
Sylvain Maret / Digital Security Expert / OpenID Switzerland
Yverdon - IT Security Days / 16-03-2011
Conseil en technologies
3. Who am I?
Security Expert
17 years of experience in ICT Security
Principal Consultant at MARET Consulting
Expert at Engineer School of Yverdon & Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
OWASP Member
Author of the blog: la Citadelle Electronique
http://ch.linkedin.com/in/smaret or @smaret
http://www.slideshare.net/smaret
Chosen field
AppSec & Digital Identity Security
www.maret-consulting.ch Conseil en technologies
4. Protection of digital identities: a topical issue…
Strong Auth
5. Definition of strong authentication
Strong Authentication on Wikipedia
6. «Digital identity is the cornerstone of trust»
http://fr.wikipedia.org/wiki/Authentification_forte
Strong Authentication
A new paradigm!
8. Which Strong Authentication technology ?
Legacy Token / Old Model ? / Open Source Solution ?
10. Comparison: OTP / PKI (HW) / Biometry
Criteria compared:
Strong authentication *
Encryption
Digital signature
Non repudiation
Strong link with the user
* Biometry type: Fingerprinting
12. PKI: Digital Certificate
Hardware Token (Crypto PKI): Strong Authentication
Software Certificate (PKCS#12; PFX)
13. SSL/TLS Mutual Authentication: how does it work?
Diagram: Alice <-> Web Server (SSL / TLS Mutual Authentication); the certificate is checked against a Validation Authority (CRL or OCSP Request), which answers Valid, Invalid or Unknown.
14. Demo #1: OpenID and Software Certificate using Clavid.ch
http://www.clavid.com/
15. Strong Authentication with Biometry (Match on Card technology)
A reader: Biometry
A card with chip: SmartCard, Technology MOC, Crypto Processor
PC/SC
PKCS#11
Digital certificate X509
16. Strong Authentication with (O)ne (T)ime (P)assword
17. (O)ne (T)ime (P)assword
OTP Time Based
OTP Event Based
OTP Challenge Response Based
Others: OTP via SMS, OTP via email, Biometry and OTP, Bingo Card, etc.
19. Crypto-101 / Time Based OTP
HASH Function
K = Secret Key / Seed
T = UTC Time
OTP
i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
20. Crypto-101 / Event Based OTP
HASH Function
K = Secret Key / Seed
C = Counter
OTP
i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
21. Crypto-101 / OTP Challenge Response Based
HASH Function
K = Secret Key / Seed
Challenge (nonce)
OTP
i.e.:
22. Other OTP technologies…
OTP via SMS
“Flicker code”: generator software that converts already encrypted data into an optical screen animation (by Elcard)
23. Demo #2: Protect WordPress (OTP Via SMS)
24. How to store my Secret Key?
A Token!
25. OTP Token: Software vs Hardware ?
26. Software OTP for Smartphone
http://itunes.apple.com/us/app/iotp/id328973960
27. New Standards & Open Source
28. Technologies accessible to everyone
Initiative for Open AuTHentication (OATH): HOTP, TOTP, OCRA, etc.
Mobile OTP (uses MD5 …)
33. 2 Step Verification from Google!
Uses OATH-HOTP & TOTP
http://code.google.com/p/google-authenticator/
34. Integration with web application
35. Web application: basic authentication model
36. Web application: Strong Authentication model
42. Multi OTP PHP Class Demo
43. Proof of Concept Code by Anne Gosselin, Antonio Fontes, Sylvain Maret!
if (! empty($_REQUEST['pma_username'])) {
    // The user just logged in
    $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
    // We combine both PIN code + OTP for the token verification
    $fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
    $fooOtp  = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];
    $GLOBALS['PHP_AUTH_PW'] = $fooPass . $fooOtp;
    // OTP CHECK
    require_once('./libraries/multiotp.class.php');
    $multiotp = new Multiotp();
    $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
    $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
    $multiotp->SetUsersFolder('./libraries/users/');
    $multiotp->SetLogFolder('./libraries/log/');
    $multiotp->EnableVerboseLog();
    // CheckToken() returns 0 when the PIN + OTP pair is accepted
    $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);
    // Only the PIN code is kept for accessing the database: strip the OTP suffix
    // (the slide's line is cut off here; removing strlen($fooOtp) characters is the assumed intent)
    $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0, strlen($GLOBALS['PHP_AUTH_PW']) - strlen($fooOtp));
    if ($otpCheckResult == 0) {
        return true;
    } else {
        die("auth failed.");
    }
}
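The formulas of slides 19 to 21 (OTP(K,T) and OTP(K,C) as Truncate(HMAC-SHA-1(...))) and the PIN + OTP check of the PoC above, worked through in Python as an added example. This is not code from the talk, from the PoC or from the multiotp class: the names hotp, totp, challenge_otp and HotpVerifier are assumed, the secret is the one from the RFC 4226 / RFC 6238 test vectors, and the challenge variant is a simplified HMAC over the nonce, not the OATH OCRA suite. The verifier also shows the two checks a server needs beyond the formula: a look-ahead window for an event-based token whose counter has drifted, and refusal of a replayed or skipped code.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset taken from the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (slide 20): OTP(K, C) = Truncate(HMAC-SHA-1(K, C)), C as 8-byte big-endian."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (slide 19): HOTP with the counter T = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


def challenge_otp(key: bytes, nonce: bytes, digits: int = 6) -> str:
    """Challenge/response OTP (slide 21), simplified: the server nonce is the HMAC message.
    Didactic variant (assumed here), not the OATH OCRA algorithm."""
    return _truncate(hmac.new(key, nonce, hashlib.sha1).digest(), digits)


class HotpVerifier:
    """Server side of the phpMyAdmin PoC (slide 43): the login form sends PIN + OTP as one
    string; the server splits it, compares the PIN in constant time and checks the OTP
    against an event-based token with a look-ahead window and replay protection.
    Hypothetical class; a real deployment persists the counter per user."""

    def __init__(self, key: bytes, pin: str, digits: int = 6, window: int = 10):
        self.key = key
        self.pin = pin
        self.digits = digits
        self.window = window
        self.counter = 0  # next counter value the server is willing to accept

    def check(self, combined: str) -> bool:
        if len(combined) <= self.digits:
            return False
        pin, otp = combined[:-self.digits], combined[-self.digits:]
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        # Look ahead: the user may have generated a few codes without submitting them.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c, self.digits), otp):
                if not pin_ok:
                    return False
                # Consume this counter value: the same code, and any earlier one,
                # is refused from now on (replay protection).
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC_TEST_SECRET, c)}")
    print("TOTP at T=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))
    print("TOTP now:", totp(RFC_TEST_SECRET, int(time.time())))
    v = HotpVerifier(RFC_TEST_SECRET, pin="1234")
    print("first use:", v.check("1234" + hotp(RFC_TEST_SECRET, 0)))
    print("replay:   ", v.check("1234" + hotp(RFC_TEST_SECRET, 0)))
```

The window size is the trade-off the PoC does not show: a larger window tolerates more unused token presses but gives a guessed code more chances, so it is usually kept small and combined with a failed-attempt limit. For TOTP the same idea applies with one or two time steps of tolerance on each side.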
44. Step 1: Add a new method using cookie authentication
In config.inc.php
Howto #1
45. Step 2: Add pma_otp field
In common.inc.php
46. Step 3: Add new input
Original file: cookie.auth.lib.php
New file: cookieotp.auth.lib.php
49. Demo #3: PHP Integration for phpMyAdmin
50. Multi OTP PHP Class by André Liechti (Switzerland)
Source code will be published soon:
http://www.citadelle-electronique.net/
http://www.multiotp.net/
51. Strong Authentication & Application Security
52. Threat Modeling: “detecting web application threats before coding”
14h30: Antonio Fontes, "Threat modeling your web application: mitigating risks right from the start!"
53. Federated identities: a changing paradigm on authentication
54. Federation of identity approach, a change of paradigm: using an IDP for Authentication and Strong Authentication
Diagram: Identity Provider, Web App X, Web App Y
55. SECTION 2
OpenID
> What is it?
> How does it work?
> How to integrate?
56. OpenID - What is it?
> Internet SingleSignOn
> Relatively Simple Protocol
> User-Centric Identity Management
> Internet Scalable
> Free Choice of Identity Provider
> No License Fee
> Independent of Identification Methods
> Non-Profit Organization
57. OpenID - How does it work?
Diagram: User Hans Muster, Identity URL https://hans.muster.clavid.com, Identity Provider (e.g. clavid.com, hans.muster.clavid.com), Enabled Service
Caption:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation
58. Surprise! You may already have an OpenID!
59. Other Well Known & Simple Providers
http://en.wikipedia.org/wiki/List_of_OpenID_providers
60. Get an OpenID with Strong Authentication for free !
62. Resources on Internet 1/2
http://motp.sourceforge.net/
http://www.clavid.ch/otp
http://code.google.com/p/mod-authn-otp/
http://www.multiotp.net/
http://www.openauthentication.org/
http://wiki.openid.net/
http://www.citadelle-electronique.net/
63. Resources on Internet 2/2
http://rcdevs.com/products/openotp/
https://github.com/adulau/paper-token
http://www.yubico.com/yubikey
http://www.nongnu.org/oath-toolkit/
http://www.gpaterno.com/publications/2010/dublin_oss
barcamp_2010_otp_with_oss.pdf
64. "Advice and expertise for choosing and implementing innovative technologies in information systems security and digital identity"
65. A strong conviction!
Strong authentication
66. SECTION 1
SAML
>What is it?
>How does it work?
67. Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)
68. SAML – What is it?
SAML (Security Assertion Markup Language):
> Defined by the OASIS Group
> Well and Academically Designed Specification
> Uses XML Syntax
> Used for Authentication & Authorization
> SAML Assertions
  > Statements: Authentication, Attribute, Authorization
> SAML Protocols
  > Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings
  > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact
> SAML Profiles
  > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile
69. SAML – How does it work?
Diagram: User Hans Muster, Identity Provider (e.g. clavid.ch), Enabled Service (e.g. Google Apps for Business); exchanges numbered 1 to 6.
70. Example with HTTP POST Binding
Actors: Browser, Web App SAML Ready (with its ACS), IDP (Single Sign On Service)
1. Access Resource
2. AuthN
3. <AuthnRequest>, Redirect 302
4. <AuthnRequest> to the Single Sign On Service
5a. Credential Challenge
5b. User Login + PIN
6. <Response> in HTML Form
7. POST <Response> to the ACS
8. Resource
71. A major event in the world of strong authentication
12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
« Single Factor Authentication » is not enough for web financial applications
Before end of 2006 it is compulsory to implement a strong authentication system
http://www.ffiec.gov/press/pr101205.htm
And the PCI DSS standard: compulsory strong authentication for remote access
And now European regulations: Payment Services Directive (2007/64/CE) for banks
Social Networks, Open Source
72. Out of Band Authentication