Authentication Without Authentication

How can you authenticate without authentication? Is there another way to perform authentication?
These are the slides for a talk I gave at OWASP AppSec Israel.

Published in: Technology
  1. Authentication Without Authentication. AppSec Israel. @omerlh
  2. Source: Nissan
  3. Troy Hunt - Hack Yourself First
  4. Source: Troy Hunt's Blog
  5. - Helping people get the most out of their technology
  6. "...a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today..." Source: Optimizely
  7. Source: pinterest
  8. Authentication Requests Per Second
  9. Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/
  10. Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html
  11. Diagram: User Id → Application Server
  12. Diagram: Device Id → Application Server
  13. Agenda ● OpenID ● Digital Signature ● One Time Password ● Demo ● Edge Cases. Slide footer: OpenId --- Digital Signature --- One Time Password --- Demo --- Edge Cases
  14. ● "Simple Identity Layer" ● Token-based authentication ● Widely supported ● Modularity - many authentication flows
  15. Diagram: Device → Authorization Server → Application Server
  16. Supported Authentication Methods ● Authorization/Implicit/Hybrid ● Client credentials ● Resource Owner ● JWT client assertion
  17. We need a new authentication flow
  18. Diagram: Device ↔ Authorization Server
  19. Diagram: Device → Authorization Server → Application Server
  20. Requirements ❏ Strong authentication solution ❏ Unique device identification ❏ Simple ❏ Unique per request ❏ Replay Attacks ❏ Fault tolerant
  21. Questions?
  22. Let's use Digital Signature
  23. "Dear Bob" → Sign → Verify → "Dear Bob". Leo, Bob the Builder™. Source: Bob the Builder™ Official Site
  24. This sounds familiar...
  25. How can we use it?
  26. Diagram: Device → Authorization Server: Public Key, Id. Server stores: Public Key, Id (Id: 5467)
  27. Diagram: Device → Authorization Server: Digital Signature, Id. Server holds: Public Key, Id (Id: 5467)
  28. So far we have: ✓ Strong authentication solution ✓ Unique device identification ✓ Simple ❏ Unique per request ❏ Fault tolerant
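A worked version of the registration and signed-request flow on slides 26-27, added here as an example; it is not the talk's demo code (which the author says is on GitHub, not on this page). The slides do not name a signature algorithm, so this assumes Ed25519 from Go's standard library; the device id 5467 is the one on the slides, and the type names, the request body and the `SignedRequest` shape are made up for the example. The last check in `main` shows why the "unique per request" box on slide 28 is still open: a captured request verifies again unchanged.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedRequest is what the device sends (slide 27: "Digital Signature, Id"):
// its id, the request body and a signature over the body.
type SignedRequest struct {
	ID   string
	Body []byte
	Sig  []byte
}

// AuthorizationServer stores one public key per device id (slide 26).
type AuthorizationServer struct {
	keys map[string]ed25519.PublicKey
}

func NewAuthorizationServer() *AuthorizationServer {
	return &AuthorizationServer{keys: make(map[string]ed25519.PublicKey)}
}

// Register binds a public key to an id. How the very first registration is
// trusted (provisioning secret, factory certificate) is not on the slides
// and is not modelled here.
func (s *AuthorizationServer) Register(id string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	if _, taken := s.keys[id]; taken {
		return errors.New("device id already registered")
	}
	s.keys[id] = pub
	return nil
}

// Verify looks the key up by id and checks the signature over the body.
func (s *AuthorizationServer) Verify(r SignedRequest) bool {
	pub, ok := s.keys[r.ID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, r.Body, r.Sig)
}

// Device keeps the private key; only the public half ever leaves the device.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewDevice generates the key pair on the device and returns the public key
// that is handed to the authorization server during registration.
func NewDevice(id string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{ID: id, priv: priv}, pub, nil
}

// Sign produces the request the device sends to the server.
func (d *Device) Sign(body []byte) SignedRequest {
	return SignedRequest{ID: d.ID, Body: body, Sig: ed25519.Sign(d.priv, body)}
}

func main() {
	srv := NewAuthorizationServer()
	dev, pub, err := NewDevice("5467") // id from the slides
	if err != nil {
		panic(err)
	}
	if err := srv.Register(dev.ID, pub); err != nil {
		panic(err)
	}
	req := dev.Sign([]byte("GET /sensitive")) // constructed request body
	fmt.Println("valid request:", srv.Verify(req))

	tampered := req
	tampered.Body = []byte("GET /sensitive?admin=1")
	fmt.Println("tampered body:", srv.Verify(tampered))

	// Nothing in the request changes between sends, so a captured copy
	// verifies again: the signature alone is not unique per request.
	fmt.Println("replayed copy:", srv.Verify(req))
}
```

The replay line is the gap the next section fills: the signature proves which device produced the bytes, not that the bytes are fresh.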
  29. Questions?
  30. One Time Password
  31. Diagram (as on slide 27): Device → Authorization Server: Digital Signature, Id. Server holds: Public Key, Id (Id: 5467)
  32. Time Based ● Use current timestamp ● Allowed time range (e.g. +- 1 min) ● 2FA Solution. Counter Based ● Start with a random seed ● Increase by one after each request ● Allowed value range (e.g. +- 5)
  33. Synchronization Issues
  34. Let's build our own OTP
  35. Client State / Server State, one successful request:
      Client: Old 5, New 2 | Server: Old 5, New 2
      Client: Old 2, New 42 | Server: Old 5, New 2
      Client: Old 2, New 42 | Server: Old 2, New 42 → Token
  36. So far we have… ✓ Strong authentication solution ✓ Unique device identification ✓ Simple ✓ Unique per request ✓ Fault tolerant
  37. Questions?
  38. Demo Time
  39. Diagram: Client → Authorization Server → Application Server (Sensitive API)
  40. Let's see it in action... All the code is available on GitHub
  41. Network requests can fail ● Reasons: ○ Timeout ○ Network failure ○ Temporary server errors ● Unknown server state: ○ State did not change ○ State changed
  42. Client State / Server State, request fails:
      Client: Old 2, New 42 | Server: Old 1, New 2
      Client: Old 2, New 42 | Server: Old 2, New 42 → Token (response lost: the client sees Error, state changed)
      Client: Old 2, New 42 | Server: Old 1, New 2 → Error (request lost: state did not change)
  43. Client State / Server State, retry:
      Client: Old 2, New 42 | Server: Old 2, New 42 (state changed) or Old 1, New 2 (state did not change)
      Client retries with Old 2, New 42 → Error
  44. Client State / Server State, state changed:
      Client: Old 2, New 42 | Server: Old 2, New 42
      Client retries with Old 2, New 42 → Bad Request (400)
      Client: Old 42, New 86 | Server: Old 42, New 86 → Token
  45. Questions?
  46. What is the weakest link in the chain?
  47. Detecting Compromised Devices
  49. Client State / Server State, Eve holds a copy of the device state:
      Client: Old 2, New 42 | Server: Old 1, New 2 | Eve: Old 2, New 42
      Client: Old 2, New 42 | Server: Old 2, New 42 → Token
  50. Client: Old 2, New 42 | Server: Old 2, New 42 | Eve: Old 42, New 56
      Eve sends Old 42, New 56 → Bad Request (400)
  51. Client: Old 42, New 78 | Server: Old 2, New 42 | Eve: Old 42, New 56
      Client: Old 42, New 78 | Server: Old 42, New 78 → Token
  52. Client: Old 78, New 4 | Server: Old 7, New 78 | Eve: Old 7, New 56
      Server: Old 7, New 78 | Eve sends Old 7, New 93 → 400 Bad Request
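An added example for the home-grown OTP of slides 34-35, the failure handling of slides 41-44 and the compromised-device detection of slides 47-52, written for this page; it is not the talk's demo code. The slides show the (Old, New) pairs and the outcomes (Token, Error, 400) but not the comparison the server makes, so the acceptance rule in `Check` is an assumption stated in its comment: the client generates each New value, a pair is accepted when its Old equals the server's current New, an already-consumed pair is answered with 400 (the client recovers by rotating, as on slide 44), and a pair that shares the server's Old but carries a different New is treated as a second copy of the same state and flags the device. The seed (5, 2), the values 42, 86, 78, 56 and the id 5467 are taken from the slides; the type and function names are made up.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// State is the (Old, New) pair both sides keep (slide 35).
type State struct{ Old, New uint32 }

// OTPClient rotates the pair before a request and keeps the same pair until
// the server has answered, so a retry after a network error re-sends the
// pair the server may already have stored (slides 41-43).
type OTPClient struct {
	st      State
	pending bool
	next    func() uint32 // source of the next New value
}

func NewOTPClient(seed State, next func() uint32) *OTPClient {
	return &OTPClient{st: seed, next: next}
}

// Request returns the pair to put in the signed token.
func (c *OTPClient) Request() State {
	if !c.pending {
		c.st = State{Old: c.st.New, New: c.next()}
		c.pending = true
	}
	return c.st
}

// Done records that the server answered. A network error (no status) leaves
// pending set, so the next Request re-sends the same pair; after a 400 the
// server has moved past the pair, so the next Request rotates (slide 44).
func (c *OTPClient) Done(status int) { c.pending = false }

// Clone models Eve copying the device's persisted state (slide 49).
func (c *OTPClient) Clone(next func() uint32) *OTPClient {
	return &OTPClient{st: c.st, next: next}
}

// OTPServer keeps one pair per device id plus the ids it has flagged.
type OTPServer struct {
	states  map[string]State
	Flagged map[string]bool
}

func NewOTPServer() *OTPServer {
	return &OTPServer{states: map[string]State{}, Flagged: map[string]bool{}}
}

func (s *OTPServer) Enroll(id string, seed State) { s.states[id] = seed }

// Check returns an HTTP-style status for the pair presented under id.
// Assumed rule (the slides show outcomes, not the comparison):
//   - st equals the stored pair: already consumed (lost response or a
//     replayed capture), 400; the client recovers by rotating.
//   - st.Old equals the stored New: the chain advances, store st, 200.
//   - st.Old equals the stored Old with a different New: a second copy of
//     the same state branched off; 400 and flag the device.
//   - anything else: 400 (out of sync, no verdict on compromise).
func (s *OTPServer) Check(id string, st State) int {
	cur, ok := s.states[id]
	if !ok {
		return 401
	}
	switch {
	case st == cur:
		return 400
	case st.Old == cur.New:
		s.states[id] = st
		return 200
	case st.Old == cur.Old:
		s.Flagged[id] = true
		return 400
	default:
		return 400
	}
}

// randUint32 draws a New value from crypto/rand for the stand-alone run.
func randUint32() uint32 {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return binary.BigEndian.Uint32(b[:])
}

func main() {
	srv := NewOTPServer()
	seed := State{Old: 5, New: 2} // seed from slide 35
	srv.Enroll("5467", seed)
	dev := NewOTPClient(seed, randUint32)

	st := dev.Request()
	fmt.Println("normal request:", st, srv.Check("5467", st))
	dev.Done(200)

	st = dev.Request()
	srv.Check("5467", st) // server advanced, but the response never arrived
	fmt.Println("retry of consumed pair:", srv.Check("5467", dev.Request()))
	dev.Done(400)
	fmt.Println("rotate after 400:", srv.Check("5467", dev.Request()))
	dev.Done(200)

	eve := dev.Clone(randUint32) // Eve copies the device state
	fmt.Println("device:", srv.Check("5467", dev.Request()))
	dev.Done(200)
	fmt.Println("eve:", srv.Check("5467", eve.Request()), "flagged:", srv.Flagged["5467"])
}
```

Whichever of the two holders of a copied state sends first wins; the other gets a 400 whose pair hangs off the server's Old, and that is the signal the server logs against the device id. A captured pair is only useful before the genuine request is consumed; protecting the pair in transit is outside what this example covers.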
  54. Questions?
  55. Conclusion
  56. Responsible Disclosure
  57. Requirements ✓ Strong authentication solution ✓ Unique device identification ✓ Simple ✓ Unique per request ✓ Fault tolerant
  58. Diagram: Device ↔ Authorization Server
  59. Diagram: Device → Authorization Server → Application Server
  60. How can you use it? @omerlh
