
Authentication without Authentication - AppSec California


Authentication is important, but how do you authenticate when user interaction is not an option? For example, an IoT app without a user interface. We need to authenticate the app ― without any predefined credentials. But how?



  1. Authentication Without Authentication. AppSec California 2018. @omerlh
  2. We help people get the most out of their technology
  3. “Logins are tricky. They account for a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today...” Source: Optimizely
  4. What will you choose? Security or usability? Source: The Matrix
  5. Why not both?
  6. Source: Pinterest
  7. Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/
  8. Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html
  9. User authentication/authorization
     - User credentials
     - User name
     - Group
     - Role
     - Etc.
  10. Device authentication/authorization
     - Credentials?
     - Identifier?
     - No user information
  11. Building blocks
     - OpenID Connect
     - Digital signature
     - One-time password
  12. Goals
     - Authentication/authorization standard
     - End user identity validation
     - End user profile information
     - RFC
  13. Can we eliminate the end user?
  14. Supported authentication flows: authorization/implicit/hybrid, client credentials, resource owner
  15. We need a new authentication flow
  16. Requirements
     - Strong authentication solution
     - Unique device identification
     - Simple
     - Unique per request
     - Replay attacks
     - Fault tolerant
  17. Potential threats
     - Stolen/compromised device: existing OS protections
     - Man-in-the-middle: HTTPS (TLS), certificate pinning
     - Temporary device access
     - Reverse engineering/code tampering
     - Sensitive data exposure (server side)
  18. Digital signature
  19. Why digital signature?
     - Widespread
     - Existing implementations
  20. High-level design
     - One-time registration
     - Authentication request
  21. Registration request (diagram, steps 1 to 5)
  22. Authentication request (diagram, steps 1 to 5)
  23. So far we have:
     - Strong authentication solution
     - Unique device identification
     - Simple
     - Unique per request
     - Fault tolerant
  24. Potential threats
     - Stolen/compromised device: existing OS protections
     - Man-in-the-middle: HTTPS (TLS), certificate pinning
     - Temporary device access
     - Reverse engineering/code tampering
     - Sensitive data exposure (server side)
  25. One-time password
  26. Reminder: authentication request
  27. Authentication request (diagram): the device and the Authentication API exchange a token, with old and new token values shown at each step
  28. So far we have…
     - Strong authentication solution
     - Unique device identification
     - Simple
     - Unique per request
     - Fault tolerant
  29. Potential threats
     - Stolen/compromised device: existing OS protections
     - Man-in-the-middle: HTTPS (TLS), certificate pinning
     - Temporary device access
     - Reverse engineering/code tampering
     - Sensitive data exposure (server side)
  30. Questions?
  31. Fault tolerance
  32. Network requests can fail
     - Reasons: timeout, network failure, temporary server errors
     - Unknown server state: state did not change, or state did change
  33. Case A: Server state did not change
  34. Case B: Server state did change
  35. Case B: Server state did change
  36. So far we have…
     - Strong authentication solution
     - Unique device identification
     - Simple
     - Unique per request
     - Fault tolerant
  37. Mitigating temporary access threats
  38. OpenId --- Digital Signature --- One Time Password --- Demo --- Edge Cases
  39. OpenId --- Digital Signature --- One Time Password --- Demo --- Edge Cases
  40. Potential threats
     - Stolen/compromised device: existing OS protections
     - Man-in-the-middle: HTTPS (TLS), certificate pinning
     - Temporary device access
     - Reverse engineering/code tampering
     - Sensitive data exposure (server side)
  41. Questions?
  42. Demo time
  43. Very-Cool-IoT-Project
     - Show device’s nickname
     - Highly sensitive
     - Only the device can see its name
  44. (diagram, steps 1 to 4)
  45. How does authorization work?
  46. Let’s look at the token… https://jwt.io (slide shows the JWT access token)
  47. Technology
  48. Let’s see it in action... All the code is available on GitHub
  49. Let’s test authorization…
  50. Questions?
  51. Acknowledgments. The information in this presentation is based on my work at Soluto by Asurion, and I'd like to thank the whole company for being awesome. I'd also like to give a special thanks to the following colleagues for their help:
     - Oded Welgreen
     - Asaf Kotzer
     - Mark Geeslin
     - Guy Segal
     - Michael Kruglos
  52. How can you use it? @omerlh
  53. Feedback is much appreciated!
  54. Responsible disclosure: security@soluto.com, @omerlh, S/MIME certificate
  55. What will you choose? Security or usability
  56. Thank you! @omerlh @SolutoEng
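As an added illustration of slides 20 through 36 (not code from the talk or its GitHub project): a simulation of one-time registration, a signed per-request authentication with a one-time token, replay rejection, and the fault-tolerant handling of a lost reply (case B: server state did change), where the server still honours the previous token. The signature is modelled with HMAC over a device-generated secret as a stand-in for the asymmetric digital signature the talk uses; the device id and the token format are constructed.

```python
import hashlib
import hmac
import secrets


def sign(key, device_id, token):
    # Stand-in for the device's digital signature (assumption: HMAC; the talk uses an asymmetric key pair).
    return hmac.new(key, f"{device_id}:{token}".encode(), hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self):
        self.devices = {}  # device_id -> {"key", "current", "previous"}

    def register(self, device_id, key):
        # One-time registration: keep the device's verification key, issue its first one-time token.
        self.devices[device_id] = {"key": key, "current": secrets.token_hex(8), "previous": None}
        return self.devices[device_id]["current"]

    def authenticate(self, device_id, token, sig):
        dev = self.devices.get(device_id)
        if dev is None or not hmac.compare_digest(sign(dev["key"], device_id, token), sig):
            return None  # Unknown device or bad signature.
        if token == dev["current"]:
            # Normal case: consume the token; remember it as "previous" in case this reply is lost.
            dev["previous"], dev["current"] = token, secrets.token_hex(8)
        elif token != dev["previous"]:
            return None  # Replay of an older token, or a token that was never issued.
        # token == previous: the device never saw the last reply (case B); resend the current token.
        return {"next_token": dev["current"], "session": f"session-for-{device_id}"}


def run_scenarios():
    server = AuthServer()
    dev_id, key = "fridge-0001", secrets.token_bytes(32)  # constructed id; key stands in for the device key pair
    def req(t): return (dev_id, t, sign(key, dev_id, t))  # what the device sends for token t
    first = req(server.register(dev_id, key))
    token = server.authenticate(*first)["next_token"]      # normal request, reply received
    token = server.authenticate(*req(token))["next_token"] # second normal request
    replayed = server.authenticate(*first)                 # first request replayed later: rejected
    lost = req(token)
    server.authenticate(*lost)                             # server rotated, but its reply was lost
    retry = server.authenticate(*lost)                     # device retries the same request (case B)
    server.authenticate(*req(retry["next_token"]))         # next normal request consumes the new token
    stale = server.authenticate(*lost)                     # the retried request is now dead as well
    return {"replay": replayed, "retry": retry is not None, "stale": stale}
```

The previous token stays valid only until the device's next successful request, so a captured request is replayable for that one window and dead afterwards.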
