
Authentication without Authentication - Peerlyst meetup

Authentication is important, but how do you authenticate when user interaction is not an option? For example, an IoT app without a user interface. We need to authenticate the app - without any predefined credentials.
Join us at this meetup to learn how!
This talk was given at Peerlyst meetup.

Published in: Technology

  1. Authentication Without Authentication December 2017 @omerlh #MeetupAtSoluto
  2. Agenda ● Introduction ● OpenID ● Digital Signature ● One Time Password ● Demo ● Edge Cases
  3. Can we Authenticate without Authentication?
  4. - Helping people get the most out of their technology
  5. “...a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today...” Source: Optimizely
  6. Source: pinterest
  7. Authentication Requests Per Second
  8. Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/
  9. Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html
  10. User Id Application Server
  11. Device Id Application Server
  12. ● “Simple Identity Layer” ● Token-based authentication ● Widely supported ● Modularity - many authentication flows
  13. Authorization Server Application Server Device
  14. Supported Authentication Methods Authorization/Implicit/Hybrid Client credentials Resource Owner JWT client assertion
  15. We need a new authentication flow
  16. Authorization Server Device
  17. Authorization Server Application Server Device
  18. Requirements ❏ Strong authentication solution ❏ Unique device identification ❏ Simple ❏ Unique per request ❏ Replay Attacks ❏ Fault tolerant
  19. Questions?
  20. Let’s use Digital Signature
  21. Dear Bob Dear Bob Sign Verify Leo Bob the Builder™ Source: Bob the Builder™ Official Site
  22. This sounds familiar...
  23. How can we use it?
  24. Authorization Server Device Public Key, Id Public Key, Id Id: 5467
  25. Authorization Server Device Digital Signature, Id Public Key, Id Id: 5467
  26. So far we have: ✓ Strong authentication solution ✓ Unique device identification ✓ Simple ❏ Unique per request ❏ Fault tolerant
  27. Questions?
  28. One Time Password
  29. Authorization Server Device Digital Signature, Id Public Key, Id Id: 5467
  30. Let’s build our own OTP
  31. Client State Server State Old 5 New 2 Old 5 New 2 Old 2 New 42 Old 5 New 2 Old 2 New 42 Token
  32. So far we have… ✓ Strong authentication solution ✓ Unique device identification ✓ Simple ✓ Unique per request ✓ Fault tolerant
  33. Questions?
  34. Demo Time
  35. Client Authorization Server Application Server (Sensitive API)
  36. Let’s see it in action... All the code is available on GitHub
  37. Network request can fail ● Reasons: ○ Timeout ○ Network failure ○ Temporary server errors ● Unknown server state ○ State did not change ○ State changed
  38. Client State Server State Old 2 New 42 Old 1 New 2 Old 2 New 42 Old 2 New 42 Old 1 New 2 Token Error
  39. Client State Server State Old 2 New 42 Old 2 New 42 Old 1 New 2 Old 2 New 42 Old 2 New 42 Old 2 New 42 Error
  40. Client State Server State Old 2 New 42 Old 2 New 42 Old 42 New 86 Old 42 New 86 Old 2 New 42 Bad Request (400) Token
  41. Questions?
  42. Detecting Compromised Devices
  43. Client State Server State Old 2 New 42 Old 1 New 2 Eve Old 2 New 42 Old 1 New 2 Old 2 New 42 Old 2 New 42 Token
  44. Client State Server State Old 2 New 42 Old 2 New 42 Eve Old 42 New 56 Old 2 New 42 Old 2 New 42 Bad Request (400)
  45. Client State Server State Old 42 New 78 Old 2 New 42 Eve Old 42 New 56 Old 2 New 42 Old 42 New 78 Old 42 New 78 Token
  46. Client State Server State Old 78 New 4 Old 7 New 78 Eve Old 7 New 56 Old 7 New 78 Old 7 New 93 400 Bad Request
  47. Questions?
  48. Conclusion
  49. Responsible Disclosure
  50. Requirements ✓ Strong authentication solution ✓ Unique device identification ✓ Simple ✓ Unique per request ✓ Fault tolerant
  51. Authorization Server Device
  52. Authorization Server Application Server Device
  53. How can you use it? @omerlh #MeetupAtSoluto
  54. @omerlh #MeetupAtSoluto We’re hiring! Thank You!
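
The signed request plus rolling old/new state that slides 24-46 sketch, worked through as an added Go example; this is not the talk's GitHub code. The Ed25519 signature, the id|old|new payload format and the exact acceptance rule (advance when the sent Old equals the stored New, accept an identical resend as a retry, reject everything else with 400) are my reading of the diagrams, not something the slides spell out; the device id 5467 and the state values come from the slides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// State is the rolling (Old, New) pair that both device and server keep (slide 31).
type State struct{ Old, New uint64 }

// Server keeps each registered device's public key and last accepted state: it holds
// no shared secret, only what the device published at registration (slide 24).
type Server struct {
	Keys   map[string]ed25519.PublicKey
	States map[string]State
}

var ErrBadRequest = errors.New("400 Bad Request")

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string]State{}} }

// payload is the byte string the device signs (assumed format): id|old|new.
func payload(id string, s State) []byte { return []byte(fmt.Sprintf("%s|%d|%d", id, s.Old, s.New)) }

// Authenticate applies the acceptance rule as I read it from the slides: the signature must
// verify, then either st.Old == stored New (normal advance) or st equals the stored state
// exactly (a retry after a lost response, slides 38-39). Anything else, a stale replay
// (slide 40) or a clone that has drifted from the real device (slides 43-46), gets 400.
func (sv *Server) Authenticate(id string, st State, sig []byte) (string, error) {
	pk, ok := sv.Keys[id]
	if !ok || !ed25519.Verify(pk, payload(id, st), sig) {
		return "", ErrBadRequest
	}
	if cur := sv.States[id]; st.Old == cur.New {
		sv.States[id] = st // advance to the state the device just moved to
	} else if st != cur {
		return "", ErrBadRequest
	}
	return "token:" + id, nil
}

// Device holds its private key and its own copy of the state.
type Device struct{ ID string; Priv ed25519.PrivateKey; St State }

// NewDevice generates a key pair and registers the public key and initial state (slide 24).
func NewDevice(sv *Server, id string, init State) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sv.Keys[id], sv.States[id] = pub, init
	return &Device{id, priv, init}
}

// Sign signs the current state; a retry after a network error resends it unchanged (slide 39).
func (d *Device) Sign() []byte { return ed25519.Sign(d.Priv, payload(d.ID, d.St)) }

// Advance rolls the state: the previous New becomes Old and next becomes New. The caller
// supplies next so the walkthrough is deterministic; in practice draw it from crypto/rand.
func (d *Device) Advance(next uint64) { d.St = State{d.St.New, next} }
```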
