SlideShare a Scribd company logo
1 of 39
Download to read offline
ROOTS, 27. April 2012

André N. Klingsheim
@klingsen
   Some motivation
   Authentication/identities defined
   Where authentication fits in
   Authentication factors
   Passwords
   Two-factor authentication
   Keeping your shields up
   Fun and demos
   Verizon Data Breach Investigations Report*
     Based on 855 incidents (that resulted in)
     174 million compromized records
     Leads to some interesting statistics
      ▪ Curiosity: One organized criminal group in Eastern
        Europe worked on average three days per week
     Go read it when you get home!



    * http://www.verizonbusiness.com/dbir/
Source: Verizon Data Breach Investigations Report, p. 26
Source: Verizon Data Breach Investigations Report, p. 32
   TL;DR: How sure are you that it’s the correct
    user who’s logging in?
     You’re never 100% sure!
   Authentication is the process of establishing
    an understood level of trust in whether the
    user is who she claims to be
   An identifier such as a name, national identity
    number, or a customer number, points to an
    identity
   The identity of an individual is the set of
    information associated with that individual in
    a particular computer system
Someone claims to be «klings»!




Authentication tries to establish whether that someone is this guy! 
1.       You don’t know who the user is
2.       The user authenticates (now you’re pretty
         sure who the user is)
3.       The user gets a security token in return
         You associate the user’s identity with this token
         Think session cookies (and username written to
          session)
4.       Now you «remember» the outcome of the
         authentication
   You’re done with authentication, and then
    have to rely on session security
   So, authentication helps you figure out
    whether an unkown person/computer can
    safely be assosciated with a digital identity
   Session security deals with remembering who
    the users is in a secure manner
   Your trust in that you’re talking to the right
    person is at its peak in the authentication
    instant
   Session security takes over, remember this is
    «cached» trust
   Re-authentication
     Rebuilds your trust in that it’s still the correct
      person acting as the logged in user
   Something you know («Pa$$W0rd1»)
   Something you have
   Something you are




    * Fingerprint shared by Wilfredor under CC BY-SA 3.0 lisence
   In practice a static, shared secret
     Password
     Security questions
      ▪ Mother’s maiden name
      ▪ Where did you go to school
      ▪ And so on...
     PINs (debit/credit cards)
   Code generators
     Sequence based
     Time-based
   Your mobile phone
     SMS
     Google Authenticator
   You’re debit/credit card (physical/VVC2)
   Cards with printed PIN-codes
   Biometrics
     Fingerprint
     Retina scan
     Etc..
   Not widely deployed on the web...
   Something you know: a password or PIN
   Why?
     Very cheap (no devices)
      ▪ Do note that password resets can cost you…
     In some cases available off-the-shelf (e.g.
      ASP.NET has the SqlMembershipProvider)
   Scales well
   Users are well accustomed to
    passwords/PINs!
   Som critical aspects of a password based
    authentication procedure
     How passwords are stored
     How users sign up
     How passwords are validated
     How passwords are reset
     Application security
     The security of all other password based IT-
     systems in the world
   The easiest way to store a password is, well,
    to store the password in a database in
    cleartext
     DBA’s can easily steal the passwords.
     A breach of the database will immediately reveal
     all passwords (think Sony)
   So, encryption or hashing to the rescue!
   PS! Forgot password -> mail with old
    password -> most likely cleartext passwords
   Encrypted passwords mean only one thing
   They must be decrypted to be verified
   Encryption key + database -> all passwords
   There is most likely a sysadmin with access to
    both the key, and the db
   Password encryption is not recommended!
   A hash function is a deterministic one way
    function with a fixed output length
   Commonly used: MD5, Sha-1, Sha-256
   MD5(‘Password’) =>           3GR+tl5nEeFVN1IYISs5ZA==
       Look it up on Google 



   It’s easy to compute the hash value of an
    input. It should be impossible to calculate the
    input based on a hash value (hence one way)
   Two users with the same password, will have
    the same hash values in the db
   You can compute the hash value for common
    passwords, and store the values
   If you get hold of password hashes – just look
    them up against known values!
   The precomputation step is the essence of
    Rainbow tables
     Let’s you crack common passwords in no time
   We need salts!
 Salts add a bit of uniqueness to the input to the
  hash function
 Salts can be stored besides the password hash in
  the db
   Salt: 3GR+tl5nEeFVN1IYISs5ZA==
   Hash = Sha-256(salt+password)

   Hampers rainbow table attacks
   Does not hamper dictionary attacks/brute force
    attacks
   If you get your hands on a list of salted
    password hashes you can
     Run a dictionary attack (calculate password
      hashes for a wordlist, and compare the hashes)
     Run a brute force attack (calculate hashes for all
      possible passwords aaaaaa, aaaaab, aaaaac so on)
   If it’s not your list of password hashes, do
    consider the legal aspects
   Are very efficient against common hashes
    such as MD5/Sha-family
     Millions of hashes checked per second (single cpu)
   Due to the fact that hash functions were
    designed to be fast (not to store passwords)
   We need to add a workload!
   PBKDF2
     Password based key derivation function
     Runs X iterations of an HMAC (based on SHA-1) to
      generate a key
     Computational penalty for password crackers
   Bcrypt
     Also adds computational load => time penalty
   Scrypt
     Based on a memory trade-off, to hamper special
     purpose hardware w/limited memory
   You’ve stored your passwords securely
     The password crackers now hate you


   Then some other site gets hacked and all
    their passwords are leaked
     Who cares, you’re secure right?
   Your users used the same password on your
    site...
   Users tend to reuse their passwords across
    websites
   Other sites get hacked for various reasons
   Leads to the compromise of accounts on your
    site!
   But that’s not fair!
     No it isn’t. The world is not fair, in case you
      haven’t noticed.
 Something you have
 Is NOT shared
  between sites
 Solves the «other sites
  were hacked» problem
   Time-based
     Code typically generated based on a secret key,
      and the current time
     Requires reliable clocks on both server and the
      code generating device
   Sequence based
     Pseudo random number generator, seeded with a
      secret key
     Code generator and server generate same
      sequence of codes
   Go with time-based if you can
     Limited TTL for your codes
     Limited number of valid codes at any given time
   Sequence based generators
     Let’s you compute many codes that will be valid
      until used
     E.g. take someone’s token, generate 5 codes,
      they’ll be valid until the victim tries to use a code
   Very important that security cannot be
    degraded in your system
     Fallback from two-factor to single factor
      authentication
     Disabling of security mechanisms without
      requiring authentication
   E.g. to change the password, you need to
    enter the correct current password
   More complicated for two-factor
    authentication
     If you can reset one factor with the other, it’s not
      really two-factor
     Forgot password -> set new password, confirm
      with one time code
     Lost mobile phone -> log in with password to
      change mobile number for one time codes
   Beware such dependencies in your system!
   “Forgotten password”
     Secret questions (are not)
     E-mail
     Snail mail
     SMS
   Require re-authentication for all critical
    updates
   Such as change of
     Password
     Phone number
     E-mail address
     Disabling of security mechanisms
   And not with just one factor!
   If you have an optional security mechanism
    (e.g. one time codes)
     You must require the user to use the security
      mechanism in order to turn it off
     Else it’s useless!
   So changing the «security level» must be
    done according to the current level of security
   Tutorial/demo! 
   Scenario: Someone is logged in to their
    Google account
     Two-factor authentication enabled
     You have figured out their password but don’t
     have access to their OTPs
   Can you find any way to gain access to their
    acount, without OTPs, from another
    computer?
   Thank you for listening!
   Find me on the web:
     www.dotnetnoob.com
     @klingsen

More Related Content

What's hot

Brute force attack
Brute force attackBrute force attack
Brute force attackjoycruiser
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Fego Ogwara
 
Password Cracking
Password Cracking Password Cracking
Password Cracking Sina Manavi
 
3D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 13D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 1Swagato Dey
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy   a point of viewWhy is password protection a fallacy   a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Password hacking
Password hackingPassword hacking
Password hackingAbhay pal
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy QueryGloria Stoilova
 
Welcome to the world of hacking
Welcome to the world of hackingWelcome to the world of hacking
Welcome to the world of hackingTjylen Veselyj
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key loggerPatel Mit
 
Greater Wheeling AITP Web Security
Greater Wheeling AITP Web SecurityGreater Wheeling AITP Web Security
Greater Wheeling AITP Web SecurityJohn Parkinson
 
3d authentication system
3d authentication system3d authentication system
3d authentication systemRicha Agarwal
 
Password Attack
Password Attack Password Attack
Password Attack Sina Manavi
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication IJMER
 

What's hot (20)

Brute force attack
Brute force attackBrute force attack
Brute force attack
 
Password Attack
Password AttackPassword Attack
Password Attack
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
Password Management
Password ManagementPassword Management
Password Management
 
3D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 13D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 1
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy   a point of viewWhy is password protection a fallacy   a point of view
Why is password protection a fallacy a point of view
 
Password hacking
Password hackingPassword hacking
Password hacking
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy Query
 
J0704055058
J0704055058J0704055058
J0704055058
 
Encryption by fastech
Encryption by fastechEncryption by fastech
Encryption by fastech
 
Welcome to the world of hacking
Welcome to the world of hackingWelcome to the world of hacking
Welcome to the world of hacking
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key logger
 
Greater Wheeling AITP Web Security
Greater Wheeling AITP Web SecurityGreater Wheeling AITP Web Security
Greater Wheeling AITP Web Security
 
3D PASSWORD
3D PASSWORD 3D PASSWORD
3D PASSWORD
 
3d authentication system
3d authentication system3d authentication system
3d authentication system
 
Password Attack
Password Attack Password Attack
Password Attack
 
Brute force
Brute forceBrute force
Brute force
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
 

Similar to Getting authentication right

Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4skimil
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewSTO STRATEGY
 
Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force toolszeus7856
 
CHAPTER 7 Authentication and Authorization On
CHAPTER  7 Authentication and Authorization OnCHAPTER  7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization OnMaximaSheffield592
 
Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Dr. P. Mohana Priya
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITYSupanShah2
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxFarhanaMariyam1
 
Chapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe thChapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe thsamirapdcosden
 
Technology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreTechnology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreWilliam Mann
 
11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Homezaimorkai
 
Password Management
Password ManagementPassword Management
Password ManagementDavon Smart
 
1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaperHai Nguyen
 
It security in healthcare
It security in healthcareIt security in healthcare
It security in healthcareNicholas Davis
 
Password hacking
Password hackingPassword hacking
Password hackingMr. FM
 
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"..."Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"...PROIDEA
 

Similar to Getting authentication right (20)

Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Net
 
How encryption works
How encryption worksHow encryption works
How encryption works
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force tools
 
CHAPTER 7 Authentication and Authorization On
CHAPTER  7 Authentication and Authorization OnCHAPTER  7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization On
 
Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Introduction to Web Application Security Principles
Introduction to Web Application Security Principles
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITY
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptx
 
Chapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe thChapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe th
 
Information Security
Information SecurityInformation Security
Information Security
 
Technology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreTechnology Training - Security, Passwords & More
Technology Training - Security, Passwords & More
 
11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home
 
Password Management
Password ManagementPassword Management
Password Management
 
C0210014017
C0210014017C0210014017
C0210014017
 
1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper
 
It security in healthcare
It security in healthcareIt security in healthcare
It security in healthcare
 
Password hacking
Password hackingPassword hacking
Password hacking
 
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"..."Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
 

Recently uploaded

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Recently uploaded (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

Getting authentication right

  • 1. ROOTS, 27. April 2012 André N. Klingsheim @klingsen
  • 2. Some motivation  Authentication/identities defined  Where authentication fits in  Authentication factors  Passwords  Two-factor authentication  Keeping your shields up  Fun and demos
  • 3. Verizon Data Breach Investigations Report*  Based on 855 incidents (that resulted in)  174 million compromized records  Leads to some interesting statistics ▪ Curiosity: One organized criminal group in Eastern Europe worked on average three days per week  Go read it when you get home! * http://www.verizonbusiness.com/dbir/
  • 4. Source: Verizon Data Breach Investigations Report, p. 26
  • 5. Source: Verizon Data Breach Investigations Report, p. 32
  • 6. TL;DR: How sure are you that it’s the correct user who’s logging in?  You’re never 100% sure!  Authentication is the process of establishing an understood level of trust in whether the user is who she claims to be
  • 7. An identifier such as a name, national identity number, or a customer number, points to an identity  The identity of an individual is the set of information associated with that individual in a particular computer system
  • 8. Someone claims to be «klings»! Authentication tries to establish whether that someone is this guy! 
  • 9. 1. You don’t know who the user is 2. The user authenticates (now you’re pretty sure who the user is) 3. The user gets a security token in return  You associate the user’s identity with this token  Think session cookies (and username written to session) 4. Now you «remember» the outcome of the authentication
  • 10. You’re done with authentication, and then have to rely on session security  So, authentication helps you figure out whether an unkown person/computer can safely be assosciated with a digital identity  Session security deals with remembering who the users is in a secure manner
  • 11.
  • 12. Your trust in that you’re talking to the right person is at its peak in the authentication instant  Session security takes over, remember this is «cached» trust  Re-authentication  Rebuilds your trust in that it’s still the correct person acting as the logged in user
  • 13.
  • 14. Something you know («Pa$$W0rd1»)  Something you have  Something you are * Fingerprint shared by Wilfredor under CC BY-SA 3.0 lisence
  • 15. In practice a static, shared secret  Password  Security questions ▪ Mother’s maiden name ▪ Where did you go to school ▪ And so on...  PINs (debit/credit cards)
  • 16. Code generators  Sequence based  Time-based  Your mobile phone  SMS  Google Authenticator  You’re debit/credit card (physical/VVC2)  Cards with printed PIN-codes
  • 17. Biometrics  Fingerprint  Retina scan  Etc..  Not widely deployed on the web...
  • 18. Something you know: a password or PIN  Why?  Very cheap (no devices) ▪ Do note that password resets can cost you…  In some cases available off-the-shelf (e.g. ASP.NET has the SqlMembershipProvider)  Scales well  Users are well accustomed to passwords/PINs!
  • 19. Som critical aspects of a password based authentication procedure  How passwords are stored  How users sign up  How passwords are validated  How passwords are reset  Application security  The security of all other password based IT- systems in the world
  • 20. The easiest way to store a password is, well, to store the password in a database in cleartext  DBA’s can easily steal the passwords.  A breach of the database will immediately reveal all passwords (think Sony)  So, encryption or hashing to the rescue!  PS! Forgot password -> mail with old password -> most likely cleartext passwords
  • 21. Encrypted passwords mean only one thing  They must be decrypted to be verified  Encryption key + database -> all passwords  There is most likely a sysadmin with access to both the key, and the db  Password encryption is not recommended!
  • 22. A hash function is a deterministic one way function with a fixed output length  Commonly used: MD5, Sha-1, Sha-256  MD5(‘Password’) => 3GR+tl5nEeFVN1IYISs5ZA==  Look it up on Google   It’s easy to compute the hash value of an input. It should be impossible to calculate the input based on a hash value (hence one way)
  • 23. Two users with the same password, will have the same hash values in the db  You can compute the hash value for common passwords, and store the values  If you get hold of password hashes – just look them up against known values!  The precomputation step is the essence of Rainbow tables  Let’s you crack common passwords in no time  We need salts!
  • 24.  Salts add a bit of uniqueness to the input to the hash function  Salts can be stored besides the password hash in the db  Salt: 3GR+tl5nEeFVN1IYISs5ZA==  Hash = Sha-256(salt+password)  Hampers rainbow table attacks  Does not hamper dictionary attacks/brute force attacks
  • 25. If you get your hands on a list of salted password hashes you can  Run a dictionary attack (calculate password hashes for a wordlist, and compare the hashes)  Run a brute force attack (calculate hashes for all possible passwords aaaaaa, aaaaab, aaaaac so on)  If it’s not your list of password hashes, do consider the legal aspects
  • 26. Are very efficient against common hashes such as MD5/Sha-family  Millions of hashes checked per second (single cpu)  Due to the fact that hash functions were designed to be fast (not to store passwords)  We need to add a workload!
  • 27. PBKDF2  Password based key derivation function  Runs X iterations of an HMAC (based on SHA-1) to generate a key  Computational penalty for password crackers  Bcrypt  Also adds computational load => time penalty  Scrypt  Based on a memory trade-off, to hamper special purpose hardware w/limited memory
  • 28. You’ve stored your passwords securely  The password crackers now hate you  Then some other site gets hacked and all their passwords are leaked  Who cares, you’re secure right?  Your users used the same password on your site...
  • 29. Users tend to reuse their passwords across websites  Other sites get hacked for various reasons  Leads to the compromise of accounts on your site!  But that’s not fair!  No it isn’t. The world is not fair, in case you haven’t noticed.
  • 30.  Something you have  Is NOT shared between sites  Solves the «other sites were hacked» problem
  • 31. Time-based  Code typically generated based on a secret key, and the current time  Requires reliable clocks on both server and the code generating device  Sequence based  Pseudo random number generator, seeded with a secret key  Code generator and server generate same sequence of codes
  • 32. Go with time-based if you can  Limited TTL for your codes  Limited number of valid codes at any given time  Sequence based generators  Let’s you compute many codes that will be valid until used  E.g. take someone’s token, generate 5 codes, they’ll be valid until the victim tries to use a code
  • 33. Very important that security cannot be degraded in your system  Fallback from two-factor to single factor authentication  Disabling of security mechanisms without requiring authentication  E.g. to change the password, you need to enter the correct current password
  • 34. More complicated for two-factor authentication  If you can reset one factor with the other, it’s not really two-factor  Forgot password -> set new password, confirm with one time code  Lost mobile phone -> log in with password to change mobile number for one time codes  Beware such dependencies in your system!
  • 35. “Forgotten password”  Secret questions (are not)  E-mail  Snail mail  SMS
  • 36. Require re-authentication for all critical updates  Such as change of  Password  Phone number  E-mail address  Disabling of security mechanisms  And not with just one factor!
  • 37. If you have an optional security mechanism (e.g. one time codes)  You must require the user to use the security mechanism in order to turn it off  Else it’s useless!  So changing the «security level» must be done according to the current level of security
  • 38. Tutorial/demo!   Scenario: Someone is logged in to their Google account  Two-factor authentication enabled  You have figured out their password but don’t have access to their OTPs  Can you find any way to gain access to their acount, without OTPs, from another computer?
  • 39. Thank you for listening!  Find me on the web:  www.dotnetnoob.com  @klingsen