The Sibyl

The Sibyl: Another layer of security for authentication.
Presentation given at NoCoName 2011.


  1. Another layer of security [for authentication]. The Sibyl. Pedro Fortuny Ayuso (Uniovi), Rafael Casado Sánchez (Freelance). 16/17 September 2011
  2. The Sibyl: another layer of security. the burden of security
  3. [I stopped collecting logos after Military Meltdown Monday]
  4. what is the common pattern?
  5. what is the common pattern? a hashed copy of your password has been compromised
  6. a hashed copy of your password has been compromised
  7. a hashed copy of your password has been compromised ⇓ if your password is “easy”, it has been discovered
  8. a hashed copy of your password has been compromised ⇓ if your password is “easy”, it has been discovered; “your password is YOUR PROBLEM”
  9. “your password is YOUR PROBLEM”
  10. “your password is YOUR PROBLEM”; is this reasonable?
  11. “your password is YOUR PROBLEM”; is this reasonable? login: pfortuny; password: 02Mustremembermyd@*!*dpassword
  12. honestly
  13. honestly, is it reasonable?
  14. hashes are bad for passwords
  15. hashes are bad for passwords; mantra
  16. hashes are bad for passwords; mantra: hashes are bad for passwords
  17. hashes are bad for passwords; mantra: hashes are bad for passwords, hashes are bad for passwords
  18. hashes are bad for passwords; mantra: hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords
  19. hashes are bad for passwords; mantra: hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords
  20. hashes are bad for passwords; mantra: hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords
  21. hashes are bad for passwords; mantra: hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords; no, really: hashes are bad for passwords
  22. hashes are bad for passwords; mantra: hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords, hashes are bad for passwords; no, really: hashes are bad for passwords, because users choose bad passwords
  23. passwordlogy [Troy Hunt], in brief (the Sony/Gawker hack):
  24. passwordlogy [Troy Hunt], in brief (the Sony/Gawker hack): 99% alphanumeric
  25. passwordlogy [Troy Hunt], in brief (the Sony/Gawker hack): 93% ≤ 10 chars; 99% alphanumeric
  26. passwordlogy [Troy Hunt], in brief (the Sony/Gawker hack): 93% ≤ 10 chars; 99% alphanumeric; 82% are ≤ 9 chars long
  27. passwordlogy [Troy Hunt], in brief (the Sony/Gawker hack): 93% ≤ 10 chars; 99% alphanumeric; 92% reuse; 82% are ≤ 9 chars long
  28. passwordlogy [Troy Hunt], in brief (the Sony/Gawker hack): 93% ≤ 10 chars; 99% alphanumeric; 36% in English dictionary...; 92% reuse; 82% are ≤ 9 chars long
  29. can be done
  30. security CAN be done; easy secret code
  31. axiom 0: do NOT allow INFINITE login attempts [we are assuming this in the remainder]
  32. can be done
  33. can be done; 2011
  34. can be done; 2011; ever heard of distributed computing?
  35. can be done; 2011; ever heard of distributed computing? Software as a Service?
  36. can be done; 2011; ever heard of distributed computing? Software as a Service? outsourcing??????
  37. today’s authentication
  38. today’s authentication: 1-store hash(password) in login server
  39. today’s authentication: 1-store hash(password) in login server; 2-fetch login+pwd
  40. today’s authentication: 1-store hash(password) in login server; 2-fetch login+pwd; 3-hash(pwd) == hash(password)
  41. today’s authentication: 1-store hash(password) in login server; 2-fetch login+pwd; 3-hash(pwd) == hash(password); 4-grant/deny access
  42. today’s authentication: 1-store hash(password) in login server; 2-fetch login+pwd; 3-hash(pwd) == hash(password); 4-grant/deny access; the login server is overburdened
  43. today’s authentication: 1-store hash(password) in login server; 2-fetch login+pwd; 3-hash(pwd) == hash(password); 4-grant/deny access; the login server is overburdened + hashes are bad for passwords (mantra)
  44. modern ideas (2011)
  45. modern ideas (2011): 1-randomize the authentication token: [rand:easy] ~ [rand:difficult]* (* analogue to random salt but better)
  46. modern ideas (2011): 1-randomize the authentication token: [rand:easy] ~ [rand:difficult]* (* analogue to random salt but better); 2-delegate the authentication step
  47. 2-delegate the authentication step
  48. 2-delegate the authentication step: delegation allows use of Public Key Crypto (RSA)
  49. 2-delegate the authentication step: delegation allows use of Public Key Crypto (RSA); oh!
  50. 1-randomize the authentication token
  51. 1-randomize the authentication token: RSA-OAEP padding: “add 160 random bits” + encrypt
  52. 1-randomize the authentication token: RSA-OAEP padding: “add 160 random bits” + encrypt; compare:
  53. 1-randomize the authentication token: RSA-OAEP padding: “add 160 random bits” + encrypt; compare: hash(salt+easy) = a little complicated
  54. 1-randomize the authentication token: RSA-OAEP padding: “add 160 random bits” + encrypt; compare: hash(salt+easy) = a little complicated; RSA(easy+160 rand bits) ~ RSA(160 rand bits) [volunteers?]
  55. delegated authentication
  56. delegated authentication: 1-store OAEP-RSA(hash(password)) in server [only needs public key]
  57. delegated authentication: 1-store OAEP-RSA(hash(password)) in server [only needs public key]; 2-fetch login+pwd
  58. delegated authentication: 1-store OAEP-RSA(hash(password)) in server [only needs public key]; 2-fetch login+pwd; 3-compute OAEP-RSA(hash(pwd)) [only needs public key]
  59. delegated authentication: 1-store OAEP-RSA(hash(password)) in server [only needs public key]; 2-fetch login+pwd; 3-compute OAEP-RSA(hash(pwd)) [only needs public key]; 3.5-ask someone else [the owner of the private key]
  60. delegated authentication: 1-store OAEP-RSA(hash(password)) in server [only needs public key]; 2-fetch login+pwd; 3-compute OAEP-RSA(hash(pwd)) [only needs public key]; 3.5-ask someone else [the owner of the private key]; 4-grant/deny access
  61. delegated authentication: 1-store OAEP-RSA(hash(password)) in server [only needs public key]; 2-fetch login+pwd; 3-compute OAEP-RSA(hash(pwd)) [only needs public key]; 3.5-ask someone else [the owner of the private key]; 4-grant/deny access; yeah, the server is still overburdened...
  62. 3.5-ask someone else
  63. 3.5-ask someone else: the Sibyl: dummy computer [like an Oracle (Sibyl)]
  64. 3.5-ask someone else: the Sibyl: dummy computer [like an Oracle (Sibyl)]; computer: can decrypt RSA messages (owns the private key)
  65. 3.5-ask someone else: the Sibyl: dummy computer [like an Oracle (Sibyl)]; computer: can decrypt RSA messages (owns the private key); dummy: can only do that (and answer yes/no to queries)
  66. 3.5-ask someone else: the Sibyl: dummy computer [like an Oracle (Sibyl)]; computer: can decrypt RSA messages (owns the private key); dummy: can only do that (and answer yes/no to queries); the UNIX way of life
  67. the data is secure (server); the Sibyl is secure
  68. the data is secure (server): -RSA(random) [no brute force]; the Sibyl is secure
  69. the data is secure (server): -RSA(random) [no brute force], -public RSA Key [can’t decrypt]; the Sibyl is secure
  70. the data is secure (server): -RSA(random) [no brute force], -public RSA Key [can’t decrypt]; the Sibyl is secure: dummy protocol ~ unhackable
  71. the data is secure (server): -RSA(random) [no brute force], -public RSA Key [can’t decrypt]; the Sibyl is secure: dummy protocol ~ unhackable [...I’ll deny ever having said this...]
  72. why OAEP-RSA is safer than salt? salt | OAEP
  73. why OAEP-RSA is safer than salt? salt: SHA-1(salt$m) = SHA-1(salt$m) [obvious] | OAEP
  74. why OAEP-RSA is safer than salt? salt: SHA-1(salt$m) = SHA-1(salt$m) [obvious]; m~8 chars brute force feasible | OAEP
  75. why OAEP-RSA is safer than salt? salt: SHA-1(salt$m) = SHA-1(salt$m) [obvious]; m~8 chars brute force feasible | OAEP: crypt() adds 160 random bits each time
  76. why OAEP-RSA is safer than salt? salt: SHA-1(salt$m) = SHA-1(salt$m) [obvious]; m~8 chars brute force feasible | OAEP: crypt() adds 160 random bits each time; OAEP-crypt(m) ≠ OAEP-crypt(m)
  77. why OAEP-RSA is safer than salt? salt: SHA-1(salt$m) = SHA-1(salt$m) [obvious]; m~8 chars brute force feasible | OAEP: crypt() adds 160 random bits each time; OAEP-crypt(m) ≠ OAEP-crypt(m); cannot be brute-forced: 160 unknown bits
  78. why OAEP-RSA is safer than salt? salt: SHA-1(salt$m) = SHA-1(salt$m) [obvious]; m~8 chars brute force feasible | OAEP: crypt() adds 160 random bits each time; OAEP-crypt(m) ≠ OAEP-crypt(m); cannot be brute-forced: 160 unknown bits; length(pwd) irrelevant
  79. mypera:~$ for i in 1 2 3 4 5 6 ; do echo "-------- round $i" ; echo patata | openssl rsautl -encrypt -inkey trial -oaep -hexdump ; done [output: six 64-byte hexdumps, one per round, all different]; same encryption, different results (2^160)
  80. internals
  81. client, server, sibyl
  82. client, server, sibyl: login+pwd (TLS)
  83. client, server, sibyl: login+pwd (TLS); v1=RSA(pwd), v2=RSA(pass) [stored]
  84. client, server, sibyl: login+pwd (TLS); v1=RSA(pwd), v2=RSA(pass) [stored]; (v1,v2)
  85. client, server, sibyl: login+pwd (TLS); v1=RSA(pwd), v2=RSA(pass) [stored]; (v1,v2); decrypt(v1)==decrypt(v2)
  86. client, server, sibyl: login+pwd (TLS); v1=RSA(pwd), v2=RSA(pass) [stored]; (v1,v2); decrypt(v1)==decrypt(v2); reply (OK/NOOK)
  87. client, server, sibyl: login+pwd (TLS); v1=RSA(pwd), v2=RSA(pass) [stored]; (v1,v2); decrypt(v1)==decrypt(v2); reply (OK/NOOK); grant/not login
  88. server, sibyl
  89. server, sibyl: request nonce
  90. server, sibyl: request nonce; nonce [n]
  91. server, sibyl: request nonce; nonce [n]; v1=RSA_E(pwd:n), v2=[stored], m=nonce
  92. server, sibyl: request nonce; nonce [n]; v1=RSA_E(pwd:n), v2=[stored], m=nonce; (m,v1,v2)
  93. server, sibyl: request nonce; nonce [n]; v1=RSA_E(pwd:n), v2=[stored], m=nonce; (m,v1,v2); decrypt_E(v1)==decrypt_E(v2)
  94. server, sibyl: request nonce; nonce [n]; v1=RSA_E(pwd:n), v2=[stored], m=nonce; (m,v1,v2); decrypt_E(v1)==decrypt_E(v2); u=sign_S(m,OK/NOOK)
  95. server, sibyl: request nonce; nonce [n]; v1=RSA_E(pwd:n), v2=[stored], m=nonce; (m,v1,v2); decrypt_E(v1)==decrypt_E(v2); u=sign_S(m,OK/NOOK); u
  96. server, sibyl: request nonce; nonce [n]; v1=RSA_E(pwd:n), v2=[stored], m=nonce; (m,v1,v2); decrypt_E(v1)==decrypt_E(v2); u=sign_S(m,OK/NOOK); u; verify_S(u)
  97. server, sibyl: request nonce; nonce [n]; v1=RSA_E(pwd:n), v2=[stored], m=nonce; (m,v1,v2); decrypt_E(v1)==decrypt_E(v2); u=sign_S(m,OK/NOOK); u; verify_S(u); two keys, two nonces [this is important]
  98. a call to all developers
  99. stop the nonsense
  100. what we have: · device: bifferboard (essentially POC) · sibyl server · pam client: pam_sibyl.so · demo client · scripts [shadow file] ⟹ [sibyl file]
  101. what we have: · device: bifferboard (essentially POC) · sibyl server · pam client: pam_sibyl.so · demo client · scripts [shadow file] ⟹ [sibyl file]; will have: sql library, php module
  102. Thanks. demo time: welcome rafacas. www.thesibyl.net. Pedro Fortuny Ayuso (Uniovi), Rafael Casado Sánchez (Freelance). 2011 - september - No cON Name
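
The exchange on slides 55 to 61 and 88 to 97, as an added sketch that is not the Sibyl project's code: pure-Python RSA-OAEP with SHA-1 (so the seed is the 160 random bits of slide 51), a server that holds only public keys, and a sibyl that decrypts, compares and signs its verdict. Assumptions: the keys are constructed, insecure toy keys built from Mersenne primes; the nonce n is appended to the hash inside v1 and stripped by the sibyl; the signature is unpadded hash-then-RSA.

```python
import hashlib, hmac, os
H, HLEN, E = hashlib.sha1, 20, 65537  # SHA-1 OAEP: the 20-byte seed is the "160 random bits"

def toy_key(a, b):  # constructed, INSECURE key from Mersenne primes 2^a-1, 2^b-1 -> (n, d)
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def mgf1(seed, length):
    return b"".join(H(seed + i.to_bytes(4, "big")).digest() for i in range(length // HLEN + 1))[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(n, msg):  # public key only
    k = (n.bit_length() + 7) // 8
    db = H(b"").digest() + bytes(k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = os.urandom(HLEN)  # fresh on every call, so equal inputs give different outputs
    masked_db = xor(db, mgf1(seed, len(db)))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return pow(int.from_bytes(b"\x00" + masked_seed + masked_db, "big"), E, n)

def oaep_decrypt(n, d, c):  # needs the private exponent d
    em = pow(c, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    seed = xor(em[1:1 + HLEN], mgf1(em[1 + HLEN:], HLEN))
    db = xor(em[1 + HLEN:], mgf1(seed, len(em) - HLEN - 1))
    pad, sep, msg = db[HLEN:].partition(b"\x01")
    if em[0] or db[:HLEN] != H(b"").digest() or any(pad) or not sep:
        raise ValueError("OAEP decoding error")
    return msg

def digest(m, verdict):
    return int.from_bytes(H(m + b"|" + verdict).digest(), "big")

class Sibyl:  # owns both private keys; only decrypts, compares and signs a verdict
    def __init__(self):
        self.enc, self.sig, self.issued = toy_key(521, 607), toy_key(1279, 2203), set()
    def nonce(self):
        self.issued.add(n := os.urandom(8).hex().encode())
        return n
    def check(self, m, v1, v2):
        token, _, n = oaep_decrypt(*self.enc, v1).rpartition(b":")
        fresh = n in self.issued
        self.issued.discard(n)  # each nonce n is accepted once, so v1 cannot be replayed
        ok = fresh and hmac.compare_digest(token, oaep_decrypt(*self.enc, v2))
        verdict = b"OK" if ok else b"NOOK"
        return verdict, pow(digest(m, verdict), self.sig[1], self.sig[0])  # sign_S(m, verdict)

def enroll(enc_n, password):  # server: v2 = OAEP-RSA(hash(password))
    return oaep_encrypt(enc_n, H(password).hexdigest().encode())

def login(sibyl, enc_n, sig_n, v2, pwd):  # server: holds public keys only
    n, m = sibyl.nonce(), os.urandom(8).hex().encode()  # two nonces: n from sibyl, m from server
    v1 = oaep_encrypt(enc_n, H(pwd).hexdigest().encode() + b":" + n)
    verdict, u = sibyl.check(m, v1, v2)
    return verdict == b"OK" and pow(u, E, sig_n) == digest(m, verdict)
```

The server's nonce m binds the signed verdict to one query, and the sibyl's nonce n makes a captured v1 useless for a second query.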
