Sylvain Maret is a digital security expert who gave a presentation on strong authentication in web applications. He discussed threats to authentication like keyloggers and social engineering. New standards like FFIEC and PCI DSS require strong authentication for financial applications and remote access. Strong authentication can use biometrics or one-time passwords. Standards like SAML and OpenID allow for identity federation where users can authenticate with an identity provider and access multiple applications.

1. Sylvain Maret / Digital Security Expert @ MARET Consulting BrightTALK - October 7th 2010 Authentication and Strong Authentication in Web Application

2. Agenda Protecting digital identities strong authentication? Strong Authentication: A new paradigm ! New Standards Integration with web applications Identity Federation for Authentication SAML / OpenID

3. Who am I? Security Expert 15 years of experience in ICT Security CEO and Founder of MARET Consulting Expert at Engineer School of Yverdon & Geneva University Swiss French Area delegate at OpenID Switzerland Co-founder Geneva Application Security Forum OWASP Member Author of the blog: la Citadelle Electronique http://ch.linkedin.com/in/smaret Chosen field Digital Identity Security

4. Protection of digital identities: a topical issue…

5. threats on the authentication

6. Facts ! Keylogger (hard and soft) Malware Man in the Middle Browser in the Middle Password Sniffer Social Engineering Phishing / Pharming The number of identity thefts is increasing dramatically!

7. A major event in the world of strong authentication 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive « Single Factor Authentication » is not enough for the web financial applications Before end 2006 it is compulsory to implement a strong authentication system http://www.ffiec.gov/press/pr101205.htm And the PCI DSS norm Compulsory strong authentication for distant accesses And now European regulations Payment Services (2007/64/CE) for banks Social Networks, Open Source

8. Definition of strong authentication Strong Authentication on Wikipedia

9. «Digital identity is the cornerstone of trust» More information on the subject

10. Strong Authentication A new paradigm !

11. Which strong authentication technology? (Legacy Token …..)

13. * * Biometry type Fingerprinting OTP PKI (HW) Biometry Strong authentication Encryption Digital signature Non repudiation Strong link with the user

14. Strong Authentication with Biometry (Match on Card technology) A reader Biometry SmartCard A card with chip Technology MOC Crypto processor PC/SC PKCS#11 Digital certificate X509

15. Authentication Server must be agnostic

16. New Standards & Open Source

17. Technologies accessible to everyone Based on Standards Open Authentication (OATH) OATH authentication algorithms HOTP (HMAC Event Based) OCRA (Challenge/Response) TOTP (Time Based) OATH Token Identifier Specification Open Solutions Mobile One Time Passwords strong, two-factor authentication with mobile phones

18. Integration with web application

19. Web applications: basic authentication model

20. Web application: strong authentication model

21. “ Shielding" approach: perimetric authentication

22. Module/Agent-based approach

23. API/SDK based approach

24. SSL PKI: how does it work? Web Server Alice Validation Authority Valid Invalid Unknown OCSP request SSL / TLS Mutual Authentication

25. Federated identities: a changing paradigm on authentication

26. Federation of identity approach a change of paradigm: using IDP for Authentication and Strong Authentication Web App X Web App Y Identity Provider

27. SECTION 1 SAML What is it? How does it work?

28. Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)

29. SAML – What is it? SAML (Security Assertion Markup Language): Defined by t he Oasis Group Well and Academically Designed Specification Uses XML Syntax Used for Authentication & Authorization SAML Assertions Statements: Authentication, Attribute, Authorization SAML Protocols Queries: Authentication, Artifact, N a me Identifier Mapping, etc. SAML Bindings SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact SAML Profiles Web Browser SingleSignOn Profile , Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile

30. SAML – How does it work? Identity Provider e.g. clavid.ch User Hans Muster Enabled Service e.g. Google Apps for Business 1 2 2 6 3 4 4

31. Example with HTTP POST Binding

32. SAML AuthN & ACS integration in Web Application

33. OpenID What is it? How does it work? How to integrate? SECTION 2

34. OpenID - What is it? Internet SingleSignOn Relatively Simple Protocol User-Centric Identity Management Internet Scalable Free Choice of Identity Provider No License Fee Independent of Identification Methods Non-Profit Organization

35. OpenID - How does it work? 1 3 5 Enabled Service 6 4, 4a User Hans Muster Caption 1. User enters OpenID 2. Discovery 3. Authentication 4. Approval 4a. Change Attributes 5. Send Attributes 6. Validation 2 Identity URL https://hans.muster.clavid.com Identity Provider e.g. clavid.com hans.muster.clavid.com

36. Architecture IPD Authentication Server

37. Unique Interface Agnostic / Easy SAML

39. Conclusion #1 Authentication Server need to be agnostic to any Token Support Open Standards Federation of identity: a change of paradigm for authentication Not Only for Federation or Web SSO SAML and OpenID can support all authentication technologies Develop only one authentication interface for all Web Application

40. Conclusion #2 Users can choose his Strong Authentication Token Users Friendly and Reduce Costs New Standards and Open Source Solution OTP Software Token is no free  Strong Authentication for Social Networks (OpenID IPD & Strong Authentication) Think about Web Application Security OWASP - Application Security Verification Standard Project OWASP - Best Practices: Use of Web Application Firewalls 2010 CWE/SANS - Top 25 Most Dangerous Software Errors

41. Quelques liens pour aller approfondir le sujet MARET Consulting http://maret-consulting.ch/ La Citadelle Electronique (le blog sur les identités numériques) http://www.citadelle-electronique.net/ Articles banque et finance: Usurper une identité? Impossible avec la biométrie! http://www.banque-finance.ch/numeros/88/59.pdf Biométrie et Mobilité http://www.banque-finance.ch/numeros/97/62.pdf Présentations publiques OSSIR Paris 2009: Retour d'expérience sur le déploiement de biométrie à grande échelle http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf ISACA, Clusis: Accès à l’information : Rôles et responsabilités http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-de28099authentification-forte.pdf

42. "Le conseil et l'expertise pour le choix et la mise en oeuvre des technologies innovantes dans la sécurité des systèmes d'information et de l'identité numérique"