Online Authentication
Federated information technology systems

Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM
LinkedIn: http://ca.linkedin.com/in/herouxma
Twitter: @herouxma | IRC: herouxma on irc.freenode.net

There are many types of spoofing attacks online. In this article we explain how to increase your security posture against online spoofing.

Date: May 16th, 2014
Draft Version
Prerequisites

• In this presentation, the clients and servers are assumed not to be compromised;
• for critical Web applications, all communications must be in a tunnel (ex.: VPN);
• for critical activities accessing sensitive information, using an RSA SecurID is strongly suggested;
• all exchanges must use correctly configured SSL if not in a tunnel.
Server validation (SAML)

Validating against a server, a nonce at layer 5 can prevent CSRF and spoofing (ex.: SAML).

[Diagram: Web browser, Web servers cluster, Identity Provider (IdP) and Directory (ex.: secure LDAP). Labels on the flow (numbered 1 to 6 in the original figure): use Web application; receive requests based on a secret; verify and validate the secret (ex.: SAML ID) against the IdP and directory; if authentication is successful, receive the secret; deliver authorized content (6). Threat agent: sends email with malicious code and conducts various external attacks from layer 3 to 7.]
Server validation (CSRF)

● Comparing the server-generated nonce with the nonce submitted in the hidden HTML form field value is also considered a good practice;
● then we have Web authentication as follows: something you receive from the web server (nonce) and something you send to the web server as a client (nonce).

[Diagram: (5) JavaScript/Ajax authentication hijacking. The threat sends malicious code in a custom form and posts it to the Web server; the browser holds the cookie (SAML ID, with its SAML TTL) and the nonce hidden field; the Web server reads the cookie, compares the posted nonce with the one it set for the session, and on a match the request succeeds.]

The malicious post is rejected because:
1. The attacker doesn't know the nonce;
2. The attacker can't guess the nonce;
3. The attacker cannot send the nonce in the hidden field;
4. The server or WAF rejects the post.

Confidentiality, integrity and availability of the SAML ID:
1. The IdP must always be available, so it must be well protected (hardened, monitored, etc.);
2. The ID can be retrieved from the header by a man-in-the-middle attack (a VPN and correct SSL can protect against this);
3. The ID must be long enough and not be guessable;
4. The ID must be compared between the Web server and the IdP before authorizing access.

Likelihood of the attack
If the SAML ID is compromised:
1. The attacker will gain access to your Web application for the time-to-live of the SAML ID;
2. If the IdP or the LDAP server is compromised, the overall solution is compromised;
3. To prevent a complete takeover of your infrastructure by an attacker, never use a critical account without an RSA SecurID.
Cookie: few basic principles

Subject and object: always make sure to identify and authenticate your subject or your object and provide proper authorization, to reduce potential false negative results and security incidents;
JavaScript/AJAX: can be easily injected, and you cannot rely on it without server-side validation (ex.: IdP);
The cookie: name and values must not be guessable or stealable;
The maximum cookie size: about 4K.
Among others, when using cookies it is important to follow these principles:
• Limit the amount of sensitive information stored in the cookie;
• Limit the subdomains and paths to prevent interception by another application;
• Enforce SSL so the cookie isn't sent in cleartext;
• Use values that are hard to guess (name, IDs, etc.) and set an expiration value (the more critical, the shorter);
• Make the cookie HttpOnly so it is not accessible to JavaScript.
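The cookie principles above, applied in code. This is an added example, not code from the deck: it builds the setting to avoid beside the corrected one with Python's standard http.cookies module, and an audit function that flags a Set-Cookie value missing any of the deck's attributes. The cookie name "s7x", the path "/app", the 300-second lifetime and the list of guessable default names are assumptions; SameSite is added beyond what the deck lists. Leaving the Domain attribute unset keeps the cookie host-only, which is how the subdomain limit is applied here.

```python
import secrets
from http.cookies import SimpleCookie

# Default names of common platforms, hence easy to guess (constructed list).
GUESSABLE_NAMES = {"sessionid", "session", "sid", "phpsessid", "jsessionid"}


def new_session_value():
    """Unguessable cookie value: 32 random bytes, URL-safe encoded."""
    return secrets.token_urlsafe(32)


def weak_session_cookie(value):
    """The setting to avoid: default name, no scope, no expiry, no flags."""
    c = SimpleCookie()
    c["sessionid"] = value
    return c.output(header="").strip()


def hardened_session_cookie(value, max_age_seconds, path="/app"):
    """Applies the deck's principles: non-default name, narrow path, Secure
    (SSL only), HttpOnly (no JavaScript access) and a short expiry.
    No Domain attribute, so the cookie stays host-only."""
    c = SimpleCookie()
    c["s7x"] = value                # assumed non-default name
    m = c["s7x"]
    m["path"] = path                # limit the path to this application
    m["secure"] = True              # never sent in cleartext
    m["httponly"] = True            # not readable by injected JavaScript
    m["max-age"] = max_age_seconds  # the more critical, the shorter
    m["samesite"] = "Strict"        # added here; not in the deck's list
    return c.output(header="").strip()


def audit_set_cookie(header_value):
    """Check one Set-Cookie value against the principles.
    Returns a list of findings; an empty list means the cookie passes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent in cleartext")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected JavaScript")
    if attrs.get("path", "/") == "/":
        findings.append("Path not limited: every application on the host receives it")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("no expiration set")
    if name.strip().lower() in GUESSABLE_NAMES:
        findings.append("default/guessable cookie name")
    if len(value) < 16:
        findings.append("value too short to be unguessable")
    return findings


if __name__ == "__main__":
    print(audit_set_cookie(weak_session_cookie("1234")))        # six findings
    print(audit_set_cookie(hardened_session_cookie(new_session_value(), 300)))  # []
```

Running the audit against a real application's Set-Cookie responses (for instance from a proxy capture) is a quick way to verify the principles are actually enforced in production, not only in the design.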
Who stole my cookies? Pseudocode

If the form hidden nonce value is different from the server nonce set for the current client session, it's a threat;
if the SAML ID in the header is different from the server's XML HTTP request result for the ID stored at the identity provider, a threat tried to forge the SAML ID;
else, the context can be considered acceptable.

Example of a SAML ID:
<saml:Assertion ID="_b07b205c-7c29-gr16-4300-5f3e6f7923vc"
IssueInstant="2014-18-05T18:35:10.728Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://saml.oracle.com
</saml:Issuer>
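The pseudocode above, and the nonce and SAML ID checks of the "Server validation (CSRF)" slide, as a runnable example. This is added code, not the deck's or any vendor's: the session store, the IdP's record of issued assertions and the 300-second TTL are constructed in-memory stand-ins for what a real deployment would hold in the Web server and fetch from the IdP over an XML HTTP request. The check also covers the TTL case from the "Likelihood of the attack" list, rejecting an ID the IdP no longer considers live.

```python
import hmac
import secrets

# Constructed in-memory stand-ins (assumptions, not a real IdP or session store).
SESSIONS = {}           # session_id -> server-generated nonce
IDP_ASSERTIONS = {}     # SAML ID -> expiry time (issue time + TTL)
SAML_TTL_SECONDS = 300  # assumed time-to-live of the SAML ID


def start_session(session_id):
    """Web server: create an unguessable nonce for this client session.
    The value goes into the hidden form field; a custom form built by an
    attacker cannot contain it."""
    nonce = secrets.token_urlsafe(32)
    SESSIONS[session_id] = nonce
    return nonce


def idp_issue_saml_id(now):
    """IdP stand-in: issue a long random SAML ID and record when it expires."""
    saml_id = "_" + secrets.token_hex(16)
    IDP_ASSERTIONS[saml_id] = now + SAML_TTL_SECONDS
    return saml_id


def idp_lookup(saml_id, now):
    """Stand-in for the Web server asking the IdP whether the ID is known
    and still inside its TTL; False for unknown or expired IDs."""
    expiry = IDP_ASSERTIONS.get(saml_id)
    return expiry is not None and now < expiry


def validate_request(session_id, posted_nonce, header_saml_id, now):
    """Apply the deck's pseudocode to one POST.
    'csrf-threat'     : hidden-field nonce differs from the session's nonce;
    'forged-saml-id'  : header ID not confirmed (unknown or expired) by the IdP;
    'ok'              : both checks passed."""
    expected = SESSIONS.get(session_id)
    if expected is None or posted_nonce is None:
        return "csrf-threat"
    # Constant-time comparison so response timing does not leak how much
    # of the nonce matched.
    if not hmac.compare_digest(expected.encode(), posted_nonce.encode()):
        return "csrf-threat"
    if header_saml_id is None or not idp_lookup(header_saml_id, now):
        return "forged-saml-id"
    return "ok"


if __name__ == "__main__":
    now = 1000.0
    nonce = start_session("sess-1")
    saml_id = idp_issue_saml_id(now)
    print(validate_request("sess-1", nonce, saml_id, now))        # ok
    print(validate_request("sess-1", "guessed", saml_id, now))    # csrf-threat
    print(validate_request("sess-1", nonce, "_forged", now))      # forged-saml-id
    print(validate_request("sess-1", nonce, saml_id, now + 301))  # forged-saml-id
```

The order of the checks matters for logging: a nonce mismatch is flagged before the IdP is consulted, so a flood of forged posts does not become a load on the IdP, whose availability the deck singles out as critical.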
Stateful packet firewall

Also, and not new: most common IP spoofing can usually be dropped and logged by a basic layer 3 packet firewall.

Here is an example of iptables and Cisco rules for an internal network (match all addresses of the firewall (192.168.1.1, 192.0.2.1) and the network behind it (192.168.1.0/24)):

# netfilter/iptables
# Rule 0 (eth0)
#
# anti spoofing rule
#
# Create the chain once, then send every packet arriving on eth0 that
# claims a firewall or internal address to it; every jump must target
# the same chain name (In_RULE_0).
$IPTABLES -N In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.0.2.1 -j In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.0.2.1 -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -j In_RULE_0
# Log first, then drop.
$IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0 -j DROP

! Cisco Rule 0 (Ethernet1/0)
! anti-spoofing rule
!
access-list outside_acl_in remark 0 (Ethernet1/0)
access-list outside_acl_in remark anti-spoofing rule
access-list outside_acl_in deny ip host 192.0.2.1 any
access-list outside_acl_in deny ip host 192.168.2.1 any
access-list outside_acl_in deny ip host 192.168.1.1 any
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any
access-group outside_acl_in in interface outside
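The iptables rule above logs every spoofed packet with the prefix "RULE 0 -- DENY " before dropping it; the log is only useful if someone reads it. The following is an added example, not part of the deck: a small parser that picks those entries out of syslog, classifies why the claimed source is impossible on the outside interface (it is one of the firewall's own addresses, or it lies in the network behind the firewall), and counts hits per claimed source for triage. The sample log lines are constructed in the format the netfilter LOG target writes and are not real captures.

```python
import ipaddress
import re
from collections import Counter

# Addresses the deck's anti-spoofing rule protects: the firewall's own
# addresses and the network behind it.
FIREWALL_ADDRS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("192.0.2.1")}
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample syslog lines (not real captures) in the shape the
# netfilter LOG target writes with the deck's prefix "RULE 0 -- DENY ".
SAMPLE_LOG = """\
May 16 10:01:02 fw kernel: RULE 0 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.77 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 16 10:01:03 fw kernel: RULE 0 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 16 10:01:04 fw kernel: RULE 0 -- DENY IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.77 DST=192.168.1.9 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=28
May 16 10:01:05 fw kernel: RULE 7 -- ACCEPT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=TCP SPT=5555 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Only the DENY entries of the anti-spoofing chain; other rules are skipped.
DENY_RE = re.compile(
    r"RULE (?P<rule>\d+) -- DENY IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)


def classify_source(src):
    """Why a packet arriving on the outside interface with this source is spoofed."""
    if src in FIREWALL_ADDRS:
        return "claims firewall address"
    if any(src in net for net in INTERNAL_NETS):
        return "claims internal network"
    return "other"


def parse_spoof_denies(log_text):
    """Return one event dict per logged anti-spoofing drop."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        events.append({
            "rule": int(m["rule"]),
            "iface": m["iface"],
            "src": str(src),
            "dst": m["dst"],
            "reason": classify_source(src),
        })
    return events


def top_sources(events):
    """Count dropped packets per claimed source address, for alerting and triage."""
    return Counter(e["src"] for e in events)


if __name__ == "__main__":
    evts = parse_spoof_denies(SAMPLE_LOG)
    for e in evts:
        print(e)
    print(top_sources(evts).most_common())
```

A repeated claimed source on the outside interface is worth an alert rather than a line in a report: the firewall already dropped the packets, but the pattern tells you someone upstream is crafting them.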
Conclusion

Integrity and confidentiality are very important in the authentication process, and avoiding the use of cookies is suggested, especially for critical applications;
To support authentication, the authentication systems must be available at all times (ex.: IdP server);
The likelihood of an attack in this scenario is bounded by the duration of the session SAML ID key, somewhat similar to the likelihood with an RSA SecurID token;
Restrict POST to legitimate and acceptable sources only, and use a nonce;
Using an RSA SecurID device for critical activities raises the security posture to a very interesting level;
Many security appliances use the same CA private key across all devices. This is particularly dangerous, since the universal CA private key can be extracted from any single device by an attacker. With the private key, the attacker can be seen as trustworthy by all devices using the public key to secure transport as well as payload.
References

I want to thank the following sources and authors:
• Carnegie Mellon University, Analyzing Forged SSL Certificates in the Wild, Lin-Shung Huang, Alex Rice, Erling Ellingsen, Collin Jackson
• Oracle, Developing Security Providers for WebLogic Server, Identity Assertion Providers, http://docs.oracle.com/cd/E15051_01/wls/docs103/dvspisec/ia.html
• Robert Hafner, How to Create Totally Secure Cookies, http://blog.teamtreehouse.com/how-to-create-totally-secure-cookies
• FirewallBuilder, Anti-spoofing rule, http://www.fwbuilder.org/4.0/docs/users_guide5/anti-spoofing-rules.shtml
• IBM Research - India, Security Analysis of Web-based Identity Federation, Apurva Kumar
• Cisco, SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 10.0(1), First Published: December 06, 2013, Last Modified: May 08, 2014
• OASIS, Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, 15 March 2005
More Related Content

What's hot

How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Mastering Next Gen SIEM Use Cases (Part 3)
Mastering Next Gen SIEM Use Cases (Part 3)Mastering Next Gen SIEM Use Cases (Part 3)
Mastering Next Gen SIEM Use Cases (Part 3)DNIF
 
CAS MAA Infographic
CAS MAA InfographicCAS MAA Infographic
CAS MAA InfographicBlue Coat
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Advanced Threat Protection - Sandboxing 101
Advanced Threat Protection - Sandboxing 101Advanced Threat Protection - Sandboxing 101
Advanced Threat Protection - Sandboxing 101Blue Coat
 
Preventing Today's Malware
Preventing Today's MalwarePreventing Today's Malware
Preventing Today's MalwareDavid Perkins
 
Cisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018   anatomy of an attackCisco connect winnipeg 2018   anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attackCisco Canada
 
Client side encryption without knowing its limits is a ticking time bomb!
Client side encryption without knowing  its limits is a ticking time bomb!Client side encryption without knowing  its limits is a ticking time bomb!
Client side encryption without knowing its limits is a ticking time bomb!Priyanka Aash
 
Advanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle InfographicAdvanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle InfographicBlue Coat
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )Katy Slemon
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment Mykhailo Antonishyn
 
개발자가 알아야 할 보안
개발자가 알아야 할 보안개발자가 알아야 할 보안
개발자가 알아야 할 보안Johnny Cho
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Security
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 

What's hot (20)

How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 
Mastering Next Gen SIEM Use Cases (Part 3)
Mastering Next Gen SIEM Use Cases (Part 3)Mastering Next Gen SIEM Use Cases (Part 3)
Mastering Next Gen SIEM Use Cases (Part 3)
 
CAS MAA Infographic
CAS MAA InfographicCAS MAA Infographic
CAS MAA Infographic
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
Advanced Threat Protection - Sandboxing 101
Advanced Threat Protection - Sandboxing 101Advanced Threat Protection - Sandboxing 101
Advanced Threat Protection - Sandboxing 101
 
Preventing Today's Malware
Preventing Today's MalwarePreventing Today's Malware
Preventing Today's Malware
 
Cisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018   anatomy of an attackCisco connect winnipeg 2018   anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attack
 
Client side encryption without knowing its limits is a ticking time bomb!
Client side encryption without knowing  its limits is a ticking time bomb!Client side encryption without knowing  its limits is a ticking time bomb!
Client side encryption without knowing its limits is a ticking time bomb!
 
Advanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle InfographicAdvanced Threat Protection Lifecycle Infographic
Advanced Threat Protection Lifecycle Infographic
 
News Bytes - December 2015
News Bytes - December 2015News Bytes - December 2015
News Bytes - December 2015
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )
 
Certificate Pinning: Not as Simple as It Sounds
Certificate Pinning: Not as Simple as It Sounds Certificate Pinning: Not as Simple as It Sounds
Certificate Pinning: Not as Simple as It Sounds
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment
 
개발자가 알아야 할 보안
개발자가 알아야 할 보안개발자가 알아야 할 보안
개발자가 알아야 할 보안
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security Overview
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 

Viewers also liked

Méthodologie - adoption d'une norme en 7 étapes
Méthodologie - adoption d'une norme en 7 étapesMéthodologie - adoption d'une norme en 7 étapes
Méthodologie - adoption d'une norme en 7 étapesMarc-Andre Heroux
 
Assurance compliance management system
Assurance compliance management systemAssurance compliance management system
Assurance compliance management systemMarc-Andre Heroux
 
BUSINESS MATURITY LIFE CYCLE
BUSINESS MATURITY LIFE CYCLEBUSINESS MATURITY LIFE CYCLE
BUSINESS MATURITY LIFE CYCLEMarc-Andre Heroux
 
Monitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System ControlMonitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System ControlMarc-Andre Heroux
 
Enterprise Security Critical Security Functions version 1.0
Enterprise Security Critical Security Functions version 1.0Enterprise Security Critical Security Functions version 1.0
Enterprise Security Critical Security Functions version 1.0Marc-Andre Heroux
 
Modèle de sécurité organisationnelle
Modèle de sécurité organisationnelleModèle de sécurité organisationnelle
Modèle de sécurité organisationnelleMarc-Andre Heroux
 
Frame - MAC Address Threats & Vulnerabilities
Frame - MAC Address Threats & VulnerabilitiesFrame - MAC Address Threats & Vulnerabilities
Frame - MAC Address Threats & VulnerabilitiesMarc-Andre Heroux
 

Viewers also liked (8)

Méthodologie - adoption d'une norme en 7 étapes
Méthodologie - adoption d'une norme en 7 étapesMéthodologie - adoption d'une norme en 7 étapes
Méthodologie - adoption d'une norme en 7 étapes
 
Assurance compliance management system
Assurance compliance management systemAssurance compliance management system
Assurance compliance management system
 
BUSINESS MATURITY LIFE CYCLE
BUSINESS MATURITY LIFE CYCLEBUSINESS MATURITY LIFE CYCLE
BUSINESS MATURITY LIFE CYCLE
 
Monitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System ControlMonitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System Control
 
Enterprise Security Critical Security Functions version 1.0
Enterprise Security Critical Security Functions version 1.0Enterprise Security Critical Security Functions version 1.0
Enterprise Security Critical Security Functions version 1.0
 
Modèle de sécurité organisationnelle
Modèle de sécurité organisationnelleModèle de sécurité organisationnelle
Modèle de sécurité organisationnelle
 
Frame - MAC Address Threats & Vulnerabilities
Frame - MAC Address Threats & VulnerabilitiesFrame - MAC Address Threats & Vulnerabilities
Frame - MAC Address Threats & Vulnerabilities
 
Succession “Losers”: What Happens to Executives Passed Over for the CEO Job?
Succession “Losers”: What Happens to Executives Passed Over for the CEO Job? Succession “Losers”: What Happens to Executives Passed Over for the CEO Job?
Succession “Losers”: What Happens to Executives Passed Over for the CEO Job?
 

Similar to Online Authentication

Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Chapter 2 System Security.pptx
Chapter 2 System Security.pptxChapter 2 System Security.pptx
Chapter 2 System Security.pptxRushikeshChikane2
 
the-most-dangerous-code-in-the-world
the-most-dangerous-code-in-the-worldthe-most-dangerous-code-in-the-world
the-most-dangerous-code-in-the-worldMartin Georgiev
 
the-most-dangerous-code-in-the-world
the-most-dangerous-code-in-the-worldthe-most-dangerous-code-in-the-world
the-most-dangerous-code-in-the-worldMartin Georgiev
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhamzaaqqa7
 
How to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsHow to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsAll Things Open
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upDileep Kalidindi
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
Building Cloud Applications Based On Zero Trust
Building Cloud Applications Based On Zero TrustBuilding Cloud Applications Based On Zero Trust
Building Cloud Applications Based On Zero TrustMahesh Patil
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry:  Normshield Executive Presentation2017 Cyber Risk Grades by Industry:  Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive PresentationNormShield, Inc.
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewRobert Herjavec
 
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Amazon Web Services
 
TrustLeap Multipass - Unbreakable Passwords For Cloud Services
TrustLeap Multipass - Unbreakable Passwords For Cloud ServicesTrustLeap Multipass - Unbreakable Passwords For Cloud Services
TrustLeap Multipass - Unbreakable Passwords For Cloud ServicesTWD Industries AG
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of TrustYousof Alsatom
 
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Amazon Web Services
 
Cloud security privacy- org
Cloud security  privacy- orgCloud security  privacy- org
Cloud security privacy- orgDharmalingam S
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 

Similar to Online Authentication (20)

Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Chapter 2 System Security.pptx
Chapter 2 System Security.pptxChapter 2 System Security.pptx
Chapter 2 System Security.pptx
 
Shmat ccs12
Shmat ccs12Shmat ccs12
Shmat ccs12
 
the-most-dangerous-code-in-the-world
the-most-dangerous-code-in-the-worldthe-most-dangerous-code-in-the-world
the-most-dangerous-code-in-the-world
 
the-most-dangerous-code-in-the-world
the-most-dangerous-code-in-the-worldthe-most-dangerous-code-in-the-world
the-most-dangerous-code-in-the-world
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
 
How to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsHow to 2FA-enable Open Source Applications
How to 2FA-enable Open Source Applications
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-up
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 
Building Cloud Applications Based On Zero Trust
Building Cloud Applications Based On Zero TrustBuilding Cloud Applications Based On Zero Trust
Building Cloud Applications Based On Zero Trust
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry:  Normshield Executive Presentation2017 Cyber Risk Grades by Industry:  Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR Overview
 
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
 
TrustLeap Multipass - Unbreakable Passwords For Cloud Services
TrustLeap Multipass - Unbreakable Passwords For Cloud ServicesTrustLeap Multipass - Unbreakable Passwords For Cloud Services
TrustLeap Multipass - Unbreakable Passwords For Cloud Services
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of Trust
 
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM0...
 
Cloud security privacy- org
Cloud security  privacy- orgCloud security  privacy- org
Cloud security privacy- org
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 

Recently uploaded

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati  9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati  9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Sareena Khatun
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Balliameghakumariji156
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024SOFTTECHHUB
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsMonica Sydney
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理AS
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...meghakumariji156
 

Recently uploaded (20)

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati  9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati  9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查

Online Authentication

  • 1. Online Authentication: Federated information technology systems
    Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM
    LinkedIn: http://ca.linkedin.com/in/herouxma
    Twitter: @herouxma | IRC: herouxma on irc.freenode.net
    There are many types of spoofing attacks online. In this article we explain how to increase your security posture against online spoofing.
    Date: May 16th, 2014. Draft Version.
  • 2. Prerequisites
    • In this presentation, the clients and servers were not compromised;
    • for critical Web applications, all communications must be in a tunnel (ex.: VPN);
    • for critical activities accessing sensitive information, using an RSA SecurID is strongly suggested;
    • all exchanges must be done with correctly configured SSL if not in a tunnel.
  • 3. Server validation (SAML)
    Validating against a server, a nonce at layer 5 can prevent CSRF and spoofing (ex.: SAML).
    [Diagram: a Web servers cluster, an Identity Provider (IdP) and a Directory (ex.: secure LDAP). Labelled steps: use Web application; receive requests based on a secret (ex.: SAML ID); verify and validate; if authentication successful (receive secret); JavaScript/Ajax authentication hijacking (step 5, the threat); deliver authorized content (step 6). Threat agent: sends email with malicious code and conducts various external attacks from layer 3 to 7.]
  • 4. Server validation (CSRF)
    ● Comparing the server-generated nonce with the nonce submitted in the hidden HTML form field value is also considered a good practice;
    ● then we have Web authentication as follows: something you receive from the Web server (nonce) and something you send to the Web server as a client (nonce).
    [Diagram: the Web browser holds the SAML ID cookie and the nonce hidden field; the Web server reads the cookie (SAML TTL) and compares the nonce posted with the nonce set by the server; on success the cookie is accepted. Threat: malicious code sent in a custom form and posted to the Web server.]
    1. The attacker doesn't know the nonce;
    2. the attacker can't guess the nonce;
    3. the attacker cannot send the nonce in a hidden field;
    4. the server or WAF rejects the post.
    Confidentiality, integrity and accessibility of the SAML ID:
    1. The IdP must always be available, so it must be well protected (hardened, monitored, etc.);
    2. the ID can be retrieved from the header by a man-in-the-middle attack (VPN and correct SSL can protect);
    3. the ID must be long enough and not be guessable;
    4. the ID must be compared between the Web server and the IdP before authorizing access.
    Likelihood of the attack, if the SAML ID is compromised:
    1. The attacker will gain access to your Web application for the time-to-live of the SAML ID;
    2. if the IdP or the LDAP server is compromised, the overall solution is compromised;
    3. to prevent a complete takeover of your infrastructure by an attacker, never use a critical account without an RSA SecurID.
  • 5. A few basic principles
    Subject and object: always make sure to identify and authenticate your subject or your object and provide proper authorization, to reduce potential false negative results and security incidents;
    JavaScript/AJAX: can be easily injected, and you cannot rely on it without server validation (ex.: IdP);
    The cookie: name and values must not be guessable or stealable;
    The maximum cookie size: about 4K.
  • 6. Who stole my cookies?
    Among others, when using cookies it's important to follow these principles:
    • Limit the amount of sensitive information stored in the cookie;
    • limit the subdomains and paths to prevent interception by another application;
    • enforce SSL so the cookie isn't sent in cleartext;
    • use values that are hard to guess (name, IDs, etc.) and set an expiration value (the more critical, the shorter);
    • make the cookie HttpOnly so it's not accessible to JavaScript.
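    The cookie principles above, turned into code as an added example (not the author's code): one function issues a session cookie that follows them, and an audit function reports which principles a given Set-Cookie header breaks. The cookie name "sid", the path "/app" and the 22-character minimum are assumptions.

```python
import secrets
from http.cookies import SimpleCookie
from typing import List

def issue_session_cookie(name: str = "sid", path: str = "/app", max_age: int = 900) -> str:
    """Build a Set-Cookie value that follows the slide-6 principles (name and path are assumed)."""
    cookie = SimpleCookie()
    cookie[name] = secrets.token_urlsafe(32)   # 256 random bits: not guessable
    cookie[name]["secure"] = True              # never sent over cleartext HTTP
    cookie[name]["httponly"] = True            # not readable by JavaScript
    cookie[name]["path"] = path                # scoped to this application only
    cookie[name]["max-age"] = max_age          # short lifetime for a critical application
    cookie[name]["samesite"] = "Strict"        # browser will not attach it to cross-site posts
    return cookie[name].OutputString()

def audit_set_cookie(header: str, max_bytes: int = 4096) -> List[str]:
    """Return the slide-6 principles a Set-Cookie header violates (empty list: clean)."""
    cookie = SimpleCookie()
    cookie.load(header)
    findings: List[str] = []
    for name, m in cookie.items():
        if not m["secure"]:
            findings.append(f"{name}: missing Secure, sent in cleartext")
        if not m["httponly"]:
            findings.append(f"{name}: missing HttpOnly, readable by JavaScript")
        if m["path"] in ("", "/"):
            findings.append(f"{name}: Path not limited to the application")
        if not m["max-age"] and not m["expires"]:
            findings.append(f"{name}: no expiration set")
        if len(m.value) < 22:   # token_urlsafe(16) is 22 chars, about 128 bits (assumed floor)
            findings.append(f"{name}: value too short to be unguessable")
        if len(name) + len(m.value) > max_bytes:
            findings.append(f"{name}: exceeds the ~4K cookie size limit")
    return findings
```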
  • 7. Pseudocode
    If the form hidden nonce value is different from the server nonce set for the current client session, it's a threat;
    if the SAML ID in the header is different from the server XML HTTP request result for the ID stored at the identity provider server, a threat tried to forge the SAML ID;
    else, the context can be considered acceptable.
    Example of a SAML ID:
    <saml:Assertion ID="_b07b205c-7c29-gr16-4300-5f3e6f7923vc" IssueInstant="2014-05-18T18:35:10.728Z" Version="2.0">
      <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://saml.oracle.com</saml:Issuer>
    </saml:Assertion>
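    The nonce comparison of slide 4 and the pseudocode above, carried out in Python as an added example (not the author's code). The IdP store, the Session class, the function names and the nonce rotation after a successful post are assumptions; the SAML ID used in the comments is the one from the slide.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical stand-in for the IdP lookup: which SAML assertion ID the
# identity provider issued for a given client session (constructed store).
@dataclass
class IdP:
    issued: Dict[str, str] = field(default_factory=dict)

    def lookup(self, session_id: str) -> Optional[str]:
        return self.issued.get(session_id)

@dataclass
class Session:
    """Server-side state for one client: the nonce the Web server set for it."""
    session_id: str
    nonce: str = field(default_factory=lambda: secrets.token_urlsafe(32))  # 256 bits, not guessable

def render_hidden_field(session: Session) -> str:
    """What the client receives: the nonce, to be sent back in the hidden form field."""
    return f'<input type="hidden" name="nonce" value="{session.nonce}">'

def validate_post(session: Session, form: Dict[str, str],
                  header_saml_id: str, idp: IdP) -> str:
    """Slide-7 decision: 'csrf-threat', 'forged-saml-id' or 'ok'."""
    # 1. the hidden-field nonce must equal the nonce set for this client session;
    #    constant-time compare so response timing does not leak the server value
    if not hmac.compare_digest(form.get("nonce", ""), session.nonce):
        return "csrf-threat"
    # 2. the SAML ID in the header must equal the ID the IdP holds for this session
    #    (e.g. _b07b205c-7c29-gr16-4300-5f3e6f7923vc from the slide)
    expected = idp.lookup(session.session_id)
    if expected is None or not hmac.compare_digest(header_saml_id, expected):
        return "forged-saml-id"
    # 3. otherwise the context is acceptable; rotate the nonce so the value just
    #    consumed cannot be replayed (an added hardening, not on the slide)
    session.nonce = secrets.token_urlsafe(32)
    return "ok"
```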
  • 8. State-full packet firewall
    Also, and not new: the most common IP spoofing can usually be dropped and logged by a basic layer 3 packet firewall.
    Here is an example of iptables and Cisco rules for the internal network (matching all addresses of the firewall (192.168.1.1, 192.0.2.1) and the network behind it (192.168.1.0/24)):

    # netfilter/iptables Rule 0 (eth0)
    #
    # anti spoofing rule: packets arriving on eth0 that claim an internal
    # source address are logged, then dropped
    #
    $IPTABLES -N In_RULE_0
    $IPTABLES -A INPUT -i eth0 -s 192.0.2.1 -j In_RULE_0
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j In_RULE_0
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -j In_RULE_0
    $IPTABLES -A FORWARD -i eth0 -s 192.0.2.1 -j In_RULE_0
    $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -j In_RULE_0
    $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -j In_RULE_0
    $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
    $IPTABLES -A In_RULE_0 -j DROP

    ! Cisco Rule 0 (Ethernet1/0)
    ! anti-spoofing rule
    !
    access-list outside_acl_in remark 0 (Ethernet1/0)
    access-list outside_acl_in remark anti-spoofing rule
    access-list outside_acl_in deny ip host 192.0.2.1 any
    access-list outside_acl_in deny ip host 192.168.2.1 any
    access-list outside_acl_in deny ip host 192.168.1.1 any
    access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any
    access-group outside_acl_in in interface outside
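    The LOG target above only helps if someone reads what it writes. The following is an added example (not from the slides) that parses kernel log lines carrying the rule's "RULE 0 -- DENY " prefix, classifies a packet as spoofed when it enters on eth0 with one of the protected addresses as source, and counts hits per claimed source; the sample log lines are constructed, and the field format is the standard netfilter KEY=value layout.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Addresses the slide-8 rules protect: the firewall's own addresses and the
# network behind it. A packet arriving on the outside interface with one of
# these as its source address is spoofed.
PROTECTED = [ipaddress.ip_network(n) for n in ("192.0.2.1/32", "192.168.1.1/32", "192.168.1.0/24")]
LOG_PREFIX = "RULE 0 -- DENY "          # the --log-prefix used in the iptables rule above
OUTSIDE_IF = "eth0"
_KV = re.compile(r"(\w+)=(\S*)")         # netfilter LOG fields look like KEY=value

def parse_log_line(line: str) -> Dict[str, str]:
    """Return the KEY=value fields that follow our log prefix, or {} for other lines."""
    _, found, rest = line.partition(LOG_PREFIX)
    return dict(_KV.findall(rest)) if found else {}

def is_spoofed(fields: Dict[str, str]) -> bool:
    """True when a packet entering on the outside interface claims an internal source."""
    if fields.get("IN") != OUTSIDE_IF or "SRC" not in fields:
        return False
    try:
        src = ipaddress.ip_address(fields["SRC"])
    except ValueError:            # malformed SRC: nothing we can classify
        return False
    return any(src in net for net in PROTECTED)

def spoof_summary(lines: List[str]) -> Counter:
    """Count dropped spoofed packets per claimed source: the figure to alert on."""
    hits: Counter = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields and is_spoofed(fields):
            hits[fields["SRC"]] += 1
    return hits

# Constructed sample lines in the netfilter LOG format (not real traffic)
SAMPLE_LOG = [
    "May 16 10:00:01 fw kernel: RULE 0 -- DENY IN=eth0 OUT= SRC=192.168.1.77 DST=192.0.2.1 PROTO=TCP SPT=44321 DPT=443 SYN",
    "May 16 10:00:02 fw kernel: RULE 0 -- DENY IN=eth0 OUT= SRC=192.168.1.77 DST=192.0.2.1 PROTO=UDP SPT=53 DPT=53",
    "May 16 10:00:03 fw kernel: RULE 0 -- DENY IN=eth0 OUT= SRC=192.0.2.1 DST=192.168.1.10 PROTO=ICMP TYPE=8",
    "May 16 10:00:04 fw kernel: OTHER RULE IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=22",
]
```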
  • 9. Conclusion
    Integrity and confidentiality are very important in the authentication process, and avoiding the use of cookies is suggested, especially for critical applications;
    in order to support the authentication, authentication systems must be available at all times (ex.: IdP server);
    the likelihood of an attack in this scenario is considered to be the duration of the session SAML ID key, a little similar to the likelihood for an RSA SecurID token;
    restrict POST to legitimate and acceptable sources only and use a nonce;
    while using an RSA SecurID device for critical activities, we increase the security posture to a very interesting level;
    many security appliances are using the same CA private key across all devices. This is particularly dangerous, since the universal CA private key can be extracted from any single device by an attacker. With the private key, the attacker can be seen as trustable by all devices using the public key to secure transport as well as payload.
  • 10. References
    I want to thank the following sources and authors:
    Carnegie Mellon University, Analyzing Forged SSL Certificates in the Wild, Lin-Shung Huang, Alex Rice, Erling Ellingsen, Collin Jackson
    Oracle, Developing Security Providers for WebLogic Server, Identity Assertion Providers, http://docs.oracle.com/cd/E15051_01/wls/docs103/dvspisec/ia.html
    Robert Hafner, How to Create Totally Secure Cookies, http://blog.teamtreehouse.com/how-to-create-totally-secure-cookies
    FirewallBuilder, Anti-spoofing rule, http://www.fwbuilder.org/4.0/docs/users_guide5/anti-spoofing-rules.shtml
    IBM Research - India, Security Analysis of Web-based Identity Federation, Apurva Kumar
    Cisco, SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 10.0(1), First Published: December 06, 2013, Last Modified: May 08, 2014
    OASIS, Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, 15 March 2005