Sylvain Maret is a security expert with 17 years of experience who gave a presentation on strong authentication in web applications in 2012. He discussed various strong authentication technologies like PKI with digital certificates, biometrics, and one-time passwords. He explained how these technologies work at a technical level and emphasized standards from the Initiative for Open AuTHentication. Maret also touched on topics like token-based key generation and storage, and how strong authentication integrates with web applications and impacts application security best practices.
Strong Authentication in Web Application #SCS IIISylvain Maret
Swiss Cyber Storm 3 Security Conference / OWASP Track
Strong Authentication: State of the Art 2011
Risk Based Authentication
Biometry - Match on Card
OTP for Smartphones
OTP SMS
PKI
SuisseID
Mobile-OTP
OATH (HOTP, TOTP, OCRA)
Open Source approach
How to integrate Strong Authentication in Web Application?
OpenID, SAML, Identity Federation for Strong Authentication
API, SDK, Agents, Web Services, Modules
PAM, Radius, JAAS
Reverse Proxy (WAF) and WebSSO
PKI / SSL client authentication
PHP example with Multi-OTP PHP class
AppSec (Threat Modeling - OWASP)
Presented at Seminar at Bahria University June 2007
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, Certification Authority, Secure Socket Layer (SSL), Secure Electronic Transaction (SET)
How to do Cryptography right in Android Part OneArash Ramez
Cryptography is an indispensable tool used to protect information in computing systems. It is used everywhere and by billions of people worldwide on a daily basis. It is used to protect data at rest and data in motion. While extremely useful, cryptography is also highly brittle. The most secure cryptographic system can be rendered completely insecure by a single specification or programming error.to argue that a cryptosystem is secure, we rely on mathematical modeling and proofs to show that a particular system satisfies the security properties attributed to it.
We often need to introduce certain plausible assumptions to push our security arguments through.
This presentation is about exactly that: constructing practical cryptosystems in android platform for which we can argue security under plausible assumptions.part one just covers fundamentals topics in cryptography world.
Youtube playlist:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gJgHWhKrIhS-L05xHVCPh2
gist:
https://gist.github.com/aramezx
How to do right cryptography in android part 3 / Gated Authentication reviewedArash Ramez
Android Gated-Authentication Architecture and User Authentication using finger-print has been reviewed in this part.
youtube playlist:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7jyqMXjSpNeRRzgoW_1iJg5
aparat:
https://www.aparat.com/v/LvVtZ
Certificate pinning in android applicationsArash Ramez
How to do cryptography right in android
Part #4 / How to mitigate MITM attacks in SSL/TLS channels using server certification validation
watch it on youtube:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gZ0mtoAA8JrfFrvOKr1Qlp
Strong Authentication in Web Application #SCS IIISylvain Maret
Swiss Cyber Storm 3 Security Conference / OWASP Track
Strong Authentication: State of the Art 2011
Risk Based Authentication
Biometry - Match on Card
OTP for Smartphones
OTP SMS
PKI
SuisseID
Mobile-OTP
OATH (HOTP, TOTP, OCRA)
Open Source approach
How to integrate Strong Authentication in Web Application?
OpenID, SAML, Identity Federation for Strong Authentication
API, SDK, Agents, Web Services, Modules
PAM, Radius, JAAS
Reverse Proxy (WAF) and WebSSO
PKI / SSL client authentication
PHP example with Multi-OTP PHP class
AppSec (Threat Modeling - OWASP)
Presented at Seminar at Bahria University June 2007
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, Certification Authority, Secure Socket Layer (SSL), Secure Electronic Transaction (SET)
How to do Cryptography right in Android Part OneArash Ramez
Cryptography is an indispensable tool used to protect information in computing systems. It is used everywhere and by billions of people worldwide on a daily basis. It is used to protect data at rest and data in motion. While extremely useful, cryptography is also highly brittle. The most secure cryptographic system can be rendered completely insecure by a single specification or programming error.to argue that a cryptosystem is secure, we rely on mathematical modeling and proofs to show that a particular system satisfies the security properties attributed to it.
We often need to introduce certain plausible assumptions to push our security arguments through.
This presentation is about exactly that: constructing practical cryptosystems in android platform for which we can argue security under plausible assumptions.part one just covers fundamentals topics in cryptography world.
Youtube playlist:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gJgHWhKrIhS-L05xHVCPh2
gist:
https://gist.github.com/aramezx
How to do right cryptography in android part 3 / Gated Authentication reviewedArash Ramez
Android Gated-Authentication Architecture and User Authentication using finger-print has been reviewed in this part.
youtube playlist:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7jyqMXjSpNeRRzgoW_1iJg5
aparat:
https://www.aparat.com/v/LvVtZ
Certificate pinning in android applicationsArash Ramez
How to do cryptography right in android
Part #4 / How to mitigate MITM attacks in SSL/TLS channels using server certification validation
watch it on youtube:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gZ0mtoAA8JrfFrvOKr1Qlp
PLEASE NOTE: there is an updated version of this deck at https://www.slideshare.net/TorstenLodderstedt/nextgenpsd2-oauth-sca-mode-security-recommendations-186812074
The talk gives an introduction to the NextGenPSD2 OAuth SCA mode and explains security considerations implementors should take into account when implementing it. This advice will go beyond the text of the NextGenPSD2 Spec and will be based on the latest OAuth Security Guidelines (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) and work being conducted at OpenID Foundations FAPI working group.
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
Nessa apresentação falamos do estudo de caso da fintech VC+, abordamos o que fizemos para nos proteger e as principais lições aprendidas, assim como abordaremos o que não fazer. Demonstraremos também um Account Hijacking em um dos aplicativos mais conhecidos do mercado (anonimizado)
How to do Cryptography right in Android Part TwoArash Ramez
Cryptography is an indispensable tool used to protect information in computing systems. It is used everywhere and by billions of people worldwide on a daily basis. It is used to protect data at rest and data in motion. While extremely useful, cryptography is also highly brittle. The most secure cryptographic system can be rendered completely insecure by a single specification or programming error.to argue that a cryptosystem is secure, we rely on mathematical modeling and proofs to show that a particular system satisfies the security properties attributed to it.
We often need to introduce certain plausible assumptions to push our security arguments through.
This presentation is about exactly that: constructing practical cryptosystems in android platform for which we can argue security under plausible assumptions.part one just covers fundamentals topics in cryptography world.
see videos :
https://www.youtube.com/playlist?list=PLT2xIm2X7W7j-arpnN90cuwBcNN_5L3AU
https://www.aparat.com/v/gtlHP
DEFERLANTE. Le 19 juillet 2001, Code Red infectait 250000 ordinateurs en l'espace de 9 heures. Quelque temps après,
c'était au tour de Nimda. Puis, cette année, du virus Klez, qui se propage par la messagerie.
Strong Authentication in Web Application / ConFoo.ca 2011Sylvain Maret
Strong Authentication in Web Application: State of the Art 2011
* Risk Based Authentication
* Biometry - Match on Card
* OTP for Smartphones
* PKI
* Mobile-OTP
* OATH-HOTP
* TOTP
* Open Source approach
How to integrate Strong Authentication in Web Application
* OpenID, SAML, Liberty Alliance / Kantara
* API, Agents, Web Services, Modules
* PAM, Radius, JAAS
* Reverse Proxy (WAF) and WebSSO
* PKI / SSL client authentication
* PHP example with Multi-OTP PHP class
PLEASE NOTE: there is an updated version of this deck at https://www.slideshare.net/TorstenLodderstedt/nextgenpsd2-oauth-sca-mode-security-recommendations-186812074
The talk gives an introduction to the NextGenPSD2 OAuth SCA mode and explains security considerations implementors should take into account when implementing it. This advice will go beyond the text of the NextGenPSD2 Spec and will be based on the latest OAuth Security Guidelines (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) and work being conducted at OpenID Foundations FAPI working group.
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
Nessa apresentação falamos do estudo de caso da fintech VC+, abordamos o que fizemos para nos proteger e as principais lições aprendidas, assim como abordaremos o que não fazer. Demonstraremos também um Account Hijacking em um dos aplicativos mais conhecidos do mercado (anonimizado)
How to do Cryptography right in Android Part TwoArash Ramez
Cryptography is an indispensable tool used to protect information in computing systems. It is used everywhere and by billions of people worldwide on a daily basis. It is used to protect data at rest and data in motion. While extremely useful, cryptography is also highly brittle. The most secure cryptographic system can be rendered completely insecure by a single specification or programming error.to argue that a cryptosystem is secure, we rely on mathematical modeling and proofs to show that a particular system satisfies the security properties attributed to it.
We often need to introduce certain plausible assumptions to push our security arguments through.
This presentation is about exactly that: constructing practical cryptosystems in android platform for which we can argue security under plausible assumptions.part one just covers fundamentals topics in cryptography world.
see videos :
https://www.youtube.com/playlist?list=PLT2xIm2X7W7j-arpnN90cuwBcNN_5L3AU
https://www.aparat.com/v/gtlHP
DEFERLANTE. Le 19 juillet 2001, Code Red infectait 250000 ordinateurs en l'espace de 9 heures. Quelque temps après,
c'était au tour de Nimda. Puis, cette année, du virus Klez, qui se propage par la messagerie.
Strong Authentication in Web Application / ConFoo.ca 2011Sylvain Maret
Strong Authentication in Web Application: State of the Art 2011
* Risk Based Authentication
* Biometry - Match on Card
* OTP for Smartphones
* PKI
* Mobile-OTP
* OATH-HOTP
* TOTP
* Open Source approach
How to integrate Strong Authentication in Web Application
* OpenID, SAML, Liberty Alliance / Kantara
* API, Agents, Web Services, Modules
* PAM, Radius, JAAS
* Reverse Proxy (WAF) and WebSSO
* PKI / SSL client authentication
* PHP example with Multi-OTP PHP class
Strong Authentication in Web Applications: State of the Art 2011Sylvain Maret
Sylvain’s talk will focus on risk based authentication, biometry, OTP for smartphones, PKIs, Mobile-OTP, OATH-HOTP, TOTP and the open-source approach to this subjet.
PHP Demo with multiotp class.
Architectural Patterns in IoT Cloud PlatformsRoshan Kulkarni
IoT PaaS platforms help accelerate the delivery of IoT solutions. This deck outlines the various architectural patterns in IoT Cloud Platforms - A useful checklist to ascertain your own IoT Solution Architecture.
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...JPCERT Coordination Center
Recently we’ve seen many vulnerabilities related to improper certificate validation. Those vulnerabilities come from developers’ ignorance or misunderstanding of basic knowledge of certificate validation or insufficient testing of validation code. This presentation starts with the basics of the certificate validation process, surveys several vulnerabilities in the real world, and concludes with lessons learned from real-world vulnerabilities.
This is presented on JavaOne2015.
"Crypto wallets security. For developers", Julia PotapenkoFwdays
From a security perspective, cryptocurrency wallets are just applications. Similar to banking apps, wallets operate users’ funds and allow making transactions. But are they as secure as banking apps? Let’s talk about the risks and threats of crypto wallets, then move to design concerns and implementation issues. What types of data should be protected? What are the most common vulnerabilities? And why encrypting data is not as trivial as it may seem?
Bitcoin and other distributed virtual currencies are revolutionizing how monetary value is stored and exchanged on the Internet. Key opportunities and risks will be described. The two main objectives of this talk will be to explain the underlying blockchain and cryptology technologies that make them work, and to demonstrate PHP recipes for using the web services that enable payment processing, identity validation, and smart contract execution.
Similar to Strong Authentication State of the Art 2012 / Sarajevo CSO (20)
ASFWS 2012 / Initiation à la sécurité des Web Services par Sylvain MaretSylvain Maret
Avec l’expansion des services en lignes via le cloud ou tout simplement l’interconnexion des SI, le besoin d’exposer des services vers l’extérieur est croissant. Les WebServices sont une solution
maintenant éprouvée depuis longtemps pour répondre à ce besoin.
Que l’on utilise SOAP ou REST un problème se pose toujours : comment faire pour sécuriser l’accès à mon SI alors que j’en ouvre une porte en exposant mon métier ? Cette conférence tentera de répondre à ces questions en présentant des cas concrets d’implémentation.
Comment protéger de façon efficace son/ses identité(s) numérique(s) sur le We...Sylvain Maret
Comment protéger de façon efficace son/ses identité(s) numérique(s) sur le Web 2.0?
Workshop der SATW ICT Commission
20./21. Mai 2010, Parkhotel Schloss Münchenwiler
Implementation of a Biometric Solution Providing Strong Authentication To Gai...Sylvain Maret
First- hand feedback on the implementation of identity management within a bank.
Technological choices ? Issues ? Concept and design, implementation, training and human aspects. A hands-on experience.
Corrélation d'évènements dans un environnement VoIP avec ExaProtectSylvain Maret
Ce projet est né d’une initiative d’e-Xpert Solutions SA, Exaprotect et IICT qui désiraient collaborer dans le domaine de la sécurité VoIP. En effet, grâce à l’aboutissement de la première étape du projet Vadese (www.vadese.org), l’IICT souhaitait déployer une solution de type SIEM (Security Information and Event Management) disponible sur le marché dans le but de créer un démonstrateur de fonctions de détection et traitement des alertes VoIP.
L’objectif de ce travail de diplôme consiste essentiellement à repérer des sessions SIP et de détecter des attaques complexes basées sur la corrélation de messages SIP et RTP/RTPC utilisés lors de l’établissement d’une communication téléphonique ainsi que l’enregistrement et l’actualisation du client (UA) auprès du proxy SIP.
Comment Sécurisé son Identité NumériqueSylvain Maret
Usurpation de votre identité ! Réalité ou fiction ?Identité numérique et authentification forte
Utilisation de SeatBelt de Verisign
Protection de vos comptes Linkedin, Facebook et Google
Sylvain Maret 7 juin 20009
2. Strong Authentication in Web Application
“State of the Art 2012”
Sylvain Maret / Digital Security Expert / OpenID Switzerland
@smaret
Version 1.01 / 22.11.2012
3. Who am I?
• Security Expert
– 17 years of experience in ICT Security
– Principal Consultant at MARET Consulting
– Expert at Engineer School of Yverdon & Geneva University
– Swiss French Area delegate at OpenID Switzerland
– Co-founder Geneva Application Security Forum
– OWASP Member
– Author of the blog: la Citadelle Electronique
– http://ch.linkedin.com/in/smaret or @smaret
– http://www.slideshare.net/smaret
• Chosen field
– AppSec & Digital Identity Security
17. SSL/TLS Mutual Authentication :
how does it work?
Validation
CRL Authority
or
OCSP Request
Valid
Invalid
Unknown
SSL / TLS Mutual Authentication
Alice
Web Server
18. Strong Authentication with
Biometry (Match on Card
technology)
• A reader
– Biometry
– SmartCard
• A card with chip
– Technology MOC
– Crypto Processor
• PC/SC
• PKCS#11
• Digital certificate X509
20. (O)ne (T)ime (P)assword
• OTP Time Based • Others:
– Like SecurID
– OTP via SMS
• OTP Event Based – OTP via email
– Biometry and OTP
– Phone
• OTP Challenge
– Bingo Card
Response Based
– Etc.