Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Strong Authentication in Web Application / ConFoo.ca 2011

4,072 views

Published on

Strong Authentication in Web Application: State of the Art 2011

* Risk Based Authentication
* Biometry - Match on Card
* OTP for Smartphones
* PKI
* Mobile-OTP
* OATH-HOTP
* TOTP
* Open Source approach

How to integrate Strong Authentication in Web Application

* OpenID, SAML, Liberty Alliance / Kantara
* API, Agents, Web Services, Modules
* PAM, Radius, JAAS
* Reverse Proxy (WAF) and WebSSO
* PKI / SSL client authentication

* PHP example with Multi-OTP PHP class

Published in: Technology
  • Be the first to comment

Strong Authentication in Web Application / ConFoo.ca 2011

  1. 1. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.chStrong Authentication in Web Application Sylvain Maret / Digital Security Expert / OpenID Switzerland ConFoo.ca / 2011-03-10 Conseil en technologies
  2. 2. Agendawww.maret-consulting.ch Conseil en technologies
  3. 3. Who am I?  Security Expert  17 years of experience in ICT Security  Principal Consultant at MARET Consulting  Expert at Engineer School of Yverdon & Geneva University  Swiss French Area delegate at OpenID Switzerland  Co-founder Geneva Application Security Forum  OWASP Member  Author of the blog: la Citadelle Electronique  http://ch.linkedin.com/in/smaret or @smaret  Chosen field  AppSec & Digital Identity Securitywww.maret-consulting.ch Conseil en technologies
  4. 4. Protection of digital identities: a topical issue… Strong Authenticationwww.maret-consulting.ch Conseil en technologies
  5. 5. Multi-factor Authentication-101: Talk by Philippe Gamache 2011-03-08 Montréal 2011-03-09 Montréal OWASP Meetingwww.maret-consulting.ch Conseil en technologies
  6. 6. «Digital identity is the cornerstone of trust» http://fr.wikipedia.org/wiki/Authentification_fortewww.maret-consulting.ch Conseil en technologies
  7. 7. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.chStrong Authentication A new paradigm ! Conseil en technologies
  8. 8. Which Strong Authentication technology ? Legacy Token / Old Model ? / Open Source Solution ?www.maret-consulting.ch Conseil en technologies
  9. 9. www.maret-consulting.ch Conseil en technologies
  10. 10. OTP PKI (HW) Biometry Strong * authentication Encryption Digital signature Non repudiation Strong link with the user * Biometry type Fingerprintingwww.maret-consulting.ch Conseil en technologies
  11. 11. Strong Authentication with PKIwww.maret-consulting.ch Conseil en technologies
  12. 12. PKI: Digital Certificate Hardware Token (Crypto PKI) Strong Authentication Software Certificate (PKCS#12;PFX) TPMwww.maret-consulting.ch Conseil en technologies
  13. 13. SSL/TLS Mutual Athentication : how does it work? Validation Authority OCSP request Valid Invalid Unknown SSL / TLS Mutual Authentication Alice Web Serverwww.maret-consulting.ch Conseil en technologies
  14. 14. Demo #1: OpenID and Software Certificate using Clavid.ch http://www.clavid.com/www.maret-consulting.ch Conseil en technologies
  15. 15. Strong Authentication with Biometry (Match on Card technology)  A reader  Biometry  SmartCard  A card with chip  Technology MOC  Crypto Processor  PC/SC  PKCS#11  Digital certificate X509www.maret-consulting.ch Conseil en technologies
  16. 16. Strong Authentication With(O)ne (T)ime (P)assword www.maret-consulting.ch Conseil en technologies
  17. 17. (O)ne (T)ime (P)assword  OTP Time Based  Others:  OTP Event Based  OTP via SMS  OTP via email  Biometry and OTP  OTP Challenge  Bingo Card Response Based  Etc.www.maret-consulting.ch Conseil en technologies
  18. 18. OTP T-B? OTP E-B? OTP C-R-B?www.maret-consulting.ch Crypto - 101 Conseil en technologies
  19. 19. Crypto-101 / Time Based OTP HASH FunctionK=Secret Key / Seed OTP T=UTC Time ie = OTP(K,T) = Truncate(HMAC-SHA-1(K,T)) www.maret-consulting.ch Conseil en technologies
  20. 20. Crypto-101 / Event Based OTP HASH FunctionK=Secret Key / Seed OTP C = Counter ie = OTP(K,C) = Truncate(HMAC-SHA-1(K,C)) www.maret-consulting.ch Conseil en technologies
  21. 21. Crypto-101 / OTP Challenge Response Based HASH FunctionK=Secret Key / Seed OTP Challenge nonce www.maret-consulting.ch Conseil en technologies
  22. 22. Others OTP technologies… OTP Via SMS “Flicker code” Generator Software that converts already encrypted data into optical screen animation By Elcardwww.maret-consulting.ch Conseil en technologies
  23. 23. Demo #2: Protect WordPress (OTP Via SMS)www.maret-consulting.ch Conseil en technologies
  24. 24. How to Storemy Secret Key ? A Token !www.maret-consulting.ch Conseil en technologies
  25. 25. OTP Token: Software vs Hardware ?www.maret-consulting.ch Conseil en technologies
  26. 26. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960www.maret-consulting.ch Conseil en technologies
  27. 27. New Standards & Open Sourcewww.maret-consulting.ch Conseil en technologies
  28. 28. Technologies accessible to everyone   Initiative for Open AuTHentication (OATH)  HOTP  TOTP  OCRA  Etc.  Mobile OTP  (Use MD5 …..)www.maret-consulting.ch Conseil en technologies
  29. 29. OATH Reference Architecture, Release 2.0 http://www.openauthentication.org/www.maret-consulting.ch Conseil en technologies
  30. 30. Initiative for Open AuTHentication (OATH)  HOTP  OCRA  Event Based OTP  Challenge/Response  RFC 4226 OTP  Draft IETF Version 13  TOTP  Time Based OTP  Token Identifier  Draft IETF Version 8 Specificationwww.maret-consulting.ch  Etc. Conseil en technologies
  31. 31. (R)isk (B)ased (A)uthenticationwww.maret-consulting.ch Conseil en technologies
  32. 32. RBA (Risk-Based Authentication) = Behavior Modelwww.maret-consulting.ch Conseil en technologies
  33. 33. 2 Step Verification from Google !Use OATH-HOTP & TOTPhttp://code.google.com/p/google-authenticator/ www.maret-consulting.ch Conseil en technologies
  34. 34. Integration with web applicationwww.maret-consulting.ch Conseil en technologies
  35. 35. Web application: basic authentication modelwww.maret-consulting.ch Conseil en technologies
  36. 36. Web application: Strong Authentication modelwww.maret-consulting.ch Conseil en technologies
  37. 37. “Shielding" approach: perimetric authentication using WAFwww.maret-consulting.ch Conseil en technologies
  38. 38. Module/Agent-based approach (example)www.maret-consulting.ch Conseil en technologies
  39. 39. API/SDK based approach (example)www.maret-consulting.ch Conseil en technologies
  40. 40. Demo 3#: PHP Integration for phpmyadminwww.maret-consulting.ch Conseil en technologies
  41. 41. Multi OTP PHP Class by André Liechti (Switzerland) Source Code will be publish soon: http://www.citadelle-electronique.net/ http://www.multiotp.net/www.maret-consulting.ch Conseil en technologies
  42. 42. Proof of Concept Code by Anne Gosselin, Antonio Fontes !if (! empty($_REQUEST[pma_username])) { // The user just logged in $GLOBALS[PHP_AUTH_USER] = $_REQUEST[pma_username]; // we combine both OTP + PIN code for the token verification $fooPass = empty($_REQUEST[pma_password]) ? : $_REQUEST[pma_password]; $fooOtp = empty($_REQUEST[pma_otp]) ? : $_REQUEST[pma_otp]; $GLOBALS[PHP_AUTH_PW] = $fooPass..$fooOtp; // OTP CHECK require_once(./libraries/multiotp.class.php); $multiotp = new Multiotp(); $multiotp->SetUser($GLOBALS[PHP_AUTH_USER]); $multiotp->SetEncryptionKey(DefaultCliEncryptionKey); $multiotp->SetUsersFolder(./libraries/users/); $multiotp->SetLogFolder(./libraries/log/); $multiotp->EnableVerboseLog(); $otpCheckResult = $multiotp->CheckToken($GLOBALS[PHP_AUTH_PW]); // the PIN code use kept for accessing the database $GLOBALS[PHP_AUTH_PW] = substr($GLOBALS[PHP_AUTH_PW], 0, strlen($GLOBALS[PHP_AUTH_PW] if($otpCheckResult == 0) return true; else die("auth failed."); www.maret-consulting.ch Conseil en technologies
  43. 43. Think about Software Security ! Cf Talk Antonio Fontes Cf Talk Philippe GamacheCf Talk Sébastien Giorawww.maret-consulting.ch Conseil en technologies
  44. 44. Federated identities: a changing paradigm on authenticationwww.maret-consulting.ch Conseil en technologies
  45. 45. Federation of identity approach a change of paradigm: using IDP for Authentication and Strong Authentication Identity Provider Web App X Web App Ywww.maret-consulting.ch Conseil en technologies
  46. 46. SECTION 2 OpenID > What is it? > How does it work? > How to integrate?www.maret-consulting.ch Conseil en technologies
  47. 47. OpenID - What is it?> Internet SingleSignOn > Free Choice of Identity Provider> Relatively Simple Protocol > No License Fee> User-Centric Identity Management > Independent of Identification Methods> Internet Scalable > Non-Profit Organization www.maret-consulting.ch Conseil en technologies
  48. 48. OpenID - How does it work? User Hans Muster 3 4, 4a Identity Provider e.g. clavid.com hans.muster.clavid.com 5 6 1 2 Identity URL Caption https://hans.muster.clavid.com 1. User enters OpenID 2. Discovery 3. Authentication 4. Approval 4a. Change Attributes 5. Send Attributes 6. Validation Enabled Servicewww.maret-consulting.ch Conseil en technologies
  49. 49. Demo #4: Apache and Mod_OpenID (Using Biometry / OTP)www.maret-consulting.ch Conseil en technologies
  50. 50. Demo #4: Challenge / Response OTP with Biometrywww.maret-consulting.ch Conseil en technologies
  51. 51. Surprise! You may already have an OpenID !www.maret-consulting.ch Conseil en technologies
  52. 52. Other Well Known & Simple Providers http://en.wikipedia.org/wiki/List_of_OpenID_providerswww.maret-consulting.ch Conseil en technologies
  53. 53. Get an OpenID with Strong Authentication for free !www.maret-consulting.ch Conseil en technologies
  54. 54. SECTION 1 SAML >What is it? >How does it work?www.maret-consulting.ch Conseil en technologies
  55. 55. Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)www.maret-consulting.ch Conseil en technologies
  56. 56. SAML – What is it? SAML (Security Assertion Markup Language): > Defined by the Oasis Group > Well and Academically Designed Specification > Uses XML Syntax > Used for Authentication & Authorization > SAML Assertions > Statements: Authentication, Attribute, Authorization > SAML Protocols > Queries: Authentication, Artifact, Name Identifier Mapping, etc. > SAML Bindings > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact > SAML Profiles > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profilewww.maret-consulting.ch Conseil en technologies
  57. 57. SAML – How does it work? User Hans Muster 3 2 4 Identity Provider e.g. clavid.ch 4 2 1 6 Enabled Service e.g. Google Apps for Businesswww.maret-consulting.ch Conseil en technologies
  58. 58. Example with HTTP POST Binding Access Resource Browser Web App SAML Ready 1 AuthN 2 <AuthnRequest> 3 + PIN Redirect 302 ACS POST <Response> 7 Ressource Ressource 8 <Response> in HTML Form 6 Single Sign On Service <AuthnRequest> 4 Credential Challenge 5awww.maret-consulting.ch User Login IDP MC Conseil en technologies 5b
  59. 59. Questions ? www.maret-consulting.ch Conseil en technologies
  60. 60. Resources on Internet 1/2  http://motp.sourceforge.net/  http://www.clavid.ch/otp  http://code.google.com/p/mod-authn-otp/  http://www.multiotp.net/  http://www.openauthentication.org/  http://wiki.openid.net/  http://www.citadelle-electronique.net/  http://code.google.com/p/mod-authn-otp/www.maret-consulting.ch Conseil en technologies
  61. 61. Resources on Internet 2/2  http://rcdevs.com/products/openotp/  https://github.com/adulau/paper-token  http://www.yubico.com/yubikey  http://code.google.com/p/mod-authn-otp/  http://www.nongnu.org/oath-toolkit/  http://www.nongnu.org/oath-toolkit/  http://www.gpaterno.com/publications/2010/dublin_oss barcamp_2010_otp_with_oss.pdfwww.maret-consulting.ch Conseil en technologies
  62. 62. "Le conseil et lexpertise pour le choix et la mise en oeuvre des technologies innovantes dans la sécurité des systèmes dinformation et de lidentité numérique"www.maret-consulting.ch Conseil en technologies
  63. 63. Une conviction forte !Authentification fortewww.maret-consulting.ch Conseil en technologies
  64. 64. A major event in the world of strong authentication  12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive  « Single Factor Authentication » is not enough for the web financial applications  Before end 2006 it is compulsory to implement a strong authentication system  http://www.ffiec.gov/press/pr101205.htm  And the PCI DSS norm  Compulsory strong authentication for distant accesses  And now European regulations  Payment Services (2007/64/CE) for banks  Social Networks, Open Sourcewww.maret-consulting.ch Conseil en technologies
  65. 65. Out of Band Authenticationwww.maret-consulting.ch Conseil en technologies
  66. 66. Phone Factorwww.maret-consulting.ch Conseil en technologies
  67. 67. SAMLwww.maret-consulting.ch Conseil en technologies
  68. 68. SAML AuthnRequst Transfer via Browser Redirect-Binding POST-Bindingwww.maret-consulting.ch Conseil en technologies
  69. 69. A SAML AuthnRequest (no magic, just XML) <?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol“ ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb“ Version="2.0” IssueInstant="2008-10-14T00:57:14Z” ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” ProviderName="google.com” ForceAuthn="false” IsPassive="false” AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> google.com </saml:Issuer> <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" /> </samlp:AuthnRequest>www.maret-consulting.ch Conseil en technologies
  70. 70. SAML Assertion Transfer via Browser POST-Bindingwww.maret-consulting.ch Conseil en technologies
  71. 71. A SAML Assertion Response (no magic, just XML) <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4" InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" Version="2.0" IssueInstant="2008-10-15T17:24:46Z" Destination="https://www.google.com/a/unopass.net/acs"> <saml:Issuer> http://idp.unopass.net:80/opensso </saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z" Version="2.0"> <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer> <Signature> … A DIGITAL SIGNATURE … </Signature> ...www.maret-consulting.ch Conseil en technologies
  72. 72. A SAML Assertion Response (no magic, just XML) ... <saml:Subject> <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso"> sylvain.maret </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:...:bearer"> <saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" NotOnOrAfter="2008-10-15T17:34:46Z" Recipient="https://www.google.com/a/unopass.net/acs"/> </saml:SubjectConfirmation> </saml:Subject> ...www.maret-consulting.ch Conseil en technologies
  73. 73. A SAML Assertion Response (no magic, just XML) ... <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z"> <saml:AudienceRestriction> <saml:Audience>google.com</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z“ SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion> </samlp:Response>www.maret-consulting.ch Conseil en technologies

×