Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Strong Authentication in Web Applications: State of the Art 2011

3,671 views

Published on

Sylvain’s talk will focus on risk based authentication, biometry, OTP for smartphones, PKIs, Mobile-OTP, OATH-HOTP, TOTP and the open-source approach to this subjet.
PHP Demo with multiotp class.

Published in: Technology
  • Be the first to comment

Strong Authentication in Web Applications: State of the Art 2011

  1. 1. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.chStrong Authentication in Web Application “State of the Art 2011” Sylvain Maret / Digital Security Expert / OpenID Switzerland Yverdon - IT Security Days / 16-03-2011 Conseil en technologies
  2. 2. Agendawww.maret-consulting.ch Conseil en technologies
  3. 3. Who am I?  Security Expert  17 years of experience in ICT Security  Principal Consultant at MARET Consulting  Expert at Engineer School of Yverdon & Geneva University  Swiss French Area delegate at OpenID Switzerland  Co-founder Geneva Application Security Forum  OWASP Member  Author of the blog: la Citadelle Electronique  http://ch.linkedin.com/in/smaret or @smaret  http://www.slideshare.net/smaret  Chosen field  AppSec & Digital Identity Securitywww.maret-consulting.ch Conseil en technologies
  4. 4. Protection of digital identities: a topical issue… Strong Authwww.maret-consulting.ch Conseil en technologies
  5. 5. Definition of strong authentication Strong Authentication on Wikipediawww.maret-consulting.ch Conseil en technologies
  6. 6. «Digital identity is the cornerstone of trust» http://fr.wikipedia.org/wiki/Authentification_fortewww.maret-consulting.ch Conseil en technologies
  7. 7. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.chStrong Authentication A new paradigm ! Conseil en technologies
  8. 8. Which Strong Authentication technology ? Legacy Token / Old Model ? / Open Source Solution ?www.maret-consulting.ch Conseil en technologies
  9. 9. www.maret-consulting.ch Conseil en technologies
  10. 10. OTP PKI (HW) Biometry Strong * authentication Encryption Digital signature Non repudiation Strong link with the user * Biometry type Fingerprintingwww.maret-consulting.ch Conseil en technologies
  11. 11. Strong Authentication with PKIwww.maret-consulting.ch Conseil en technologies
  12. 12. PKI: Digital Certificate Hardware Token (Crypto PKI) Strong Authentication Software Certificate (PKCS#12;PFX)www.maret-consulting.ch Conseil en technologies
  13. 13. SSL/TLS Mutual Authentication : how does it work? Validation Authority CRL or OCSP Request Valid Invalid Unknown SSL / TLS Mutual Authentication Alice Web Serverwww.maret-consulting.ch Conseil en technologies
  14. 14. Demo #1: OpenID and Software Certificate using Clavid.ch http://www.clavid.com/www.maret-consulting.ch Conseil en technologies
  15. 15. Strong Authentication with Biometry (Match on Card technology)  A reader  Biometry  SmartCard  A card with chip  Technology MOC  Crypto Processor  PC/SC  PKCS#11  Digital certificate X509www.maret-consulting.ch Conseil en technologies
  16. 16. Strong Authentication With(O)ne (T)ime (P)assword www.maret-consulting.ch Conseil en technologies
  17. 17. (O)ne (T)ime (P)assword  OTP Time Based  Others:  OTP Event Based  OTP via SMS  OTP via email  Biometry and OTP  OTP Challenge  Bingo Card Response Based  Etc.www.maret-consulting.ch Conseil en technologies
  18. 18. OTP T-B? OTP E-B? OTP C-R-B?www.maret-consulting.ch Crypto - 101 Conseil en technologies
  19. 19. Crypto-101 / Time Based OTP HASH FunctionK=Secret Key / Seed OTP T=UTC Time ie = OTP(K,T) = Truncate(HMAC-SHA-1(K,T)) www.maret-consulting.ch Conseil en technologies
  20. 20. Crypto-101 / Event Based OTP HASH FunctionK=Secret Key / Seed OTP C = Counter ie = OTP(K,C) = Truncate(HMAC-SHA-1(K,C)) www.maret-consulting.ch Conseil en technologies
  21. 21. Crypto-101 / OTP Challenge Response Based HASH FunctionK=Secret Key / Seed OTP Challenge nonce www.maret-consulting.ch Conseil en technologies ie:
  22. 22. Others OTP technologies… OTP Via SMS “Flicker code” Generator Software that converts already encrypted data into optical screen animation By Elcardwww.maret-consulting.ch Conseil en technologies
  23. 23. Demo #2: Protect WordPress (OTP Via SMS)www.maret-consulting.ch Conseil en technologies
  24. 24. How to Storemy Secret Key ? A Token !www.maret-consulting.ch Conseil en technologies
  25. 25. OTP Token: Software vs Hardware ?www.maret-consulting.ch Conseil en technologies
  26. 26. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960www.maret-consulting.ch Conseil en technologies
  27. 27. New Standards & Open Sourcewww.maret-consulting.ch Conseil en technologies
  28. 28. Technologies accessible to everyone   Initiative for Open AuTHentication (OATH)  HOTP  TOTP  OCRA  Etc.  Mobile OTP  (Use MD5 …..)www.maret-consulting.ch Conseil en technologies
  29. 29. OATH Reference Architecture, Release 2.0 http://www.openauthentication.org/www.maret-consulting.ch Conseil en technologies
  30. 30. Initiative for Open AuTHentication (OATH)  HOTP  Event Based OTP  Token Identifier  RFC 4226 Specification  TOTP  IETF KeyProv Working Group  Time Based OTP  PSKC - Portable Symmetric Key Container, RFC 6030  Draft IETF Version 8  DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063  OCRA  Challenge/Response OTP  And more !  Draft IETF Version 13www.maret-consulting.ch Conseil en technologies http://www.openauthentication.org/specifications
  31. 31. (R)isk (B)ased (A)uthenticationwww.maret-consulting.ch Conseil en technologies
  32. 32. RBA (Risk-Based Authentication) = Behavior Modelwww.maret-consulting.ch Conseil en technologies
  33. 33. 2 Step Verification from Google !Use OATH-HOTP & TOTP http://code.google.com/p/google-authenticator/www.maret-consulting.ch Conseil en technologies
  34. 34. Integration with web applicationwww.maret-consulting.ch Conseil en technologies
  35. 35. Web application: basic authentication modelwww.maret-consulting.ch Conseil en technologies
  36. 36. Web application: Strong Authentication modelwww.maret-consulting.ch Conseil en technologies
  37. 37. “Shielding" approach: perimetric authentication using Reverse Proxy / WAFwww.maret-consulting.ch Conseil en technologies
  38. 38. Module/Agent-based approach (example)www.maret-consulting.ch Conseil en technologies
  39. 39. Demo #4: Apache and Mod_OpenID (Using Biometry / OTP)www.maret-consulting.ch Conseil en technologies
  40. 40. Demo #4: Challenge / Response OTP with Biometrywww.maret-consulting.ch Conseil en technologies
  41. 41. API/SDK based approach (example)www.maret-consulting.ch Conseil en technologies
  42. 42. Multi OTP PHP Class Demowww.maret-consulting.ch Conseil en technologies
  43. 43. Proof of Concept Code by Anne Gosselin, Antonio Fontes, Sylvain Maret !if (! empty($_REQUEST[pma_username])) { // The user just logged in $GLOBALS[PHP_AUTH_USER] = $_REQUEST[pma_username]; // we combine both OTP + PIN code for the token verification $fooPass = empty($_REQUEST[pma_password]) ? : $_REQUEST[pma_password]; $fooOtp = empty($_REQUEST[pma_otp]) ? : $_REQUEST[pma_otp]; $GLOBALS[PHP_AUTH_PW] = $fooPass..$fooOtp; // OTP CHECK require_once(./libraries/multiotp.class.php); $multiotp = new Multiotp(); $multiotp->SetUser($GLOBALS[PHP_AUTH_USER]); $multiotp->SetEncryptionKey(DefaultCliEncryptionKey); $multiotp->SetUsersFolder(./libraries/users/); $multiotp->SetLogFolder(./libraries/log/); $multiotp->EnableVerboseLog(); $otpCheckResult = $multiotp->CheckToken($GLOBALS[PHP_AUTH_PW]); // the PIN code use kept for accessing the database $GLOBALS[PHP_AUTH_PW] = substr($GLOBALS[PHP_AUTH_PW], 0, strlen($GLOBALS[PHP_AUTH_PW] if($otpCheckResult == 0) return true; else die("auth failed."); www.maret-consulting.ch Conseil en technologies
  44. 44. Step1: Add a new method using cookie authentication In config.inc.php Howto #1www.maret-consulting.ch Conseil en technologies
  45. 45. Step2: Add pma_otp field In common.inc.phpwww.maret-consulting.ch Conseil en technologies
  46. 46. Step3: Add new input File ori: cookie.auth.lib.phpwww.maret-consulting.ch New file: cookieotp.auth.lib.php Conseil en technologies
  47. 47. File ori: cookie.auth.lib.php www.maret-consulting.ch Conseil en technologies
  48. 48. New file: cookieotp.auth.lib.php Step3: Call multiotp www.maret-consulting.ch Conseil en technologies
  49. 49. Demo 3#: PHP Integration for phpmyadminwww.maret-consulting.ch Conseil en technologies
  50. 50. Multi OTP PHP Class by André Liechti (Switzerland) Source Code will be publish soon: http://www.citadelle-electronique.net/ http://www.multiotp.net/www.maret-consulting.ch Conseil en technologies
  51. 51. Strong Authentication Strong Authentication and Application Security & Application Securitywww.maret-consulting.ch Conseil en technologies
  52. 52. Threat Modeling“detecting web applicationthreats before coding” 14h30: Antonio Fontes "Threat modeling your web application: mitigating risks right from the start!" www.maret-consulting.ch Conseil en technologies
  53. 53. Federated identities: a changing paradigm on authenticationwww.maret-consulting.ch Conseil en technologies
  54. 54. Federation of identity approach a change of paradigm: using IDP for Authentication and Strong Authentication Identity Provider Web App X Web App Ywww.maret-consulting.ch Conseil en technologies
  55. 55. SECTION 2 OpenID > What is it? > How does it work? > How to integrate?www.maret-consulting.ch Conseil en technologies
  56. 56. OpenID - What is it?> Internet SingleSignOn > Free Choice of Identity Provider> Relatively Simple Protocol > No License Fee> User-Centric Identity Management > Independent of Identification Methods> Internet Scalable > Non-Profit Organization www.maret-consulting.ch Conseil en technologies
  57. 57. OpenID - How does it work? User Hans Muster 3 4, 4a Identity Provider e.g. clavid.com hans.muster.clavid.com 5 6 1 2 Identity URL Caption https://hans.muster.clavid.com 1. User enters OpenID 2. Discovery 3. Authentication 4. Approval 4a. Change Attributes 5. Send Attributes 6. Validation Enabled Servicewww.maret-consulting.ch Conseil en technologies
  58. 58. Surprise! You may already have an OpenID !www.maret-consulting.ch Conseil en technologies
  59. 59. Other Well Known & Simple Providers http://en.wikipedia.org/wiki/List_of_OpenID_providerswww.maret-consulting.ch Conseil en technologies
  60. 60. Get an OpenID with Strong Authentication for free !www.maret-consulting.ch Conseil en technologies
  61. 61. Questions ? www.maret-consulting.ch Conseil en technologies
  62. 62. Resources on Internet 1/2  http://motp.sourceforge.net/  http://www.clavid.ch/otp  http://code.google.com/p/mod-authn-otp/  http://www.multiotp.net/  http://www.openauthentication.org/  http://wiki.openid.net/  http://www.citadelle-electronique.net/  http://code.google.com/p/mod-authn-otp/www.maret-consulting.ch Conseil en technologies
  63. 63. Resources on Internet 2/2  http://rcdevs.com/products/openotp/  https://github.com/adulau/paper-token  http://www.yubico.com/yubikey  http://code.google.com/p/mod-authn-otp/  http://www.nongnu.org/oath-toolkit/  http://www.nongnu.org/oath-toolkit/  http://www.gpaterno.com/publications/2010/dublin_oss barcamp_2010_otp_with_oss.pdfwww.maret-consulting.ch Conseil en technologies
  64. 64. "Le conseil et lexpertise pour le choix et la mise en oeuvre des technologies innovantes dans la sécurité des systèmes dinformation et de lidentité numérique"www.maret-consulting.ch Conseil en technologies
  65. 65. Une conviction forte !Authentification fortewww.maret-consulting.ch Conseil en technologies
  66. 66. SECTION 1 SAML >What is it? >How does it work?www.maret-consulting.ch Conseil en technologies
  67. 67. Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)www.maret-consulting.ch Conseil en technologies
  68. 68. SAML – What is it? SAML (Security Assertion Markup Language): > Defined by the Oasis Group > Well and Academically Designed Specification > Uses XML Syntax > Used for Authentication & Authorization > SAML Assertions > Statements: Authentication, Attribute, Authorization > SAML Protocols > Queries: Authentication, Artifact, Name Identifier Mapping, etc. > SAML Bindings > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact > SAML Profiles > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profilewww.maret-consulting.ch Conseil en technologies
  69. 69. SAML – How does it work? User Hans Muster 3 2 4 Identity Provider e.g. clavid.ch 4 2 1 6 Enabled Service e.g. Google Apps for Businesswww.maret-consulting.ch Conseil en technologies
  70. 70. Example with HTTP POST Binding Access Resource Browser Web App SAML Ready 1 AuthN 2 <AuthnRequest> 3 + PIN Redirect 302 ACS POST <Response> 7 Ressource Ressource 8 <Response> in HTML Form 6 Single Sign On Service <AuthnRequest> 4 Credential Challenge 5a User Login IDP MC Conseil en technologieswww.maret-consulting.ch 5b
  71. 71. A major event in the world of strong authentication  12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive  « Single Factor Authentication » is not enough for the web financial applications  Before end 2006 it is compulsory to implement a strong authentication system  http://www.ffiec.gov/press/pr101205.htm  And the PCI DSS norm  Compulsory strong authentication for distant accesses  And now European regulations  Payment Services (2007/64/CE) for banks  Social Networks, Open Sourcewww.maret-consulting.ch Conseil en technologies
  72. 72. Out of Band Authenticationwww.maret-consulting.ch Conseil en technologies
  73. 73. Phone Factorwww.maret-consulting.ch Conseil en technologies
  74. 74. SAMLwww.maret-consulting.ch Conseil en technologies
  75. 75. SAML AuthnRequst Transfer via Browser Redirect-Binding POST-Bindingwww.maret-consulting.ch Conseil en technologies
  76. 76. A SAML AuthnRequest (no magic, just XML) <?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol“ ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb“ Version="2.0” IssueInstant="2008-10-14T00:57:14Z” ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” ProviderName="google.com” ForceAuthn="false” IsPassive="false” AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> google.com </saml:Issuer> <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" /> </samlp:AuthnRequest>www.maret-consulting.ch Conseil en technologies
  77. 77. SAML Assertion Transfer via Browser POST-Bindingwww.maret-consulting.ch Conseil en technologies
  78. 78. A SAML Assertion Response (no magic, just XML) <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4" InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" Version="2.0" IssueInstant="2008-10-15T17:24:46Z" Destination="https://www.google.com/a/unopass.net/acs"> <saml:Issuer> http://idp.unopass.net:80/opensso </saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z" Version="2.0"> <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer> <Signature> … A DIGITAL SIGNATURE … </Signature> ...www.maret-consulting.ch Conseil en technologies
  79. 79. A SAML Assertion Response (no magic, just XML) ... <saml:Subject> <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso"> sylvain.maret </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:...:bearer"> <saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" NotOnOrAfter="2008-10-15T17:34:46Z" Recipient="https://www.google.com/a/unopass.net/acs"/> </saml:SubjectConfirmation> </saml:Subject> ...www.maret-consulting.ch Conseil en technologies
  80. 80. A SAML Assertion Response (no magic, just XML) ... <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z"> <saml:AudienceRestriction> <saml:Audience>google.com</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z“ SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion> </samlp:Response>www.maret-consulting.ch Conseil en technologies

×