Strong Authentication State of the Art 2012 / Sarajevo CSO



  1. Consultants of Security Operations d.o.o. Sarajevo
  2. Strong Authentication in Web Application “State of the Art 2012” – Sylvain Maret / Digital Security Expert / OpenID Switzerland – @smaret – Version 1.01 / 22.11.2012
  3. Who am I? • Security Expert – 17 years of experience in ICT Security – Principal Consultant at MARET Consulting – Expert at Engineer School of Yverdon & Geneva University – Swiss French Area delegate at OpenID Switzerland – Co-founder Geneva Application Security Forum – OWASP Member – Author of the blog: la Citadelle Electronique – http://ch.linkedin.com/in/smaret or @smaret – http://www.slideshare.net/smaret • Chosen field – AppSec & Digital Identity Security
  4. 22 per minute…
  5. Protection of digital identities: a topical issue… Strong AuthN
  6. RSA FAILED?
  7. «Digital identity is the cornerstone of trust» http://fr.wikipedia.org/wiki/Authentification_forte
  8. Definition of strong authentication – Strong Authentication on Wikipedia
  9. Strong Authentication: A new paradigm?
  10. Which Strong Authentication technology?
  11. Diagram: OTP, PKI (HW) and Biometry as strong authentication technologies, with the properties Strong authentication, Encryption, Digital signature, Non repudiation and Strong link with the user
  12. Strong Authentication with PKI
  13. PKI: Digital Certificate – Hardware Token (Crypto PKI) – Strong Authentication – Software Certificate (PKCS#12; PFX)
  14. SSL/TLS Mutual Authentication: how does it work? Diagram: SSL / TLS Mutual Authentication between Alice and the Web Server; the server sends a validation request (CRL or OCSP) to the Validation Authority, which answers Valid, Invalid or Unknown
  15. Strong Authentication with Biometry (Match on Card technology) • A reader – Biometry – SmartCard • A card with chip – Technology MOC – Crypto Processor • PC/SC • PKCS#11 • Digital certificate X509
  16. Strong Authentication with (O)ne (T)ime (P)assword
  17. (O)ne (T)ime (P)assword • OTP Time Based – Like SecurID • OTP Event Based • OTP Challenge Response Based • Others: – OTP via SMS – OTP via email – Biometry and OTP – Phone – Bingo Card – Etc.
  18. OTP T-B? OTP E-B? OTP C-R-B? Crypto-101
  19. Crypto-101 / Time Based OTP – HASH Function – K = Secret Key / Seed – T = UTC Time – i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
  20. Crypto-101 / Event Based OTP – HASH Function – K = Secret Key / Seed – C = Counter – i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
  21. Crypto-101 / OTP Challenge Response Based – HASH Function – K = Secret Key / Seed – Challenge = nonce – i.e.:
  22. Other OTP technologies… – OTP via SMS – “Flicker code” Generator: software that converts already encrypted data into an optical screen animation
  23. How to Store and Generate my Secret Key? A Token!
  24. OTP Token: Software vs Hardware?
  25. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960
  26. Where is the seed?
  27. Seed generation & distribution? Still a good model? Diagram: the secret key K1 is generated on the editor's / vendor's premises and copies of K1 are distributed; threat: an agent (APT) inside the editor / vendor
  28. TokenCode
  29. New Standards & Open Source
  30. Technologies accessible to everyone • Initiative for Open AuTHentication (OATH) – HOTP – TOTP – OCRA – Etc. • Mobile OTP – (Use MD5…)
  31. Initiative for Open AuTHentication (OATH) • HOTP – Event Based OTP – RFC 4226 • TOTP – Time Based OTP – Draft IETF Version 8 • OCRA – Challenge/Response OTP – Draft IETF Version 13 • Token Identifier Specification • IETF KeyProv Working Group – PSKC – Portable Symmetric Key Container, RFC 6030 – DSKPP – Dynamic Symmetric Key Provisioning Protocol, RFC 6063 • And more! http://www.openauthentication.org/specifications
  32. (R)isk (B)ased (A)uthentication
  33. RBA (Risk-Based Authentication) = Behavior Model
  34. Use OATH-HOTP & TOTP: http://code.google.com/p/google-authenticator/
  35. Integration with web application
  36. Web application: basic authentication model
  37. Web application: Strong Authentication Implementation Blueprint
  38. “Shielding” approach: perimetric authentication using Reverse Proxy / WAF
  39. Module/Agent-based approach
  40. API/SDK based approach
  41. ICAM: a changing paradigm on Strong Authentication
  42. Federation of identity approach, a change of paradigm: using IDP for Authentication and Strong Authentication
  43. Identity Provider: SAML, OpenID, etc.
  44. Strong Authentication and Application Security
  45. Threat Modeling: “detecting web application threats before coding”
  46. Questions?
  47. Resources on Internet 1/2 • http://motp.sourceforge.net/ • http://www.clavid.ch/otp • http://code.google.com/p/mod-authn-otp/ • http://www.multiotp.net/ • http://www.openauthentication.org/ • http://wiki.openid.net/ • http://www.citadelle-electronique.net/
  48. Resources on Internet 2/2 • http://rcdevs.com/products/openotp/ • https://github.com/adulau/paper-token • http://www.yubico.com/yubikey • http://www.nongnu.org/oath-toolkit/ • http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdf
