
Strong Authentication State of the Art 2012 / Sarajevo CSO



  1. Consultants of Security Operations d.o.o. Sarajevo
  2. Strong Authentication in Web Application “State of the Art 2012” / Sylvain Maret / Digital Security Expert / OpenID Switzerland / @smaret / Version 1.01 / 22.11.2012
  3. Who am I? • Security Expert – 17 years of experience in ICT Security – Principal Consultant at MARET Consulting – Expert at Engineer School of Yverdon & Geneva University – Swiss French Area delegate at OpenID Switzerland – Co-founder Geneva Application Security Forum – OWASP Member – Author of the blog: la Citadelle Electronique – http://ch.linkedin.com/in/smaret or @smaret – http://www.slideshare.net/smaret • Chosen field – AppSec & Digital Identity Security
  4. 22 per minute…
  5. Protection of digital identities: a topical issue… Strong AuthN
  6. RSA FAILED ?
  7. «Digital identity is the cornerstone of trust» http://fr.wikipedia.org/wiki/Authentification_forte
  8. Definition of strong authentication: Strong Authentication on Wikipedia
  9. Strong Authentication: A new paradigm?
  10. Which Strong Authentication technology?
  11. OTP / PKI (HW) / Biometry [diagram: the three technologies mapped against the properties Strong authentication, Encryption, Digital signature, Non repudiation, Strong link with the user]
  12. Strong Authentication with PKI
  13. PKI: Digital Certificate • Hardware Token (Crypto PKI) – Strong Authentication • Software Certificate (PKCS#12; PFX)
  14. SSL/TLS Mutual Authentication: how does it work? [diagram: Alice and the Web Server perform SSL/TLS mutual authentication; the server checks the client certificate against the Validation Authority by CRL or OCSP request, with the result Valid, Invalid or Unknown]
  15. Strong Authentication with Biometry (Match on Card technology) • A reader – Biometry – SmartCard • A card with chip – Technology MOC – Crypto Processor • PC/SC • PKCS#11 • Digital certificate X509
  16. Strong Authentication with (O)ne (T)ime (P)assword
  17. (O)ne (T)ime (P)assword • OTP Time Based – Like SecurID • OTP Event Based • OTP Challenge Response Based • Others: – OTP via SMS – OTP via email – Biometry and OTP – Phone – Bingo Card – Etc.
  18. OTP T-B? OTP E-B? OTP C-R-B? Crypto-101
  19. Crypto-101 / Time Based OTP: HASH function, K = Secret Key / Seed, T = UTC Time; ie OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
  20. Crypto-101 / Event Based OTP: HASH function, K = Secret Key / Seed, C = Counter; ie OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
  21. Crypto-101 / OTP Challenge Response Based: HASH function, K = Secret Key / Seed, Challenge = nonce, OTP; ie:
  22. Other OTP technologies… • OTP via SMS • “Flicker code” generator – software that converts already encrypted data into an optical screen animation
  23. How to Store and Generate my Secret Key? A Token!
  24. OTP Token: Software vs Hardware?
  25. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960
  26. Where is the seed?
  27. Seed generation & distribution? Still a good model? [diagram: the secret key K1 is generated on premise by the editor/vendor and distributed as copies K1, K1, K1; threat: agent (APT)]
  28. TokenCode
  29. New Standards & Open Source
  30. Technologies accessible to everyone • Initiative for Open AuTHentication (OATH) – HOTP – TOTP – OCRA – Etc. • Mobile OTP – (uses MD5…)
  31. Initiative for Open AuTHentication (OATH) • HOTP – Event Based OTP – RFC 4226 • TOTP – Time Based OTP – Draft IETF Version 8 • OCRA – Challenge/Response OTP – Draft IETF Version 13 • Token Identifier Specification • IETF KeyProv Working Group – PSKC - Portable Symmetric Key Container, RFC 6030 – DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063 • And more! http://www.openauthentication.org/specifications
  32. (R)isk (B)ased (A)uthentication
  33. RBA (Risk-Based Authentication) = Behavior Model
  34. Use OATH-HOTP & TOTP http://code.google.com/p/google-authenticator/
  35. Integration with web application
  36. Web application: basic authentication model
  37. Web application: Strong Authentication Implementation Blueprint
  38. “Shielding” approach: perimetric authentication using Reverse Proxy / WAF
  39. Module/Agent-based approach
  40. API/SDK based approach
  41. ICAM: a changing paradigm on Strong Authentication
  42. Federation of identity approach, a change of paradigm: using IDP for Authentication and Strong Authentication
  43. Identity Provider: SAML, OpenID, etc.
  44. Strong Authentication and Application Security
  45. Threat Modeling: “detecting web application threats before coding”
  46. Questions?
  47. Resources on Internet 1/2 • http://motp.sourceforge.net/ • http://www.clavid.ch/otp • http://code.google.com/p/mod-authn-otp/ • http://www.multiotp.net/ • http://www.openauthentication.org/ • http://wiki.openid.net/ • http://www.citadelle-electronique.net/
  48. Resources on Internet 2/2 • http://rcdevs.com/products/openotp/ • https://github.com/adulau/paper-token • http://www.yubico.com/yubikey • http://www.nongnu.org/oath-toolkit/ • http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdf
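Worked example of the Crypto-101 formulas on slides 19 and 20 (OTP = Truncate(HMAC-SHA-1(K, C)) for the event-based case, with C = floor(T / 30) for the time-based case) and of the base32 seed format used by the Google Authenticator app on slide 34. This is added example code in Python, not taken from the deck; the verify_totp window check, the constant-time comparison, and the use of the RFC 4226 / RFC 6238 test secret are my assumptions.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): OTP(K, C) = Truncate(HMAC-SHA-1(K, C))."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()      # 20-byte HMAC-SHA-1
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)        # keep leading zeros


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): same HMAC, counter = floor(T / step)."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step or +/- `window` steps of
    clock drift; compare in constant time and never short-circuit on a match,
    so the response time does not leak which candidate matched."""
    if len(code) != digits or not code.isdigit():
        return False
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(key, unix_time // step + delta, digits)
        ok |= hmac.compare_digest(candidate, code)
    return ok


def key_from_base32(secret: str) -> bytes:
    """Google Authenticator stores the seed K as a base32 string (slide 34)."""
    return base64.b32decode(secret.replace(" ", "").upper())


# Constructed input: the ASCII test secret from RFC 4226 / RFC 6238.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP(K, 0) =", hotp(SEED, 0))                 # 755224 per RFC 4226
    print("TOTP(K, T=59, 8 digits) =", totp(SEED, 59, digits=8))
```

The same seed in base32 (GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) enrolled in Google Authenticator produces the same codes, which is what makes the OATH standards on slide 31 interoperable across token vendors.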
