Technology consulting
Agenda
Security Expert
17 years of experience in ICT Security
Principal Consultant at MARET Consulting
Expert at the Engineering School of Yverdon and Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
OWASP Member
Author of the blog: la Citadelle Electronique
http://ch.linkedin.com/in/smaret or @smaret
Chosen field
AppSec & Digital Identity Security
Strong Authentication
2011-03-08 Montréal
2011-03-09 Montréal OWASP Meeting
http://fr.wikipedia.org/wiki/Authentification_forte
MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch
Strong Authentication
A new paradigm!
Which strong authentication technology?
Digital signature
Non repudiation
TPM
SSL/TLS Mutual Authentication: how does it work?
Validation Authority: OCSP request, answered Valid, Invalid or Unknown
http://www.clavid.com/
Strong Authentication with Biometrics (Match on Card technology): a reader, biometrics and a SmartCard
Time Based OTP: with a HASH function and T = UTC time, i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
Crypto-101 / Event Based OTP
With a HASH function and C = counter, i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
Crypto-101 / OTP Challenge Response Based
With a HASH function, the OTP is computed over a challenge (a nonce)
By Elcard
Demo #2: Protect WordPress (OTP Via SMS)
A Token!
OTP Token: Software vs Hardware?
http://itunes.apple.com/us/app/iotp/id328973960
New Standards & Open Source
Mobile OTP (uses MD5 …)
http://www.openauthentication.org/
Initiative for Open AuTHentication (OATH)
HOTP: Event Based OTP, RFC 4226
OCRA: OTP Challenge/Response, Draft IETF Version 13
TOTP: Time Based OTP, Draft IETF Version 8
Token Identifier Specification
Etc.
(R)isk (B)ased (A)uthentication
RBA (Risk-Based Authentication) = Behavior Model
http://code.google.com/p/google-authenticator/
if (! empty($_REQUEST['pma_username'])) {
    // The user just logged in
    $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
    // OTP CHECK
    require_once('./libraries/multiotp.class.php');
    $multiotp = new Multiotp();
    $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
    // Default key shipped with multiOTP: replace it with a site-specific key before deployment
    $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
    $multiotp->SetUsersFolder('./libraries/users/');
    $multiotp->SetLogFolder('./libraries/log/');
    $multiotp->EnableVerboseLog();
    // The submitted password is the database PIN followed by the OTP
    $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);
    // Only the PIN code is kept for accessing the database
    $otpDigits = 6; // assumption: the token appends a 6-digit OTP to the PIN
    $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0, strlen($GLOBALS['PHP_AUTH_PW']) - $otpDigits);
    if ($otpCheckResult == 0) {
        return true;
    } else {
        die("auth failed.");
    }
}
Think about Software Security! A changing paradigm on authentication
The identity federation approach, a change of paradigm: using an IdP for authentication and strong authentication
OpenID flow between the browser, the enabled services (Web App X, Web App Y) and the Identity Provider (e.g. clavid.com, identity URL https://hans.muster.clavid.com):
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation
http://en.wikipedia.org/wiki/List_of_OpenID_providers
SAML 2.0 web SSO between the Browser, a SAML-ready Web App with its Assertion Consumer Service (ACS) and the Identity Provider (e.g. clavid.ch) with its Single Sign On Service:
1. Access Resource
2. AuthN
3. <AuthnRequest> returned in a Redirect 302
4. <AuthnRequest> delivered to the Single Sign On Service
5a. Credential Challenge + PIN
6. <Response> in HTML Form
7. POST <Response> to the ACS
8. Resource
http://motp.sourceforge.net/
http://www.clavid.ch/otp
http://code.google.com/p/mod-authn-otp/
http://www.multiotp.net/
http://wiki.openid.net/
http://www.citadelle-electronique.net/
http://rcdevs.com/products/openotp/
https://github.com/adulau/paper-token
http://www.yubico.com/yubikey
http://www.nongnu.org/oath-toolkit/
http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdf
Strong authentication
A major event in the world of strong authentication
Redirect-Binding
POST-Binding
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb"
    Version="2.0"
    IssueInstant="2008-10-14T00:57:14Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    ForceAuthn="false"
    IsPassive="false"
    AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    google.com
  </saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
POST-Binding
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>
    http://idp.unopass.net:80/opensso
  </saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion
      ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"
      IssueInstant="2008-10-15T17:24:46Z"
      Version="2.0">
    <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
    <Signature>
      … A DIGITAL SIGNATURE …
    </Signature>
    ...
    ...
    <saml:Subject>
      <saml:NameID
          NameQualifier="http://idp.unopass.net:80/opensso">
        sylvain.maret
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
        <saml:SubjectConfirmationData
            InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
            NotOnOrAfter="2008-10-15T17:34:46Z"
            Recipient="https://www.google.com/a/unopass.net/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    ...
    ...
    <saml:Conditions NotBefore="2008-10-15T17:14:46Z"
        NotOnOrAfter="2008-10-15T17:34:46Z">
      <saml:AudienceRestriction>
        <saml:Audience>google.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z"
        SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>