
MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tel +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch

Strong Authentication in Web Application

Sylvain Maret / Digital Security Expert / OpenID Switzerland


ConFoo.ca / 2011-03-10

Technology consulting
Agenda


Who am I?

- Security Expert
- 17 years of experience in ICT Security
- Principal Consultant at MARET Consulting
- Expert at the Engineering School of Yverdon & Geneva University
- Swiss French Area delegate at OpenID Switzerland
- Co-founder of the Geneva Application Security Forum
- OWASP Member
- Author of the blog: la Citadelle Electronique
- http://ch.linkedin.com/in/smaret or @smaret

- Chosen field: AppSec & Digital Identity Security


Protection of digital identities: a topical issue…

Strong Authentication


Multi-factor Authentication-101: Talk by Philippe Gamache

2011-03-08 Montréal
2011-03-09 Montréal OWASP Meeting


«Digital identity is the cornerstone of trust»

http://fr.wikipedia.org/wiki/Authentification_forte

Strong Authentication

A new paradigm!

Which Strong Authentication technology?

Legacy Token? / Old Model? / Open Source Solution?

Comparison matrix of three technologies (columns: OTP, PKI (HW), Biometry) against five properties (rows: Strong authentication*, Encryption, Digital signature, Non-repudiation, Strong link with the user)

* Biometry type: fingerprinting


Strong Authentication with PKI


PKI: Digital Certificate

Strong Authentication with:
- Hardware Token (Crypto PKI)
- Software Certificate (PKCS#12 / PFX)
- TPM

SSL/TLS Mutual Authentication: how does it work?

Diagram: Alice <-> Web Server (SSL/TLS Mutual Authentication); the Web Server sends an OCSP request to the Validation Authority, which answers Valid, Invalid or Unknown.

Demo #1: OpenID and Software Certificate using Clavid.ch

http://www.clavid.com/
Strong Authentication with Biometry (Match on Card technology)

- A reader: Biometry, SmartCard
- A card with chip: Technology MOC, Crypto Processor, PC/SC, PKCS#11, Digital certificate X.509

Strong Authentication with (O)ne (T)ime (P)assword

(O)ne (T)ime (P)assword

- OTP Time Based
- OTP Event Based
- OTP Challenge Response Based

Others:
- OTP via SMS
- OTP via email
- Biometry and OTP
- Bingo Card
- Etc.



OTP T-B?
OTP E-B?
OTP C-R-B?

Crypto-101


Crypto-101 / Time Based OTP

Inputs: K = Secret Key / Seed, T = UTC Time; HASH function: HMAC-SHA-1; output: OTP

i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))

Crypto-101 / Event Based OTP

Inputs: K = Secret Key / Seed, C = Counter; HASH function: HMAC-SHA-1; output: OTP

i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))

Crypto-101 / OTP Challenge Response Based

Inputs: K = Secret Key / Seed, Challenge = nonce sent by the server; HASH function: HMAC-SHA-1; output: OTP
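The three Crypto-101 slides above, implemented as an added example (not the slides' own code and not multiOTP): HOTP and TOTP as specified in RFC 4226 / RFC 6238, a simplified challenge/response variant in which the server's nonce is the moving factor (not the full OCRA algorithm), and the server-side HOTP check with a look-ahead window that also prevents a code from being replayed. The seed is the shared secret from the RFC test vectors.

```python
import hmac, hashlib, struct

def oath_truncate(mac: bytes, digits: int = 6) -> str:
    """Dynamic truncation (RFC 4226, 5.3): the low nibble of the last byte picks an
    offset; the 31 bits starting there are reduced modulo 10^digits, zero-padded."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event based: OTP(K,C) = Truncate(HMAC-SHA-1(K,C)), C as an 8-byte big-endian int."""
    return oath_truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time based: T = UTC time divided into 30-second steps (RFC 6238), then used as C."""
    return hotp(key, unix_time // step, digits)

def challenge_otp(key: bytes, nonce: bytes, digits: int = 6) -> str:
    """Challenge/response as sketched on the slide: the server's nonce is the moving
    factor instead of a time or counter (simplified, not the full OCRA algorithm)."""
    return oath_truncate(hmac.new(key, nonce, hashlib.sha1).digest(), digits)

def verify_hotp(key: bytes, submitted: str, last_counter: int, look_ahead: int = 5):
    """Server-side HOTP check with a resynchronisation window: accept the code only if it
    matches one of the next look_ahead counters, and return that counter so the server
    stores it and refuses the same code a second time (replay). None means reject."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(key, c), submitted):
            return c
    return None

# Constructed input: the shared seed from the RFC 4226 / RFC 6238 test vectors
SEED = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP(SEED, 0)  =", hotp(SEED, 0))             # 755224
    print("TOTP(SEED, 59) =", totp(SEED, 59, digits=8))  # 94287082
    print("accepted counter:", verify_hotp(SEED, "359152", 0))  # 2
```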



Other OTP technologies…

- OTP via SMS
- "Flicker code": generator software that converts already encrypted data into an optical screen animation (by Elcard)

Demo #2: Protect WordPress (OTP Via SMS)


How to store my secret key?

A token!

OTP Token: Software vs Hardware?

Software OTP for Smartphone

http://itunes.apple.com/us/app/iotp/id328973960
New Standards & Open Source

Technologies accessible to everyone

- Initiative for Open AuTHentication (OATH)
  - HOTP
  - TOTP
  - OCRA
  - Etc.
- Mobile OTP (uses MD5 …)

OATH Reference Architecture, Release 2.0

http://www.openauthentication.org/
Initiative for Open AuTHentication (OATH)

- HOTP: Event Based OTP, RFC 4226
- TOTP: Time Based OTP, Draft IETF Version 8
- OCRA: Challenge/Response OTP, Draft IETF Version 13
- Token Identifier Specification
- Etc.

(R)isk (B)ased (A)uthentication

RBA (Risk-Based Authentication) = Behavior Model


2-Step Verification from Google!

Uses OATH HOTP & TOTP

http://code.google.com/p/google-authenticator/

Integration with web application

Web application: basic authentication model


Web application: Strong Authentication model

"Shielding" approach: perimeter authentication using a WAF


Module/Agent-based approach (example)


API/SDK based approach (example)

Demo #3: PHP Integration for phpMyAdmin


Multi OTP PHP Class by André Liechti (Switzerland)

Source code will be published soon:


http://www.citadelle-electronique.net/
http://www.multiotp.net/
Proof of Concept code by Anne Gosselin and Antonio Fontes!

if (! empty($_REQUEST['pma_username'])) {
    // The user just logged in
    $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];

    // We combine both PIN code + OTP for the token verification
    $fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
    $fooOtp  = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];
    $GLOBALS['PHP_AUTH_PW'] = $fooPass . $fooOtp;

    // OTP CHECK
    require_once('./libraries/multiotp.class.php');
    $multiotp = new Multiotp();
    $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
    $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
    $multiotp->SetUsersFolder('./libraries/users/');
    $multiotp->SetLogFolder('./libraries/log/');
    $multiotp->EnableVerboseLog();

    $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);

    // Only the PIN code is kept for accessing the database:
    // strip the OTP digits that were appended at the end of the combined string
    $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0,
        strlen($GLOBALS['PHP_AUTH_PW']) - strlen($fooOtp));

    // multiOTP returns 0 when the token is accepted
    if ($otpCheckResult == 0) {
        return true;
    } else {
        die("auth failed.");
    }
}

Think about software security!

See the talks by Antonio Fontes, Philippe Gamache and Sébastien Giora

Federated identities: a changing paradigm for authentication

Identity federation approach, a change of paradigm: using an IdP for Authentication and Strong Authentication

Diagram: one Identity Provider authenticating the users of Web App X and Web App Y


SECTION 2
OpenID
> What is it?
> How does it work?
> How to integrate?


OpenID - What is it?

> Internet SingleSignOn
> Relatively Simple Protocol
> User-Centric Identity Management
> Internet Scalable
> Free Choice of Identity Provider
> No License Fee
> Independent of Identification Methods
> Non-Profit Organization

OpenID - How does it work?

Diagram: User Hans Muster, Identity Provider (e.g. clavid.com, hans.muster.clavid.com), Identity URL https://hans.muster.clavid.com, Enabled Service

Caption:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation

Demo #4: Apache and Mod_OpenID (Using Biometry / OTP)


Demo #4: Challenge / Response OTP with Biometry


Surprise! You may already have an OpenID!

Other Well Known & Simple Providers

http://en.wikipedia.org/wiki/List_of_OpenID_providers


Get an OpenID with Strong Authentication for free!

SECTION 1
SAML
> What is it?
> How does it work?

Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)

SAML – What is it?

SAML (Security Assertion Markup Language):

> Defined by the OASIS group
> Well and academically designed specification
> Uses XML syntax
> Used for Authentication & Authorization
> SAML Assertions
  > Statements: Authentication, Attribute, Authorization
> SAML Protocols
  > Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings
  > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact
> SAML Profiles
  > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile

SAML – How does it work?

Diagram: User Hans Muster, Identity Provider (e.g. clavid.ch), Enabled Service (e.g. Google Apps for Business); exchange in steps 1 to 6 between the three parties

Example with HTTP POST Binding

Sequence between the Browser, the Web App (SAML Ready, with its ACS) and the IDP's Single Sign On Service:
1. Access Resource
2. AuthN
3. Redirect 302
4. <AuthnRequest> to the Single Sign On Service
5a. Credential Challenge
5b. User Login
6. <Response> in HTML Form
7. POST <Response> to the ACS
8. Resource
(Other diagram labels: + PIN, MC)

Questions?

Resources on Internet 1/2

- http://motp.sourceforge.net/
- http://www.clavid.ch/otp
- http://code.google.com/p/mod-authn-otp/
- http://www.multiotp.net/
- http://www.openauthentication.org/
- http://wiki.openid.net/
- http://www.citadelle-electronique.net/

Resources on Internet 2/2

- http://rcdevs.com/products/openotp/
- https://github.com/adulau/paper-token
- http://www.yubico.com/yubikey
- http://www.nongnu.org/oath-toolkit/
- http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdf

"Advice and expertise in choosing and implementing innovative technologies for information systems security and digital identity"

A strong conviction!

Strong authentication

A major event in the world of strong authentication

- 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
  - "Single Factor Authentication" is not enough for web financial applications
  - Before the end of 2006 it is compulsory to implement a strong authentication system
  - http://www.ffiec.gov/press/pr101205.htm
- And the PCI DSS standard
  - Compulsory strong authentication for remote access
- And now European regulations
  - Payment Services (2007/64/CE) for banks
- Social Networks, Open Source

Out of Band Authentication


Phone Factor


SAML


SAML AuthnRequest transfer via browser: Redirect-Binding or POST-Binding

A SAML AuthnRequest (no magic, just XML)

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb"
    Version="2.0"
    IssueInstant="2008-10-14T00:57:14Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    ForceAuthn="false"
    IsPassive="false"
    AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">

  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    google.com
  </saml:Issuer>

  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

</samlp:AuthnRequest>

SAML Assertion transfer via browser: POST-Binding

A SAML Assertion Response (no magic, just XML)
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
Version="2.0"
IssueInstant="2008-10-15T17:24:46Z"
Destination="https://www.google.com/a/unopass.net/acs">

<saml:Issuer>
http://idp.unopass.net:80/opensso
</saml:Issuer>

<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>

<saml:Assertion
ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"
IssueInstant="2008-10-15T17:24:46Z"
Version="2.0">
<saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
<Signature>
… A DIGITAL SIGNATURE …
</Signature>

...


A SAML Assertion Response (no magic, just XML)

...

<saml:Subject>
<saml:NameID
NameQualifier="http://idp.unopass.net:80/opensso">
sylvain.maret
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:...:bearer">
<saml:SubjectConfirmationData
InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
NotOnOrAfter="2008-10-15T17:34:46Z"
Recipient="https://www.google.com/a/unopass.net/acs"/>
</saml:SubjectConfirmation>
</saml:Subject>

...


A SAML Assertion Response (no magic, just XML)

...

<saml:Conditions NotBefore="2008-10-15T17:14:46Z"
NotOnOrAfter="2008-10-15T17:34:46Z">
<saml:AudienceRestriction>
<saml:Audience>google.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z"
SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
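The checks a relying party's Assertion Consumer Service must make on a Response like the one above, written as an added example (not the slides' code): Status, InResponseTo, Destination and Recipient, Issuer, the Conditions validity window and the AudienceRestriction. It assumes the XML signature has already been verified with an XML-DSig library (the slide shows only a signature placeholder, so the constructed sample omits it); the issuer, ACS URL, request ID and timestamps are the ones on the slides.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS = "https://www.google.com/a/unopass.net/acs"     # our Assertion Consumer Service URL
REQ_ID = "hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"   # ID of the AuthnRequest we sent
IDP = "http://idp.unopass.net:80/opensso"
# Constructed sample modelled on the Response shown on the slides (Signature element omitted)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4" InResponseTo="{REQ_ID}" Version="2.0"
  IssueInstant="2008-10-15T17:24:46Z" Destination="{ACS}">
  <saml:Issuer>{IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" Version="2.0">
    <saml:Issuer>{IDP}</saml:Issuer>
    <saml:Subject><saml:NameID>sylvain.maret</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{REQ_ID}" Recipient="{ACS}"
          NotOnOrAfter="2008-10-15T17:34:46Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z">
      <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
_t = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # UTC, 'Z'

def validate_response(xml_text, request_id, issuer, acs_url, audience, now):
    """Checks the ACS must make on a bearer assertion once its XML signature is verified.
    Returns (subject, None) when every check passes, else (None, reason)."""
    root = ET.fromstring(xml_text)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        return None, "status is not Success"
    if root.get("InResponseTo") != request_id or root.get("Destination") != acs_url:
        return None, "not the reply to our AuthnRequest, or not addressed to our ACS"
    a = root.find("saml:Assertion", NS)
    if a.findtext("saml:Issuer", None, NS) != issuer:
        return None, "unexpected assertion Issuer"
    cond = a.find("saml:Conditions", NS)
    if not _t(cond.get("NotBefore")) <= now < _t(cond.get("NotOnOrAfter")):
        return None, "assertion is outside its validity window"
    if audience not in [x.text for x in cond.findall(".//saml:Audience", NS)]:
        return None, "AudienceRestriction does not name this service"
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if (scd.get("Recipient"), scd.get("InResponseTo")) != (acs_url, request_id) \
            or now >= _t(scd.get("NotOnOrAfter")):
        return None, "bearer SubjectConfirmationData rejected"
    return a.findtext(".//saml:NameID", None, NS).strip(), None
def check_sample(now_iso, request_id=REQ_ID, audience="google.com"):  # validate the sample at now_iso
    return validate_response(SAMPLE_RESPONSE, request_id, IDP, ACS, audience, _t(now_iso))
```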
