Agenda
• Protecting digital identities: strong authentication?
• Integration with web applications
• Strong Authentication: a new paradigm!
• Identity Federation for Authentication
• New Standards: SAML / OpenID
Security Expert
• 15 years of experience in ICT Security
• CEO and Founder of MARET Consulting
• Expert at the Engineering School of Yverdon and Geneva University
• Swiss French area delegate at OpenID Switzerland
• Co-founder of the Geneva Application Security Forum
• OWASP Member
• Author of the blog La Citadelle Electronique
• http://ch.linkedin.com/in/smaret
Chosen field: Digital Identity Security
www.maret-consulting.ch Technology consulting
Protection of digital identities: a topical issue…
• Keylogger (hardware and software)
• Malware
• Man in the Middle
• Browser in the Middle
• Password Sniffer
• Social Engineering
• Phishing / Pharming
The number of identity thefts is increasing dramatically!
12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
• "Single Factor Authentication" is not enough for web financial applications
• Before the end of 2006 it is compulsory to implement a strong authentication system
http://www.ffiec.gov/press/pr101205.htm
And the PCI DSS standard
• Compulsory strong authentication for remote access
And now European regulations
• Payment Services (2007/64/CE) for banks
• Social Networks, Open Source
Strong Authentication: a new paradigm!
Which strong authentication technology? (Legacy Token…)
• Digital signature, non-repudiation
• A reader
• Biometry
• SmartCard: a card with a chip, MOC technology, crypto processor
• PC/SC, PKCS#11
• Digital certificate X.509
• Based on standards, open solutions
Open Authentication (OATH): Mobile One Time Passwords
• Strong, two-factor authentication
• OATH authentication with mobile phones
• Algorithms: HOTP (HMAC, event based), OCRA (challenge/response), TOTP (time based)
• OATH Token Identifier Specification
Integration with web applications
Web applications: basic authentication model
[Figure: the web application sends an OCSP request to the Validation Authority, whose answer is Valid, Invalid or Unknown]
A changing paradigm on authentication
Identity federation approach, a change of paradigm: using the IDP for authentication and strong authentication
[Figure: one Identity Provider serving Web App X and Web App Y, each through its Assertion Consumer Service]
• SAML Assertions
  – Statements: Authentication, Attribute, Authorization
• SAML Protocols
  – Queries: Authentication, Artifact, Name Identifier Mapping, etc.
• SAML Bindings
  – SOAP, Reverse-SOAP, HTTP-GET, HTTP-POST, HTTP-Artifact
• SAML Profiles
  – Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile
[Figure: Web Browser SSO profile between the Browser, a SAML-ready Web App (Enabled Service, with ACS) and the Identity Provider (e.g. clavid.ch). 1 Access Resource; 2 AuthN; 3 <AuthnRequest> via Redirect 302; 4 <AuthnRequest> to the Single Sign On Service; 5a Credential Challenge (+ PIN); 6 <Response> in HTML Form; 7 POST <Response> to the ACS; 8 Resource]
[Figure: OpenID flow between the Browser, the Enabled Service and the Identity Provider (e.g. clavid.com), Identity URL https://hans.muster.clavid.com. Caption: 1. User enters OpenID; 2. Discovery; 3. Authentication; 4. Approval; 4a. Change Attributes; 5. Send Attributes; 6. Validation]
[Figure: Authentication Server (IDP-AS) architecture. Frontend protocols (SAML v1, SAML v2, OpenID) toward the Service Provider (SP) side: Web Server 1/3, App with AuthN and ACS 2/3, Back End 3/3. Backend protocols (Radius, etc.) toward the token technologies: OTP, PKI, BIO, Password. A unique interface: agnostic / easy]
Conclusion #1
The Authentication Server needs to be agnostic to any token
• Support open standards
Federation of identity: a change of paradigm for authentication
• Not only for federation or Web SSO
• SAML and OpenID can support all authentication technologies
• Develop only one authentication interface for all web applications
Users can choose their strong authentication token
• User friendly and reduces costs
New standards and open source solutions
• OTP Software Token is no free
• Strong authentication for social networks (OpenID IDP & strong authentication)
Think about web application security
• OWASP - Application Security Verification Standard Project
• OWASP - Best Practices: Use of Web Application Firewalls
• 2010 CWE/SANS - Top 25 Most Dangerous Software Errors
MARET Consulting
http://maret-consulting.ch/
La Citadelle Electronique (the blog on digital identities)
http://www.citadelle-electronique.net/
Banking and finance articles:
Stealing an identity? Impossible with biometrics! ("Usurper une identité? Impossible avec la biométrie!")
http://www.banque-finance.ch/numeros/88/59.pdf
Biometrics and Mobility ("Biométrie et Mobilité")
http://www.banque-finance.ch/numeros/97/62.pdf
Public presentations
OSSIR Paris 2009: Lessons learned from a large-scale biometrics deployment ("Retour d'expérience sur le déploiement de biométrie à grande échelle")
http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf
ISACA, Clusis: Access to information: roles and responsibilities ("Accès à l'information : Rôles et responsabilités")
http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-de28099authentification-forte.pdf