MARET Consulting | 109, chemin du Pont-du-Centenaire | CH 1228 Plan-les-Ouates | Tél +41 22 727 05 57 | Fax +41 22 727 05 50 | www.maret-consulting.ch

Authentication and Strong Authentication in Web Application

Sylvain Maret / Digital Security Expert @ MARET Consulting


BrightTALK - October 7th 2010

Agenda

- Protecting digital identities
- Strong authentication?
- Integration with web applications
- Strong Authentication: A new paradigm!
- Identity Federation for Authentication
- New Standards: SAML / OpenID

www.maret-consulting.ch Conseil en technologies


Who am I?

- Security Expert
- 15 years of experience in ICT Security
- CEO and Founder of MARET Consulting
- Expert at the Engineering School of Yverdon & Geneva University
- Swiss French Area delegate at OpenID Switzerland
- Co-founder of the Geneva Application Security Forum
- OWASP Member
- Author of the blog: la Citadelle Electronique
- http://ch.linkedin.com/in/smaret

Chosen field: Digital Identity Security
Protection of digital identities: a topical issue…

Threats on authentication


Facts!

- Keylogger (hardware and software)
- Malware
- Man in the Middle
- Browser in the Middle
- Password Sniffer
- Social Engineering
- Phishing / Pharming

The number of identity thefts is increasing dramatically!


A major event in the world of strong authentication

- 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
  - « Single Factor Authentication » is not enough for web financial applications
  - Before the end of 2006 it is compulsory to implement a strong authentication system
  - http://www.ffiec.gov/press/pr101205.htm
- And the PCI DSS standard
  - Compulsory strong authentication for remote access
- And now European regulations
  - Payment Services (2007/64/CE) for banks
- Social Networks, Open Source


Definition of strong authentication

Strong Authentication on Wikipedia



«Digital identity is the cornerstone of trust»

More information on the subject



Strong Authentication: A new paradigm!

Which strong authentication technology? (Legacy Token …..)
[Table: the technologies OTP, PKI (HW) and Biometry* compared against the properties Strong authentication, Encryption, Digital signature, Non repudiation and Strong link with the user; the per-cell marks are not recoverable.]

* Biometry type: Fingerprinting
Strong Authentication with Biometry (Match on Card technology)

- A reader
  - Biometry
  - SmartCard
- A card with chip
  - MOC (Match on Card) technology
  - Crypto processor
  - PC/SC
  - PKCS#11
  - Digital certificate X509


Authentication Server must be agnostic

New Standards & Open Source


Technologies accessible to everyone

- Based on Standards
- Open Solutions

Open Authentication (OATH): strong, two-factor authentication
- Mobile One Time Passwords
- OATH authentication with mobile phones

OATH algorithms:
- HOTP (HMAC, Event Based)
- OCRA (Challenge/Response)
- TOTP (Time Based)
- OATH Token Identifier Specification
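The OATH algorithms listed above are specified in RFC 4226 (HOTP), RFC 6238 (TOTP) and RFC 6287 (OCRA). The following is an added example, not code from the presentation: HOTP and TOTP in Python, plus the server-side check a practitioner wants (a small clock-drift window and a constant-time comparison). The key `12345678901234567890` and the expected values in the comments are the RFC 4226 / RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct
import time

# Added example: HOTP (RFC 4226) and TOTP (RFC 6238) as used by OATH tokens.
# Not code from the presentation.

def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits; C is an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    # Dynamic truncation: the low 4 bits of the last byte pick a 4-byte window,
    # whose top bit is cleared to avoid signed/unsigned ambiguity.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter T = floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps of clock drift,
    comparing in constant time so a wrong digit does not leak through timing.
    A production server should also remember the last accepted step to refuse reuse."""
    if for_time is None:
        for_time = int(time.time())
    if len(code) != digits or not code.isdigit():
        return False
    counter = for_time // step
    accepted = False
    for delta in range(-window, window + 1):
        # Evaluate every candidate so timing does not depend on which step matched.
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            accepted = True
    return accepted


if __name__ == "__main__":
    key = b"12345678901234567890"        # RFC 4226 / RFC 6238 test secret
    print(hotp(key, 0))                  # 755224 (RFC 4226, counter 0)
    print(totp(key, 59, digits=8))       # 94287082 (RFC 6238, T=59, SHA-1)
    print(verify_totp(key, totp(key, 1111111109), for_time=1111111109))  # True
```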
Integration with web application
Web applications: basic authentication model



Web application: strong authentication model



"Shielding" approach: perimeter authentication


Module/Agent-based approach



API/SDK based approach



SSL PKI: how does it work?

[Diagram: SSL / TLS Mutual Authentication between Alice and the Web Server; the Web Server sends an OCSP request to the Validation Authority, which answers Valid, Invalid or Unknown.]
Federated identities: a changing paradigm on authentication

Federation of identity approach, a change of paradigm: using an IDP for Authentication and Strong Authentication

[Diagram: one Identity Provider serving Web App X and Web App Y.]


SECTION 1: SAML
- What is it?
- How does it work?


Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)


SAML – What is it?

SAML (Security Assertion Markup Language):

- Defined by the OASIS Group
- Well and academically designed specification
- Uses XML syntax
- Used for Authentication & Authorization
- SAML Assertions
  - Statements: Authentication, Attribute, Authorization
- SAML Protocols
  - Queries: Authentication, Artifact, Name Identifier Mapping, etc.
- SAML Bindings
  - SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact
- SAML Profiles
  - Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile


SAML – How does it work?

[Diagram: User Hans Muster, Identity Provider (e.g. clavid.ch) and Enabled Service (e.g. Google Apps for Business), with numbered exchanges 1 to 6 between them.]


Example with HTTP POST Binding

Participants: Browser, Web App SAML Ready (with its ACS), Identity Provider (Single Sign On Service, user login).

1. Browser: Access Resource on the Web App SAML Ready
2. Web App: AuthN required
3. Web App: <AuthnRequest>, Redirect 302 to the IDP
4. Browser: <AuthnRequest> delivered to the Single Sign On Service
5a. IDP: Credential Challenge
5b. User Login on the IDP (MC + PIN)
6. IDP: <Response> in HTML Form
7. Browser: POST <Response> to the ACS
8. Web App: Resource
SAML AuthN & ACS integration in Web Application

[Diagram: the Digital Identity (Principal) authenticates to the Service Provider (SP); the AuthN and ACS functions can be integrated at one of three tiers of a Web App SAML Ready (integration points 1A, 1B, 1C): 1/3 Web Server, 2/3 App Server, 3/3 Back End.]
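Whichever tier hosts the ACS, it has to validate the posted <Response> from the HTTP POST binding flow above before trusting the subject: InResponseTo matches the <AuthnRequest> this SP issued, the Status is Success, the assertion is inside its NotBefore/NotOnOrAfter window and names this SP as Audience. The following is an added Python example, not code from the presentation; the sample response and the names `app.example`, `idp.example` and `_req42` are constructed. It deliberately leaves out XML signature verification, which a real ACS must also perform against the IDP's certificate before any of these checks count.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text: str, audience: str, request_id: str, now: datetime):
    """ACS-side validation of a <samlp:Response>; returns (ok, reason, name_id).
    XML signature verification (required in practice) is not part of this example."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response", None
    # Must answer the <AuthnRequest> this SP sent (step 3); rejects unsolicited/replayed responses.
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match our AuthnRequest ID", None
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return False, "IdP did not report Success", None
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return False, "missing Assertion or Conditions", None
    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = parse_time(cond.get("NotBefore", "1970-01-01T00:00:00Z"))
    not_on_or_after = parse_time(cond.get("NotOnOrAfter", "9999-12-31T23:59:59Z"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window", None
    # Audience restriction: the assertion must be addressed to this SP, not just any SP.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "assertion was issued for a different SP", None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return True, "ok", None if name_id is None else name_id.text

# Constructed sample response (not from the presentation); entity IDs are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  InResponseTo="_req42" IssueInstant="2010-10-07T10:00:05Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-10-07T10:00:05Z">
    <saml:Issuer>https://idp.example</saml:Issuer>
    <saml:Subject><saml:NameID>hans.muster</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2010-10-07T10:00:00Z" NotOnOrAfter="2010-10-07T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```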
SECTION 2: OpenID
- What is it?
- How does it work?
- How to integrate?


OpenID - What is it?

- Internet Single Sign-On
- Relatively simple protocol
- User-centric identity management
- Internet scalable
- Free choice of Identity Provider
- No license fee
- Independent of identification methods
- Non-profit organization


OpenID - How does it work?

[Diagram: User Hans Muster, Identity Provider (e.g. clavid.com), Identity URL https://hans.muster.clavid.com, Enabled Service.]

Caption:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation


Architecture IDP: Authentication Server


[Diagram: the IDP-AS (authentication server) sits between two protocol sides. Frontend protocols: Federation (Facebook, Google, OpenID, other IDP, Internal Active Directory, etc.), SAML v2, SAML v1, OpenID, Radius, etc. Backend authentication methods: OTP, PKI, BIO, Password. The Web App SAML Ready (Service Provider: 1/3 Web Server, 2/3 App Server, 3/3 Back End, with AuthN and ACS) talks to it through a unique interface: agnostic / easy.]
Conclusion #1

- The Authentication Server needs to be agnostic to any token
  - Support Open Standards
- Federation of identity: a change of paradigm for authentication
  - Not only for Federation or Web SSO
  - SAML and OpenID can support all authentication technologies
  - Develop only one authentication interface for all Web Applications


Conclusion #2

- Users can choose their Strong Authentication Token
  - User friendly and reduces costs
- New Standards and Open Source Solutions
  - OTP Software Token is no free
  - Strong Authentication for Social Networks (OpenID IDP & Strong Authentication)
- Think about Web Application Security
  - OWASP - Application Security Verification Standard Project
  - OWASP - Best Practices: Use of Web Application Firewalls
  - 2010 CWE/SANS - Top 25 Most Dangerous Software Errors


Some links to go deeper into the subject

MARET Consulting
http://maret-consulting.ch/

La Citadelle Electronique (the blog on digital identities)
http://www.citadelle-electronique.net/

Banque & Finance articles:

Stealing an identity? Impossible with biometrics!
http://www.banque-finance.ch/numeros/88/59.pdf

Biometrics and Mobility
http://www.banque-finance.ch/numeros/97/62.pdf

Public presentations

OSSIR Paris 2009: Lessons learned from a large-scale biometrics deployment
http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf

ISACA, Clusis: Access to information: Roles and responsibilities
http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-de28099authentification-forte.pdf


"Consulting and expertise for the choice and implementation of innovative technologies in information systems security and digital identity"