Agenda
Security Expert
17 years of experience in ICT Security
Principal Consultant at MARET Consulting
Expert at the Engineering School of Yverdon & Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
OWASP Member
Author of the blog: la Citadelle Electronique
http://ch.linkedin.com/in/smaret or @smaret
Chosen field
AppSec & Digital Identity Security
Strong Authentication
2011-03-08 Montréal
2011-03-09 Montréal OWASP Meeting
http://fr.wikipedia.org/wiki/Authentification_forte
www.maret-consulting.ch Conseil en technologies
MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch
Strong Authentication
A new paradigm!
Which Strong Authentication technology?
Digital signature
Non-repudiation
TPM
SSL/TLS Mutual Authentication: how does it work?
Validation Authority (diagram): the certificate is checked with an OCSP request
OCSP response: Valid, Invalid or Unknown
http://www.clavid.com/
Strong Authentication with Biometry (Match on Card technology)
Components: a reader, biometry, a SmartCard
HASH Function, OTP, T = UTC Time
i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
Crypto-101 / Event Based OTP
HASH Function, OTP, C = Counter
i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
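As an added example (not code from the slides), the two constructions above in Python: the event-based OTP(K,C) = Truncate(HMAC-SHA-1(K,C)) and the time-based OTP(K,T) with T derived from UTC time, plus the server-side checks a verifier needs that the slides do not show: a drift window for time-based codes and a look-ahead window with replay rejection for counter-based codes. The key is the published RFC 4226 / RFC 6238 test secret; the function names are my own.

```python
import hmac
import hashlib
import struct

# Constructed sample key: the 20-byte ASCII test secret from RFC 4226 / RFC 6238.
SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) per RFC 4226."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: T = floor(UTC unix time / step), then HOTP(K, T)."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server check tolerating +/- `window` time steps of clock drift (constant-time compare)."""
    t = unix_time // 30
    return any(hmac.compare_digest(hotp(key, t + d), candidate)
               for d in range(-window, window + 1))


def verify_hotp(key: bytes, candidate: str, stored_counter: int, look_ahead: int = 5):
    """Server check for an event-based token: accept the stored counter or a small
    look-ahead window (button pressed without logging in) and return the counter the
    server must persist next. Any code at or below the last used counter is a replay."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c), candidate):
            return c + 1
    return None
```

The persisted counter must be updated atomically after a successful check, otherwise the same event-based code can be accepted twice.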
Crypto-101 / OTP Challenge Response Based
HASH Function, OTP, Challenge = nonce
By Elcard
Demo #2: Protect WordPress (OTP Via SMS)
A Token!
OTP Token: Software vs Hardware?
http://itunes.apple.com/us/app/iotp/id328973960
New Standards & Open Source
Mobile OTP (uses MD5 …)
http://www.openauthentication.org/
Initiative for Open AuTHentication (OATH)
HOTP: Event Based OTP, RFC 4226
OCRA: OTP Challenge/Response, Draft IETF Version 13
TOTP: Time Based OTP, Draft IETF Version 8
Token Identifier Specification
Etc.
(R)isk (B)ased (A)uthentication
RBA (Risk-Based Authentication) = Behavior Model
http://code.google.com/p/google-authenticator/
if (! empty($_REQUEST['pma_username'])) {
    // The user just logged in
    $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
    // OTP CHECK
    require_once('./libraries/multiotp.class.php');
    $multiotp = new Multiotp();
    $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
    $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
    $multiotp->SetUsersFolder('./libraries/users/');
    $multiotp->SetLogFolder('./libraries/log/');
    $multiotp->EnableVerboseLog();
    // The submitted password is PIN + OTP; multiOTP checks the whole string
    $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);
    // Only the PIN code is kept for accessing the database: strip the trailing OTP.
    // $otpLength is an assumption (the slide is cut off here); set it to the token's digit count.
    $otpLength = 6;
    $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0, strlen($GLOBALS['PHP_AUTH_PW']) - $otpLength);
    if ($otpCheckResult == 0) {
        return true;
    } else {
        die("auth failed.");
    }
}
Think about Software Security!
A changing paradigm on authentication
Federation of identity approach, a change of paradigm:
using an IDP for Authentication and Strong Authentication
OpenID flow (diagram): Identity Provider (e.g. clavid.com), Web App X and Web App Y (OpenID Enabled Services), Identity URL https://hans.muster.clavid.com
Caption:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation
http://en.wikipedia.org/wiki/List_of_OpenID_providers
SAML flow (diagram): Browser, Web App (SAML Ready, with an Assertion Consumer Service, ACS), Identity Provider (e.g. clavid.ch, with a Single Sign On Service)
1. AuthN (Access Resource)
2. <AuthnRequest>
3. Redirect 302
4. <AuthnRequest> to the Single Sign On Service
5a. Credential Challenge (+ PIN)
6. <Response> in HTML Form
7. POST <Response> to the ACS
8. Resource
http://motp.sourceforge.net/
http://www.clavid.ch/otp
http://code.google.com/p/mod-authn-otp/
http://www.multiotp.net/
http://www.openauthentication.org/
http://wiki.openid.net/
http://www.citadelle-electronique.net/
http://rcdevs.com/products/openotp/
https://github.com/adulau/paper-token
http://www.yubico.com/yubikey
http://www.nongnu.org/oath-toolkit/
http://www.gpaterno.com/publications/2010/dublin_oss
barcamp_2010_otp_with_oss.pdf
Strong Authentication
A major event in the world of strong authentication
Redirect-Binding
POST-Binding
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb"
  Version="2.0"
  IssueInstant="2008-10-14T00:57:14Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  ProviderName="google.com"
  ForceAuthn="false"
  IsPassive="false"
  AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    google.com
  </saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
POST-Binding
<saml:Issuer>
http://idp.unopass.net:80/opensso
</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion
ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"
IssueInstant="2008-10-15T17:24:46Z"
Version="2.0">
<saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
<Signature>
… A DIGITAL SIGNATURE …
</Signature>
...
...
<saml:Subject>
<saml:NameID
NameQualifier="http://idp.unopass.net:80/opensso">
sylvain.maret
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:...:bearer">
<saml:SubjectConfirmationData
InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
NotOnOrAfter="2008-10-15T17:34:46Z"
Recipient="https://www.google.com/a/unopass.net/acs"/>
</saml:SubjectConfirmation>
</saml:Subject>
...
...
<saml:Conditions NotBefore="2008-10-15T17:14:46Z"
NotOnOrAfter="2008-10-15T17:34:46Z">
<saml:AudienceRestriction>
<saml:Audience>google.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z"
SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>