Technology consulting
Agenda
Security Expert
17 years of experience in ICT Security
Principal Consultant at MARET Consulting
Expert at the Engineering School of Yverdon & Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
OWASP Member
Author of the blog: la Citadelle Electronique
http://ch.linkedin.com/in/smaret or @smaret
http://www.slideshare.net/smaret
Chosen field
AppSec & Digital Identity Security
www.maret-consulting.ch Conseil en technologies
Protection of digital identities: a topical issue…
Strong Auth
http://fr.wikipedia.org/wiki/Authentification_forte
MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tel +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch
Strong Authentication
A new paradigm!
Which Strong Authentication technology?
Legacy Token? / Old Model? / Open Source Solution?
Diagram: digital signature (non-repudiation). The certificate is checked against a Validation Authority, via a CRL or an OCSP request, which answers Valid, Invalid or Unknown.
http://www.clavid.com/
Strong Authentication with Biometry (Match on Card technology)
Diagram: a reader with biometry and a smart card.
Time-based OTP: a HASH function produces the OTP from the key and T = UTC time,
i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
Crypto-101 / Event Based OTP
A HASH function produces the OTP from the key and C = Counter,
i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
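The two formulas above (time-based OTP(K,T) and event-based OTP(K,C)) are the same HMAC-SHA-1 construction with a different counter; the following added example, not from the slides, implements both per RFC 4226 / RFC 6238 and adds the server-side look-ahead check that rejects a replayed code. The 20-byte key is the RFC 4226 test secret, used here as constructed sample input.

```python
import hashlib
import hmac
import struct
import time

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: OTP(K, C) = Truncate(HMAC-SHA-1(K, C)), C as 8-byte big-endian."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, for_time: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the time-based variant is HOTP with C = floor(UTC time / step)."""
    t = time.time() if for_time is None else for_time
    return hotp(key, int(t // step), digits)

def verify_hotp(key: bytes, submitted: str, last_counter: int, window: int = 10):
    """Server-side check: accept only counters strictly after the last one used,
    within a look-ahead window, so a replayed code is rejected.
    Returns the counter to store on success, None on failure."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(key, c), submitted):
            return c
    return None

if __name__ == "__main__":
    # RFC 4226 appendix D test secret, used as constructed sample input
    k = b"12345678901234567890"
    print([hotp(k, c) for c in range(3)])        # ['755224', '287082', '359152']
```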
Crypto-101 / OTP Challenge Response Based
A HASH function produces the OTP from the key and a Challenge (nonce),
i.e.:
Other OTP technologies…
By Elcard
Demo #2: Protect WordPress (OTP Via SMS)
A Token !
OTP Token: Software vs Hardware?
http://itunes.apple.com/us/app/iotp/id328973960
New Standards
&
Open Source
Mobile OTP (uses MD5…)
http://www.openauthentication.org/
Initiative for Open AuTHentication (OATH)
HOTP
Event Based OTP Token Identifier
RFC 4226 Specification
http://www.openauthentication.org/specifications
(R)isk
(B)ased
(A)uthentication
RBA (Risk-Based Authentication) = Behavior Model
http://code.google.com/p/google-authenticator/
Integration with web application
Web application: basic authentication model
if (! empty($_REQUEST['pma_username'])) {
    // The user just logged in
    $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
    // OTP CHECK
    require_once('./libraries/multiotp.class.php');
    $multiotp = new Multiotp();
    $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
    $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
    $multiotp->SetUsersFolder('./libraries/users/');
    $multiotp->SetLogFolder('./libraries/log/');
    $multiotp->EnableVerboseLog();
    // The submitted password is PIN + OTP; multiOTP returns 0 when the token is valid
    $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);
    // Strip the OTP suffix so only the PIN is kept for accessing the database
    // (the slide is truncated at this point; a 6-digit OTP length is assumed here)
    $otpLength = 6;
    $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0, strlen($GLOBALS['PHP_AUTH_PW']) - $otpLength);
    if ($otpCheckResult == 0) {
        return true;
    } else {
        die("auth failed.");
    }
}
Howto #1
Step 1: Add a new method using cookie authentication
In config.inc.php
In common.inc.php
&
Application Security
Threat Modeling
"Threat modeling your web application: mitigating risks right from the start!"
a changing paradigm on authentication
Identity federation approach, a change of paradigm:
using an IdP for Authentication and Strong Authentication
Diagram: an Identity Provider (e.g. clavid.com, identity URL https://hans.muster.clavid.com) sits between Web App X and Web App Y; the numbered steps are:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation Enabled Service
http://en.wikipedia.org/wiki/List_of_OpenID_providers
http://motp.sourceforge.net/
http://www.clavid.ch/otp
http://code.google.com/p/mod-authn-otp/
http://www.multiotp.net/
http://www.openauthentication.org/
http://wiki.openid.net/
http://www.citadelle-electronique.net/
http://rcdevs.com/products/openotp/
https://github.com/adulau/paper-token
http://www.yubico.com/yubikey
http://www.nongnu.org/oath-toolkit/
http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdf
Strong authentication
SECTION 1
SAML
>What is it?
>How does it work?
Diagram: SAML Web SSO between the Browser, the SAML-ready Web App (the Enabled Service, with its ACS = Assertion Consumer Service) and the Identity Provider (e.g. clavid.ch, with its Single Sign On Service):
1. Access Resource
2. AuthN
3. <AuthnRequest> (+ PIN), Redirect 302 (Redirect-Binding)
4. <AuthnRequest> delivered to the Single Sign On Service
5a. Credential Challenge
6. <Response> in HTML Form
7. POST <Response> to the ACS (POST-Binding)
8. Resource
Redirect-Binding
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb"
Version="2.0"
IssueInstant="2008-10-14T00:57:14Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="google.com"
ForceAuthn="false"
IsPassive="false"
AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
google.com
</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
POST-Binding
<saml:Issuer>
http://idp.unopass.net:80/opensso
</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion
ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"
IssueInstant="2008-10-15T17:24:46Z"
Version="2.0">
<saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
<Signature>
… A DIGITAL SIGNATURE …
</Signature>
...
...
<saml:Subject>
<saml:NameID
NameQualifier="http://idp.unopass.net:80/opensso">
sylvain.maret
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:...:bearer">
<saml:SubjectConfirmationData
InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
NotOnOrAfter="2008-10-15T17:34:46Z"
Recipient="https://www.google.com/a/unopass.net/acs"/>
</saml:SubjectConfirmation>
</saml:Subject>
...
...
<saml:Conditions NotBefore="2008-10-15T17:14:46Z"
NotOnOrAfter="2008-10-15T17:34:46Z">
<saml:AudienceRestriction>
<saml:Audience>google.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z"
SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>