Strong Authentication in Web Application / ConFoo.ca 2011

Conseil en technologies

Sylvain Maret / Digital Security Expert / OpenID Switzerland

ConFoo.ca / 2011-03-10

Strong Authentication in Web Application

Conseil en technologieswww.maret-consulting.ch

Agenda

Who am I?

Security Expert

17 years of experience in ICT Security

Principal Consultant at MARET Consulting

Expert at Engineer School of Yverdon & Geneva University

Swiss French Area delegate at OpenID Switzerland

Co-founder Geneva Application Security Forum

OWASP Member

Author of the blog: la Citadelle Electronique

http://ch.linkedin.com/in/smaret or @smaret

Chosen field

AppSec & Digital Identity Security

Protection of digital identities: a topical issue…

Strong Authentication

Multi-factor Authentication-101: Talk by Philippe Gamache

2011-03-09 Montréal2011-03-08 Montréal

OWASP Meeting

«Digital identity is the cornerstone of trust»

http://fr.wikipedia.org/wiki/Authentification_forte

Conseil en technologies

A new paradigm !

Which Strong Authentication technology ?

Legacy Token / Old Model ? / Open Source Solution ?

OTP PKI (HW) Biometry

Strong

authentication

Encryption

Digital signature

Non repudiation

Strong link with

the user

* Biometry type Fingerprinting

with PKI

PKI: Digital Certificate

Software Certificate

(PKCS#12;PFX)

Hardware Token (Crypto PKI)

SSL/TLS Mutual Athentication : how does it work?

Web Server

Validation

Authority

Invalid

Unknown

OCSP request

SSL / TLS Mutual Authentication

Demo #1: OpenID and Software Certificate using Clavid.ch

http://www.clavid.com/

Strong Authentication with Biometry (Match on Card technology)

A reader

Biometry

SmartCard

A card with chip

Technology MOC

Crypto Processor

PKCS#11

Digital certificate X509

(O)ne (T)ime (P)assword

OTP Time Based

OTP Event Based

OTP Challenge

Response Based

Others:

OTP via SMS

OTP via email

Biometry and OTP

Bingo Card

OTP T-B?

OTP E-B?

OTP C-R-B?

Crypto - 101

Crypto-101 / Time Based OTP

ie = OTP(K,T) = Truncate(HMAC-SHA-1(K,T))

K=Secret Key / Seed

T=UTC Time

HASH Function

Crypto-101 / Event Based OTP

ie = OTP(K,C) = Truncate(HMAC-SHA-1(K,C))

K=Secret Key / Seed

C = Counter

HASH Function

Crypto-101 / OTP Challenge Response Based

K=Secret Key / Seed

HASH Function

Challenge

Others OTP technologies…

OTP Via SMS

By Elcard

“Flicker code” Generator Software

that converts already

encrypted data into

optical screen animation

Demo #2: Protect WordPress (OTP Via SMS)

How to Store

my Secret Key ?

A Token !

OTP Token: Software vs Hardware ?

Software OTP for Smartphone

http://itunes.apple.com/us/app/iotp/id328973960

New Standards

Open Source

Technologies accessible to everyone

Initiative for Open AuTHentication (OATH)

Mobile OTP

(Use MD5 …..)

OATH Reference Architecture, Release 2.0

http://www.openauthentication.org/

Initiative for Open AuTHentication (OATH)

Event Based OTP

RFC 4226

Time Based OTP

Draft IETF Version 8

Challenge/Response

Draft IETF Version 13

Token Identifier

Specification

(R)isk

(B)ased

(A)uthentication

RBA (Risk-Based Authentication) = Behavior Model

2 Step Verification from Google !

http://code.google.com/p/google-authenticator/

Use OATH-HOTP & TOTP

Integration with

web application

Web application: basic authentication model

Web application: Strong Authentication model

“Shielding" approach: perimetric authentication using WAF

Module/Agent-based approach (example)

API/SDK based approach (example)

Demo 3#: PHP Integration for phpmyadmin

Multi OTP PHP Class by André Liechti (Switzerland)

http://www.multiotp.net/

Source Code will be publish soon:

http://www.citadelle-electronique.net/

Proof of Concept Code by

Anne Gosselin, Antonio Fontes !

if (! empty($_REQUEST['pma_username'])) {

// The user just logged in

$GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];

// we combine both OTP + PIN code for the token verification

$fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];

$fooOtp = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];

$GLOBALS['PHP_AUTH_PW'] = $fooPass.''.$fooOtp;

// OTP CHECK

require_once('./libraries/multiotp.class.php');

$multiotp = new Multiotp();

$multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);

$multiotp->SetEncryptionKey('DefaultCliEncryptionKey');

$multiotp->SetUsersFolder('./libraries/users/');

$multiotp->SetLogFolder('./libraries/log/');

$multiotp->EnableVerboseLog();

$otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);

// the PIN code use kept for accessing the database

$GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0, strlen($GLOBALS['PHP_AUTH_PW'])

if($otpCheckResult == 0)

return true;

die("auth failed.");

Think about Software Security !

Cf Talk Antonio Fontes

Cf Talk Sébastien Giora

Cf Talk Philippe Gamache

Federated identities:

a changing paradigm

on authentication

Federation of identity approach a change of paradigm:

using IDP for Authentication and Strong Authentication

Web App X

Web App Y

Identity Provider

OpenID> What is it?

> How does it work?

> How to integrate?

SECTION 2

OpenID - What is it?

> Internet SingleSignOn

> Relatively Simple Protocol

> User-Centric Identity Management

> Internet Scalable

> Free Choice of Identity Provider

> No License Fee

> Independent of Identification Methods

> Non-Profit Organization

OpenID - How does it work?

Enabled Service

Identity Providere.g. clavid.com

hans.muster.clavid.com

User Hans Muster

Caption

1. User enters OpenID

2. Discovery

3. Authentication

4. Approval

4a. Change Attributes

5. Send Attributes

6. Validation

2 Identity URLhttps://hans.muster.clavid.com

Demo #4: Apache and Mod_OpenID (Using Biometry / OTP)

Demo #4: Challenge / Response OTP with Biometry

Surprise! You may already

have an OpenID !

Other Well Known

Simple Providers

http://en.wikipedia.org/wiki/List_of_OpenID_providers

Get an OpenID with Strong Authentication for free !

SECTION 1

SAML>What is it?

>How does it work?

Using SAML for Authentication and Strong Authentication

(Assertion

Consumer Service)

SAML – What is it?

SAML (Security Assertion Markup Language):

> Defined by the Oasis Group

> Well and Academically Designed Specification

> Uses XML Syntax

> Used for Authentication & Authorization

> SAML Assertions> Statements: Authentication, Attribute, Authorization

> SAML Protocols> Queries: Authentication, Artifact, Name Identifier Mapping, etc.

> SAML Bindings> SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact

> SAML Profiles> Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query

/ Request Profile, Attribute Profile

SAML – How does it work?

Identity Providere.g. clavid.ch

User Hans Muster

Enabled Service

e.g. Google Apps

for Business

Example with HTTP POST Binding

Web App SAML Ready

Ressource

IDP MC

Access Resource

3 <AuthnRequest>

Redirect 302

Single Sign On

Service

4<AuthnRequest>

Credential

Challenge 5a

User Login

in HTML Form 6

8Ressource

Browser

Questions ?

Resources on Internet 1/2

http://motp.sourceforge.net/

http://www.clavid.ch/otp

http://code.google.com/p/mod-authn-otp/

http://www.multiotp.net/

http://www.openauthentication.org/

http://wiki.openid.net/

http://www.citadelle-electronique.net/

Resources on Internet 2/2

http://rcdevs.com/products/openotp/

https://github.com/adulau/paper-token

http://www.yubico.com/yubikey

http://www.nongnu.org/oath-toolkit/

http://www.gpaterno.com/publications/2010/dublin_oss

barcamp_2010_otp_with_oss.pdf

"Le conseil et l'expertise pour le choix et la mise

en oeuvre des technologies innovantes dans la sécurité

des systèmes d'information et de l'identité numérique"

Une conviction forte !

Authentification forte

A major event in the world of strong authentication

12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive

« Single Factor Authentication » is not enough for the web financial applications

Before end 2006 it is compulsory to implement a strong authentication system

http://www.ffiec.gov/press/pr101205.htm

And the PCI DSS norm Compulsory strong authentication for distant accesses

And now European regulations Payment Services (2007/64/CE) for banks

Social Networks, Open Source

Out of Band Authentication

Phone Factor

SAML AuthnRequst Transfer via Browser

Redirect-Binding

POST-Binding

A SAML AuthnRequest (no magic, just XML)

<?xml version="1.0" encoding="UTF-8"?>

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol“

ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb“

Version="2.0”

IssueInstant="2008-10-14T00:57:14Z”

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST”

ProviderName="google.com”

ForceAuthn="false”

IsPassive="false”

AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">

<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

google.com

</saml:Issuer>

<samlp:NameIDPolicy AllowCreate="true"

Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

</samlp:AuthnRequest>

SAML Assertion Transfer via Browser

POST-Binding

A SAML Assertion Response (no magic, just XML)

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"

InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"

Version="2.0"

IssueInstant="2008-10-15T17:24:46Z"

Destination="https://www.google.com/a/unopass.net/acs">

<saml:Issuer>

http://idp.unopass.net:80/opensso

</saml:Issuer>

<samlp:Status>

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

</samlp:Status>

<saml:Assertion

ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"

IssueInstant="2008-10-15T17:24:46Z"

Version="2.0">

<saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>

… A DIGITAL SIGNATURE …

</Signature>

<saml:Subject>

<saml:NameID

NameQualifier="http://idp.unopass.net:80/opensso">

sylvain.maret

</saml:NameID>

<saml:SubjectConfirmation Method="urn:oasis:...:bearer">

<saml:SubjectConfirmationData

InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"

NotOnOrAfter="2008-10-15T17:34:46Z"

Recipient="https://www.google.com/a/unopass.net/acs"/>

</saml:SubjectConfirmation>

</saml:Subject>

<saml:Conditions NotBefore="2008-10-15T17:14:46Z"

NotOnOrAfter="2008-10-15T17:34:46Z">

<saml:AudienceRestriction>

<saml:Audience>google.com</saml:Audience>

</saml:AudienceRestriction>

</saml:Conditions>

<saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z“

SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">

<saml:AuthnContext>

<saml:AuthnContextClassRef>

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

</saml:AuthnContextClassRef>

</saml:AuthnContext>

</saml:AuthnStatement>

</saml:Assertion>

</samlp:Response>

Strong Authentication in Web Application / ConFoo.ca 2011

Documents

Transcript of Strong Authentication in Web Application / ConFoo.ca 2011

Offering SIM Strong Authentication to Internet Services.

Strong Authentication – System Design and Deployment

FIDO, Strong Authentication and elD in Germany

Online authentication methods - OS3 · Using strong authentication provides more protection for sensitive information than a simple username and password can provide. Strong authentication,

Strong User Authentication Mechanisms

Strong Authentication in Web Application / ConFoo.ca 2011

Strong Customer Authentication€¦ · Strong Customer Authentication is an advanced form of two-factor authentication, in which a consumer will share two of the factors (see Fig.

An Industry Roadmap for Open Strong Authentication€¦ · An Industry Roadmap for Open Strong Authentication 5 Universal Strong Authentication for Users and Devices The strength—that

Strong password authentication with AKA authentication ...

Strong Authentication - Peoplepeople.cs.vt.edu/~kafura/cs6204/Readings/...III. STRONG AUTHENTICATION: A STRONGER VALUE PROPOSITION, TOO Enhancing Security Enhancing ROI Creating a

Strong authentication implementation guide

Authentication and Strong Authentication in Web Applications

Strong Authentication OpenID & Yubico

Authentication and strong authentication for Web Application

Strong authentication and authorisation. STORK and STORK2.0

Strong Authentication Plan

Testing is Fun @Confoo.ca 2012

Strong authentication - ngage: identity, access & security · Level 2: Simple Authentication (e.g. name pasword). The lack of strong authentication is not considered to be a risk.

Ultra-strong authentication to protect network access and ... · Ultra-strong authentication to protect network access and assets ESET Secure Authentication provides powerful authentication

Offering SIM Strong Authentication - Liberty Alliance