Authentication Without Authentication


Posted: 21-Jan-2018
Category: Technology



Transcript of Authentication Without Authentication

  1. Authentication Without Authentication, AppSec Israel, @omerlh
  2. Source: Nissan
  3. Troy Hunt - Hack Yourself First
  4. Source: Troy Hunt's Blog
  5. - Helping people get the most out of their technology
  6. "...a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today..." Source: Optimizely
  7. Source: pinterest
  8. Authenticate Request Per Second
  9. Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/
  10. Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html
  11. User Id, Application Server
  12. Device Id, Application Server
  13. Agenda: OpenID, Digital Signature, One Time Password, Demo, Edge Cases
  14. Simple Identity Layer. Token-based authentication. Widely supported. Modularity - many authentication flows.
  15. Authorization Server, Application Server, Device
  16. Supported Authentication Methods: Authorization/Implicit/Hybrid, Client credentials, Resource Owner, JWT client assertion
  17. We need a new authentication flow
  18. Authorization Server, Device
  19. Authorization Server, Application Server, Device
  20. Requirements: Strong authentication solution, Unique device identification, Simple, Unique per request (Replay Attacks), Fault tolerant
  21. Questions?
  22. Let's use Digital Signature
  23. Dear Bob (Sign), Dear Bob (Verify). Leo, Bob the Builder(TM). Source: Bob the Builder(TM) Official Site
  24. This sounds familiar...
  25. How can we use it?
  26. Authorization Server, Device: Public Key, Id / Public Key, Id (Id: 5467)
  27. Authorization Server, Device: Digital Signature, Id / Public Key, Id (Id: 5467)
  28. So far we have: Strong authentication solution, Unique device identification, Simple, Unique per request, Fault tolerant
  29. Questions?
  30. One Time Password
  31. Authorization Server, Device: Digital Signature, Id / Public Key, Id (Id: 5467)
  32. Time Based: Use current timestamp; Allowed time range (e.g. +- 1 min). 2FA Solution. Counter Based: Start with a random seed; Increase by one after each request; Allowed value range (e.g. +- 5)
  33. Synchronization Issues
  34. Let's build our own OTP
  35. Client State, Server State: Old 5 New 2, Old 5 New 2, Old 2 New 42, Old 5 New 2, Old 2 New 42, Token
  36. So far we have: Strong authentication solution, Unique device identification, Simple, Unique per request, Fault tolerant
  37. Questions?
  38. Demo Time
  39. Client, Authorization Server, Application Server (Sensitive API)
  40. Let's see it in action... All the code is available on GitHub
  41. Network request can fail. Reasons: Timeout, Network failure, Temporary server errors. Unknown server state: State did not change / State changed
  42. Client State, Server State: Old 2 New 42, Old 1 New 2, Old 2 New 42, Old 2 New 42, Old 1 New 2, Token, Error
  43. Client State, Server State: Old 2 New 42, Old 2 New 42, Old 1 New 2, Old 2 New 42, Old 2 New 42, Old 2 New 42, Error
  44. Client State, Server State: Old 2 New 42, Old 2 New 42, Old 42 New 86, Old 42 New 86, Old 2 New 42, Bad Request (400), Token
  45. Questions?
  46. What is the weakest link in the chain?
  47. Detecting Compromised Devices
  48. (image slide)
  49. Client State, Server State: Old 2 New 42, Old 1 New 2, Eve: Old 2 New 42, Old 1 New 2, Old 2 New 42, Old 2 New 42, Token
  50. Client State, Server State: Old 2 New 42, Old 2 New 42, Eve: Old 42 New 56, Old 2 New 42, Old 2 New 42, Bad Request (400)
  51. Client State, Server State: Old 42 New 78, Old 2 New 42, Eve: Old 42 New 56, Old 2 New 42, Old 42 New 78, Old 42 New 78, Token
  52. Client State, Server State: Old 78 New 4, Old 7 New 78, Eve: Old 7 New 56, Old 7 New 78, Old 7 New 93, 400 Bad Request
  53. (image slide)
  54. Questions?
  55. Conclusion
  56. Responsible Disclosure
  57. Requirements: Strong authentication solution, Unique device identification, Simple, Unique per request, Fault tolerant
  58. Authorization Server, Device
  59. Authorization Server, Application Server, Device
  60. How can you use it? @omerlh
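As an added example (not the talk's GitHub code), the following Python model reconstructs the rolling old/new one-time-value scheme from the "Let's build our own OTP" slide together with the edge-case and compromised-device slides: the server keeps the last accepted (old, new) pair per device, accepts the expected value and rotates, answers a repeated request idempotently when the reply was lost, and flags the device when a cloned copy has already advanced the counter. The request fields `current`/`next`, the token string and the flagging set are assumptions, and the device's digital signature over the request is assumed to be verified before this step.

```python
import secrets

TOKEN = "access-token"  # constructed placeholder for whatever the real server issues

class AuthServer:
    """Per-device (old, new) counter pair, modelling the talk's rolling OTP."""
    def __init__(self):
        self.state = {}           # device_id -> (old, new)
        self.compromised = set()  # devices whose counter diverged from the server's

    def register(self, device_id, seed):
        self.state[device_id] = (None, seed)

    def authenticate(self, device_id, current, nxt):
        old, new = self.state[device_id]
        if current == new:                # expected value: rotate and issue a token
            self.state[device_id] = (current, nxt)
            return 200, TOKEN
        if (current, nxt) == (old, new):  # same request again: the reply was lost
            return 200, TOKEN             # answer idempotently, do not rotate again
        self.compromised.add(device_id)   # someone else already advanced the counter
        return 400, None

class Device:
    def __init__(self, device_id, server, current=None, nxt=None):
        self.id, self.server = device_id, server
        self.current = secrets.randbelow(10**6) if current is None else current
        self.nxt = secrets.randbelow(10**6) if nxt is None else nxt
        server.register(device_id, self.current)

    def request(self, reply_delivered=True):
        # Send (current, next); rotate only after a successful reply is seen.
        status, token = self.server.authenticate(self.id, self.current, self.nxt)
        if not reply_delivered:           # constructed network failure: reply lost
            return None
        if status == 200:
            self.current, self.nxt = self.nxt, secrets.randbelow(10**6)
        return token

def lost_reply_then_retry():
    srv = AuthServer()
    dev = Device("fridge", srv, current=5, nxt=2)
    first = dev.request(reply_delivered=False)  # server rotated to (5, 2), client did not
    return first, dev.request()                 # retry matches (old, new): accepted

def cloned_device_detected():
    srv = AuthServer()
    dev = Device("cam", srv, current=2, nxt=42)
    eve = srv.authenticate("cam", 2, 56)        # Eve uses the cloned state first
    real = dev.request()                        # real device is rejected and flagged
    return eve[1], real, "cam" in srv.compromised
```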