Authentication Without Authentication

Click here to load reader

  • date post

    21-Jan-2018

  • Category

    Technology

  • view

    158

  • download

    0

Embed Size (px)

Transcript of Authentication Without Authentication

  1. 1. Authentication Without Authentication AppSec Israel @omerlh
  2. 2. Source: Nissan
  3. 3. Troy Hunt - Hack Yourself First
  4. 4. Source: Troy Hunt's Blog
  5. 5. - Helping people get the most out of their technology
  6. 6. ...a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today... Source: Optimizely
  7. 7. Source: pinterest
  8. 8. Authenticate Request Per Second
  9. 9. Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/
  10. 10. Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html
  11. 11. User Id Application Server
  12. 12. Device Id Application Server
  13. 13. Agenda OpenID Digital Signature One Time Password Demo Edge Cases OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  14. 14. Simple Identity Layer Token-based authentication Widely supported Modularity - many authentication flows OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  15. 15. Authorization Server Application ServerDevice OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  16. 16. Supported Authentication Methods Authorization/Implicit/Hybrid Client credentials Resource Owner JWT client assertion OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  17. 17. We need a new authentication flow OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  18. 18. Authorization Server Device OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  19. 19. Authorization Server Application ServerDevice OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  20. 20. Requirements Strong authentication solution Unique device identification Simple Unique per request Replay Attacks Fault tolerant OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  21. 21. Questions?
  22. 22. Lets use Digital Signature OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  23. 23. Dear Bob Dear BobSign Verify OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases Leo Bob the BuilderTM Source: Bob the Buildertm Official Site
  24. 24. This sounds familiar... OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  25. 25. How we can use it? OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  26. 26. Authorization Server Device Public Key, Id Public Key, Id OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases Id: 5467
  27. 27. Authorization ServerDevice Digital Signature, Id Public Key, Id OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases Id: 5467
  28. 28. So far we have: Strong authentication solution Unique device identification Simple Unique per request Fault tolerant OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  29. 29. Questions?
  30. 30. One Time Password OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  31. 31. Authorization ServerDevice Digital Signature, Id Public Key, Id OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases Id: 5467
  32. 32. Time Based Use current timestamp Allowed time range (e.g. +- 1 min) 2FA Solution Start with a random seed Increase by one after each request Allowed value range (e.g. +- 5) OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases Counter Based
  33. 33. Synchronization Issues
  34. 34. Lets build our own OTP OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  35. 35. Client State Server State Old 5 New 2 Old 5 New 2 Old 2 New 42 Old 5 New 2 Old 2 New 42 Token OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  36. 36. So far we have Strong authentication solution Unique device identification Simple Unique per request Fault tolerant
  37. 37. Questions?
  38. 38. Demo Time OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  39. 39. Client Authorization Server Application Server (Sensitive API) OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  40. 40. Lets see it in action... All the code is available on GitHub OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  41. 41. Network request can fail Reasons: Timeout Network failure Temporary server errors Unknown server state State did not changed State changed OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  42. 42. Client State Server State Old 2 New 42 Old 1 New 2 Old 2 New 42 Old 2 New 42 Old 1 New 2 Token Error OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  43. 43. Client State Server State Old 2 New 42 Old 2 New 42 Old 1 New 2 Old 2 New 42Old 2 New 42Old 2 New 42 Error OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  44. 44. Client State Server State Old 2 New 42 Old 2 New 42 Old 42 New 86 Old 42 New 86 Old 2 New 42 Bad Request (400) Token OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  45. 45. Questions?
  46. 46. What is the weakest link in the chain?
  47. 47. Detecting Compromised Devices OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  48. 48. OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  49. 49. Client State Server State Old 2 New 42 Old 1 New 2 Eve Old 2 New 42 Old 1 New 2 Old 2 New 42 Old 2 New 42 Token OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  50. 50. Client State Server State Old 2 New 42 Old 2 New 42 Eve Old 42 New 56 Old 2 New 42 Old 2 New 42 Bad Request (400) OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  51. 51. Client State Server State Old 42 New 78 Old 2 New 42 Eve Old 42 New 56 Old 2 New 42 Old 42 New 78 Old 42 New 78Token OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  52. 52. Client State Server State Old 78 New 4 Old 7 New 78 Eve Old 7 New 56 Old 7 New 78 Old 7 New 93 400 Bad Request OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  53. 53. OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
  54. 54. Questions?
  55. 55. Conclusion
  56. 56. Responsible Disclosure
  57. 57. Requirements Strong authentication solution Unique device identification Simple Unique per request Fault tolerant
  58. 58. Authorization Server Device
  59. 59. Authorization Server Application ServerDevice
  60. 60. How can you use it? @omerlh

Authentication and Whitepaper Authentication¢  Factor) and UAF (Universal Authentication Framework)
Authentication and Whitepaper Authentication¢  Factor) and UAF (Universal Authentication Framework)
Automotive Fleet 2018-11-13¢  Possible to call APIs, used by the mobile application, without authentication
Automotive Fleet 2018-11-13¢  Possible to call APIs, used by the mobile application, without authentication
Strong Authentication for Healthcare - Entrust Datacard ??2016-10-03Strong Authentication for Healthcare ... You should not act or abstain from acting based upon such information without
Strong Authentication for Healthcare - Entrust Datacard ??2016-10-03Strong Authentication for Healthcare ... You should not act or abstain from acting based upon such information without
SYNOPSIS: INSIGHTS SECURE Q & A intercaste & love marriages without any authentication by brahimical
SYNOPSIS: INSIGHTS SECURE Q & A intercaste & love marriages without any authentication by brahimical
Authentication without Identi¯¬¾cation Jan Camenisch ¢  Authentication ¢â‚¬â€œ Traditional approach ID Management:
Authentication without Identi¯¬¾cation Jan Camenisch ¢  Authentication ¢â‚¬â€œ Traditional approach ID Management:
System-Level Authentication Certificate-based authentication. Client authentication based on certificates
System-Level Authentication Certificate-based authentication. Client authentication based on certificates
Information Security Lecture 8: User Authentication RSA SecurID without PIN L08 - User Auth. INF3510
Information Security Lecture 8: User Authentication RSA SecurID without PIN L08 - User Auth. INF3510
Does Multi Factor Authentication MFA without Single Sign ... Technical / Manual / Organisational Communication
Does Multi Factor Authentication MFA without Single Sign ... Technical / Manual / Organisational Communication
Authentication without interruptions
Authentication without interruptions
TCAN: Authentication Without Cryptography biham/Workshops/Cyberday/2019/Slid¢  ¢â‚¬¢Anti-lock braking
TCAN: Authentication Without Cryptography biham/Workshops/Cyberday/2019/Slid¢  ¢â‚¬¢Anti-lock braking
Authentication, Protocols, sloan/CLASSES/privacy...¢  authentication User authentication is absolutely
Authentication, Protocols, sloan/CLASSES/privacy...¢  authentication User authentication is absolutely
DB-19: OpenEdge ® Authentication Without the _User Table Stephen Ferguson Progress Software
DB-19: OpenEdge ® Authentication Without the _User Table Stephen Ferguson Progress Software
UNIX Authentication and Pluggable-authentication Modules ... UNIX Authentication and Pluggable-authentication
UNIX Authentication and Pluggable-authentication Modules ... UNIX Authentication and Pluggable-authentication
Strong Authentication without Tamper-Resistant Hardware ... Strong Authentication without Tamper-Resistant
Strong Authentication without Tamper-Resistant Hardware ... Strong Authentication without Tamper-Resistant
Chapter 42 Biometric Authentication Techniques in Online ... Authentication... 868 Biometric Authentication
Chapter 42 Biometric Authentication Techniques in Online ... Authentication... 868 Biometric Authentication
Message Authentication Code - 1. Message Authentication Requirements 2. Message Authentication Functions
Message Authentication Code - 1. Message Authentication Requirements 2. Message Authentication Functions
CIS14: Bringing Crypto Back: Web Authentication without Bearer Tokens
CIS14: Bringing Crypto Back: Web Authentication without Bearer Tokens
Online risk-based authentication using behavioral biometrics risk-based authentication... authentication
Online risk-based authentication using behavioral biometrics risk-based authentication... authentication
Custom/External Authentication in TIBCO Spotœre .authenticationâ€‌ that will handle most cases without
Custom/External Authentication in TIBCO Spotœre .authenticationâ€‌ that will handle most cases without
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication
View more