Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on...
Page 1
Building a One-Time-Password Token Infrastructure
Jonathan Hanks & Abe Singer
LIGO Laboratory
Page 2
Page 3
Distributed
Multi-Institution
International
Page 4
Kerberos
Shibboleth
Grouper
Page 5
Open Data
Time Critical
No Do-Overs
Remote Access
Single/Common sign-on
Page 6
Credential Theft
Page 7
Separate Credential
Non-Replayable
Not for everything
Page 8
One Time Passwords
Page 9
What does(n’t) OTP solve?
Page 10
Time Based
Sequence Based
Challenge-Response
One Time Pad
Page 11
Something you Have
What do(n’t) tokens solve?
Page 12
Delivery
Rolf
Synchronization
Overhead
Integration
Failures
Page 13
One token to rule them all
Physical device
Trust No-one
Distributed, Fault tolerant
Open
Cheap
Page 14
Custom Authentication Server
PAM
Yubikey
Kerberos
Page 15
Why?
Ownership
Trust
Capabilities
Page 16
Architectures
Page 17
DCC-Number Title
Diagram (labels): SP, Internet, Auth Server, SP, SP. SP = Service Provider.
Page 18
Diagram (labels): SP, Internet, SP, SP, Auth Server, Auth Server, Auth Server.
Page 19
Diagram (labels): SP, Internet, SP, SP, SP Auth Server, Auth Server.
Page 20
Diagram (labels): SP, Internet, SP, SP, SP Auth Server, Auth Server.
Page 21
Architecture diagram (labels): Client, KDC, Service Provider, PAM, Auth. Server, Auth. Server, Auth. Server.
Page 22
Replication and Mitigating Replay Attacks
Replication takes Time
Replicate Data w/o global locks
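An added illustration of the replication-versus-replay point on this slide, not code from the talk or from LIGO's server: each auth server records the highest counter it has accepted per token, replication merges by per-token maximum (commutative and idempotent, so no global lock is needed), and the gap before a peer has merged is exactly the replay window the slide warns about. The two-part (use counter, session counter) shape and the `AuthServer` / `merge_from` names are assumptions for the example.

```python
# Added example: counter-based OTP replay state replicated between auth servers
# by per-token max(), i.e. without a global lock. Not the LIGO implementation.
from dataclasses import dataclass, field
from typing import Dict, Tuple

Counter = Tuple[int, int]   # assumed shape: (use counter, session counter)
NEVER_SEEN: Counter = (-1, -1)


@dataclass
class AuthServer:
    name: str
    last_seen: Dict[str, Counter] = field(default_factory=dict)

    def validate(self, token_id: str, counter: Counter) -> bool:
        """Accept only a strictly increasing counter and record it on success.
        Tuple comparison orders by use counter first, then session counter."""
        if counter <= self.last_seen.get(token_id, NEVER_SEEN):
            return False            # replay, or an older OTP arriving late
        self.last_seen[token_id] = counter
        return True

    def merge_from(self, other: "AuthServer") -> None:
        """Lock-free replication: keep the per-token maximum of both nodes.
        Applying this in any order, any number of times, converges."""
        for tid, ctr in other.last_seen.items():
            if ctr > self.last_seen.get(tid, NEVER_SEEN):
                self.last_seen[tid] = ctr


def replay_window_demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (first use on A, replay on B before replication,
    replay on A after replication, next OTP on B after replication)."""
    a, b = AuthServer("a"), AuthServer("b")
    first = a.validate("tok1", (5, 0))            # fresh OTP: accepted on A
    replay_before = b.validate("tok1", (5, 0))    # B not yet replicated: accepted (the window)
    a.merge_from(b)
    b.merge_from(a)
    replay_after = a.validate("tok1", (5, 0))     # both nodes now reject the replay
    next_otp = b.validate("tok1", (5, 1))         # a newer counter is still accepted
    return first, replay_before, replay_after, next_otp
```

Narrowing the window means replicating before the "accepted" answer is returned, or routing a given token to one node; the slide's "replication takes time" is this trade-off.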
Page 23
Centralized yet Distributed
No Secrets on Endpoints
There can be only one
Modular, Abstracted
Page 24
Provisioning Users
Make it simple
Make it safe
Page 25
Supporting Users
Any auth scheme is a hindrance
Just replace the token
Page 26
Experiences / Problems
It Works
Tokens get out of sync
When good tokens go bad
Local Account Issues
Page 27
Kerberos
Page 28
We like SSO
Cannot afford to support all the client systems
Cannot wait for the OTP extensions to reach end users
Page 29
Hijack encrypted timestamp
All kinits support this
No custom client SW required
Page 30
Questions?