Strong Authentication in Web Application / ConFoo.ca 2011

MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | [email protected] | www.maret-consulting.ch

Conseil en technologies

Sylvain Maret / Digital Security Expert / OpenID Switzerland

ConFoo.ca / 2011-03-10

Strong Authentication in Web Application

Conseil en technologieswww.maret-consulting.ch

Agenda


Who am I?

Security Expert

17 years of experience in ICT Security

Principal Consultant at MARET Consulting

Expert at Engineer School of Yverdon & Geneva University

Swiss French Area delegate at OpenID Switzerland

Co-founder Geneva Application Security Forum

OWASP Member

Author of the blog: la Citadelle Electronique

http://ch.linkedin.com/in/smaret or @smaret

Chosen field

AppSec & Digital Identity Security

http://www.citadelle-electronique.net/

http://ch.linkedin.com/in/smaret

http://twitter.com/smaret

http://twitter.com/smaret


Protection of digital identities: a topical issue…

Strong Authentication


Multi-factor Authentication-101: Talk by Philippe Gamache

2011-03-09 Montréal2011-03-08 Montréal

OWASP Meeting


«Digital identity is the cornerstone of trust»

http://fr.wikipedia.org/wiki/Authentification_forte

http://fr.wikipedia.org/wiki/Authentification_forte


Which Strong Authentication technology ?

Legacy Token / Old Model ? / Open Source Solution ?


OTP PKI (HW) Biometry

Strong

authentication

Encryption

Digital signature

Non repudiation

Strong link with

the user

*

* Biometry type Fingerprinting



with PKI


PKI: Digital Certificate

Software Certificate

(PKCS#12;PFX)

Hardware Token (Crypto PKI)


TPM


SSL/TLS Mutual Athentication : how does it work?

Web Server

Alice

Validation

Authority

Valid

Invalid

Unknown

OCSP request

SSL / TLS Mutual Authentication


Demo #1: OpenID and Software Certificate using Clavid.ch

http://www.clavid.com/

http://www.clavid.com/


Strong Authentication with Biometry (Match on Card technology)

A reader

Biometry

SmartCard

A card with chip

Technology MOC

Crypto Processor

PC/SC

PKCS#11

Digital certificate X509



With

(O)ne (T)ime (P)assword


(O)ne (T)ime (P)assword

OTP Time Based

OTP Event Based

OTP Challenge

Response Based

Others:

OTP via SMS

OTP via email

Biometry and OTP

Bingo Card

Etc.


OTP T-B?

OTP E-B?

OTP C-R-B?

Crypto - 101


Crypto-101 / Time Based OTP

ie = OTP(K,T) = Truncate(HMAC-SHA-1(K,T))

K=Secret Key / Seed

T=UTC Time

HASH Function

OTP


Crypto-101 / Event Based OTP

ie = OTP(K,C) = Truncate(HMAC-SHA-1(K,C))

K=Secret Key / Seed

C = Counter

HASH Function

OTP


Crypto-101 / OTP Challenge Response Based

K=Secret Key / Seed

nonce

HASH Function

OTP

Challenge


Others OTP technologies…

OTP Via SMS

By Elcard

“Flicker code” Generator Software

that converts already

encrypted data into

optical screen animation


Demo #2: Protect WordPress (OTP Via SMS)


How to Store

my Secret Key ?

A Token !


OTP Token: Software vs Hardware ?


Software OTP for Smartphone

http://itunes.apple.com/us/app/iotp/id328973960

http://itunes.apple.com/us/app/iotp/id328973960


New Standards

&

Open Source


Technologies accessible to everyone

Initiative for Open AuTHentication (OATH)

HOTP

TOTP

OCRA

Etc.

Mobile OTP

(Use MD5 …..)


OATH Reference Architecture, Release 2.0

http://www.openauthentication.org/



Initiative for Open AuTHentication (OATH)

HOTP

Event Based OTP

RFC 4226

TOTP

Time Based OTP

Draft IETF Version 8

OCRA

Challenge/Response

OTP

Draft IETF Version 13

Token Identifier

Specification

Etc.


(R)isk

(B)ased

(A)uthentication


RBA (Risk-Based Authentication) = Behavior Model


2 Step Verification from Google !

http://code.google.com/p/google-authenticator/

Use OATH-HOTP & TOTP





Integration with

web application


Web application: basic authentication model


Web application: Strong Authentication model


“Shielding" approach: perimetric authentication using WAF


Module/Agent-based approach (example)


API/SDK based approach (example)


Demo 3#: PHP Integration for phpmyadmin


Multi OTP PHP Class by André Liechti (Switzerland)

http://www.multiotp.net/

Source Code will be publish soon:







Proof of Concept Code by

Anne Gosselin, Antonio Fontes !

if (! empty($_REQUEST['pma_username'])) {

// The user just logged in

$GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];

// we combine both OTP + PIN code for the token verification

$fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];

$fooOtp = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];

$GLOBALS['PHP_AUTH_PW'] = $fooPass.''.$fooOtp;

// OTP CHECK

require_once('./libraries/multiotp.class.php');

$multiotp = new Multiotp();

$multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);

$multiotp->SetEncryptionKey('DefaultCliEncryptionKey');

$multiotp->SetUsersFolder('./libraries/users/');

$multiotp->SetLogFolder('./libraries/log/');

$multiotp->EnableVerboseLog();

$otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);

// the PIN code use kept for accessing the database

$GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0, strlen($GLOBALS['PHP_AUTH_PW'])

if($otpCheckResult == 0)

return true;

else

die("auth failed.");


Think about Software Security !

Cf Talk Antonio Fontes

Cf Talk Sébastien Giora

Cf Talk Philippe Gamache


Federated identities:

a changing paradigm

on authentication


Federation of identity approach a change of paradigm:

using IDP for Authentication and Strong Authentication

Web App X

Web App Y

Identity Provider


OpenID> What is it?

> How does it work?

> How to integrate?

SECTION 2


OpenID - What is it?

> Internet SingleSignOn

> Relatively Simple Protocol

> User-Centric Identity Management

> Internet Scalable

> Free Choice of Identity Provider

> No License Fee

> Independent of Identification Methods

> Non-Profit Organization


OpenID - How does it work?

1

3

5

Enabled Service

Identity Providere.g. clavid.com

6

4, 4a

hans.muster.clavid.com

User Hans Muster

Caption

1. User enters OpenID

2. Discovery

3. Authentication

4. Approval

4a. Change Attributes

5. Send Attributes

6. Validation

2 Identity URLhttps://hans.muster.clavid.com


Demo #4: Apache and Mod_OpenID (Using Biometry / OTP)


Demo #4: Challenge / Response OTP with Biometry


Surprise! You may already

have an OpenID !


Other Well Known

&

Simple Providers

http://en.wikipedia.org/wiki/List_of_OpenID_providers

http://en.wikipedia.org/wiki/List_of_OpenID_providers


Get an OpenID with Strong Authentication for free !


SECTION 1

SAML>What is it?

>How does it work?


Using SAML for Authentication and Strong Authentication

(Assertion

Consumer Service)


SAML – What is it?

SAML (Security Assertion Markup Language):

> Defined by the Oasis Group

> Well and Academically Designed Specification

> Uses XML Syntax

> Used for Authentication & Authorization

> SAML Assertions> Statements: Authentication, Attribute, Authorization

> SAML Protocols> Queries: Authentication, Artifact, Name Identifier Mapping, etc.

> SAML Bindings> SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact

> SAML Profiles> Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query

/ Request Profile, Attribute Profile


SAML – How does it work?

Identity Providere.g. clavid.ch

User Hans Muster

Enabled Service

e.g. Google Apps

for Business

12

2

6

3

4

4


Example with HTTP POST Binding

+ PIN

Web App SAML Ready

AuthN

ACS

Ressource

IDP MC

Access Resource

1

3 <AuthnRequest>

Redirect 302

Single Sign On

Service

4<AuthnRequest>

Credential

Challenge 5a

User Login

<Response>

in HTML Form 6

7POST

<Response>

8Ressource

Browser

2

5b


Questions ?


Resources on Internet 1/2

http://motp.sourceforge.net/

http://www.clavid.ch/otp

http://code.google.com/p/mod-authn-otp/



http://wiki.openid.net/



http://motp.sourceforge.net/

http://www.clavid.ch/otp








http://wiki.openid.net/










Resources on Internet 2/2

http://rcdevs.com/products/openotp/

https://github.com/adulau/paper-token

http://www.yubico.com/yubikey


http://www.nongnu.org/oath-toolkit/


http://www.gpaterno.com/publications/2010/dublin_oss

barcamp_2010_otp_with_oss.pdf

http://rcdevs.com/products/openotp/




http://www.yubico.com/yubikey












http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdf

http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdf


"Le conseil et l'expertise pour le choix et la mise

en oeuvre des technologies innovantes dans la sécurité

des systèmes d'information et de l'identité numérique"


Une conviction forte !

Authentification forte


A major event in the world of strong authentication

12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive

« Single Factor Authentication » is not enough for the web financial applications

Before end 2006 it is compulsory to implement a strong authentication system

http://www.ffiec.gov/press/pr101205.htm

And the PCI DSS norm Compulsory strong authentication for distant accesses

And now European regulations Payment Services (2007/64/CE) for banks

Social Networks, Open Source

http://www.ffiec.gov/press/pr101205.htm

https://www.pcisecuritystandards.org/

http://www.zdnet.fr/blogs/securite-it/authentification-forte-les-banques-n-ont-plus-le-choix-39705963.htm


Out of Band Authentication


Phone Factor


SAML


SAML AuthnRequst Transfer via Browser

Redirect-Binding

POST-Binding


A SAML AuthnRequest (no magic, just XML)

<?xml version="1.0" encoding="UTF-8"?>

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol“

ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb“

Version="2.0”

IssueInstant="2008-10-14T00:57:14Z”

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST”

ProviderName="google.com”

ForceAuthn="false”

IsPassive="false”

AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">

<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

google.com

</saml:Issuer>

<samlp:NameIDPolicy AllowCreate="true"

Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

</samlp:AuthnRequest>


SAML Assertion Transfer via Browser

POST-Binding


A SAML Assertion Response (no magic, just XML)

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"

InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"

Version="2.0"

IssueInstant="2008-10-15T17:24:46Z"

Destination="https://www.google.com/a/unopass.net/acs">

<saml:Issuer>

http://idp.unopass.net:80/opensso

</saml:Issuer>

<samlp:Status>

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

</samlp:Status>

<saml:Assertion

ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"

IssueInstant="2008-10-15T17:24:46Z"

Version="2.0">

<saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>

<Signature>

… A DIGITAL SIGNATURE …

</Signature>

...



...

<saml:Subject>

<saml:NameID

NameQualifier="http://idp.unopass.net:80/opensso">

sylvain.maret

</saml:NameID>

<saml:SubjectConfirmation Method="urn:oasis:...:bearer">

<saml:SubjectConfirmationData

InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"

NotOnOrAfter="2008-10-15T17:34:46Z"

Recipient="https://www.google.com/a/unopass.net/acs"/>

</saml:SubjectConfirmation>

</saml:Subject>

...



...

<saml:Conditions NotBefore="2008-10-15T17:14:46Z"

NotOnOrAfter="2008-10-15T17:34:46Z">

<saml:AudienceRestriction>

<saml:Audience>google.com</saml:Audience>

</saml:AudienceRestriction>

</saml:Conditions>

<saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z“

SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">

<saml:AuthnContext>

<saml:AuthnContextClassRef>

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

</saml:AuthnContextClassRef>

</saml:AuthnContext>

</saml:AuthnStatement>

</saml:Assertion>

</samlp:Response>

Strong Authentication in Web Application / ConFoo.ca 2011

Documents

Transcript of Strong Authentication in Web Application / ConFoo.ca 2011