Authentication - wordpress.com · 2016. 7. 29.
1
Authentication
Sreepriya Chalakkal
2
Content
o Why, how, what?
o Basic authentication
o Digest access authentication
o OAuth
o 2F vs 2S
o Threats
o Security checks
o Demo
3
Why, how, what?
o Who is “who”?
o Is the “who” the real “who”?
o What does “who” know?
o How does “who” communicate their secret?
o How many ways are there to know “who”?
4
Balance: user friendliness vs. strength of security
o Knowledge – password, token sent to mobile
o Ownership – certificate
o Biometric – fingerprint
5
Basic authentication (BA)
o A method to send the username and password in an HTTP request.
o No cookies, no session identifiers
o No confidentiality: the credentials are only encoded, not encrypted
o Used with SSL/TLS
6
BA: Server
o Unauthenticated requests should return a response with an HTTP 401 Unauthorized status and a WWW-Authenticate header field:
WWW-Authenticate: Basic realm="User Visible Realm"
7
BA: Client
o The client uses the Authorization header field
o Username and password are combined with a colon (username:password)
o The result is encoded with the RFC 2045 MIME variant of Base64
o The authorization method and a space, i.e. "Basic ", is then put before the encoded string
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
8
BA: URL encoding
o A client may avoid the login prompt by prepending username:password@ to the host in the URL.
https://priya:[email protected]/index.html
9
Digest access authentication
o Send a hash instead of the credentials.
o Add a nonce to prevent replay attacks.
o The nonce can include a timestamp as well.
Issues:
o MITM
o Password recovery (the hash can be attacked offline once captured)
10
Digest access authentication
https://en.wikipedia.org/wiki/Digest_access_authentication
11
12
DA (Digest authentication): worked example
HA1 = MD5( "Mufasa:testrealm@host.com:Circle Of Life" ) = 939e7578ed9e3c518a452acee763bce9
HA2 = MD5( "GET:/dir/index.html" ) = 39aff3a2bab6126f332b942af96d3366
Response = MD5( "939e7578ed9e3c518a452acee763bce9:dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth:39aff3a2bab6126f332b942af96d3366" ) = 6629fae49393a05397450978507c4ef1
(i.e. MD5( HA1:nonce:nc:cnonce:qop:HA2 ) with the nonce, nonce count and client nonce from the request)
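To make the slide's arithmetic concrete, here is an added example (not from the talk) that computes HA1, HA2 and the response for the RFC 2617 test vector shown above, plus a small server-side verifier (DigestVerifier, a hypothetical helper written for this page) that rejects a replayed request because its nonce count does not increase. It assumes the RFC's realm testrealm@host.com and qop=auth.

```python
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: HA1, HA2 and the final response exactly as the slide computes them."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side (hypothetical helper): stores HA1 instead of the password and
    tracks the nonce count (nc) per issued nonce so a captured request cannot be replayed."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}
        self.nc_seen = {}  # nonce -> highest nc accepted so far

    def add_user(self, username, password):
        # HA1 is exactly what a sniffer could brute-force offline (the "password
        # recovery" issue on the slide), so it must be protected like a password hash.
        self.ha1_by_user[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def issue_nonce(self):
        nonce = secrets.token_hex(16)  # sent in WWW-Authenticate: Digest ... nonce="..."
        self.nc_seen[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth"):
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None or nonce not in self.nc_seen:
            return False  # unknown user, or a nonce this server never issued
        count = int(nc, 16)
        if count <= self.nc_seen[nonce]:
            return False  # nc did not increase: a replayed (or reordered) request
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False  # wrong password or tampered method/URI
        self.nc_seen[nonce] = count
        return True
```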
13
OAuth
14
OAuth
o Access token response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"mF_9.B5f-4.1JqM",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
15
OAuth
o Request to the resource after acquiring the bearer token
GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM
16
Bearer token
o Response to a request made with an expired token
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example",
error="invalid_token",
error_description="The access token expired"
17
2Factor vs 2Step
o Single factor: PIN or password
o 2 Factor: single factor + (software/hardware generated token or smart card)
o Factors are "something you have", "something you are", and "something you know"
o 2 Step: single factor + (code sent to the user out-of-band)
18
Threats
o Bypassing authentication
o Default passwords
o Privilege escalation, e.g. via a stack overflow
o Physical access
o Password guessing: dictionary, brute force, rainbow tables
19
Threats
o Sniffing credentials
o Replaying authentication
o Downgrading authentication strength
o Impostor server
o MITM
o Session hijacking
o Keyloggers/Trojans/viruses
20
Security checks
o Strong password policy
o The same rules for registration, reset, change, etc.
o Error messages for unknown user and wrong password should be the same
o Admin features / "remember me"?
o Lockout – time based / count based
o Automatically generated credentials