1

Authentication

Sreepriya Chalakkal

22

Content

o Why, how, what?o Basic authenticationo Digest access authenticationo Oautho 2f vs 2So Threatso Security checkso Demo

3

Why, how, what?

o Who is “who”?

o Is the “who” the real “who”?

o What does “who” know?

o How is “who” communicating his secret?

o How many ways to know “who” ?

4

Balance

User friendly

Strength of security

o Knowledge – password, token sent to mobile

o Ownership - certificate

o Biometic – finger print

5

Basic authentication (BA)

o Method to provide username and password in HTTP request.

o No cookies, no session identifiers

o No confidentiality

o Used with SSL/TLS

6

BA: Server

WWW-Authenticate: Basic realm="User Visible Realm"

o Unauthenticated requests should return a response whose header contains a HTTP 401 Unauthorized status and a WWW-Authenticate field.

7

BA: Client

o Use Authorization field

o Uname and pass combined with colon

o Encoded with RFC2045-MIME variant of Base64

o The authorization method and a space i.e. "Basic " is then put before the encoded string

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

8

BA: URL encoding

o Client may avoid login prompt by prepending username:password@ in URL.

https://priya:mystrongpass@www.abcd.com/index.html

9

Digest access authentication

o Send hash instead of credentials.

o Add nonce to prevent replay attacks

o Nonce can include timestamps as well

Issues:

o MITM

o Password recovery

10

Digest access

authentication

https://en.wikipedia.org/wiki/Digest_access_authentication

11

https://en.wikipedia.org/wiki/Digest_access_authentication

12

HA1 = MD5( "Mufasa:testrealm@host.com:Circle Of Life" ) =

939e7578ed9e3c518a452acee763bce9

HA2 = MD5( "GET:/dir/index.html" ) = 39aff3a2bab6126f332b942af96d3366

Response = MD5( "939e7578ed9e3c518a452acee763bce9:\

dcd98b7102dd2f0e8b11d0f600bfb0c093:\ 00000001:0a4f113b:auth:\

39aff3a2bab6126f332b942af96d3366" ) =

6629fae49393a05397450978507c4ef1

DA

13

OAuth

14

OAuth

o Access token response

HTTP/1.1 200 OK

Content-Type: application/json;charset=UTF-8

Cache-Control: no-store

Pragma: no-cache

{

"access_token":"mF_9.B5f-4.1JqM",

"token_type":"Bearer",

"expires_in":3600,

"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"

}

15

OAuth

GET /resource HTTP/1.1

Host: server.example.com

Authorization: Bearer mF_9.B5f-4.1JqM

o Request to resource after acquiring bearer token

16

Bearer token

o Response to expired token request

HTTP/1.1 401 Unauthorized

WWW-Authenticate: Bearer realm="example",

error="invalid_token",

error_description="The access token expired"

17

2Factor vs 2Step

o Single: PIN or password

o 2 Factor: Single factor + (software/hardware generated token or smart card)

o "something you have", "something you are", and "something you know"

o 2 Step: Single factor + (code sent to user out-of-the-band)

18

Threats

o Bypassing authentication

o Default password

o Privilege escalation

o Eg:- Stack overflow

o Physical access

o Password guessing

o Dictionary, brute force, rainbow

19

Threats

o Sniffing credentials

o Replaying authentication

o Downgrading authentication strength

o Imposter server

o MITM

o Session hijacking

o Keyloggers/Trojans/virus

20

Security checks

o Strong password

o Rules same for register, reset, change etc

o Error message for unknown user and wrong password

o Admin feature/remember me?

o Lockout – time based/count based

o Automatically generated credentials

21

Sources

o http://www.infosectoday.com/Articles/AU5219_C01.pdf

o http://www.techrepublic.com/article/understanding-and-selecting-authentication-methods/

o https://www.sans.org/reading-room/whitepapers/authentication/overview-authentication-methods-protocols-118

o http://security.stackexchange.com/questions/41939/two-step-vs-two-factor-authentication-is-there-a-difference

22

www.ernw.de

www.insinuator.net

schalakkal@ernw.de

@priyachalakkal