Authentication and Strong Authentication in Web Applications
8/8/2019 Authentication and Strong Authentication in Web Applications
1/43
MARET Consulting | 109, chemin du Pont-du-Centenaire | CH 1228 Plan-les-Ouates | Tél +41 22 727 05 57 | Fax +41 22 727 05 50 | www.maret-consulting.ch
Conseil en technologies
Sylvain Maret / Digital Security Expert @ MARET Consulting
BrightTALK - October 7th 2010
Authentication and Strong Authentication in Web Applications
Agenda
- Protecting digital identities
- Strong authentication?
- Strong Authentication: a new paradigm!
- New Standards
- Integration with web applications
- Identity Federation for Authentication
- SAML / OpenID
Who am I?
- Security Expert
- 15 years of experience in ICT Security
- CEO and Founder of MARET Consulting
- Expert at the Engineering School of Yverdon and Geneva University
- Swiss French Area delegate at OpenID Switzerland
- Co-founder of the Geneva Application Security Forum
- OWASP Member
- Author of the blog "la Citadelle Electronique"
- http://ch.linkedin.com/in/smaret
- Chosen field: Digital Identity Security
Protection of digital identities: a topical issue

Threats to authentication

Facts!
- Keylogger (hardware and software)
- Malware
- Man in the Middle
- Browser in the Middle
- Password Sniffer
- Social Engineering
- Phishing / Pharming
- The number of identity thefts is increasing dramatically!
Definition of strong authentication
Strong Authentication on Wikipedia
Digital identity is the cornerstone of trust
More information on the subject
Strong Authentication: a new paradigm!

Which strong authentication technology? (Legacy tokens, ...)
Comparison matrix of strong authentication technologies: OTP, PKI (hardware) and Biometry*
Criteria compared: strong authentication, encryption, digital signature, non-repudiation, strong link with the user
* Biometry type: fingerprinting
Strong Authentication with Biometry (Match on Card technology)
- A reader
  - Biometry
  - SmartCard
- A card with chip
  - MOC technology
  - Crypto processor
  - PC/SC
  - PKCS#11
  - X.509 digital certificate

Authentication Server must be agnostic

New Standards & Open Source
Technologies accessible to everyone
- Based on Standards
  - Open Authentication (OATH)
  - OATH authentication algorithms
    - HOTP (HMAC, event based)
    - OCRA (challenge/response)
    - TOTP (time based)
  - OATH Token Identifier Specification
- Open Solutions
  - Mobile One Time Passwords: strong, two-factor authentication with mobile phones
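The HOTP and TOTP algorithms listed above, as an added example that is not part of the slides or of any OATH project code: a Python implementation of RFC 4226 (event-based HOTP) and RFC 6238 (time-based TOTP), plus the server-side verification logic an authentication server needs, with a bounded look-ahead window for HOTP resynchronisation and a clock-skew window for TOTP. The secret, window sizes and sample times are constructed for the demo; the values checked against are the test vectors published in the two RFCs.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with server-side verification.
Added example; secret, window sizes and times below are constructed."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC over the 8-byte big-endian counter, dynamic truncation
    (RFC 4226 section 5.3), reduce modulo 10^digits, zero-pad."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits, algo)


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check. Returns the counter to persist, or None.
    Only counters strictly above the last accepted one are tried (a reused
    code is rejected), and only within a bounded look-ahead window so a
    token that was pressed a few times without logging in can resync."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30,
                digits: int = 6, skew: int = 1):
    """Server-side TOTP check tolerating +/- `skew` time steps of drift.
    Returns the matched time step (persist it and refuse it again to block
    replay inside the window), or None."""
    base = now // step
    for t in range(base - skew, base + skew + 1):
        if hmac.compare_digest(hotp(secret, t, digits), submitted):
            return t
    return None


if __name__ == "__main__":
    # RFC 4226 vector: counter 0 -> 755224; RFC 6238 vector: time 59 -> 94287082
    print(hotp(DEMO_SECRET, 0), totp(DEMO_SECRET, 59, digits=8))
    print("current code:", totp(DEMO_SECRET, int(time.time())))
```

The constant-time comparison and the strict "counter must advance" rule are the two points a verifier most often gets wrong; the look-ahead and skew windows should stay small, since every extra step widens the set of codes an attacker could guess.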
Integration with web applications
Web applications: basic authentication model
Web application: strong authentication model

"Shielding" approach: perimetric authentication

Module/Agent-based approach

API/SDK-based approach
SSL PKI: how does it work?
Diagram: Alice authenticates to the Web Server with SSL/TLS mutual authentication; the Web Server sends an OCSP request to the Validation Authority, which answers Valid, Invalid or Unknown.
Federated identities: a changing paradigm for authentication

Federation of identity approach, a change of paradigm: using an IdP for Authentication and Strong Authentication
Diagram: Web App X and Web App Y both rely on the Identity Provider for authentication.
SECTION 1: SAML
> What is it?
> How does it work?

Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)
SAML: What is it?
SAML (Security Assertion Markup Language):
> Defined by the OASIS group
> A well-designed, academically grounded specification
> Uses XML syntax
> Used for Authentication & Authorization
> SAML Assertions
  > Statements: Authentication, Attribute, Authorization
> SAML Protocols
  > Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings
  > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact
> SAML Profiles
  > Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query/Request Profile, Attribute Profile
SAML: How does it work?
Diagram: Identity Provider (e.g. clavid.ch), User Hans Muster and Enabled Service (e.g. Google Apps for Business); the exchange between them is numbered in steps 1 to 6.
Example with HTTP POST Binding
SAML AuthN & ACS integration in Web Application
SECTION 2: OpenID
> What is it?
> How does it work?
> How to integrate?
OpenID: How does it work?
Participants: User Hans Muster, the Enabled Service, the Identity Provider (e.g. clavid.com); Identity URL https://hans.muster.clavid.com
Caption:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation
IdP architecture: Authentication Server

Unique interface: agnostic / easy (SAML)
Conclusion #1
- The Authentication Server needs to be agnostic to any token
  - Support open standards
- Federation of identity: a change of paradigm for authentication
  - Not only for federation or Web SSO
  - SAML and OpenID can support all authentication technologies
  - Develop only one authentication interface for all web applications
Conclusion #2
- Users can choose their strong authentication token
  - User friendly and reduces costs
- New standards and open-source solutions
  - OTP software tokens are now free
  - Strong authentication for social networks (OpenID IdP & strong authentication)
- Think about web application security
  - OWASP - Application Security Verification Standard Project
  - OWASP - Best Practices: Use of Web Application Firewalls
  - 2010 CWE/SANS - Top 25 Most Dangerous Software Errors

"Advice and expertise for the selection and implementation of innovative technologies in information systems security and digital identity"