Next Generation Authentication Bugs in Rails, design flaws, ways to fix

Posted on 13-Jan-2017


Page 1: Next Generation Authentication

Next Generation Authentication

Bugs in Rails, design flaws, ways to fix

Page 2: Next Generation Authentication

Bugs! MongoDB Hash Injection

Rails query parameters are not strongly typed:

    User.where(email: params[:email])

    ?email[$regex]=.*@google.com

The nested query string arrives as a Hash, so the attacker's `$regex` becomes a query operator. Bypass any token or cause DoS.

Page 3: Next Generation Authentication

Bugs! ActiveRecord injection in MySQL

    User.find_by_token(params[:token])

    curl app -H 'content-type:application/json' --data '{"token":0}'

    curl 'app?token[]'   # fixed

The JSON body makes `params[:token]` the Integer 0, so the query becomes `WHERE token = 0`; MySQL casts a non-numeric string to 0 on comparison, so every row matches.
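Both bugs above come from the same root cause: a parameter that the code assumes is a String arrives as a Hash, an Array or an Integer. The following is an added example, not code from the slides or from Rails, showing a guard that rejects non-String parameters and a small model of what each database would otherwise do with the untyped value. The `params` hashes are constructed to mirror what Rack hands Rails for the query strings on the slides; MongoDB's operator handling and MySQL's string-to-integer cast are modelled in Ruby, not executed against a database.

```ruby
# Added example (not from the slides): the untyped-parameter problem behind
# both the MongoDB hash injection and the MySQL `token = 0` match, plus a
# guard that fixes both by refusing anything that is not a plain String.

class BadParam < StandardError; end

# Accept a parameter only if it is a String. Rails hands us a Hash for
# `email[$regex]=...`, an Array for `token[]`, and an Integer for JSON {"token":0}.
def string_param(params, key)
  value = params[key]
  return nil if value.nil?
  raise BadParam, "#{key} must be a String, got #{value.class}" unless value.is_a?(String)
  value
end

# Filter document that `User.where(email: params["email"])` would send to
# MongoDB. With a Hash value the attacker's {"$regex" => ...} is an operator.
def mongo_filter(params)
  { "email" => params["email"] }
end

# Model of MySQL's implicit cast when a VARCHAR column is compared with an
# integer literal: the string's leading numeric prefix is used, so "abc" -> 0.
def mysql_loose_equal?(column_value, literal)
  literal.is_a?(Integer) ? column_value.to_f == literal : column_value == literal
end

# Rows that `User.find_by_token(value)` would match under that model.
def matching_tokens(stored_tokens, value)
  stored_tokens.select { |t| mysql_loose_equal?(t, value) }
end

# Hardened versions: identical queries, run only after the type check.
def safe_mongo_filter(params)
  { "email" => string_param(params, "email") }
end

def safe_matching_tokens(stored_tokens, params)
  matching_tokens(stored_tokens, string_param(params, "token"))
end

if __FILE__ == $0
  # Constructed: what Rack parses from ?email[$regex]=.*@google.com
  regex_params = { "email" => { "$regex" => ".*@google.com" } }
  p mongo_filter(regex_params)              # the operator reaches the database
  begin
    safe_mongo_filter(regex_params)
  rescue BadParam => e
    puts "rejected: #{e.message}"
  end

  # Constructed: non-numeric tokens as stored in the users table
  tokens = ["a8f3c2", "b7e1d9", "c0ffee"]
  p matching_tokens(tokens, 0)              # JSON {"token":0}: every row matches
  p matching_tokens(tokens, "a8f3c2")       # a real token: one row
  begin
    safe_matching_tokens(tokens, { "token" => 0 })
  rescue BadParam => e
    puts "rejected: #{e.message}"
  end
end
```

In a real controller the same effect is usually reached with `params.require(:token)` plus an explicit `to_s`, or by scoping lookups to a specific format; the point is that the type check happens before the value reaches the query builder.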

Page 4: Next Generation Authentication

Bugs! Omniauth is full of bugs:

    /auth/facebook?state=123
    /auth/facebook/callback?state=123&code=mycode

Do not ever use Facebook Login for login: http://sakurity.com/reconnect
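The two URLs above show a `state` value chosen by whoever starts the flow being accepted on the callback, which is what lets a callback be forced onto another user's session. The following is an added example, not code from the slides or from OmniAuth, showing the check the callback has to make: `state` is minted server-side, stored in the user's own session, compared in constant time, and consumed on first use. `session` is a plain Hash standing in for the Rails session, and the key name `omniauth.state` is an assumption for the example.

```ruby
# Added example (not from the slides or OmniAuth): binding the OAuth `state`
# parameter to the session so a value the attacker picked is rejected.

require "securerandom"

STATE_KEY = "omniauth.state"   # assumed session key name

# Start of the flow: mint a random state and remember it for this session only.
def issue_state(session)
  state = SecureRandom.hex(32)
  session[STATE_KEY] = state
  state
end

# Callback: a state must have been issued to this session, it must match
# exactly, and it is deleted on use so the callback URL cannot be replayed.
def verify_state!(session, returned_state)
  expected = session.delete(STATE_KEY)
  raise "no OAuth flow in progress for this session" if expected.nil?
  raise "state parameter missing" if returned_state.nil? || returned_state.to_s.empty?
  unless fixed_length_equal?(expected, returned_state.to_s)
    raise "state mismatch: callback was not started by this session"
  end
  true
end

# Constant-time comparison: XOR every byte pair and OR the results, so the
# running time does not depend on where the first difference is.
def fixed_length_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $0
  # Honest flow: the same browser session starts and finishes.
  victim = {}
  state = issue_state(victim)
  puts "legitimate callback: #{verify_state!(victim, state)}"

  # The slide's scenario: the attacker started a flow with state=123 and
  # makes the victim's browser hit the callback with that state.
  victim = {}
  issue_state(victim)
  begin
    verify_state!(victim, "123")
  rescue RuntimeError => e
    puts "forged callback rejected: #{e.message}"
  end

  # No flow was started in this session at all.
  begin
    verify_state!({}, "123")
  rescue RuntimeError => e
    puts "unsolicited callback rejected: #{e.message}"
  end
end
```

OmniAuth strategies based on the oauth2 gem do perform a session-bound state check when configured; the example exists to make the property explicit, since a flow that lets the client choose `state` is equivalent to having no CSRF protection on the callback.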

Page 5: Next Generation Authentication

Authenticate/authorize

"Who you are" vs "what you can do"

Sign Up = create a record. Sign In = use that record.

Page 6: Next Generation Authentication

Biometrics: real-world authentication vs remote authentication

Every part of the human body is static and observable: "Fingerprint is username." The exception is the passwords in our minds.

Page 7: Next Generation Authentication

>>P4$$word$<<

Not going away. All we have is "knowledge" (= possession), and a password is the best kind of possession. Every other private key or piece of secret data still depends on your password.

Security keys are useless, impossible to back up and expensive

Page 8: Next Generation Authentication

>>P4$$word$<<

Now

Page 9: Next Generation Authentication

>>P4$$word$<<

Password managers are a monkey patch (1% penetration rate). Authentication must be built in and easy to use.

Page 10: Next Generation Authentication

Truefactor.io

Each threat (left) is stopped by the countermeasure on its right:

    Password reuse, brute force             <  Password managers
    CSRF                                    <  Time-based TOTP
    XSS, MitM, client-side bugs, external JS <  Truefactor Web
    UXSS, MitB, malicious extensions        <  Truefactor Desktop
    Device compromise                       <  Paired Truefactors
    Both devices are compromised            <  Nobody

Page 11: Next Generation Authentication

Truefactor.io

Out-of-band transaction verification

Page 12: Next Generation Authentication

Truefactor.io

Page 13: Next Generation Authentication

Truefactor.io

Integration:

    # Look the user up by e-mail, then branch on how the account is protected.
    user = User.find_by_email(params[:user][:email])
    if user
      # Accounts enrolled with Truefactor carry a "truefactor:" marker instead of a password hash.
      if user.encrypted_password.starts_with? "truefactor:"
        # The two one-time values from the paired devices form the signed login string.
        str = "truefactor:#{params[:otp0]}:#{params[:otp1]}"
        if user.valid_signatures?("login", str)
          sign_in User, user
          return redirect_to root_path
        end
      end
      ...
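The integration snippet hinges on `valid_signatures?("login", str)`, whose internals are not shown on the slides. The following is an added example, not Truefactor's code and not a description of its protocol, showing what a check of that kind has to establish for out-of-band transaction verification in general: the server holds only the device's public key, issues a one-time transaction descriptor, and accepts the action only if the paired device signed exactly that descriptor, recently, with a nonce that has never been seen before. RSA with SHA-256 via Ruby's OpenSSL binding, the 120-second window and the in-memory nonce store are all assumptions for the example; key generation runs in-process to stand in for the user's device.

```ruby
# Added example (not Truefactor's code): server-side verification of a
# transaction that a paired device signed out of band.

require "openssl"
require "securerandom"
require "json"
require "time"

DIGEST  = "SHA256"
MAX_AGE = 120   # seconds a signed transaction stays valid (assumed)

# Bytes both sides sign and verify: keys sorted so JSON field order cannot differ.
def canonical(transaction)
  JSON.generate(transaction.sort.to_h)
end

# Server side. Stores no password and no shared secret, only the device's
# public key and the nonces already consumed (in-memory here; a shared store
# in a real deployment).
class Verifier
  def initialize(public_key_pem)
    @public_key  = OpenSSL::PKey::RSA.new(public_key_pem)
    @seen_nonces = {}
  end

  # Describe the action the user must confirm; the device displays this.
  def transaction(action, details)
    { "action" => action, "details" => details,
      "nonce" => SecureRandom.hex(16), "issued_at" => Time.now.utc.iso8601 }
  end

  # True only if: the transaction is for the action being authorised, it is
  # fresh, its nonce is unused, and the signature covers these exact bytes.
  def valid_signature?(expected_action, transaction, signature, now: Time.now.utc)
    return false unless transaction["action"] == expected_action
    issued = begin
      Time.iso8601(transaction["issued_at"].to_s)
    rescue ArgumentError
      return false
    end
    return false if now - issued > MAX_AGE || issued > now + 5   # expired or from the future
    return false if @seen_nonces[transaction["nonce"]]            # replay
    ok = @public_key.verify(OpenSSL::Digest.new(DIGEST), signature, canonical(transaction))
    @seen_nonces[transaction["nonce"]] = true if ok               # burn the nonce on success
    ok
  end
end

# Device side: holds the private key and signs what the user confirmed.
class Device
  def initialize
    @key = OpenSSL::PKey::RSA.new(2048)
  end

  def public_key_pem
    @key.public_key.to_pem
  end

  def sign(transaction)
    @key.sign(OpenSSL::Digest.new(DIGEST), canonical(transaction))
  end
end

if __FILE__ == $0
  device   = Device.new
  verifier = Verifier.new(device.public_key_pem)   # enrolment: server keeps the public key only

  tx  = verifier.transaction("login", "user@example.com from 203.0.113.5")   # constructed details
  sig = device.sign(tx)
  puts "first use:        #{verifier.valid_signature?('login', tx, sig)}"
  puts "replayed:         #{verifier.valid_signature?('login', tx, sig)}"
  tampered = tx.merge("details" => "user@example.com from 198.51.100.7")
  puts "tampered details: #{verifier.valid_signature?('login', tampered, sig)}"
  puts "wrong action:     #{verifier.valid_signature?('transfer', tx, sig)}"
end
```

The transaction text is what protects "critical actions and responses": because the device signs a description of the specific action, a signature obtained for a login cannot be reused to authorise a transfer, and a request altered in transit no longer matches the signed bytes.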

Protect critical actions and responses:

Page 14: Next Generation Authentication

Truefactor.io

Zero-knowledge backup. The server knows *nothing* about you and your passwords.