
Page 1: QCon - New York · QCon - New York New York 18th June 2012 (June 18th for Americans) 1

QCon - New York
New York, 18th June 2012
(June 18th for Americans)

Page 2

Copyright © 2012 Incept5 Ltd.

John Davies
• An ageing “Über-geek”
• Hardware, Assembler, C, Objective-C, C++, OCCAM, SmallTalk, Java
• Worked mostly in trading systems, FX & Derivatives
• Head of trading systems at Paribas, head of architecture at BNP Paribas, global head of architecture at JP Morgan
• Author of Learning Tree’s Enterprise Java courses & co-author of several Java & architecture books
• Co-founder of C24 Solutions in 2000
  • Sold to Nasdaq’s Iona Technologies in 2007, Iona sold to Progress Software in 2008, Technical Director of both companies
• Co-founded Incept5 in 2008, re-acquired C24 from Progress in April 2011
  • CTO of Incept5 & C24
• Original technical architect behind Visa’s V.me (pre-public release)

Page 3

I’m a “Hacker”
• Why am I talking about Social Media OAuth in a Security track?
• I work in banking and payments, security is top, TOP priority
  • Understanding how security works (or doesn’t) is key to being able to provide better measures against malicious hackers
• Only by understanding how malicious hackers do their dirty work can we hope to protect our applications and systems
  • So yes, I hack in the exploratory sense of the word
• OAuth is an important tool in today’s increasingly mobile and social world

Page 4

Agenda
• Signup and Password Hell
• Passwords, Hashes and Leaks
• Pass phrases
• OAuth
• Hooking up an app with Facebook
• OAuth & Security

Page 5

One password or multiple?
• One single username and password would make our lives a lot easier
  • Assuming it’s a good password of course
• But then if it were breached, the hacker gets access to everything :-(
• If you add better security it might work
  • Something you own perhaps, a phone?
  • Access from a specific IP address etc.
• But then when you lose it, you’re locked out of everything
  • And in practice they’re not really that secure

Page 6

Multiple Passwords
• So we’re back to unique passwords for every single system we use
• Every new app seems to want you to provide new credentials, first the username...
  • You enter your username “jdoe”, immediately you’re told it’s not free
  • You try johndoe, taken, why not try johndoe367?
  • You settle with bigjohndoe
• Then the password...
  • xxxxxx - Password must be minimum 8 chars
  • xxxxxxxx - Password must contain a number
  • xxxNxxxx - Password must contain at least one uppercase character
  • XxxNxxxx - Password must contain a punctuation character

Page 7

Password Hell
• Finally you find a password that works in most places
  • John1985!
• Then you have to change it a month later
  • OK, you can’t change your name or date of birth so now what?
• You end up writing it down or entering it into your phone’s notes
  • Not very secure!
• Don’t fight it, you need multiple passwords

Page 8

Password security
• Most people use common words as passwords, names, numbers, combinations of the two, letter/number substitutes
  • These are incredibly easy to hack
  • John, BigJohn, John1234, J0hni234, B1gJ0hn
• Take almost any combination of 6-8 characters, any word (in any language), any two words, any word with a number
  • Someone will have hashed it and added it to a rainbow table
• Try it, take your password, hash it with MD5 and SHA and then google the result
  • If you find it, you might as well not have a password (almost)

Page 9

Getting the hash...
• Some easy methods...

  perl -e 'print qw(Password)' | shasum
  > 8be3c943b1609fffbfc51aad666d0a04adf83c9d

  perl -e 'use Digest::MD5 qw(md5_hex); print md5_hex("Password"), "\n";'
  > dc647eb65e6711e155375218212b3964

  In Java/Scala use
  java.security.MessageDigest.getInstance("MD5");
  java.security.MessageDigest.getInstance("SHA-1");

• Now Google the hashes or paste them into something like... http://xdecrypt.com/

Page 10

Was your password leaked by LinkedIn?
• Two weeks ago it was announced that someone had released 6.4 million passwords from LinkedIn
  • Then it was eHarmony, Last.fm and others
• It doesn’t matter how well you guard your 8 character password, if some idiot at LinkedIn stores it “unsalted” and that gets out, you’re hacked
• You MUST have a secure password with NO words
  • Use a generator
  • 1Password is a good solution
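The two slides above (getting the hash, and the “unsalted” LinkedIn store) make one point from the defender’s side: an unsalted MD5 or SHA-1 of a password is a fixed, look-up-able value, while a salted, slow hash is not. The following Python is an added example (not code from the talk or from Incept5) that reproduces the slide’s two digests of “Password” with hashlib and, next to them, the per-user salted PBKDF2 record a site should store instead. The storage format string and the iteration count are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Unsalted digests, as on the "Getting the hash" slide. The same input always
# gives the same output, which is why a leaked unsalted hash can simply be
# looked up in a precomputed table or a search engine.
def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# What a site should store instead: a slow, salted hash. A random per-user salt
# means two users with the same password get different records and a leaked
# table cannot be attacked with one precomputed list; the iteration count makes
# every guess cost the attacker ITERATIONS hash computations.
ITERATIONS = 200_000   # my choice for this example; tune to your hardware

def hash_for_storage(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(16)  # fresh, unpredictable salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Store the parameters next to the digest so they can be raised later
    # without breaking verification of older records.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak how much matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def compare_schemes(password: str) -> dict:
    """Records for two different users who happened to choose the same password."""
    return {
        "unsalted_sha1": [sha1_hex(password), sha1_hex(password)],                  # identical
        "salted_pbkdf2": [hash_for_storage(password), hash_for_storage(password)],  # differ
    }

if __name__ == "__main__":
    print("sha1", sha1_hex("Password"))
    print("md5 ", md5_hex("Password"))
    for name, records in compare_schemes("Password").items():
        print(name, "identical" if records[0] == records[1] else "different")
```

The unsalted digests match the values printed on the “Getting the hash...” slide, which is the whole problem: anyone holding the LinkedIn dump could compare it against the same precomputed lists. With the salted records, even two users sharing “Password” look unrelated in a leaked table, and each guess against one record costs the attacker the full PBKDF2 work.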

Page 11

Nepephemeral
• An open-source password manager
  • Inspired (accelerated) after the LinkedIn leak
• First public release in the next few days - OS-X and then Windoze
• iPhone & Android in the near future
• Most password managers store everything in a database encrypted by a master password/phrase
  • e.g. 1Password, LastPass etc.
• Disadvantage is that you’re only one password from everything falling into the hands of a hacker
  • Not just your Facebook login but your bank account and card PINs

Page 12

Nepephemeral
• Nepephemeral does not store passwords
  • It automates the generation of strong passwords from pass phrases
• It also manages common password rotation tasks
  • Allowing multiple unique passwords from a single pass phrase
  • No need to memorise a new password every 30 days
• A pass phrase is a sequence of words or prose that is easy for you to remember and hard for someone else to guess
• Statistically even a short pass phrase is much harder to guess than the average 8 character password

Page 13

Pass phrases
• First the password: Tr0ub4dor&3
  • Roughly 28 bits of entropy (2^28 = 268,435,456); at 10k guesses/sec that’s 7 hours
  • Difficulty to crack: EASY
  • Difficulty to remember: DIFFICULT
• Now a pass phrase: “correct horse battery staple”
  • About 44 bits of entropy (2^44 = over 17 trillion); at 1M guesses/sec that’s over 200 days!
  • Difficulty to crack: HARD
  • Difficulty to remember: You already have
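The entropy arithmetic on this slide is worth carrying through, because the two figures use different guess rates (10k/sec versus 1M/sec). This added Python example (mine, not from the talk) computes the bits for a pass phrase drawn at random from a word list, turns bits plus a guess rate into the full-search time the slide quotes, and generates a pass phrase with the OS CSPRNG. DEMO_WORDS is a constructed 16-word list so the script runs offline; a real generator needs thousands of words.

```python
import math
import secrets

def entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a pass phrase whose words are chosen uniformly at random from a
    dictionary of dictionary_size words: log2(dictionary_size) bits per word.
    Four words from a 2048-word list is the slide's 44 bits."""
    return word_count * math.log2(dictionary_size)

def worst_case_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Seconds to try all 2^bits possibilities at the given rate. The slide quotes
    this full-search figure; on average a random target is found at half of it."""
    return (2.0 ** bits) / guesses_per_second

def describe(bits: float, guesses_per_second: float) -> str:
    """Human-readable version of the slide's numbers (hours below one day)."""
    seconds = worst_case_crack_seconds(bits, guesses_per_second)
    if seconds < 86_400:
        return f"{bits:.0f} bits at {guesses_per_second:g}/sec: {seconds / 3600:.1f} hours"
    return f"{bits:.0f} bits at {guesses_per_second:g}/sec: {seconds / 86_400:.0f} days"

# Constructed 16-word list so the demo runs offline. log2(16) = 4 bits per word
# is far too little for real use; a proper list has thousands of entries.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "anchor", "bridge", "candle",
              "desert", "engine", "forest", "garden", "harbor", "island", "jacket",
              "kettle", "ladder"]

def generate_passphrase(words, word_count: int) -> str:
    """Pick words with the OS CSPRNG; random.choice is not suitable for secrets."""
    return " ".join(secrets.choice(words) for _ in range(word_count))

if __name__ == "__main__":
    print(describe(28, 10_000))       # the Tr0ub4dor&3 figure from the slide
    print(describe(44, 1_000_000))    # the four-word pass phrase figure
    phrase = generate_passphrase(DEMO_WORDS, 4)
    print(phrase, f"({entropy_bits(4, len(DEMO_WORDS)):.0f} bits from this tiny list)")
```

Note that the pass phrase keeps its 44 bits only if the words really are chosen at random from the list; a phrase you compose yourself (a song lyric, a sentence you like) is drawn from a much smaller, guessable space, which is why the generator uses secrets rather than your memory.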

Page 14

If you’re interested...
• Nepephemeral uses this fact to create passwords that can pass the Draconian password rules that most sites use
  • While giving you a simple pass phrase that is easy to remember without compromising on security
• http://nepephemeral.org
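Slides 12 and 14 describe the idea of deriving many site-specific, policy-compliant passwords from one memorised pass phrase, with a rotation counter instead of a new phrase every 30 days. The deck does not show how Nepephemeral does this, so the following is a hypothetical scheme of my own to illustrate the idea, not Nepephemeral’s algorithm: the site label and rotation number are the KDF salt, the derived bytes are mapped onto a 64-symbol alphabet (6 bits per byte, so no modulo bias), and a deterministic retry counter is bumped until the site’s rules are met. The policy checked is the one from the “Multiple Passwords” slide.

```python
import hashlib

# Hypothetical derivation scheme for illustration only; NOT Nepephemeral's algorithm.
ITERATIONS = 100_000   # my choice; slow enough to matter if one derived password leaks
# Exactly 64 symbols so that the low 6 bits of each derived byte select one symbol
# uniformly, with no modulo bias.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789" "!@")
PUNCTUATION = "!@"

def meets_policy(password: str) -> bool:
    """The typical site rules from the 'Multiple Passwords' slide."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in PUNCTUATION for c in password))

def derive_password(pass_phrase: str, site: str, rotation: int = 0, length: int = 16) -> str:
    """Deterministically derive a per-site password from one memorised pass phrase.

    site     : label for the service the password is for (e.g. the domain)
    rotation : bump this when the site forces a change; the pass phrase stays the same
    The site/rotation label is the KDF salt, so the password for one site tells an
    attacker nothing about other sites except through a brute-force attack on the
    pass phrase itself, which is why the pass phrase has to be strong."""
    for attempt in range(64):   # deterministic retry until the site's policy is satisfied
        salt = f"{site}|{rotation}|{attempt}".encode("utf-8")
        key = hashlib.pbkdf2_hmac("sha256", pass_phrase.encode("utf-8"), salt,
                                  ITERATIONS, dklen=length)
        candidate = "".join(ALPHABET[b & 0x3F] for b in key)
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("no policy-compliant candidate found")  # practically unreachable

if __name__ == "__main__":
    phrase = "correct horse battery staple"   # constructed demo input
    for site in ("linkedin.com", "eharmony.com"):
        print(site, derive_password(phrase, site), derive_password(phrase, site, rotation=1))
```

Because nothing is stored, losing the device loses nothing; the flip side, as the slide on password managers says about master passwords, is that the pass phrase is the single secret, and anyone who learns one derived password and the scheme can attack the pass phrase offline at ITERATIONS cost per guess.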

Page 15

Authorisation or Authentication?
• Authentication validates who you are, it can be at several levels.
  • Just a name, a name and a password, a name, password and something secure, all of the above, a retina scan and a DNA sample
• Authorisation dictates what you can do, the higher levels may require a better level of authentication
  • Access to your QCon badge, your hotel key, a seat on a plane or access into the Federal Reserve Bank or Fort Knox
• Both are interlinked, there’s little point in a retina scan and DNA sample to get your QCon badge

Pages 16-21 (one slide, built up over six pages)

OpenID
• OpenID is an open standard for decentralised authentication
  • A user can sign up with an OpenID provider (OP) and then use that provider as an authority for any web site (relying party or RP) participating in OpenID authentication

[Diagram: User, OpenID Provider (OP), Web Site / App (RP)]
  1. RP asks user for OpenID
  2. User returns OpenID
  3. User is redirected to OP where he/she authenticates (usually a password)
  4. OP redirects back to RP and user is authenticated

• OpenID “says” who you are, not what you can do

Page 22

OAuth
• "OAuth provides a way to grant access to your data on some website to a third website, without needing to provide this third website with your authentication information for the original website."
  • What this means for example is that you could grant me access to some of your Facebook / Twitter / Google account without me having to know your username and password
• You can limit my access to certain parts of your account
• A good example would be a third party Facebook, Twitter or Google+ reader
  • Normally you wouldn’t want to trust the app developer with your username and password

Page 23

OAuth 1.0 & 2.0
• OAuth 2.0 was a replacement for OAuth 1.0, the latter was overly complex and difficult to implement due to the need for certificates etc.
• The spec can be found here...
  • http://tools.ietf.org/html/draft-ietf-oauth-v2-23
• OAuth 2.0 does not require certificates, only SSL/TLS
  • This makes it more flexible, i.e. the token can be portable
• Used wrongly though it can create a security issue

Page 24

Authentication
• In theory you can use OAuth to authenticate a user, you don’t necessarily need to get data from the authoriser’s site
  • This is authentication, NOT authorisation, it just confirms that you are who you say you are, as far as Facebook/Twitter etc. knows you
• It is very similar to the way OpenID works in this case
• You might want this to provide a common login across multiple apps
  • Helps the user create an account without a new username/password
  • Facilitates identity management
• Authorisation, i.e. what the user can/can’t do, is still your problem

Page 25

OAuth 2.0

[Diagram: Game / Application and Facebook, Twitter, Google etc.]
  • User logs into game / application via Facebook or Twitter
  • Game / application can access data on Facebook or Twitter

Pages 26-41 (one diagram, built up over sixteen pages)

[Diagram: User Browser or App, Your Server, Twitter, Facebook or Google etc.; arrows labelled “User Data”]

OAuth 2.0 Initial Login
  1. Startup
  2. You need to login via Facebook
  3. User directed to Facebook login
  4. Facebook redirects to your “redirect” URI with authentication code
  5. Browser redirects to redirect URI
  6. Server sends user authentication code, ID and user secret
  7. Returns access token
  8. User is now logged in

OAuth 2.0 Data Request
  9. User requests data via app / browser
  10. Server requests data with token
  11. Facebook accesses data
  12. Data accessed
  13. Facebook returns requested data
  14. User sees data

Page 42

OAuth in Facebook is very easy
• Compared to the complexity of OAuth 1.0 on iPhone, using Facebook is wonderfully easy
• Facebook has provided open libraries you can link in to your code
  • git://github.com/facebook/facebook-ios-sdk.git
• It effectively does all the OAuth “stuff” for you, all you need to do is create (register) an app on Facebook...
  • https://developers.facebook.com/apps/
• ... and write a few callbacks / delegate methods

Page 43

Registering the app
• You just need the App ID and App Secret
• You can then use this in your application for authentication
• Once your client has “authed” you can use the token on the phone or a server

Page 44

XCode...

Page 45

The Login callback
• When the Facebook web/app login returns it calls our fbDidLogin method

Page 46

Server Delegation
• It’s easy to authenticate and login from the phone but we may want our own server in the loop
  • We could run everything through the phone and back to the server but that’s unnecessary bandwidth (cost and latency)
• So ideally we would want the server to communicate with Facebook
• The token is portable
  • We can send it to the server which can become a proxy for our mobile app. Effectively we can transfer privileges
• Useful but how safe is this?
  • The token is now a new (portable) key to Facebook
• It’s worth noting that Twitter doesn’t allow this
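The slide’s question, “how safe is this?”, has a concrete server-side answer: a token that arrives from a phone is just a string, so before the server acts as a proxy on its strength it should ask the provider what the token is and check that it was issued to our app, is still valid, and has not expired, then hold it server-side behind an opaque session id rather than passing it around. The following is an added Python example (mine, not from the talk or the Facebook SDK). It works on a dict describing the token; the field names (app_id, is_valid, expires_at, user_id, scopes) are the shape I assume Facebook’s token debugging endpoint returns, and the sample dicts, app id and tokens are constructed so the script runs offline. A real server would fetch that description over HTTPS using its own app credentials.

```python
import secrets

# Constructed placeholder, not a real App ID.
OUR_APP_ID = "000000000000000"

class TokenRejected(Exception):
    pass

def validate_delegated_token(info: dict, expected_app_id: str, now: float,
                             required_scopes=()) -> str:
    """Decide whether a token handed to us by the phone may be used server-side.

    info: the provider's description of the token (assumed field names, see above).
    Returns the provider's user id for the token, or raises TokenRejected."""
    if not info.get("is_valid"):
        raise TokenRejected("provider reports the token as invalid or revoked")
    if str(info.get("app_id")) != str(expected_app_id):
        # A perfectly valid token issued to somebody else's app must not log a user into ours.
        raise TokenRejected("token was issued to a different app")
    if float(info.get("expires_at", 0)) <= now:
        raise TokenRejected("token has expired")
    missing = set(required_scopes) - set(info.get("scopes", []))
    if missing:
        raise TokenRejected(f"token lacks required scopes: {sorted(missing)}")
    return str(info["user_id"])

def is_accepted(info: dict, now: float, required_scopes=()) -> bool:
    try:
        validate_delegated_token(info, OUR_APP_ID, now, required_scopes)
        return True
    except TokenRejected:
        return False

class DelegationStore:
    """Hold the portable token server-side and give the phone an opaque session id,
    so the token is not echoed back to the device or copied into every request."""
    def __init__(self):
        self.sessions = {}

    def accept(self, token: str, info: dict, now: float) -> str:
        user_id = validate_delegated_token(info, OUR_APP_ID, now)
        session_id = secrets.token_urlsafe(24)
        self.sessions[session_id] = {"user_id": user_id, "token": token,
                                     "expires_at": float(info["expires_at"])}
        return session_id

    def token_for(self, session_id: str, now: float):
        """The provider token for a live session, or None once it has expired."""
        session = self.sessions.get(session_id)
        if session is None:
            return None
        if session["expires_at"] <= now:
            del self.sessions[session_id]   # expired: drop it rather than keep retrying
            return None
        return session["token"]

def redact(token: str) -> str:
    """What may appear in a log line instead of the token itself."""
    return token[:4] + "..." + f"({len(token)} chars)"

# Constructed sample descriptions, in the assumed field layout.
NOW = 1_340_000_000.0   # fixed "now" (mid-2012) so the demo is repeatable
SAMPLE_OURS = {"app_id": OUR_APP_ID, "is_valid": True, "expires_at": NOW + 3600,
               "user_id": "1000000001", "scopes": ["email", "user_friends"]}
SAMPLE_OTHER_APP = dict(SAMPLE_OURS, app_id="999999999999999")
SAMPLE_EXPIRED = dict(SAMPLE_OURS, expires_at=NOW - 1)

if __name__ == "__main__":
    store = DelegationStore()
    sid = store.accept("tok-demo-abcdef", SAMPLE_OURS, NOW)
    print("session", sid, "holds", redact(store.token_for(sid, NOW)))
    for name, sample in (("other app", SAMPLE_OTHER_APP), ("expired", SAMPLE_EXPIRED)):
        print(name, "accepted" if is_accepted(sample, NOW) else "rejected")
```

The app_id check is the one that matters most for the “transfer privileges” idea: without it, any valid token for that provider, obtained through any app, would be accepted as proof that its user wants to log into ours. The store and the redact helper are the housekeeping that follows from treating the token as the new key the slide says it is: it lives in one place, it dies with its expiry, and it does not appear in logs.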

Page 47

In a nutshell then
• You need unique and good passwords
  • Ideally generated and ideally well over 8 characters in length
• While password management tools are a good start they present a new risk
  • One you may be happy with but not one a company should accept
• OAuth on Facebook, Google, Twitter etc. is becoming a de-facto tool for SSO
  • Not just for the data they contain but also just authentication
• OAuth creates a whole new realm of security issues

Page 48

Thank you