strong authentication in web applications: state of the art 2011
DESCRIPTION
Sylvain's talk will focus on risk-based authentication, biometry, OTP for smartphones, PKIs, Mobile-OTP, OATH-HOTP, TOTP and the open-source approach to this subject. PHP demo with the multiotp class.
TRANSCRIPT
![Page 1: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/1.jpg)
MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | [email protected] | www.maret-consulting.ch
Technology consulting
Sylvain Maret / Digital Security Expert / OpenID Switzerland
Yverdon - IT Security Days / 16-03-2011
Strong Authentication in Web Application
“State of the Art 2011”
![Page 2: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/2.jpg)
Agenda
![Page 3: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/3.jpg)
Who am I?
Security Expert
17 years of experience in ICT Security
Principal Consultant at MARET Consulting
Expert at Engineer School of Yverdon & Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
OWASP Member
Author of the blog: la Citadelle Electronique
http://ch.linkedin.com/in/smaret or @smaret
http://www.slideshare.net/smaret
Chosen field
AppSec & Digital Identity Security
![Page 4: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/4.jpg)
Protection of digital identities: a topical issue…
Strong Auth
![Page 5: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/5.jpg)
Definition of strong authentication
Strong Authentication on Wikipedia
![Page 6: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/6.jpg)
«Digital identity is the cornerstone of trust»
http://fr.wikipedia.org/wiki/Authentification_forte
![Page 7: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/7.jpg)
Strong Authentication
A new paradigm !
![Page 8: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/8.jpg)
Which Strong Authentication technology ?
Legacy Token / Old Model ? / Open Source Solution ?
![Page 9: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/9.jpg)
![Page 10: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/10.jpg)
Comparison matrix (figure): OTP, PKI (HW) and Biometry* rated against strong authentication, encryption, digital signature, non-repudiation and strong link with the user.
* Biometry of type fingerprinting
![Page 11: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/11.jpg)
Strong Authentication
with PKI
![Page 12: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/12.jpg)
PKI: Digital Certificate
Software Certificate
(PKCS#12;PFX)
Hardware Token (Crypto PKI)
Strong Authentication
![Page 13: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/13.jpg)
SSL/TLS Mutual Authentication: how does it work?
Figure: Alice authenticates to the Web Server with her certificate; the Web Server checks the certificate status with the Validation Authority (CRL or OCSP request), which answers Valid, Invalid or Unknown.
![Page 14: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/14.jpg)
Demo #1: OpenID and Software Certificate using Clavid.ch
http://www.clavid.com/
![Page 15: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/15.jpg)
Strong Authentication with Biometry (Match on Card technology)
Figure: a reader and a biometry smartcard (a card with chip) using MOC technology, with a crypto processor, PC/SC, PKCS#11 and an X.509 digital certificate.
![Page 16: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/16.jpg)
Strong Authentication
With
(O)ne (T)ime (P)assword
![Page 17: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/17.jpg)
(O)ne (T)ime (P)assword
OTP Time Based
OTP Event Based
OTP Challenge Response Based
Others:
OTP via SMS
OTP via email
Biometry and OTP
Bingo Card
Etc.
![Page 18: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/18.jpg)
OTP T-B?
OTP E-B?
OTP C-R-B?
Crypto - 101
![Page 19: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/19.jpg)
Crypto-101 / Time Based OTP
i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
K=Secret Key / Seed
T=UTC Time
HASH Function
OTP
![Page 20: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/20.jpg)
Crypto-101 / Event Based OTP
i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
K=Secret Key / Seed
C = Counter
HASH Function
OTP
![Page 21: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/21.jpg)
Crypto-101 / OTP Challenge Response Based
K = Secret Key / Seed
Challenge: nonce
HASH Function
OTP
i.e.:
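The three Crypto-101 slides (time based, event based, challenge/response) share one core, Truncate(HMAC-SHA-1(K, X)), and differ only in the moving factor X. The following Python is an added example, not code from the talk or from the multiOTP class: it implements RFC 4226 dynamic truncation, HOTP (X = counter C), TOTP (X = T = floor(UTC seconds / 30), as in the IETF TOTP draft the slides cite) and a nonce-based challenge/response variant, plus the server-side checks a verifier needs: a look-ahead window, advancing the stored counter so an accepted code cannot be replayed, and constant-time comparison. The key and the expected codes are the published RFC 4226 / RFC 6238 test vectors; the challenge nonce is a constructed value.

```python
import hashlib
import hmac
import struct
import time

# Published test key from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"


def dynamic_truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 section 5.3: take 4 bytes at the offset given by the low
    nibble of the last HMAC byte, clear the sign bit, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def otp(key: bytes, moving_factor: bytes, digits: int = 6) -> str:
    """The common core of all three slides: OTP = Truncate(HMAC-SHA-1(K, X))."""
    return dynamic_truncate(hmac.new(key, moving_factor, hashlib.sha1).digest(), digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event based OTP (RFC 4226): X is the 8-byte big-endian counter C."""
    return otp(key, struct.pack(">Q", counter), digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time based OTP: X is T = floor(UTC seconds / step), encoded like C."""
    return hotp(key, unix_time // step, digits)


def challenge_otp(key: bytes, nonce: bytes, digits: int = 6) -> str:
    """Challenge/response OTP: X is the nonce the server sent as challenge
    (a simplified stand-in for OCRA, which also binds session data and PIN)."""
    return otp(key, nonce, digits)


def verify_hotp(key: bytes, candidate: str, last_counter: int, window: int = 10):
    """Server-side HOTP check. Only counters *after* the last accepted one are
    tried (replay protection); the window absorbs presses the user wasted.
    Returns the counter to store on success, None on failure."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(key, c), candidate):
            return c
    return None


def verify_totp(key: bytes, candidate: str, unix_time: int,
                step: int = 30, drift: int = 1, digits: int = 6) -> bool:
    """Server-side TOTP check allowing +/- `drift` steps of clock skew.
    A production verifier also records the accepted T so the same code
    cannot be reused within its lifetime."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(key, t + d, digits), candidate)
               for d in range(-drift, drift + 1))


if __name__ == "__main__":
    now = int(time.time())
    print("HOTP counter 0:", hotp(RFC_TEST_KEY, 0))  # 755224 per RFC 4226
    print("TOTP now      :", totp(RFC_TEST_KEY, now))
    print("verify now    :", verify_totp(RFC_TEST_KEY, totp(RFC_TEST_KEY, now), now))
    print("challenge     :", challenge_otp(RFC_TEST_KEY, b"constructed-nonce-42"))
```

The verifier functions are where the security lives: `verify_hotp` never re-accepts a counter at or below the stored one, and `verify_totp` bounds the skew it tolerates, which is what keeps a captured code from being useful outside its window.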
![Page 22: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/22.jpg)
Other OTP technologies…
OTP via SMS
"Flicker code" by Elcard: generator software that converts already encrypted data into an optical screen animation
![Page 23: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/23.jpg)
Demo #2: Protect WordPress (OTP Via SMS)
![Page 24: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/24.jpg)
How to Store
my Secret Key ?
A Token !
![Page 25: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/25.jpg)
OTP Token: Software vs Hardware ?
![Page 26: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/26.jpg)
Software OTP for Smartphone
http://itunes.apple.com/us/app/iotp/id328973960
![Page 27: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/27.jpg)
New Standards
&
Open Source
![Page 28: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/28.jpg)
Technologies accessible to everyone
Initiative for Open AuTHentication (OATH): HOTP, TOTP, OCRA, etc.
Mobile OTP (uses MD5 …)
![Page 29: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/29.jpg)
OATH Reference Architecture, Release 2.0
http://www.openauthentication.org/
![Page 30: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/30.jpg)
Initiative for Open AuTHentication (OATH)
HOTP: Event Based OTP, RFC 4226
TOTP: Time Based OTP, Draft IETF Version 8
OCRA: Challenge/Response OTP, Draft IETF Version 13
Token Identifier Specification
IETF KeyProv Working Group:
PSKC - Portable Symmetric Key Container, RFC 6030
DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063
And more !
http://www.openauthentication.org/specifications
![Page 31: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/31.jpg)
(R)isk
(B)ased
(A)uthentication
![Page 32: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/32.jpg)
RBA (Risk-Based Authentication) = Behavior Model
![Page 33: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/33.jpg)
2 Step Verification from Google !
http://code.google.com/p/google-authenticator/
Uses OATH-HOTP & TOTP
![Page 34: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/34.jpg)
Integration with
web application
![Page 35: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/35.jpg)
Web application: basic authentication model
![Page 36: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/36.jpg)
Web application: Strong Authentication model
![Page 37: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/37.jpg)
"Shielding" approach: perimetric authentication using Reverse Proxy / WAF
![Page 38: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/38.jpg)
Module/Agent-based approach (example)
![Page 39: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/39.jpg)
Demo #4: Apache and Mod_OpenID (Using Biometry / OTP)
![Page 40: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/40.jpg)
Demo #4: Challenge / Response OTP with Biometry
![Page 41: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/41.jpg)
API/SDK based approach (example)
![Page 42: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/42.jpg)
Multi OTP PHP Class Demo
![Page 43: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/43.jpg)
Proof of Concept Code by
Anne Gosselin, Antonio Fontes, Sylvain Maret !
```php
if (! empty($_REQUEST['pma_username'])) {
    // The user just logged in
    $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
    // we combine both OTP + PIN code for the token verification
    $fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
    $fooOtp  = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];
    $GLOBALS['PHP_AUTH_PW'] = $fooPass . '' . $fooOtp;
    // OTP CHECK
    require_once('./libraries/multiotp.class.php');
    $multiotp = new Multiotp();
    $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
    $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
    $multiotp->SetUsersFolder('./libraries/users/');
    $multiotp->SetLogFolder('./libraries/log/');
    $multiotp->EnableVerboseLog();
    // CheckToken() returns 0 when the PIN + OTP pair is accepted
    $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);
    // strip the OTP again: only the PIN code is kept for accessing the database
    $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0, strlen($GLOBALS['PHP_AUTH_PW']) - strlen($fooOtp));
    if ($otpCheckResult == 0) {
        return true;
    } else {
        die("auth failed.");
    }
}
```
![Page 44: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/44.jpg)
Howto #1
Step1: Add a new method using cookie authentication
In config.inc.php
![Page 45: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/45.jpg)
Step2: Add pma_otp field
In common.inc.php
![Page 46: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/46.jpg)
Step3: Add new input
File ori: cookie.auth.lib.php
New file: cookieotp.auth.lib.php
![Page 47: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/47.jpg)
File ori: cookie.auth.lib.php
![Page 48: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/48.jpg)
Step3: Call multiotp
New file: cookieotp.auth.lib.php
![Page 49: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/49.jpg)
Demo #3: PHP Integration for phpMyAdmin
![Page 50: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/50.jpg)
Multi OTP PHP Class by André Liechti (Switzerland)
http://www.multiotp.net/
Source code will be published soon:
http://www.citadelle-electronique.net/
![Page 51: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/51.jpg)
Strong Authentication
&
Application Security
![Page 52: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/52.jpg)
Threat Modeling
“detecting web application
threats before coding”
14h30: Antonio Fontes
"Threat modeling your web application: mitigating risks right from the start!"
![Page 53: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/53.jpg)
Federated identities:
a changing paradigm
on authentication
![Page 54: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/54.jpg)
Identity federation approach, a change of paradigm:
using an IDP for Authentication and Strong Authentication
Web App X
Web App Y
Identity Provider
![Page 55: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/55.jpg)
OpenID
> What is it?
> How does it work?
> How to integrate?
SECTION 2
![Page 56: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/56.jpg)
OpenID - What is it?
> Internet SingleSignOn
> Relatively Simple Protocol
> User-Centric Identity Management
> Internet Scalable
> Free Choice of Identity Provider
> No License Fee
> Independent of Identification Methods
> Non-Profit Organization
![Page 57: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/57.jpg)
OpenID - How does it work?
Figure: User Hans Muster (Identity URL https://hans.muster.clavid.com), the Enabled Service and the Identity Provider (e.g. clavid.com).
Caption
1. User enters OpenID
2. Discovery (of the Identity URL https://hans.muster.clavid.com)
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation
![Page 58: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/58.jpg)
Surprise! You may already
have an OpenID !
![Page 59: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/59.jpg)
Other Well Known
&
Simple Providers
http://en.wikipedia.org/wiki/List_of_OpenID_providers
![Page 60: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/60.jpg)
Get an OpenID with Strong Authentication for free !
![Page 61: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/61.jpg)
Questions ?
![Page 62: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/62.jpg)
Resources on Internet 1/2
http://motp.sourceforge.net/
http://www.clavid.ch/otp
http://code.google.com/p/mod-authn-otp/
http://www.multiotp.net/
http://www.openauthentication.org/
http://wiki.openid.net/
http://www.citadelle-electronique.net/
![Page 63: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/63.jpg)
Resources on Internet 2/2
http://rcdevs.com/products/openotp/
https://github.com/adulau/paper-token
http://www.yubico.com/yubikey
http://code.google.com/p/mod-authn-otp/
http://www.nongnu.org/oath-toolkit/
http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdf
![Page 64: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/64.jpg)
"Consulting and expertise for the selection and implementation of innovative technologies in information systems security and digital identity"
![Page 65: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/65.jpg)
A strong conviction !
Strong authentication
![Page 66: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/66.jpg)
SECTION 1
SAML
> What is it?
> How does it work?
![Page 67: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/67.jpg)
Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)
![Page 68: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/68.jpg)
SAML – What is it?
SAML (Security Assertion Markup Language):
> Defined by the OASIS Group
> Well and Academically Designed Specification
> Uses XML Syntax
> Used for Authentication & Authorization
> SAML Assertions > Statements: Authentication, Attribute, Authorization
> SAML Protocols > Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact
> SAML Profiles > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile
![Page 69: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/69.jpg)
SAML – How does it work?
Figure: User Hans Muster, the Identity Provider (e.g. clavid.ch) and the Enabled Service (e.g. Google Apps for Business), with the exchange numbered 1 to 6.
![Page 70: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/70.jpg)
Example with HTTP POST Binding
Figure: the Browser, the SAML-ready Web App (AuthN, ACS, Resource) and the IDP MC (Single Sign On Service). Steps: 1 Access Resource; 2; 3 <AuthnRequest> Redirect 302; 4 <AuthnRequest>; 5a Credential Challenge (+ PIN); 5b User Login; 6 <Response> in HTML Form; 7 POST <Response>; 8 Resource.
![Page 71: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/71.jpg)
A major event in the world of strong authentication
12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
« Single Factor Authentication » is not enough for web financial applications
Before the end of 2006 it is compulsory to implement a strong authentication system
http://www.ffiec.gov/press/pr101205.htm
And the PCI DSS standard: compulsory strong authentication for remote access
And now the European Payment Services regulations (2007/64/CE) for banks
Social Networks, Open Source
![Page 72: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/72.jpg)
Out of Band Authentication
![Page 73: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/73.jpg)
Phone Factor
![Page 74: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/74.jpg)
SAML
![Page 75: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/75.jpg)
SAML AuthnRequest Transfer via Browser
Redirect-Binding
POST-Binding
![Page 76: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/76.jpg)
A SAML AuthnRequest (no magic, just XML)
```xml
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb"
    Version="2.0"
    IssueInstant="2008-10-14T00:57:14Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    ForceAuthn="false"
    IsPassive="false"
    AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    google.com
  </saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
```
![Page 77: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/77.jpg)
SAML Assertion Transfer via Browser
POST-Binding
![Page 78: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/78.jpg)
A SAML Assertion Response (no magic, just XML)
```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
    InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
    Version="2.0"
    IssueInstant="2008-10-15T17:24:46Z"
    Destination="https://www.google.com/a/unopass.net/acs">
  <saml:Issuer>
    http://idp.unopass.net:80/opensso
  </saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion
      ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"
      IssueInstant="2008-10-15T17:24:46Z"
      Version="2.0">
    <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
    <Signature>
      … A DIGITAL SIGNATURE …
    </Signature>
    ...
```
![Page 79: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/79.jpg)
A SAML Assertion Response (no magic, just XML)
```xml
    ...
    <saml:Subject>
      <saml:NameID
          NameQualifier="http://idp.unopass.net:80/opensso">
        sylvain.maret
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
        <saml:SubjectConfirmationData
            InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
            NotOnOrAfter="2008-10-15T17:34:46Z"
            Recipient="https://www.google.com/a/unopass.net/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    ...
```
![Page 80: Strong Authentication in Web Applications: State of the Art 2011](https://reader031.vdocument.in/reader031/viewer/2022020207/555a087cd8b42aa8098b53c6/html5/thumbnails/80.jpg)
A SAML Assertion Response (no magic, just XML)
```xml
    ...
    <saml:Conditions NotBefore="2008-10-15T17:14:46Z"
        NotOnOrAfter="2008-10-15T17:34:46Z">
      <saml:AudienceRestriction>
        <saml:Audience>google.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z"
        SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
```
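The three Response slides show what the Assertion Consumer Service receives; the practical point is which attributes it must check before trusting the NameID. The following Python is an added example, not code from the talk, from Google or from OpenSSO: it reassembles the slide fragments into one constructed document and runs the consumer-side checks: Success status, InResponseTo and Destination bound to the SP's own AuthnRequest and ACS URL, a trusted Issuer, the NotBefore/NotOnOrAfter window, AudienceRestriction, the bearer SubjectConfirmationData, and the AuthnContextClassRef, which is where an SP that requires strong authentication refuses a PasswordProtectedTransport login. The full bearer method URN, the XML-DSig namespace and the TimeSyncToken class are standard SAML 2.0 values not printed on the slides; the signature is elided on the slides and must be verified with an XML-DSig library against the IDP's certificate before any of these checks mean anything, so the code only checks that one is present.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# What this SP expects; values taken from the slide XML (the request ID is the
# one the slides show as InResponseTo).
SP_EXPECTATIONS = {
    "request_id": "hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni",
    "acs_url": "https://www.google.com/a/unopass.net/acs",
    "audience": "google.com",
    "idp_issuer": "http://idp.unopass.net:80/opensso",
    "allowed_authn_classes": {
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"},
}

# Constructed sample: the slide fragments joined, signature omitted, bearer
# method written out in full.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
  InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" Version="2.0"
  IssueInstant="2008-10-15T17:24:46Z" Destination="https://www.google.com/a/unopass.net/acs">
 <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z" Version="2.0">
  <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
  <saml:Subject>
   <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso">sylvain.maret</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
      NotOnOrAfter="2008-10-15T17:34:46Z" Recipient="https://www.google.com/a/unopass.net/acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z">
   <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z" SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
   <saml:AuthnContext><saml:AuthnContextClassRef>
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
   </saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC in the 'Z' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(xml_text, *, request_id, acs_url, audience, idp_issuer,
                           now, allowed_authn_classes, require_signature=True):
    """ACS-side checks; returns a list of problems, empty when the login may proceed.
    Assumes the XML signature has been verified separately; only presence is checked."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["document is not a samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    # Binding to our own request and endpoint rejects unsolicited or replayed
    # responses and responses meant for another service provider.
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest we issued")
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no saml:Assertion")
        return problems
    if require_signature and root.find("ds:Signature", NS) is None \
            and assertion.find("ds:Signature", NS) is None:
        problems.append("no XML signature present")
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != idp_issuer:
            problems.append("issuer is not the trusted IDP")
            break
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("no saml:Conditions")
    else:
        not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            problems.append("assertion not yet valid")
        if not_after and now >= parse_saml_time(not_after):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            problems.append("AudienceRestriction does not name this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData not bound to our request and ACS")
        if scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
    # Which authentication the IDP actually performed: an SP that requires
    # strong authentication must refuse a mere password context here.
    ref = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    authn_class = (ref.text or "").strip() if ref is not None else ""
    if authn_class not in allowed_authn_classes:
        problems.append("authentication context %r not accepted" % authn_class)
    return problems


def check_sample(now_str="2008-10-15T17:24:50Z", **overrides):
    """Run the checks on the constructed sample as the SP would at the given time."""
    params = {**SP_EXPECTATIONS, "require_signature": False, **overrides}
    return validate_saml_response(SAMPLE_RESPONSE, now=parse_saml_time(now_str), **params)


if __name__ == "__main__":
    print("accepted:", check_sample() == [])
    print("late    :", check_sample("2008-10-15T17:40:00Z"))
    print("strong  :", check_sample(allowed_authn_classes={
        "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"}))
```

Changing `allowed_authn_classes` is how the SP turns "strong authentication at the IDP" into an enforced policy rather than a hope: the same assertion that logs a user in under a password-only policy is rejected once the SP only accepts token or smartcard contexts.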