strong authentication state of the art 2012 / sarajevo cso

Consultants of Security Operations d.o.o. Sarajevo

Upload: sylvain-maret

Post on 18-May-2015


Strong Authentication in Web Application

“State of the Art 2012”

Sylvain Maret / Digital Security Expert / OpenID Switzerland

@smaret

Version 1.01 / 22.11.2012

Who am I?

• Security Expert

– 17 years of experience in ICT Security

– Principal Consultant at MARET Consulting

– Expert at Engineer School of Yverdon & Geneva University

– Swiss French Area delegate at OpenID Switzerland

– Co-founder Geneva Application Security Forum

– OWASP Member

– Author of the blog: la Citadelle Electronique

– http://ch.linkedin.com/in/smaret or @smaret

– http://www.slideshare.net/smaret

• Chosen field

– AppSec & Digital Identity Security

22 per minute……

Protection of digital identities: a topical issue…

Strong AuthN

RSA FAILED ?

«Digital identity is the cornerstone of trust»

http://fr.wikipedia.org/wiki/Authentification_forte

Strong Authentication

A new paradigm?

Which Strong Authentication technology?

OTP PKI (HW) Biometry

Strong authentication

Encryption

Digital signature

Non repudiation

Strong link with the user

Strong Authentication with PKI

PKI: Digital Certificate

Software Certificate (PKCS#12; PFX)

Hardware Token (Crypto PKI)

Strong Authentication

SSL/TLS Mutual Authentication: how does it work?

Diagram (SSL / TLS Mutual Authentication): Alice presents her certificate to the Web Server; the Web Server checks the certificate status with the Validation Authority via CRL or an OCSP request, and the answer is Valid, Invalid or Unknown.

Strong Authentication with Biometry (Match on Card technology)

• A reader

– Biometry

– SmartCard

• A card with chip

– Technology MOC

– Crypto Processor

• PC/SC

• PKCS#11

• Digital certificate X509

Strong Authentication with (O)ne (T)ime (P)assword

(O)ne (T)ime (P)assword

• OTP Time Based

– Like SecurID

• OTP Event Based

• OTP Challenge Response Based

• Others:

– OTP via SMS

– OTP via email

– Biometry and OTP

– Phone

– Bingo Card

– Etc.

OTP T-B?

OTP E-B?

OTP C-R-B?

Crypto - 101

Crypto-101 / Time Based OTP

i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))

K=Secret Key / Seed

T=UTC Time

HASH Function

OTP

Crypto-101 / Event Based OTP

i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))

K=Secret Key / Seed

C = Counter

HASH Function

OTP

Crypto-101 / OTP Challenge Response Based

K=Secret Key / Seed

nonce

HASH Function

OTP

Challenge

ie:
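The three Crypto-101 slides in runnable form, as an added example that is not part of the original deck: HOTP (event based), TOTP (time based), a simplified challenge/response variant that HMACs a server nonce, and a server-side TOTP check with a one-step clock-skew window. Assumptions: HMAC-SHA-1 with an 8-byte big-endian counter as in RFC 4226 and the TOTP draft; the challenge variant is the generic Truncate(HMAC(K, nonce)) form from the slide, not the full OCRA data-input encoding; the demo key is the RFC 4226 test secret and the nonce is a constructed value.

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    # Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
    # byte selects a 4-byte window; its top bit is masked off so the value is
    # a positive 31-bit integer, which is then reduced to the wanted digits.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    # Event based: OTP(K, C) = Truncate(HMAC-SHA-1(K, C)), with C encoded as
    # an 8-byte big-endian integer.
    message = struct.pack(">Q", counter)
    return _truncate(hmac.new(key, message, hashlib.sha1).digest(), digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # Time based: T = floor(unix_time / step) is used as the HOTP counter, so
    # token and server agree as long as their clocks are within one step.
    return hotp(key, unix_time // step, digits)


def challenge_otp(key: bytes, nonce: bytes, digits: int = 6) -> str:
    # Challenge/response, generic form from the slide: the server sends a
    # fresh nonce, the token answers Truncate(HMAC-SHA-1(K, nonce)).
    # Assumption: the real OCRA suite wraps the nonce in a longer data-input
    # string; this simplified form only shows the principle.
    return _truncate(hmac.new(key, nonce, hashlib.sha1).digest(), digits)


def verify_totp(key: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    # Server-side check: accept the code for the current step and `window`
    # steps on either side to tolerate clock drift; compare in constant time.
    for drift in range(-window, window + 1):
        expected = totp(key, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo key: the 20-byte test secret from RFC 4226 appendix D.
    demo_key = b"12345678901234567890"
    print("HOTP counter 0:", hotp(demo_key, 0))
    print("TOTP at t=59, 8 digits:", totp(demo_key, 59, digits=8))
    print("Challenge response:", challenge_otp(demo_key, b"constructed-nonce"))
```

The server should also remember the last step (or counter) for which a code was accepted, so that a code captured inside the skew window cannot be replayed; that bookkeeping is left out here to keep the three formulas visible.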

Other OTP technologies…

OTP via SMS

“Flicker code”: generator software that converts already encrypted data into an optical screen animation

How to Store and Generate my Secret Key?

A Token !

OTP Token: Software vs Hardware ?

Software OTP for Smartphone

http://itunes.apple.com/us/app/iotp/id328973960

Where is the seed?

Seed generation & distribution ?

Still a good model ?

Editor / Vendor: secret keys are generated on the vendor's premises

Diagram: the vendor generates the secret key K1 and keeps a copy; K1 is also provisioned into the user's token. A threat agent (APT) that obtains K1 from the vendor holds everything needed to produce the TokenCode.

New Standards & Open Source: technologies accessible to everyone

• Initiative for Open AuTHentication (OATH)

– HOTP

– TOTP

– OCRA

– Etc.

• Mobile OTP

– (uses MD5…)

Initiative for Open AuTHentication (OATH)

• HOTP

– Event Based OTP

– RFC 4226

• TOTP

– Time Based OTP

– Draft IETF Version 8

• OCRA

– Challenge/Response OTP

– Draft IETF Version 13

• Token Identifier Specification

• IETF KeyProv Working Group

– PSKC - Portable Symmetric Key Container, RFC 6030

– DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063

• And more !

http://www.openauthentication.org/specifications

(R)isk (B)ased (A)uthentication

RBA (Risk-Based Authentication) = Behavior Model
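An added example (not from the deck) of what "RBA = behavior model" means in code: each login attempt is scored against what the application has already seen for that user, and the score decides between keeping the basic password login, stepping up to strong authentication (OTP or PKI, as in the earlier sections), or refusing the attempt. The profile data, feature weights and thresholds are constructed illustrations, not values from the deck or from any product.

```python
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    hour_utc: int
    failed_attempts_last_hour: int


def empty_profile() -> dict:
    # A user with no history: every feature counts as new, so the first login
    # is pushed to strong authentication rather than refused.
    return {"devices": set(), "countries": set(), "hours": range(0)}


# Constructed behaviour profiles: devices, countries and working hours seen on
# previous successful logins.
KNOWN_PROFILES = {
    "alice": {"devices": {"dev-a1"}, "countries": {"CH"}, "hours": range(7, 20)},
}

# Constructed weights: how much each deviation from the profile adds to the risk.
WEIGHT_NEW_DEVICE = 40
WEIGHT_NEW_COUNTRY = 30
WEIGHT_ODD_HOUR = 10
WEIGHT_PER_FAILURE = 10
MAX_FAILURES_COUNTED = 5


def risk_score(ctx: LoginContext, profiles: dict = KNOWN_PROFILES) -> int:
    profile = profiles.get(ctx.user, empty_profile())
    score = 0
    if ctx.device_id not in profile["devices"]:
        score += WEIGHT_NEW_DEVICE
    if ctx.country not in profile["countries"]:
        score += WEIGHT_NEW_COUNTRY
    if ctx.hour_utc not in profile["hours"]:
        score += WEIGHT_ODD_HOUR
    # Recent failures raise the score, capped so one feature cannot dominate.
    score += min(ctx.failed_attempts_last_hour, MAX_FAILURES_COUNTED) * WEIGHT_PER_FAILURE
    return score


def decide(score: int) -> str:
    # Constructed thresholds: low risk keeps the basic password login, medium
    # risk steps up to OTP/PKI, high risk refuses the attempt outright.
    if score >= 90:
        return "deny"
    if score >= 30:
        return "step-up"
    return "allow"


def authenticate(ctx: LoginContext, profiles: dict = KNOWN_PROFILES) -> str:
    return decide(risk_score(ctx, profiles))


def record_success(ctx: LoginContext, profiles: dict = KNOWN_PROFILES) -> None:
    # After a successful (stepped-up) login the behaviour model learns the new
    # device and country, so the next login from them scores lower.
    profile = profiles.setdefault(ctx.user, empty_profile())
    profile["devices"].add(ctx.device_id)
    profile["countries"].add(ctx.country)


if __name__ == "__main__":
    # Constructed attempts for the demo profile above.
    print(authenticate(LoginContext("alice", "dev-a1", "CH", 10, 0)))
    print(authenticate(LoginContext("alice", "dev-x9", "CH", 10, 0)))
    print(authenticate(LoginContext("alice", "dev-x9", "US", 3, 5)))
```

The decision is what the deck's "behavior model" feeds into the authentication flow: the strong authentication factor is demanded only when the observed behaviour departs from the profile, instead of on every login.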

Integration with web application

Web application: basic authentication model

Web application: Strong Authentication Implementation Blueprint

“Shielding” approach: perimetric authentication using Reverse Proxy / WAF

Module/Agent-based approach

API/SDK based approach

ICAM: a changing paradigm on Strong Authentication

Federation of identity approach, a change of paradigm: using an IDP for Authentication and Strong Authentication

Identity Provider: SAML, OpenID, etc.

Strong Authentication & Application Security

Threat Modeling

“detecting web application threats before coding”

Questions ?