MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tel +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch




Strong Authentication in Web Application
        “State of the Art 2011”




              Sylvain Maret / Digital Security Expert / OpenID Switzerland
                       Yverdon - IT Security Days / 16-03-2011


Technology consulting
Agenda




Who am I?




                         Security Expert
                              17 years of experience in ICT Security
                              Principal Consultant at MARET Consulting
                              Expert at Engineer School of Yverdon & Geneva University
                              Swiss French Area delegate at OpenID Switzerland
                              Co-founder Geneva Application Security Forum
                              OWASP Member
                              Author of the blog: la Citadelle Electronique
                              http://ch.linkedin.com/in/smaret or @smaret
                              http://www.slideshare.net/smaret


                         Chosen field
                              AppSec & Digital Identity Security
Protection of digital identities: a topical issue…




                                       Strong Auth




Definition of strong authentication




                          Strong Authentication on Wikipedia
"Digital identity is the cornerstone of trust"




                          http://fr.wikipedia.org/wiki/Authentification_forte




Strong Authentication

A new paradigm!
Which Strong Authentication technology ?
             Legacy Token / Old Model ? / Open Source Solution ?




Comparison of strong authentication technologies: OTP, PKI (HW), Biometry*

Criteria compared:
    Strong authentication
    Encryption
    Digital signature
    Non-repudiation
    Strong link with the user

* Biometrics of the fingerprint type
Strong Authentication with PKI
PKI: Digital Certificate

Hardware Token (Crypto PKI): Strong Authentication
Software Certificate (PKCS#12; PFX)
SSL/TLS Mutual Authentication: how does it work?

Alice <-> Web Server: SSL / TLS Mutual Authentication
Web Server -> Validation Authority: CRL or OCSP Request
Validation Authority -> Web Server: Valid / Invalid / Unknown
Demo #1: OpenID and Software Certificate using Clavid.ch




                          http://www.clavid.com/
Strong Authentication with Biometry (Match on Card technology)

A reader
    Biometry
    SmartCard

A card with chip
    MOC technology
    Crypto processor
    PC/SC
    PKCS#11
    X.509 digital certificate
Strong Authentication with (O)ne (T)ime (P)assword
(O)ne (T)ime (P)assword

OTP Time Based
OTP Event Based
OTP Challenge Response Based

Others:
    OTP via SMS
    OTP via email
    Biometry and OTP
    Bingo Card
    Etc.
OTP T-B? OTP E-B? OTP C-R-B?

Crypto-101
Crypto-101 / Time Based OTP

K = Secret Key / Seed
T = UTC Time
HASH function (K, T) -> OTP

i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
Crypto-101 / Event Based OTP

K = Secret Key / Seed
C = Counter
HASH function (K, C) -> OTP

i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
Crypto-101 / OTP Challenge Response Based

K = Secret Key / Seed
Challenge = nonce
HASH function (K, nonce) -> OTP


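The three Crypto-101 slides above share one construction, Truncate(HMAC-SHA-1(K, message)), with the message being a clock value, a counter or a server nonce. As an added example (not code from the talk or from the multiOTP class), the Python below implements it with the RFC 4226 / RFC 6238 test-vector seed as constructed input, and adds the server-side checks a verifier needs: a look-ahead window with replay rejection for event-based tokens and a clock-drift window for time-based ones. The challenge/response variant follows the slide's picture and is not the OCRA data-input format.

```python
import hmac
import hashlib
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at the offset given by the low nibble
    of the last byte, clear the sign bit, keep the last `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): OTP(K, C) = Truncate(HMAC-SHA-1(K, C)),
    C being encoded as an 8-byte big-endian integer."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the same computation with C = floor(T / step)."""
    return hotp(key, unix_time // step, digits)


def challenge_response_otp(key: bytes, nonce: bytes, digits: int = 6) -> str:
    """Challenge/response OTP as drawn on the slide: the server's nonce, rather than a
    counter or the clock, is the message fed to HMAC-SHA-1 (simplified, not OCRA)."""
    mac = hmac.new(key, nonce, hashlib.sha1).digest()
    return _truncate(mac, digits)


def verify_hotp(key: bytes, candidate: str, last_counter: int,
                window: int = 10, digits: int = 6):
    """Server-side event-based check. A token drifts ahead of the server every time the
    button is pressed without a login, so the server searches a look-ahead window.
    Returns the counter to persist as the new `last_counter`, or None on failure.
    Starting at last_counter + 1 means an already accepted code is never accepted again."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(key, c, digits), candidate):
            return c
    return None


def verify_totp(key: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, drift: int = 1):
    """Server-side time-based check tolerating +/- `drift` steps of clock skew.
    Returns the matching step so the caller can refuse a second use of that step."""
    t = unix_time // step
    for c in range(t - drift, t + drift + 1):
        if hmac.compare_digest(hotp(key, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    # Constructed input: the RFC 4226 / RFC 6238 test-vector seed, not a real secret.
    seed = b"12345678901234567890"
    print("HOTP(C=0):", hotp(seed, 0), " TOTP(T=59, 8 digits):", totp(seed, 59, digits=8))
```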
Other OTP technologies…

OTP via SMS

"Flicker code": generator software that converts already encrypted data into an optical screen animation (by Elcard)
Demo #2: Protect WordPress (OTP Via SMS)




How to store my secret key?

A token!
OTP Token: Software vs Hardware ?




Software OTP for Smartphone




                          http://itunes.apple.com/us/app/iotp/id328973960
New Standards & Open Source
Technologies accessible to everyone

Initiative for Open AuTHentication (OATH)
    HOTP
    TOTP
    OCRA
    Etc.

Mobile OTP
    (uses MD5 …)
OATH Reference Architecture, Release 2.0




                          http://www.openauthentication.org/
Initiative for Open AuTHentication (OATH)

HOTP
    Event Based OTP
    RFC 4226

TOTP
    Time Based OTP
    Draft IETF Version 8

OCRA
    Challenge/Response OTP
    Draft IETF Version 13

Token Identifier Specification

IETF KeyProv Working Group
    PSKC - Portable Symmetric Key Container, RFC 6030
    DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063

And more!

http://www.openauthentication.org/specifications
(R)isk (B)ased (A)uthentication
RBA (Risk-Based Authentication) = Behavior Model




2-Step Verification from Google!

Uses OATH-HOTP & TOTP

http://code.google.com/p/google-authenticator/
Integration with web application
Web application: basic authentication model




Web application: Strong Authentication model




"Shielding" approach: perimetric authentication using Reverse Proxy / WAF
Module/Agent-based approach (example)




Demo #4: Apache and Mod_OpenID (Using Biometry / OTP)




Demo #4: Challenge / Response OTP with Biometry




API/SDK based approach (example)




Multi OTP PHP Class Demo




Proof of Concept Code by Anne Gosselin, Antonio Fontes, Sylvain Maret!

if (! empty($_REQUEST['pma_username'])) {
    // The user just logged in
    $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];

    // We combine PIN code + OTP for the token verification
    $fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
    $fooOtp  = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];
    $GLOBALS['PHP_AUTH_PW'] = $fooPass . $fooOtp;

    // OTP CHECK
    require_once('./libraries/multiotp.class.php');
    $multiotp = new Multiotp();
    $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
    $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
    $multiotp->SetUsersFolder('./libraries/users/');
    $multiotp->SetLogFolder('./libraries/log/');
    $multiotp->EnableVerboseLog();

    $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);

    // Only the PIN code is kept for accessing the database: strip the OTP
    // (of whatever length was submitted) from the end of the combined value
    $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0,
                                     strlen($GLOBALS['PHP_AUTH_PW']) - strlen($fooOtp));

    // CheckToken() returns 0 when the OTP is accepted
    if ($otpCheckResult == 0) {
        return true;
    } else {
        die("auth failed.");
    }
}
Howto #1

Step 1: Add a new method using cookie authentication (in config.inc.php)
Step 2: Add pma_otp field (in common.inc.php)
Step 3: Add new input

Original file: cookie.auth.lib.php
New file: cookieotp.auth.lib.php
Original file: cookie.auth.lib.php
New file: cookieotp.auth.lib.php

Step 3: Call multiotp
Demo #3: PHP Integration for phpmyadmin
Multi OTP PHP Class by André Liechti (Switzerland)

Source code will be published soon:
    http://www.citadelle-electronique.net/
    http://www.multiotp.net/
Strong Authentication & Application Security
Threat Modeling: "detecting web application threats before coding"

14h30: Antonio Fontes
"Threat modeling your web application: mitigating risks right from the start!"
Federated identities: a changing paradigm on authentication
Federation of identity approach, a change of paradigm: using an IDP for Authentication and Strong Authentication

Diagram: Identity Provider serving Web App X and Web App Y
SECTION 2
                          OpenID
                          > What is it?
                          > How does it work?
                          > How to integrate?



OpenID - What is it?

> Internet SingleSignOn
> Relatively Simple Protocol
> User-Centric Identity Management
> Internet Scalable
> Free Choice of Identity Provider
> No License Fee
> Independent of Identification Methods
> Non-Profit Organization
OpenID - How does it work?

Actors: User Hans Muster (OpenID hans.muster.clavid.com, Identity URL https://hans.muster.clavid.com), Identity Provider (e.g. clavid.com), Enabled Service

Caption
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation
Surprise! You may already have an OpenID!
Other Well Known & Simple Providers

http://en.wikipedia.org/wiki/List_of_OpenID_providers
Get an OpenID with Strong Authentication for free !




Questions ?




Resources on Internet 1/2

http://motp.sourceforge.net/
http://www.clavid.ch/otp
http://code.google.com/p/mod-authn-otp/
http://www.multiotp.net/
http://www.openauthentication.org/
http://wiki.openid.net/
http://www.citadelle-electronique.net/
Resources on Internet 2/2

http://rcdevs.com/products/openotp/
https://github.com/adulau/paper-token
http://www.yubico.com/yubikey
http://www.nongnu.org/oath-toolkit/
http://www.gpaterno.com/publications/2010/dublin_oss
barcamp_2010_otp_with_oss.pdf
"Advice and expertise for the choice and implementation of innovative technologies in information systems security and digital identity"
A strong conviction!

Strong authentication
SECTION 1
                          SAML
                          >What is it?
                          >How does it work?




Using SAML for Authentication and Strong Authentication

(Assertion Consumer Service)
SAML – What is it?

SAML (Security Assertion Markup Language):
> Defined by the OASIS group
> Well and Academically Designed Specification
> Uses XML Syntax
> Used for Authentication & Authorization

> SAML Assertions
    > Statements: Authentication, Attribute, Authorization

> SAML Protocols
    > Queries: Authentication, Artifact, Name Identifier Mapping, etc.

> SAML Bindings
    > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact

> SAML Profiles
    > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile
SAML – How does it work?

Flow diagram: User Hans Muster, Identity Provider (e.g. clavid.ch), Enabled Service (e.g. Google Apps for Business), with numbered steps 1 to 6 exchanged between them.
Example with HTTP POST Binding

Actors: Browser, Web App SAML Ready (with its ACS, Assertion Consumer Service), IDP MC (with its Single Sign On Service)

1. Browser -> Web App: Access Resource
2. Web App: AuthN required, an <AuthnRequest> is built
3. Web App -> Browser: Redirect 302 carrying the <AuthnRequest>
4. Browser -> IDP Single Sign On Service: <AuthnRequest>
5a. IDP -> Browser: Credential Challenge
5b. Browser -> IDP: User Login + PIN
6. IDP -> Browser: <Response> in HTML Form
7. Browser -> Web App ACS: POST <Response>
8. Web App -> Browser: Resource
A major event in the world of strong authentication

12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
    "Single-factor authentication" is not enough for web financial applications
    Before the end of 2006 it is compulsory to implement a strong authentication system
    http://www.ffiec.gov/press/pr101205.htm

And the PCI DSS standard
    Compulsory strong authentication for remote access

And now European regulations
    Payment Services (2007/64/CE) for banks

Social Networks, Open Source
Out of Band Authentication




Phone Factor




SAML




SAML AuthnRequest Transfer via Browser

Redirect-Binding

POST-Binding
A SAML AuthnRequest (no magic, just XML)

<?xml version="1.0" encoding="UTF-8"?>

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb"
     Version="2.0"
     IssueInstant="2008-10-14T00:57:14Z"
     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
     ProviderName="google.com"
     ForceAuthn="false"
     IsPassive="false"
     AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">

    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        google.com
    </saml:Issuer>

    <samlp:NameIDPolicy AllowCreate="true"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />

</samlp:AuthnRequest>
SAML Assertion Transfer via Browser

POST-Binding
A SAML Assertion Response (no magic, just XML)
              <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                   ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
                   InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
                   Version="2.0"
                   IssueInstant="2008-10-15T17:24:46Z"
                   Destination="https://www.google.com/a/unopass.net/acs">

                  <saml:Issuer>
                      http://idp.unopass.net:80/opensso
                  </saml:Issuer>

                  <samlp:Status>
                     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
                  </samlp:Status>

                  <saml:Assertion
                    ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"
                    IssueInstant="2008-10-15T17:24:46Z"
                    Version="2.0">
                    <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
                    <Signature>
                      … A DIGITAL SIGNATURE …
                    </Signature>


                          ...


A SAML Assertion Response (no magic, just XML)



                          ...

                          <saml:Subject>
                             <saml:NameID
                                NameQualifier="http://idp.unopass.net:80/opensso">
                                sylvain.maret
                             </saml:NameID>
                             <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
                                <saml:SubjectConfirmationData
                                  InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
                                  NotOnOrAfter="2008-10-15T17:34:46Z"
                                  Recipient="https://www.google.com/a/unopass.net/acs"/>
                             </saml:SubjectConfirmation>
                          </saml:Subject>

                          ...




A SAML Assertion Response (no magic, just XML)



                          ...


                   <saml:Conditions NotBefore="2008-10-15T17:14:46Z"
                              NotOnOrAfter="2008-10-15T17:34:46Z">
                      <saml:AudienceRestriction>
                         <saml:Audience>google.com</saml:Audience>
                      </saml:AudienceRestriction>
                   </saml:Conditions>
                   <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z"
                              SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
                      <saml:AuthnContext>
                         <saml:AuthnContextClassRef>
                           urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                         </saml:AuthnContextClassRef>
                      </saml:AuthnContext>
                   </saml:AuthnStatement>
                </saml:Assertion>
              </samlp:Response>




