Strong Authentication in Web Application #SCS III
4 likes2,034 views
The document discusses strong authentication methods in web applications as of 2011, emphasizing the importance of digital identity in establishing trust. It covers various technologies including OTP, PKI, and biometric solutions, along with their implementation in secure web applications. The document also highlights the shift in authentication paradigms and regulatory requirements affecting financial institutions and online services.
![Other[s] OTP technologies…
OTP Via SMS
“Flicker code” Generator Software
that converts already
encrypted data into
optical screen animation
By Elcard](https://image.slidesharecdn.com/swisscyberstorm-3-sylvain-maret-v1-110513083731-phpapp01/85/Strong-Authentication-in-Web-Application-SCS-III-23-320.jpg)
![Where are[is] the seed ?](https://image.slidesharecdn.com/swisscyberstorm-3-sylvain-maret-v1-110513083731-phpapp01/85/Strong-Authentication-in-Web-Application-SCS-III-29-320.jpg)
![Seed generation & distribution ? Still a good model ?
K1
Threat
Agent Editor / Vendor
(APT)
Secret Key are[is]
generated on promise
K1 K1](https://image.slidesharecdn.com/swisscyberstorm-3-sylvain-maret-v1-110513083731-phpapp01/85/Strong-Authentication-in-Web-Application-SCS-III-31-320.jpg)
![Proof of Concept Code by
Anne Gosselin, Antonio Fontes, Sylvain Maret !
if (! empty($_REQUEST['pma_username'])) {
// The user just logged in
$GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
// we combine both OTP + PIN code for the token verification
$fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
$fooOtp = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];
$GLOBALS['PHP_AUTH_PW'] = $fooPass.''.$fooOtp;
// OTP CHECK
require_once('./libraries/multiotp.class.php');
$multiotp = new Multiotp();
$multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
$multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
$multiotp->SetUsersFolder('./libraries/users/');
$multiotp->SetLogFolder('./libraries/log/');
$multiotp->EnableVerboseLog();
$otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);
// the PIN code use kept for accessing the database
$GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0, strlen($GLOBALS['PHP_AUTH_PW']
if($otpCheckResult == 0)
return true;
else
die("auth failed.");](https://image.slidesharecdn.com/swisscyberstorm-3-sylvain-maret-v1-110513083731-phpapp01/85/Strong-Authentication-in-Web-Application-SCS-III-49-320.jpg)
![Demo 4#: PHP[OTP] integration for[in] phpmyadmin](https://image.slidesharecdn.com/swisscyberstorm-3-sylvain-maret-v1-110513083731-phpapp01/85/Strong-Authentication-in-Web-Application-SCS-III-55-320.jpg)
Strong Authentication in Web Application #SCS III
- 1. Strong Authentication in Web Application “State of the Art 2011” Sylvain Maret / Digital Security Expert / OpenID Switzerland @smaret Version 1.0 / 2PM
- 3. RSA FAILED ?
- 4. Who am I? Security Expert 17 years of experience in ICT Security Principal Consultant at MARET Consulting Expert at Engineer School of Yverdon & Geneva University Swiss French Area delegate at OpenID Switzerland Co-founder Geneva Application Security Forum OWASP Member Author of the blog: la Citadelle Electronique http://ch.linkedin.com/in/smaret or @smaret http://www.slideshare.net/smaret Chosen field AppSec & Digital Identity Security
- 5. Protection of digital identities: a topical issue… Strong Auth
- 6. «Digital identity is the cornerstone of trust» http://fr.wikipedia.org/wiki/Authentification_forte
- 7. Definition of strong authentication Strong Authentication on Wikipedia
- 8. Strong Authentication A new paradigm?
- 9. Which Strong Authentication technology ? Legacy Token / OTP / PKI / SuisseID ? / Open Source Solution ?
- 11. OTP PKI (HW) Biometry Strong authentication Encryption Digital signature Non repudiation Strong link with the user
- 12. Strong Authentication with PKI
- 13. PKI: Digital Certificate Hardware Token (Crypto PKI) Strong Authentication Software Certificate (PKCS#12;PFX)
- 14. SSL/TLS Mutual Authentication : how does it work? Validation Authority CRL or OCSP Request Valid Invalid Unknown SSL / TLS Mutual Authentication Alice Web Server
- 15. Demo #1: Software Certificate Auth using an IDP OpenID http://www.clavid.com/
- 16. Strong Authentication with Biometry (Match on Card technology) A reader Biometry SmartCard A card with chip Technology MOC Crypto Processor PC/SC PKCS#11 Digital certificate X509
- 17. Strong Authentication With (O)ne (T)ime (P)assword
- 18. (O)ne (T)ime (P)assword OTP Time Based Others: Like SecurID OTP via SMS OTP Event Based OTP via email Biometry and OTP Bingo Card OTP Challenge Etc. Response Based
- 19. OTP T-B? OTP E-B? OTP C-R-B? Crypto - 101
- 20. Crypto-101 / Time Based OTP HASH Function K=Secret Key / Seed OTP T=UTC Time ie = OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
- 21. Crypto-101 / Event Based OTP HASH Function K=Secret Key / Seed OTP C = Counter ie = OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
- 22. Crypto-101 / OTP Challenge Response Based HASH Function K=Secret Key / Seed OTP Challenge nonce ie:
- 23. Other[s] OTP technologies… OTP Via SMS “Flicker code” Generator Software that converts already encrypted data into optical screen animation By Elcard
- 24. Demo #2: Protect WordPress (OTP Via SMS)
- 25. How to Store my Secret Key ? A Token !
- 26. OTP Token: Software vs Hardware ?
- 27. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960
- 29. Where are[is] the seed ?
- 31. Seed generation & distribution ? Still a good model ? K1 Threat Agent Editor / Vendor (APT) Secret Key are[is] generated on promise K1 K1
- 32. TokenCode
- 33. New Standards & Open Source
- 34. Technologies accessible to everyone Initiative for Open AuTHentication (OATH) HOTP TOTP OCRA Etc. Mobile OTP (Use MD5 …..)
- 35. Initiative for Open AuTHentication (OATH) HOTP Event Based OTP Token Identifier RFC 4226 Specification TOTP IETF KeyProv Working Group Time Based OTP PSKC - Portable Symmetric Key Container, RFC 6030 Draft IETF Version 8 DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063 OCRA Challenge/Response OTP And more ! Draft IETF Version 13 http://www.openauthentication.org/specifications
- 37. RBA (Risk-Based Authentication) = Behavior Model
- 38. Use OATH-HOTP & TOTP http://code.google.com/p/google-authenticator/
- 41. Web application: basic authentication model
- 42. Web application: Strong Authentication Implementation Blueprint
- 43. “Shielding" approach: perimetric authentication using Reverse Proxy / WAF
- 45. Demo #3: Apache and Mod_OpenID (Using Biometry / OTP)
- 46. Demo #3: Challenge / Response OTP with Biometry
- 47. API/SDK based approach (example)
- 48. Multi OTP PHP Class Demo #4 & Hardening OS
- 49. Proof of Concept Code by Anne Gosselin, Antonio Fontes, Sylvain Maret ! if (! empty($_REQUEST['pma_username'])) { // The user just logged in $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username']; // we combine both OTP + PIN code for the token verification $fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password']; $fooOtp = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp']; $GLOBALS['PHP_AUTH_PW'] = $fooPass.''.$fooOtp; // OTP CHECK require_once('./libraries/multiotp.class.php'); $multiotp = new Multiotp(); $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']); $multiotp->SetEncryptionKey('DefaultCliEncryptionKey'); $multiotp->SetUsersFolder('./libraries/users/'); $multiotp->SetLogFolder('./libraries/log/'); $multiotp->EnableVerboseLog(); $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']); // the PIN code use kept for accessing the database $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0, strlen($GLOBALS['PHP_AUTH_PW'] if($otpCheckResult == 0) return true; else die("auth failed.");
- 50. Step1: Add a new method using cookie authentication In config.inc.php Howto #1
- 51. Step2: Add pma_otp field In common.inc.php
- 52. Step3: Add new input File ori: cookie.auth.lib.php New file: cookieotp.auth.lib.php
- 54. New file: cookieotp.auth.lib.php Step3: Call multiotp
- 55. Demo 4#: PHP[OTP] integration for[in] phpmyadmin
- 56. Multi OTP PHP Class by André Liechti (Switzerland) Source Code will be publish soon: http://www.citadelle-electronique.net/ http://www.multiotp.net/
- 58. SSH Hardening with OTP Multi OTP PHP Class AES 256 PAM
- 59. Strong Authentication Strong Authentication and Application Security & Application Security
- 60. Threat Modeling “detecting web application threats before coding”
- 61. ICAM: a changing paradigm on Strong Authentication
- 62. Federation of identity approach a change of paradigm: using IDP for Authentication and Strong Authentication Identity Provider SAML, OpenID, etc
- 63. SECTION 2 OpenID > What is it? > How does it work? > How to integrate?
- 64. OpenID - What is it? > Internet SingleSignOn > Free Choice of Identity Provider > Relatively Simple Protocol > No License Fee > User-Centric Identity Management > Independent of Identification Methods > Internet Scalable > Non-Profit Organization
- 65. OpenID - How does it work? User Hans Muster 3 4, 4a Identity Provider e.g. clavid.com hans.muster.clavid.com 5 6 1 2 Identity URL Caption https://hans.muster.clavid.com 1. User enters OpenID 2. Discovery 3. Authentication 4. Approval 4a. Change Attributes 5. Send Attributes 6. Validation Enabled Service
- 66. Surprise! You may already have an OpenID !
- 67. Other Well Known & Simple Providers http://en.wikipedia.org/wiki/List_of_OpenID_providers
- 68. Get an OpenID with Strong Authentication for free !
- 69. Questions ?
- 70. Resources on Internet 1/2 http://motp.sourceforge.net/ http://www.clavid.ch/otp http://code.google.com/p/mod-authn-otp/ http://www.multiotp.net/ http://www.openauthentication.org/ http://wiki.openid.net/ http://www.citadelle-electronique.net/ http://code.google.com/p/mod-authn-otp/
- 71. Resources on Internet 2/2 http://rcdevs.com/products/openotp/ https://github.com/adulau/paper-token http://www.yubico.com/yubikey http://code.google.com/p/mod-authn-otp/ http://www.nongnu.org/oath-toolkit/ http://www.nongnu.org/oath-toolkit/ http://www.gpaterno.com/publications/2010/dublin_oss barcamp_2010_otp_with_oss.pdf
- 72. Backup Slides
- 74. Une conviction forte ! Authentification forte
- 75. SECTION 1 SAML >What is it? >How does it work?
- 76. Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)
- 77. SAML – What is it? SAML (Security Assertion Markup Language): > Defined by the Oasis Group > Well and Academically Designed Specification > Uses XML Syntax > Used for Authentication & Authorization > SAML Assertions > Statements: Authentication, Attribute, Authorization > SAML Protocols > Queries: Authentication, Artifact, Name Identifier Mapping, etc. > SAML Bindings > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact > SAML Profiles > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile
- 78. SAML – How does it work? User Hans Muster 3 2 4 Identity Provider e.g. clavid.ch 4 2 1 6 Enabled Service e.g. Google Apps for Business
- 79. Example with HTTP POST Binding Access Resource Browser Web App SAML Ready 1 AuthN 2 <AuthnRequest> 3 + PIN Redirect 302 ACS POST <Response> 7 Ressource Ressource 8 <Response> in HTML Form 6 Single Sign On Service <AuthnRequest> 4 Credential Challenge 5a User Login IDP MC 5b
- 80. A major event in the world of strong authentication 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive « Single Factor Authentication » is not enough for the web financial applications Before end 2006 it is compulsory to implement a strong authentication system http://www.ffiec.gov/press/pr101205.htm And the PCI DSS norm Compulsory strong authentication for distant accesses And now European regulations Payment Services (2007/64/CE) for banks Social Networks, Open Source
- 81. Out of Band Authentication
- 82. Phone Factor
- 83. SAML
- 84. SAML AuthnRequst Transfer via Browser Redirect-Binding POST-Binding
- 85. A SAML AuthnRequest (no magic, just XML) <?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol“ ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb“ Version="2.0” IssueInstant="2008-10-14T00:57:14Z” ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” ProviderName="google.com” ForceAuthn="false” IsPassive="false” AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> google.com </saml:Issuer> <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" /> </samlp:AuthnRequest>
- 86. SAML Assertion Transfer via Browser POST-Binding
- 87. A SAML Assertion Response (no magic, just XML) <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4" InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" Version="2.0" IssueInstant="2008-10-15T17:24:46Z" Destination="https://www.google.com/a/unopass.net/acs"> <saml:Issuer> http://idp.unopass.net:80/opensso </saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z" Version="2.0"> <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer> <Signature> … A DIGITAL SIGNATURE … </Signature> ...
- 88. A SAML Assertion Response (no magic, just XML) ... <saml:Subject> <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso"> sylvain.maret </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:...:bearer"> <saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" NotOnOrAfter="2008-10-15T17:34:46Z" Recipient="https://www.google.com/a/unopass.net/acs"/> </saml:SubjectConfirmation> </saml:Subject> ...
- 89. A SAML Assertion Response (no magic, just XML) ... <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z"> <saml:AudienceRestriction> <saml:Audience>google.com</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z“ SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion> </samlp:Response>