WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server

Post on 22-Feb-2017


Transcript of WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server

FIDO Universal Second Factor (U2F) for WSO2 Identity Server

Ishara Karunarathna, Senior Software Engineer, WSO2
Jerrod Chong, Solutions Team Leader, Yubico
Rob Blaauboer, Integration Consultant, Yenlo

December 8th 2015

About the presenters


Ishara Karunarathna, Senior Software Engineer, WSO2
Ishara is a Senior Software Engineer at WSO2 and a key member of the WSO2 Identity Server team, contributing to the Identity Server and to the security of the WSO2 platform. He has participated in several customer engagements, helping customers realize enterprise use cases and build solutions on top of the WSO2 platform.

Jerrod Chong, Solutions Team Leader, Yubico
Jerrod leads the Solutions team at Yubico and has over fifteen years of experience specializing in enterprise security solutions. He works with small, medium and enterprise customers to consult on and build open, scalable security solutions. Jerrod is also an active contributor to the FIDO Alliance U2F technical working group and the security certification development committee.

Rob Blaauboer, Senior Consultant, Yenlo
Rob is a Senior Business Consultant and Solution Architect with more than twenty years of experience. In addition to his work he is an active blogger, writing a number of articles on the 'Internet of Things' and a WSO2 'Getting Started with ...' series in which he explains WSO2 components and their purpose, aimed especially at non-technical readers.

About Yenlo

• Global enterprise, founded in 2007 with an international focus on delivering integration solutions based on Java open source

• #1 in the field of Integration Solutions

• #1 in Managed Services for middleware environments

• #1 Global Strategic Alliance partner of WSO2

• WSO2 Product Support

• WSO2 Development

• WSO2 QuickStarts

• WSO2 Training & Certifications

• WSO2 24/7 Managed Services

• WSO2 Events

What Yenlo delivers

• Service areas: Enterprise Architecture, Software Development, Managed Services

• Offerings: WSO2 Product Support, WSO2 Development Support, WSO2 QuickStart, WSO2 Training & Certifications, WSO2 Managed Services, WSO2 Events

Agenda


Making WSO2 Identity Server more secure with FIDO UAF & U2F

• Our security is at risk

• Introduction to FIDO and why FIDO U2F

• Introduction to WSO2 IS

• Demo

• Benefits of the solution

• Q&A

Our security is at risk

Making it more secure

Start at the basis!

o Access to a mail service enables a hacker to access many more systems

o Gmail supports FIDO and other 2nd factors

o Sensitive information should be secured

What is a factor?

o Something you know is, for instance, a password or even a username

o Something you have is a smartcard, token or smartphone

o Something you are is your face, voice and fingerprint (and many more, even the way you type)

o The more factors the better

Depending on the use case, the level of security needs to be higher:

o Logging in to a news website: userId and password

o Logging in to an eCommerce website like Amazon: userId and password and the option to increase the level of security

o Logging into your internet banking or government services: userId and password and a challenge / response


FIDO Universal 2nd Factor

Simple, secure, open and scalable 2FA

Benefits of U2F Over Other 2FA

One device, many sites, with no shared secrets

Open standard, platform/browser support (no client, no driver)

Protection against phishing and MitM

Stats from Google Deployment U2F vs Google Authenticator

4x faster to login

Support reduced by 40%

Significant fraud reduction


FIDO U2F Ecosystem (250+ Members)

• Online services

• Chip providers

• Device providers

• Biometrics technology

• Enterprise servers

• Open source sw/servers

• Mobile apps & clients

• Browsers

Individual with U2F Device / Relying Party

Registration

1. Server sends challenge

2. Device generates key pair

3. Device creates key handle

4. Device signs challenge + client info

5. Server receives and verifies device signature using attestation cert

6. Key handle and public key are stored in database

Authentication

1. Server sends challenge + key handle

2. Device unwraps/derives private key from key handle

3. Device signs challenge + client info

4. Server receives and verifies using stored public key

U2F Entities

Relying Party: Web Application, U2F Library, Public Keys + Key Handles + Certificates

User Side:

o FIDO Client (Browser): U2F JS API, U2F Code, USB (HID) API, NFC API, Bluetooth API

o Transport: USB (HID), NFC, Bluetooth

o U2F Authenticator: Secure U2F Element (optional), User Action

Protocol Design Step-By-Step

Authentication

1. Relying Party → Client → U2F Device: challenge

2. U2F Device: sign with kpriv → s = signature(challenge)

3. U2F Device → Client → Relying Party: s

4. Relying Party: look up kpub; check signature s using kpub

Phishing/MitM Protection

1. Relying Party → Client: challenge

2. Client → U2F Device: c = (challenge, origin, channel id)

3. U2F Device: sign with kpriv → s = signature(c)

4. U2F Device → Client → Relying Party: c, s

5. Relying Party: look up kpub; check s using kpub; verify origin & channel id

Application-Specific Keys

1. Relying Party → Client: handle h, app id a, challenge

2. Client → U2F Device: h, a; c = (challenge, origin, channel id, etc.)

3. U2F Device: check app id a; look up the kpriv associated with h; sign with kpriv → s = signature(a, c)

4. U2F Device → Client → Relying Party: c, s, h

5. Relying Party: look up the kpub associated with h; check s using kpub; verify origin & channel id

Registration + Device Attestation

1. Relying Party → Client: app id a, challenge

2. Client → U2F Device: a; c = (challenge, origin, channel id, etc.)

3. U2F Device: check app id a; generate kpub, kpriv and handle h; produce kpub, h, attestation cert and s = signature(a, c, kpub, h)

4. U2F Device → Client → Relying Party: c, kpub, h, attestation cert, s

5. Relying Party: associate kpub with handle h for the user


Adding U2F Support

Original Database (Relying Party)

user_id: JohnDoe, Password#: 4^hfd;;`gpo

U2F Database (related to the original database by user_id)

user_id: JohnDoe, Meta: Yubico, Security Key, USB, U2F Data: key handle, public key, certificate

user_id: JohnDoe, Meta: Yubico, YubiKey NEO, USB + NFC, U2F Data: key handle, public key, certificate

Yubico - inventors of the YubiKey. Find out more at yubi.co

Introduction WSO2 Identity Server

What is WSO2 Identity Server

An open source Identity & Entitlement management server

o 100% free and open source with commercial support

o Lightweight and high performance

o Highly modular and extensible

o User friendly with minimal learning curve

o Based on open standards

Authentication framework

o No more federation silos or spaghetti identity anti-patterns

o Multi-option and multi-step authentication

o Authentication Bridge

o Provisioning Bridge

o Local and federated authentication

FIDO U2F implementation in Identity Server

o Implements U2F authentication via a local authenticator

o Implements U2F registration via the user dashboard

ADDING FIDO TO A LOGIN SEQUENCE

Demo scenario

o Prerequisites for the demo

o Start WSO2 Identity Server 5.1.0

o Log in on the User Dashboard

o Add U2F device (Yubico)

Secure Single Sign-On solution

Demo

FIDO AND WSO2 IDENTITY SERVER: WHAT ARE THE BENEFITS?

Making it more secure

FIDO is an open standard: one key can be used for multiple applications

+ WSO2 is an open platform: integration is easy

= The level of security increases and the cost is relatively low

Questions & Answers

Download the webinar presentation on slideshare: http://www.slideshare.net/YenloBV

Contact us!