Post password era - Bernard Toplak, OWASP Croatia Meetup 2016
by Bernard Toplak
OWASP Croatia, Feb 2016
Post-Password Era
Understanding (new) methods of authentication
Bernard Toplak OWASP Croatia, Feb 2016
The damnation of ... Passwords
Issues with passwords
1. Passwords can be “stolen” from
   a. compromised / untrusted device
   b. untrusted website (phishing)
   c. legitimate server
   d. user himself
Issues with passwords
2. Users can’t/won’t remember “stronger” passwords, which leads to:
   a. weak and/or guessable passwords
   b. reuse on many/all places
   c. inconvenient to type the password on a phone
Discussed in detail in ... my presentation from FSEC 2014
The solution in ... Multi-Factor Authentication
Multi-Factor Authentication
Factors of authentication:
1. something you know (knowledge)
2. something you have (possession)
3. something you are (inherence)
2-Factor vs. 2-Step
2-step = twice the same factor
2-factor = each step is also a different factor
2FA
… Patented in 1984
The usual implementation is ... OATH
OATH
Initiative for Open AuTHentication
• industry-level collaboration
• developing
  – open standards
  – reference architecture
OATH ≠ OAuth
OATH Authentication Methods
A. HOTP (RFC 4226, Dec. 2005): An HMAC-Based One-Time Password Algorithm
B. TOTP (RFC 6238, May 2011): Time-Based One-Time Password Algorithm
C. OCRA (RFC 6287, Jun. 2011): OATH Challenge/Response Algorithms
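The HOTP and TOTP algorithms named above (RFC 4226 and RFC 6238), as an added worked example that is not from the slides: a standard-library-only Python implementation of both, plus the verification loop a relying party needs on its side (a small clock-skew window, constant-time comparison, and refusal to accept a time step that has already been consumed, so a code sniffed from an SMS or screen cannot be replayed later). The `TotpVerifier` class and the user names are constructed for the demo; the secret is the public test key published in both RFCs.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second periods since the epoch."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits, algo)


class TotpVerifier:
    """Relying-party side (constructed for this example). Accepts a code from the current step
    or `window` steps either side (clock skew), compares in constant time, and records the
    highest step consumed per user so the same code, or an older one still inside the window,
    is never accepted twice. This closes replay of a sniffed code; it does not stop a code
    relayed in real time by a MITM/MITB, which still arrives inside the window."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.step, self.digits, self.window = step, digits, window
        self.last_step: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        current = now // self.step
        for step_no in range(max(0, current - self.window), current + self.window + 1):
            if step_no <= self.last_step.get(user, -1):
                continue                                      # already consumed: replay
            if hmac.compare_digest(hotp(secret, step_no, self.digits), code):
                self.last_step[user] = step_no
                return True
        return False


# Reference key from the RFC 4226 / RFC 6238 test vectors (public; never reuse it in production).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0..2:", [hotp(RFC_SECRET, c) for c in range(3)])
    print("TOTP at T=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))
    v = TotpVerifier()
    code = totp(RFC_SECRET, 59)
    print("first use:", v.verify("alice", RFC_SECRET, code, 59))   # True
    print("replay:   ", v.verify("alice", RFC_SECRET, code, 59))   # False
```

The `hotp` output for counter 0 with the RFC key is 755224 and the 8-digit TOTP at T=59 is 94287082, matching the RFC test vectors; any change to the truncation or counter encoding shows up immediately against them, which is why a verifier implementation should always be checked against those vectors before deployment.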
One Time Password
Intended to act as a bridge between legacy and modern applications.
Widely implemented as:
1. SMS distributed
2. software token (often mobile app)
3. hardware token
Issues with OTP
1. Vulnerable to the following types of attacks:
   a. MITM - man in the middle
   b. MITB - man in the browser
Issues with OTP
2. Questionable privacy of the SMS-delivered OTP
   a. mobile operator
   b. over-the-air sniffing
   c. phone OS environment
Issues with OTP
3. Yet another (expensive) device
4. Inconvenient to type OTP on phone etc.
OTP libraries and example code
• OWASP JOTP project
• Google Authenticator open-sourced (Android, iOS, Blackberry, libpam)
• http://oauth.net/code/
• https://github.com/search?q=otp (1,557 repos)
• https://github.com/search?q=oath (371 repos)
The complication of ... PKI
Public Key Infrastructure
A wide and rather complex set of hardware, software, people, policies, and procedures for managing everything around digital certificates
Public Key Infrastructure
• developed since the 1970’s (GCHQ / Diffie-Hellman ...)
• fundamental security component of all major Internet protocols for authentication and communication (e.g. TLS, WS-Security, IPSec IKE, 802.1x, SIP ...)
PKI usages
• user authentication (e.g., smart card logon, client authentication with SSL)
• e-mail messages encryption and/or sender authentication (e.g. OpenPGP, S/MIME)
• documents encryption and/or authentication (e.g. XML Signature or XML Encryption)
• bootstrapping secure communication protocols (SSL/TLS, IKE)
• mobile signatures are electronic signatures that are created using a mobile device
PKI problems
1. it’s complex
2. it’s complex to implement and maintain the proper (read: secure) way
3. even when PKI works perfectly, it doesn't work
4. significant middleware overhead brings potential additional problems of tracking and updating every single “moving part” = outdated insecure versions
PKI libraries and projects
• OpenSSL - still the most used CA/PKI toolkit
• CFSSL - CloudFlare's PKI and TLS toolkit
• Let's Encrypt - free, automated, open CA
• PKI.IO - scalable X.509 certificate management
• OpenCA - full featured CA system
• Dogtag - enterprise-class CA system
• OpenXPKI - X.509v3 software stack
• EJBCA - enterprise-class CA (Java) system
• XCA - graphical interface and database
The birth of ... FIDO
… Is it a dog? Is it a plane?
FIDO (Fast Identity Online) Alliance.
The FIDO Alliance includes Google, Microsoft, RSA, ARM, Lenovo, Mastercard, Visa, PayPal, Discover, Samsung, BlackBerry, NXP, Yubico … among its members.
FIDO design principles
• easy to use
• one device - many services
• concept designed to make device production as cheap as it gets
• stronger security while reducing complexity
FIDO design principles
• no secrets on the server side (public key)
• no 3rd-pty in the protocol
• (if used) biometric data never leaves the device
• accounts and/or services are not “interchangeable”
1. Passwordless experience (UAF standard)
2. Second Factor experience (U2F Standard)
FIDO registration
FIDO login
Local auth plugins
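The design principles above (only a public key on the server side, so nothing stolen from it logs anyone in; a registration bound to one service, so accounts are not interchangeable) and the registration/login flow, as an added example that is not FIDO Alliance code and not a conformant U2F implementation: a small Python model of a token and a relying party using P-256 ECDSA from the `cryptography` package. It follows the U2F authentication signature layout (SHA-256 of the app ID, a user-presence byte, a 32-bit counter, SHA-256 of the challenge) but omits attestation certificates and key-handle wrapping. The `Authenticator` and `RelyingParty` classes, the app IDs and the user name are constructed for the demo.

```python
import hashlib
import os
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

ECDSA_SHA256 = ec.ECDSA(hashes.SHA256())


def signed_data(app_id: str, counter: int, challenge: bytes) -> bytes:
    """Bytes a U2F token signs during authentication: H(appId) || 0x01 (user present) ||
    counter (big-endian uint32) || H(challenge). Binding the app ID into the signature is
    what makes a registration unusable from any other origin."""
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + struct.pack(">I", counter) + hashlib.sha256(challenge).digest())


class Authenticator:
    """Hypothetical token: a fresh P-256 key pair per registration, bound to one app ID.
    Private keys never leave this object; only the public key and an opaque handle go out."""

    def __init__(self) -> None:
        self._keys = {}          # key handle -> (app_id, private key)
        self._counter = 0        # increments on every assertion; lets the server spot clones

    def register(self, app_id: str):
        priv = ec.generate_private_key(ec.SECP256R1())
        handle = os.urandom(16)
        self._keys[handle] = (app_id, priv)
        pub = priv.public_key().public_bytes(
            serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
        return handle, pub

    def authenticate(self, app_id: str, handle: bytes, challenge: bytes):
        registered_app, priv = self._keys[handle]
        if registered_app != app_id:             # handle was issued for a different origin
            raise ValueError("key handle not registered for this app ID")
        self._counter += 1
        return self._counter, priv.sign(signed_data(app_id, self._counter, challenge), ECDSA_SHA256)


class RelyingParty:
    """Server side. Stores only public keys, handles and the last counter seen: nothing here
    is a secret whose theft lets an attacker log in."""

    def __init__(self, app_id: str) -> None:
        self.app_id = app_id
        self.users = {}          # user -> dict(pub, handle, counter)
        self.pending = {}        # user -> outstanding challenge (single use)

    def finish_registration(self, user: str, handle: bytes, pub_bytes: bytes) -> None:
        pub = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECP256R1(), pub_bytes)
        self.users[user] = {"pub": pub, "handle": handle, "counter": 0}

    def begin_login(self, user: str):
        self.pending[user] = os.urandom(32)
        return self.users[user]["handle"], self.pending[user]

    def finish_login(self, user: str, counter: int, signature: bytes) -> bool:
        rec, challenge = self.users[user], self.pending.pop(user, None)
        if challenge is None:
            return False                          # no outstanding challenge: replayed or stale
        try:
            rec["pub"].verify(signature, signed_data(self.app_id, counter, challenge), ECDSA_SHA256)
        except InvalidSignature:
            return False
        if counter <= rec["counter"]:
            return False                          # counter went backwards: replay or cloned token
        rec["counter"] = counter
        return True


def demo() -> dict:
    """Constructed walk-through: one legitimate login, one replay, one relay via another origin."""
    token, rp = Authenticator(), RelyingParty("https://example.test")   # constructed app ID
    handle, pub = token.register(rp.app_id)
    rp.finish_registration("alice", handle, pub)

    handle, challenge = rp.begin_login("alice")
    counter, sig = token.authenticate(rp.app_id, handle, challenge)
    login_ok = rp.finish_login("alice", counter, sig)

    # Replay of the same assertion: the challenge is already consumed, so it is rejected.
    replay_ok = rp.finish_login("alice", counter, sig)

    # Challenge relayed from a look-alike origin: the client hands the token that origin as the
    # app ID, the handle is bound to the real one, and no assertion is produced at all.
    handle, challenge = rp.begin_login("alice")
    try:
        token.authenticate("https://examp1e.test", handle, challenge)   # constructed look-alike
        relay_ok = True
    except ValueError:
        relay_ok = False
    return {"login": login_ok, "replay": replay_ok, "relay_other_origin": relay_ok}


if __name__ == "__main__":
    print(demo())      # {'login': True, 'replay': False, 'relay_other_origin': False}
```

In a real deployment the browser, not the web page, supplies the app ID to the token and verifies it against the page origin, which is why the relay case fails even when the user is convinced the look-alike site is genuine; the counter check is what lets the relying party notice a cloned token later, since two copies of one key cannot both keep the counter strictly increasing.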
The invention of ... FIDO U2F
Universal 2nd Factor
• open authentication standard
• goal: Strong Authentication and Privacy for the Web
• initially developed by Google, Yubico and NXP, but now managed by the FIDO Alliance
U2F - Universal 2nd Factor
• based on similar security technology found in smart cards (PKI)
• streamlines the 2FA process using a U2F-enabled USB, NFC, BT-LE keyfob, card, or mobile device …
U2F browser integration
• Chrome - plugin v.38, natively v.40
• Firefox - WIP (tracker #1065729), plugin exists
• IE/Edge - announced for Win10, MS is FIDO member
• Opera - not yet
See http://caniuse.com/#feat=u2f
FIDO U2F soft libraries
Reference U2F implementation, Google
PHP based U2F server library
Python based U2F server library
Pluggable Authentication Module (PAM) for U2F
Ruby + Rails FIDO U2F lib
https://github.com/showcases/universal-2nd-factor
Finally, new ... Passwordless Auth-Protocols
Let’s go passwordless !!
Some of the authentication protocols that don’t require passwords:
• FIDO UAF
• OAuth (1.0a or 2.0)
• OpenID
• SAML - Security Assertion Markup Language
The invention of ... FIDO UAF
Universal Authentication Framework
Intended to use existing security technologies present on devices for authentication:
• fingerprint sensors
• cameras (face biometrics)
• microphones (voice biometrics)
• Trusted Execution Environments (TEEs)
• Secure Elements (SEs)
• and others ...
Universal Authentication Framework
The protocol is designed to plug-in these device capabilities into a common authentication framework.
UAF works with both native applications and web applications.
Other interesting bookmarks ...
• OWASP Authentication Cheat Sheet
• Securing SSH with Google Authenticator
• OWASP Transaction Authorization Cheat Sheet
• OWASP Anti-Malware KB (point on OTP)
• OWASP SAML Security Cheat Sheet
QUESTIONS ?
Bernard Toplak, ORION Informatics, Federation Servers
THANK YOU !!!
[email protected]
@toplak