Transcript of “Security Keys are Awesome, and how to use them”, a talk by Jen Tong (Security Advocate, Google Cloud Platform)
@MimmingCodes -- mimming.com
Security Keys are Awesome, and how to use them
Jen Tong, Security Advocate, Google Cloud Platform
@MimmingCodes -- Slides: mimming.com/u2f
About me
How many of you ...
● … are Security Engineers?
● … use a U2F security key?
Agenda
Passwords are bad :(
FIDO Alliance -- better than passwords
How U2F works
Use it yourself
The problem with authentication
Authentication
Login: jen
Password: 123456
123456: most common password in 2017
password: 2nd most common password in 2017
Source: SplashData
81% of hacking-related breaches used stolen and/or weak passwords
28% of phishing attacks were targeted
Source: Verizon DBIR 2017
Normal login
User -> Service: login = foo, password = 1234
Service -> User: logged in
Phishing
User -> Fake service: login = foo, password = 1234
Fake service -> Service: login = foo, password = 1234
One Time Passwords
SMS: Enter this code: 1234
Photo credit - Von Alexander Klink
Phishing, with a one-time password
User -> Fake service: login = foo, password = 1234, OTP = 5678
Fake service -> Service: login = foo, password = 1234, OTP = 5678
The fake service relays the code to the real service while it is still valid, so an OTP typed by the user is phished just like the password.
FIDO Alliance: better than passwords
“FIDO is the world’s largest ecosystem for standards-based, interoperable authentication”
W3C’s WebAuthn Spec
Source: WebAuthn spec
New!
Public key cryptography devices
Why hardware?
● Hardware isolation: the private key is generated and used inside the device and never leaves it
● Interoperable across devices and services
● Fast & easy to use
Transport methods
User Device
USB
NFC
Bluetooth
Certification process
How it works
How it works
Public key cryptography
Actors
Transport
Registration
Authentication
Public key cryptography
Public key
Private key
Actors
User, Device, Service
User to device transport
User -> Device: USB, NFC
Ceremonies
Registration
Authentication
Lost key?
Registration ceremony

Previously authenticated: the user has already logged in with login & password.

Service -> Browser:  Challenge: KJ4k, AppId: https://foo.com
Browser -> Device:   Challenge: KJ4k, AppId: https://foo.com, Origin: https://foo.com
                     (the browser fills in the origin it is actually talking to; the page cannot choose it)
Device:              generate a new key pair for this AppId and a key handle that lets it find
                     that key again later (typically the private key, wrapped), then sign the
                     registration data with its attestation key
Device -> Service:   Challenge: KJ4k, Origin: https://foo.com, Key handle: wfn3, Key cert: ...
Service:             verify payload
Authentication ceremony

Basic ceremony: the user first logs in with login & password.

Service -> Browser:  Challenge: chBs
Browser -> Device:   Challenge: chBs
Device:              sign payload
Device -> Service:   Challenge: chBs, signature
Service:             verify payload

Mitigate phishing: the browser adds the origin it is connected to.

Browser -> Device:   Challenge: chBs, Origin: https://foo.com
Device:              sign payload (origin included)
Device -> Service:   Challenge: chBs, Origin: https://foo.com, signature
Service:             verify payload and reject any origin other than its own. A fake site
                     that relays the real challenge gets a signature over its own origin,
                     which the real service refuses.

Prevent tracking across accounts: the service sends back the key handle it stored at registration.

Service -> Browser:  Challenge: chBs, Key handle: 6bHc
Browser -> Device:   Challenge: chBs, Origin: https://foo.com, Key handle: 6bHc
Device:              find key, sign payload
Device -> Service:   Challenge: chBs, Origin: https://foo.com, signature
Service:             verify payload
                     Every registration has its own key pair, so two services (or two accounts on
                     one service) cannot link a user through a shared public key; the key handle
                     tells the device which key to use.

Mitigate authenticator cloning: the device signs a counter it increments on every signature.

Service -> Browser:  Challenge: chBs, Key handle: 6bHc
Browser -> Device:   Challenge: chBs, Origin: https://foo.com, Key handle: 6bHc
Device:              find key, counter++, sign payload
Device -> Service:   Challenge: chBs, Origin: https://foo.com, Counter: 42, signature
Service:             check that the counter went up since the last login, then verify payload.
                     A counter that did not go up means a copy of the key has signed (or the
                     original, after a copy was used), and the login should be refused.
Lost key ‘ceremony’
Lost Key?
Use it yourself
Browser support
Lots of websites support it today
Google Cloud Platform
GSuite
Big list - https://www.dongleauth.info/
Adding it to your stuff, a.k.a. deployment
Deployment options
Run it yourself
Use 3rd party auth
How Google does it
Run it yourself
Client Server
Run it yourself - Server
Source: GitHub search for 'u2f server'
Client libraries
Run it yourself - Server
Source: Yubico U2F Validation Server
Yubico’s open source server
Client libraries
Code it yourself
Client Server
Code it yourself
Client: JavaScript
Server: flexible (any language with a U2F library)
Code it yourself - Client
Browser support:
Client - Registration

  // u2f-api.js high-level API: u2f.register(appId, registerRequests, registeredKeys, callback)
  u2f.register(appId, [{challenge: challenge, version: 'U2F_V2'}], [], function(resp) {
    if (resp.errorCode) {        // one of u2f.ErrorCodes, e.g. DEVICE_INELIGIBLE if already registered
      console.log(resp.errorCode);
      return;
    }
    // POST resp.clientData and resp.registrationData to the server
  });
Client - Authentication

  // u2f.sign(appId, challenge, registeredKeys, callback); registeredKeys come from the
  // server as [{version: 'U2F_V2', keyHandle: ...}] for the keys this user registered
  u2f.sign(appId, challenge, registeredKeys, function(devResp) {
    if (devResp.errorCode) {
      console.log(devResp.errorCode);
      return;
    }
    u2fRespInput.value = JSON.stringify(devResp);   // hidden field in the login form
    loginForm.submit();
  });
Code it yourself - Server
Libraries for:
● Java
● Ruby
● Python
● PHP
● C#
● C
● JavaScript
Server - Registration (node.js)

  const u2f = require('u2f');   // the 'u2f' npm package

  function registrationChallengeHandler(req, res) {
    const regReq = u2f.request(APP_ID);          // {version, appId, challenge}
    req.session.registrationRequest = regReq;    // kept to check the response against
    return res.send(regReq);
  }

  function registrationVerificationHandler(req, res) {
    const regRes = u2f.checkRegistration(
      req.session.registrationRequest, req.body.registrationResponse);
    if (regRes.successful) {
      // Store regRes.keyHandle and regRes.publicKey for this user; both are
      // needed for every later authentication.
      return res.sendStatus(200);
    }
    return res.status(400).send({ error: regRes.errorMessage });
  }
Server - Authentication (node.js)

  function authenticationChallengeHandler(req, res) {
    const authRequest = u2f.request(APP_ID, keyHandleFromDB());   // key handle saved at registration
    req.session.authRequest = authRequest;
    return res.send(authRequest);
  }

  function authenticationVerificationHandler(req, res) {
    const result = u2f.checkSignature(
      req.session.authRequest, req.body.authResponse, publicKeyFromDB());
    if (result.successful) {
      // result.counter must be greater than the counter stored for this key;
      // store the new value before accepting the login.
      return res.sendStatus(200);
    }
    return res.status(400).send({ error: result.errorMessage });
  }
Let someone else deal with it
BeyondCorp, a.k.a. Google Cloud’s Identity Aware Proxy
Source: GCP's BeyondCorp marketing page
Demo: Identity Aware Proxy on a black box web app
Conclusion
● Passwords aren’t enough
● Security keys work
● You should use them yourself
● Many options to use
Thank you!
Now go add it to your software so we can reduce pwnage
Slides: https://mimming.com/u2f
Want to learn more? Here's a reading list
These slides: https://mimming.com/u2f
Spec
● FIDO Alliance specs
● Yubico U2F docs
Keys
● A review of several commercial authenticators
Relying Party (server) libs
● Google’s reference implementation (Java)
● Node.js
Other cool talks
● Google Case Study: Strong Authentication
● U can U2F