by Bernard Toplak
OWASP Croatia, Feb 2016
Post-Password Era
Understanding (new) methods of
authentication
Passwords ...
The damnation of ...
Issues with passwords
1. Passwords can be "stolen" from:
   a. a compromised / untrusted device
   b. an untrusted website (phishing)
   c. the legitimate server
   d. the user themselves
Issues with passwords
2. Users can't or won't remember "stronger" passwords, which leads to:
   a. weak and/or guessable passwords
   b. reuse across many or all sites
   c. passwords that are inconvenient to type on a phone
Discussed in detail in ...
... my presentation from FSEC 2014
Multi-Factor Authentication
The solution in ...
Multi-Factor Authentication
Factors of authentication:
1. something you know (knowledge)
2. something you have (possession)
3. something you are (inherence)
2-Factor vs. 2-Step
2-step = two verification steps, possibly using the same factor twice
2-factor = each step uses a different factor
2FA
… Patented in 1984
OATH ...
The usual implementation is ...
OATH
Initiative for Open AuTHentication
• industry-level collaboration
• developing
  – open standards
  – reference architecture
OATH ≠ OAuth
OATH Authentication Methods
A. HOTP (RFC 4226, Dec. 2005)
   An HMAC-Based One-Time Password Algorithm
B. TOTP (RFC 6238, May 2011)
   Time-Based One-Time Password Algorithm
C. OCRA (RFC 6287, Jun. 2011)
   OATH Challenge-Response Algorithm
One Time Password
Intended to act as a bridge between legacy and modern applications.
Widely implemented as:
1. SMS-delivered
2. software token (often a mobile app)
3. hardware token
Issues with OTP
1. Vulnerable to attacks that capture the code and relay it while it is still valid:
   a. MITM - man in the middle (e.g. a phishing site that forwards the OTP to the real site)
   b. MITB - man in the browser
Issues with OTP
2. Questionable privacy of an SMS-delivered OTP; the code is exposed to:
   a. the mobile operator
   b. over-the-air sniffing
   c. the phone OS environment (anything on the phone that can read SMS)
Issues with OTP
3. Yet another (expensive) device
4. Inconvenient to type an OTP on a phone, etc.
OTP libraries and example code
• OWASP JOTP project
• Google Authenticator, open-sourced (Android, iOS, BlackBerry, libpam)
• http://oauth.net/code/ (note: OAuth resources, not OATH; see the OATH ≠ OAuth slide)
• https://github.com/search?q=otp (1,557 repos as of Feb 2016)
• https://github.com/search?q=oath (371 repos as of Feb 2016)
PKI ...
The complication of ...
Public Key Infrastructure
A wide and rather complex set of hardware, software, people, policies and procedures for managing everything around digital certificates (issuance, distribution, storage, validation and revocation).
Public Key Infrastructure
• developed since the 1970s (GCHQ, Diffie-Hellman, ...)
• fundamental security component of all major Internet protocols for authentication and secure communication (e.g. TLS, WS-Security, IPsec IKE, 802.1X, SIP, ...)
PKI usages
• user authentication (e.g. smart card logon, TLS client-certificate authentication)
• e-mail encryption and/or sender authentication (e.g. OpenPGP, S/MIME)
• document encryption and/or authentication (e.g. XML Signature, XML Encryption)
• bootstrapping secure communication protocols (SSL/TLS, IKE)
• mobile signatures: electronic signatures created using a mobile device
PKI problems
1. it's complex
2. it's complex to implement and maintain the proper (read: secure) way
3. even when PKI works perfectly, it doesn't work
4. significant middleware overhead: every single "moving part" has to be tracked and updated, or you end up running outdated, insecure versions
PKI libraries and projects
• OpenSSL - still most used CA/PKI toolkit
• CFSSL - CloudFlare's PKI and TLS toolkit
• Let's Encrypt - free, automated, open CA
• PKI.IO - scalable X.509 certificate management
• OpenCA - full featured CA system
• Dogtag - enterprise-class CA system
• OpenXPKI - X.509v3 software stack
• EJBCA - enterprise-class CA (Java) system
• XCA - graphical interface and database
FIDO ...
The birth of ...
… Is it a dog? Is it a plane?
FIDO (Fast Identity Online) Alliance.
The FIDO Alliance includes Google, Microsoft,
RSA, ARM, Lenovo, Mastercard, Visa, PayPal,
Discover, Samsung, BlackBerry, NXP, Yubico …
among its members.
FIDO design principles
• easy to use
• one device - many services
• designed so that authenticator devices can be produced as cheaply as possible
• stronger security while reducing complexity
FIDO design principles
• no secrets on the server side (the server stores only public keys)
• no third party in the protocol
• (if used) biometric data never leaves the device
• per-service keys: a key registered with one service cannot be used with another, so accounts and services are not "interchangeable"
FIDO defines two user experiences:
1. Passwordless experience (UAF standard)
2. Second Factor experience (U2F standard)
[Figures: FIDO registration flow, FIDO login flow, local authentication plugins]
FIDO U2F
The invention of ...
Universal 2nd Factor
• open authentication standard
• goal: Strong Authentication and Privacy for
the Web
• initially developed by Google, Yubico and
NXP, but now managed by the FIDO Alliance
U2F - Universal 2nd Factor
• based on public-key cryptography similar to that found in smart cards (PKI)
• streamlines the 2FA process using a U2F-enabled USB, NFC or Bluetooth LE key fob, card, or mobile device ...
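As an added example (not the slides' code, and not any FIDO Alliance or vendor implementation), a self-contained model of U2F registration and authentication that puts the design principles above into code: the server keeps only public keys, each key is bound to one appId, the browser writes the real page origin into the signed client data, and a monotonic counter exposes a cloned token. The ECDSA-over-P-256 routines are a pure-Python toy written for this example (use a vetted library for anything real); the `Token`, `RelyingParty` and `browser_login` names, the key-handle format and the `https://bank.example` / `https://evil.example` origins are constructed assumptions. The signed data follows the U2F authentication layout (appIdHash || user-presence byte || 4-byte counter || SHA-256 of clientData), but the messages are not wire-compatible with real tokens and attestation is omitted.

```python
import hashlib, json, os, secrets, struct

# Toy ECDSA on NIST P-256 in pure Python (illustration only; use a vetted library in production).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _inv(x, m):
    return pow(x % m, m - 2, m)            # Fermat inverse; P and N are prime

def _add(p1, p2):                          # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 - 3) * _inv(2 * y1, P) if p1 == p2 else (y2 - y1) * _inv(x2 - x1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):                           # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def ecdsa_sign(priv, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = _inv(k, N) * (z + r * priv) % N
        if r and s:
            return r, s

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    pt = _add(_mul(z * _inv(s, N) % N, G), _mul(r * _inv(s, N) % N, pub))
    return pt is not None and pt[0] % N == r

class Token:                               # the U2F authenticator: private keys never leave it
    def __init__(self):
        self._keys = {}                    # key handle -> (private key, appId hash it is bound to)
        self.counter = 0                   # monotonic use counter, signed into every assertion
    def register(self, app_id_hash):
        priv = secrets.randbelow(N - 1) + 1
        key_handle = os.urandom(16)        # a real token wraps or derives the key; here it is just an index
        self._keys[key_handle] = (priv, app_id_hash)
        return key_handle, _mul(priv, G)   # only the public key goes to the server
    def authenticate(self, key_handle, app_id_hash, client_data_hash):
        priv, bound_app = self._keys[key_handle]
        if bound_app != app_id_hash:       # keys are per service, not interchangeable
            raise ValueError("key handle is not registered for this appId")
        self.counter += 1
        sig_body = b"\x01" + struct.pack(">I", self.counter)   # user-presence flag || counter
        # U2F authentication signature base: appIdHash || UP || counter || clientDataHash
        return sig_body, ecdsa_sign(priv, app_id_hash + sig_body + client_data_hash)

class RelyingParty:                        # the server: holds public keys and counters only
    def __init__(self, app_id):
        self.app_id = app_id
        self.app_id_hash = hashlib.sha256(app_id.encode()).digest()
        self.registrations = {}            # key handle -> (public key, last accepted counter)
        self.pending = set()               # outstanding challenges, consumed on first use
    def register(self, token):
        key_handle, pub = token.register(self.app_id_hash)
        self.registrations[key_handle] = (pub, 0)
        return key_handle
    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge
    def verify(self, key_handle, client_data, sig_body, sig):
        cd = json.loads(client_data)
        if (cd.get("typ") != "navigator.id.getAssertion" or cd.get("origin") != self.app_id
                or cd.get("challenge") not in self.pending):
            return False                   # wrong origin (phishing/relay) or unknown/replayed challenge
        self.pending.discard(cd["challenge"])
        pub, last_counter = self.registrations[key_handle]
        counter = struct.unpack(">I", sig_body[1:5])[0]
        if not sig_body[0] & 1 or counter <= last_counter:
            return False                   # no user presence, or counter went backwards (cloned token?)
        ok = ecdsa_verify(pub, self.app_id_hash + sig_body + hashlib.sha256(client_data).digest(), sig)
        if ok:
            self.registrations[key_handle] = (pub, counter)
        return ok

def browser_login(rp, token, key_handle, page_origin):
    """Browser role: the browser, not the page, records the real origin before the token signs."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": rp.new_challenge(),
                              "origin": page_origin}).encode()
    sig_body, sig = token.authenticate(key_handle, rp.app_id_hash, hashlib.sha256(client_data).digest())
    return rp.verify(key_handle, client_data, sig_body, sig)
```

In `browser_login` the origin parameter is what the browser observed, not what the page claims, so a phishing page at another origin that relays the bank's real challenge produces client data the bank rejects even though the signature over it is valid; a real browser additionally refuses to use an appId whose facet list does not include the page origin. The token raises when asked to sign for an appId the key handle was not registered with, which is the "not interchangeable" property from the design principles, and a rejected attempt still advances the token counter without moving the server's stored value.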
U2F browser integration
• Chrome - plugin from v.38, natively from v.40
• Firefox - WIP (tracker #1065729), plugin exists
• IE/Edge - announced for Windows 10; Microsoft is a FIDO member
• Opera - not yet
See http://caniuse.com/#feat=u2f
FIDO U2F soft libraries
• Reference U2F implementation, Google
• PHP based U2F server library
• Python based U2F server library
• Pluggable Authentication Module (PAM) for U2F
• Ruby + Rails FIDO U2F lib
https://github.com/showcases/universal-2nd-factor
Passwordless Auth-Protocols
Finally, new ...
Let's go passwordless !!
Some of the authentication protocols that don't require a password at the relying party (the federated ones delegate authentication to an identity provider, which may use any method):
• FIDO UAF
• OAuth (1.0a or 2.0) - an authorization framework, commonly used for delegated login
• OpenID
• SAML - Security Assertion Markup Language
FIDO UAF
The invention of ...
Universal Authentication Framework
Intended to use existing security technologies present on devices for authentication:
• fingerprint sensors
• cameras (face biometrics)
• microphones (voice biometrics)
• Trusted Execution Environments (TEEs)
• Secure Elements (SEs)
• and others ...
Universal Authentication Framework
The protocol is designed to plug these device capabilities into a common authentication framework.
UAF works with both native applications and web applications.
Other interesting bookmarks ...
• OWASP Authentication Cheat Sheet
• Securing SSH with Google Authenticator
• OWASP Transaction Authorization Cheat
Sheet
• OWASP Anti-Malware KB (point on OTP)
• OWASP SAML Security Cheat Sheet
QUESTIONS ?
Bernard Toplak
ORION Informatics
Federation Servers
THANK YOU !!!
bernard@orion-web.hr
@toplak
