Post password era - Bernard Toplak, OWASP Croatia Meetup 2016
- 3. Bernard Toplak OWASP Croatia, Feb 2016
Issues with passwords
1. Passwords can be “stolen” from:
a. a compromised / untrusted device
b. an untrusted website (phishing)
c. the legitimate server
d. the user himself
- 4.
Issues with passwords
2. Users can’t/won’t remember “stronger” passwords, which leads to:
a. weak and/or guessable passwords
b. reuse across many/all sites
c. inconvenience when typing passwords on a phone
- 5.
Discussed in detail in my presentation from FSEC 2014
- 7.
Multi-Factor Authentication
Factors of authentication:
1. something you know (knowledge)
2. something you have (possession)
3. something you are (inherence)
- 8.
2-Factor vs. 2-Step
2-step = the same factor used twice
2-factor = each step uses a different factor
- 11.
OATH
Initiative for Open AuTHentication
• industry-level collaboration
• developing
– open standards
– a reference architecture
OATH ≠ OAuth
- 12.
OATH Authentication Methods
A. HOTP (RFC 4226, Dec. 2005)
An HMAC-Based One-Time Password Algorithm
B. TOTP (RFC 6238, May 2011)
Time-Based One-Time Password Algorithm
C. OCRA (RFC 6287, Jun. 2011)
OATH Challenge/Response Algorithms
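As an added example (not from the slides) of how the first two OATH methods fit together: HOTP per RFC 4226, TOTP per RFC 6238 as HOTP over a time-step counter, and a server-side verification with a drift window and constant-time comparison. The secret is the ASCII test key from the RFCs, so the outputs match the RFC test vectors.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), shared by the
# token and the server; it is the one secret OATH OTP still requires on the server.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, per RFC 4226."""
    moving_factor = struct.pack(">Q", counter)           # 8-byte big-endian counter
    mac = hmac.new(secret, moving_factor, algo).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)        # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP = HOTP with the counter replaced by floor(time / step), per RFC 6238."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Server-side check. Accepts the current step plus/minus `window` steps to
    tolerate clock drift and compares in constant time. Replay protection (never
    accept the same step twice) and rate limiting are left to the caller."""
    current = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + drift, digits, algo), submitted):
            return True
    return False
```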
- 13.
One Time Password
Intended to act as a bridge between legacy and modern applications.
Widely implemented as:
1. SMS-distributed
2. software token (often a mobile app)
3. hardware token
- 14.
Issues with OTP
1. Vulnerable to
a. MITM (man in the middle)
b. MITB (man in the browser)
types of attacks
- 15.
Issues with OTP
2. Questionable privacy of the SMS-delivered OTP:
a. the mobile operator
b. over-the-air sniffing
c. the phone OS environment
- 16.
Issues with OTP
3. Yet another (expensive) device
4. Inconvenient to type OTP on phone etc.
- 17.
OTP libraries and example code
• OWASP JOTP project
• Google Authenticator open-sourced (Android, iOS, BlackBerry, libpam)
• http://oauth.net/code/
• https://github.com/search?q=otp (1,557 repos)
• https://github.com/search?q=oath (371 repos)
- 20.
Public Key Infrastructure
A wide and rather complex set of hardware, software, people, policies, and procedures for managing everything around certificates.
- 21.
Public Key Infrastructure
• developed since the 1970’s (GCHQ / Diffie-Hellman ....)
• fundamental security component of all major Internet protocols for authentication and communication (e.g. TLS, WS-Security, IPsec IKE, 802.1X, SIP … )
- 22.
PKI usages
• user authentication (e.g. smart card logon, client authentication with SSL)
• e-mail message encryption and/or sender authentication (e.g. OpenPGP, S/MIME)
• document encryption and/or authentication (e.g. XML Signature or XML Encryption)
• bootstrapping secure communication protocols (SSL/TLS, IKE)
• mobile signatures: electronic signatures created using a mobile device
- 23.
PKI problems
1. it’s complex
2. it’s complex to implement and maintain the proper (read: secure) way
3. even when PKI works perfectly, it doesn't work
4. significant middleware overhead brings potential additional problems of tracking and updating every single “moving part” = outdated insecure versions
- 24.
PKI libraries and projects
• OpenSSL - still most used CA/PKI toolkit
• CFSSL - CloudFlare's PKI and TLS toolkit
• Let's Encrypt - free, automated, open CA
• PKI.IO - scalable X.509 certificate management
• OpenCA - full featured CA system
• Dogtag - enterprise-class CA system
• OpenXPKI - X.509v3 software stack
• EJBCA - enterprise-class CA (Java) system
• XCA - graphical interface and database
- 26.
… Is it a dog? Is it a plane?
FIDO (Fast Identity Online) Alliance.
The FIDO Alliance includes Google, Microsoft, RSA, ARM, Lenovo, Mastercard, Visa, PayPal, Discover, Samsung, BlackBerry, NXP, Yubico … among its members.
- 27.
FIDO design principles
• easy to use
• one device - many services
• concept designed to make device production as cheap as it gets
• stronger security while reducing complexity
- 28.
FIDO design principles
• no secrets on the server side (public key only)
• no 3rd party in the protocol
• (if used) biometric data never leaves the device
• accounts and/or services are not “interchangeable”
- 35.
Universal 2nd Factor
• open authentication standard
• goal: Strong Authentication and Privacy for the Web
• initially developed by Google, Yubico and NXP, but now managed by the FIDO Alliance
- 36.
U2F - Universal 2nd Factor
• based on security technology similar to that found in smart cards (PKI)
• streamlines the 2FA process using a U2F-enabled USB, NFC, BT-LE keyfob, card, or mobile device …
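As an added illustration (not from the slides or any FIDO project) of the “no secrets on the server side” and “accounts are not interchangeable” principles and of the U2F flow above: a toy U2F-style token and relying party. It assumes the third-party `cryptography` package; the server keeps only a public key and the last counter, and the signed data binds each response to the app ID the browser saw, so a response produced for a different origin does not verify and a repeated counter is rejected.

```python
import hashlib
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed sample of what the browser hands the token (real client data is JSON).
SAMPLE_CLIENT_DATA = b'{"typ":"navigator.id.getAssertion","challenge":"constructed-challenge"}'


def u2f_auth_data(app_id: str, user_presence: int, counter: int, client_data: bytes) -> bytes:
    """Bytes a U2F token signs during authentication (FIDO U2F raw message format):
    sha256(appId) || user-presence byte || 4-byte big-endian counter || sha256(clientData)."""
    return (hashlib.sha256(app_id.encode()).digest() + bytes([user_presence])
            + struct.pack(">I", counter) + hashlib.sha256(client_data).digest())


class Token:
    """Toy U2F authenticator: a P-256 key pair that never leaves the device, plus a counter."""
    def __init__(self):
        self._key = ec.generate_private_key(ec.SECP256R1())
        self.counter = 0

    def public_key(self):
        return self._key.public_key()

    def authenticate(self, app_id: str, client_data: bytes):
        # The browser supplies the origin it is actually talking to as app_id.
        self.counter += 1
        sig = self._key.sign(u2f_auth_data(app_id, 1, self.counter, client_data),
                             ec.ECDSA(hashes.SHA256()))
        return self.counter, sig


class RelyingParty:
    """Server side: stores only public keys and the last seen counter, so a breach
    of this table leaks nothing that can be replayed ('no secrets on the server side')."""
    def __init__(self, app_id: str):
        self.app_id = app_id
        self.registered = {}            # key handle -> (public key, last counter)

    def register(self, handle: str, public_key) -> None:
        self.registered[handle] = (public_key, 0)

    def verify(self, handle: str, client_data: bytes, counter: int, signature: bytes) -> bool:
        public_key, last = self.registered[handle]
        if counter <= last:             # replayed response or a cloned token
            return False
        try:                            # the RP hashes ITS OWN app_id into the signed data
            public_key.verify(signature, u2f_auth_data(self.app_id, 1, counter, client_data),
                              ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False
        self.registered[handle] = (public_key, counter)
        return True
```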
- 37.
U2F browser integration
• Chrome - plugin v.38, natively v.40
• Firefox - WIP (tracker #1065729), plugin exists
• IE/Edge - announced for Win10, MS is a FIDO member
• Opera - not yet
See http://caniuse.com/#feat=u2f
- 38.
FIDO U2F soft libraries
Reference U2F implementation, Google
PHP based U2F server library
Python based U2F server library
Pluggable Authentication Module (PAM) for U2F
Ruby + Rails FIDO U2F lib
https://github.com/showcases/universal-2nd-factor
- 40.
Let’s go passwordless !!
Some of the authentication protocols that don’t require passwords:
• FIDO UAF
• OAuth (1.0a or 2.0)
• OpenID
• SAML - Security Assertion Markup Language
- 42.
Universal Authentication Framework
Intended to use existing security technologies present on devices for authentication:
• fingerprint sensors
• cameras (face biometrics)
• microphones (voice biometrics)
• Trusted Execution Environments (TEEs)
• Secure Elements (SEs)
• and others ...
- 43.
Universal Authentication Framework
The protocol is designed to plug these device capabilities into a common authentication framework.
UAF works with both native applications and web applications.
- 44.
Other interesting bookmarks ...
• OWASP Authentication Cheat Sheet
• Securing SSH with Google Authenticator
• OWASP Transaction Authorization Cheat Sheet
• OWASP Anti-Malware KB (point on OTP)
• OWASP SAML Security Cheat Sheet
- 46.
THANK YOU !!!
Bernard Toplak
ORION Informatics
Federation Servers
bernard@orion-web.hr
@toplak