MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch

Strong Authentication in Web Application

Sylvain Maret / Digital Security Expert / OpenID Switzerland / ConFoo.ca / 2011-03-10

Technology consulting

Agenda

www.maret-consulting.ch


Who am I?

Security Expert
> 17 years of experience in ICT Security
> Principal Consultant at MARET Consulting
> Expert at Engineer School of Yverdon & Geneva University
> Swiss French Area delegate at OpenID Switzerland
> Co-founder Geneva Application Security Forum
> OWASP Member
> Author of the blog: la Citadelle Electronique
> http://ch.linkedin.com/in/smaret or @smaret

Chosen field

AppSec & Digital Identity Security


Protection of digital identities: a topical issue…

Strong Authentication


Multi-factor Authentication-101: Talk by Philippe Gamache

2011-03-09 Montréal

2011-03-08 Montréal OWASP Meeting


«Digital identity is the cornerstone of trust»

http://fr.wikipedia.org/wiki/Authentification_forte


Strong Authentication: a new paradigm!

Which Strong Authentication technology?
Legacy Token? Old Model? Open Source Solution?


Comparison of technologies: OTP / PKI (HW) / Biometry*
Criteria: Strong authentication / Encryption / Digital signature / Non repudiation / Strong link with the user
* Biometry type: fingerprinting

Strong Authentication with PKI


PKI: Digital Certificate
> Hardware Token (Crypto PKI): Strong Authentication
> Software Certificate (PKCS#12 / PFX)
> TPM

SSL/TLS Mutual Authentication: how does it work?

Diagram: Alice and the Web Server perform SSL/TLS mutual authentication (both sides present a certificate); the Web Server sends an OCSP request for Alice's certificate to the Validation Authority, which answers Valid, Invalid or Unknown.

Demo #1: OpenID and Software Certificate using Clavid.ch

http://www.clavid.com/

Strong Authentication with Biometry (Match on Card technology)
> A reader
> A card with chip (Biometry SmartCard)
> Technology: MOC (Match on Card), Crypto Processor
> PC/SC, PKCS#11, Digital certificate X.509

Strong Authentication with (O)ne (T)ime (P)assword

(O)ne (T)ime (P)assword
> OTP Time Based
> OTP Event Based
> OTP Challenge Response Based

Others:
> OTP via SMS
> OTP via email
> Biometry and OTP
> Bingo Card
> Etc.

OTP T-B? OTP E-B? OTP C-R-B?

Crypto-101

Crypto-101 / Time Based OTP

HASH function with K = Secret Key / Seed and T = UTC Time:
i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))

Crypto-101 / Event Based OTP

HASH function with K = Secret Key / Seed and C = Counter:
i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))

Crypto-101 / OTP Challenge Response Based

HASH function with K = Secret Key / Seed; the server sends a nonce as the challenge and the OTP is the response computed over it.

Other OTP technologies…
> OTP via SMS
> "Flicker code": generator software that converts already encrypted data into an optical screen animation (by Elcard)

Demo #2: Protect WordPress (OTP Via SMS)


How to store my Secret Key? A Token!

OTP Token: Software vs Hardware?


Software OTP for Smartphone

http://itunes.apple.com/us/app/iotp/id328973960

New Standards & Open Source


Technologies accessible to everyone
> Initiative for Open AuTHentication (OATH): HOTP, TOTP, OCRA, etc.
> Mobile OTP (uses MD5…)

OATH Reference Architecture, Release 2.0

http://www.openauthentication.org/

Initiative for Open AuTHentication (OATH)
> HOTP: Event Based OTP, RFC 4226
> TOTP: Time Based OTP, Draft IETF Version 8
> OCRA: Challenge/Response OTP, Draft IETF Version 13
> Token Identifier Specification
> Etc.

(R)isk (B)ased (A)uthentication

RBA (Risk-Based Authentication) = Behavior Model


2-Step Verification from Google!

Uses OATH-HOTP & TOTP
http://code.google.com/p/google-authenticator/

Integration with web application

Web application: basic authentication model


Web application: Strong Authentication model


"Shielding" approach: perimetric authentication using a WAF


Module/Agent-based approach (example)


API/SDK based approach (example)


Demo #3: PHP Integration for phpMyAdmin


Multi OTP PHP Class by André Liechti (Switzerland)

Source code will be published soon: http://www.citadelle-electronique.net/ http://www.multiotp.net/

Proof of Concept Code by Anne Gosselin, Antonio Fontes!

    if (! empty($_REQUEST['pma_username'])) {
        // The user just logged in
        $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];

        // we combine both OTP + PIN code for the token verification
        $fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
        $fooOtp  = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];
        $GLOBALS['PHP_AUTH_PW'] = $fooPass . '' . $fooOtp;

        // OTP CHECK
        require_once('./libraries/multiotp.class.php');
        $multiotp = new Multiotp();
        $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
        $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
        $multiotp->SetUsersFolder('./libraries/users/');
        $multiotp->SetLogFolder('./libraries/log/');
        $multiotp->EnableVerboseLog();

        $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);

        // only the PIN code is kept for accessing the database: the OTP is stripped from the end
        // (the end of this substr() call was cut off on the slide and is reconstructed here)
        $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0,
                                         strlen($GLOBALS['PHP_AUTH_PW']) - strlen($fooOtp));

        if ($otpCheckResult == 0) {
            return true;
        } else {
            die("auth failed.");
        }
    }

Think about Software Security!
> Cf. talk by Antonio Fontes
> Cf. talk by Philippe Gamache
> Cf. talk by Sébastien Giora

Federated identities: a changing paradigm on authentication

Federation of identity approach, a change of paradigm: using an IDP for Authentication and Strong Authentication

Diagram: one Identity Provider authenticating users on behalf of Web App X and Web App Y.

SECTION 2 OpenID
> What is it?
> How does it work?
> How to integrate?

OpenID - What is it?
> Internet SingleSignOn
> Relatively Simple Protocol
> User-Centric Identity Management
> Internet Scalable
> Free Choice of Identity Provider
> No License Fee
> Independent of Identification Methods
> Non-Profit Organization

OpenID - How does it work?

Diagram: User Hans Muster with Identity URL https://hans.muster.clavid.com, Identity Provider (e.g. clavid.com) and the OpenID-enabled service.
Caption:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation

Demo #4: Apache and Mod_OpenID (Using Biometry / OTP)


Demo #4: Challenge / Response OTP with Biometry


Surprise! You may already have an OpenID!


Other Well Known & Simple Providers

http://en.wikipedia.org/wiki/List_of_OpenID_providers


Get an OpenID with Strong Authentication for free!


SECTION 1 SAML
> What is it?
> How does it work?

Using SAML for Authentication and Strong Authentication

(Assertion Consumer Service)


SAML – What is it?

SAML (Security Assertion Markup Language):
> Defined by the OASIS Group
> Well and Academically Designed Specification
> Uses XML Syntax
> Used for Authentication & Authorization
> SAML Assertions
  > Statements: Authentication, Attribute, Authorization
> SAML Protocols
  > Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings
  > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact
> SAML Profiles
  > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile

SAML – How does it work?

Diagram: User Hans Muster, Identity Provider (e.g. clavid.ch) and the SAML-enabled service (e.g. Google Apps for Business), with numbered steps 1 to 6 between the three parties.

Example with HTTP POST Binding

Sequence diagram between the Browser, the Web App (SAML Ready) and the IDP (MC):
1. Browser -> Web App: Access Resource
2. Web App: AuthN required
3. Web App -> Browser: <AuthnRequest>, Redirect 302
4. Browser -> IDP Single Sign On Service: <AuthnRequest>
5a. IDP -> Browser: Credential Challenge
5b. Browser -> IDP: User Login (+ PIN)
6. IDP -> Browser: <Response> in HTML Form
7. Browser -> Web App ACS: POST <Response>
8. Web App -> Browser: Resource

Questions ?


Resources on Internet 1/2
> http://motp.sourceforge.net/
> http://www.clavid.ch/otp
> http://code.google.com/p/mod-authn-otp/
> http://www.multiotp.net/
> http://www.openauthentication.org/
> http://wiki.openid.net/
> http://www.citadelle-electronique.net/

Resources on Internet 2/2
> http://rcdevs.com/products/openotp/
> https://github.com/adulau/paper-token
> http://www.yubico.com/yubikey
> http://www.nongnu.org/oath-toolkit/
> http://www.gpaterno.com/publications/2010/dublin_oss barcamp_2010_otp_with_oss.pdf

"Advice and expertise for the selection and implementation of innovative technologies in information systems security and digital identity"


A strong conviction!

Strong authentication

A major event in the world of strong authentication
> 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive: "Single Factor Authentication" is not enough for web financial applications; before end 2006 it is compulsory to implement a strong authentication system. http://www.ffiec.gov/press/pr101205.htm
> And the PCI DSS norm: compulsory strong authentication for remote accesses
> And now European regulations: Payment Services (2007/64/CE) for banks

Social Networks, Open Source

Out of Band Authentication


Phone Factor


SAML


SAML AuthnRequest Transfer via Browser

Redirect-Binding

POST-Binding


A SAML AuthnRequest (no magic, just XML)

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb"
    Version="2.0"
    IssueInstant="2008-10-14T00:57:14Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    ForceAuthn="false"
    IsPassive="false"
    AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>

SAML Assertion Transfer via Browser

POST-Binding


A SAML Assertion Response (no magic, just XML)

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
    InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
    Version="2.0"
    IssueInstant="2008-10-15T17:24:46Z"
    Destination="https://www.google.com/a/unopass.net/acs">
  <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z" Version="2.0">
    <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
    <Signature> … A DIGITAL SIGNATURE … </Signature>
    ...
    <saml:Subject>
      <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso">sylvain.maret</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
        <saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
            NotOnOrAfter="2008-10-15T17:34:46Z"
            Recipient="https://www.google.com/a/unopass.net/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    ...
    <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z">
      <saml:AudienceRestriction>
        <saml:Audience>google.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z" SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
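What the Assertion Consumer Service must check in a response like the one above, as an added Python example that is not code from this deck or from the products it shows: the constructed sample mirrors the page's response with shortened IDs and no signature, and check_response verifies the fields that bind the assertion to this request and this service provider (InResponseTo, Destination/Recipient, NotBefore/NotOnOrAfter, Audience), which an XML signature check alone does not cover. Signature verification is assumed to be done separately by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the response shown above (IDs shortened, signature omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2478" InResponseTo="hkcmlj" Version="2.0"
 IssueInstant="2008-10-15T17:24:46Z" Destination="https://www.google.com/a/unopass.net/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="s295c" IssueInstant="2008-10-15T17:24:46Z" Version="2.0">
  <saml:Subject><saml:NameID>sylvain.maret</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="hkcmlj" NotOnOrAfter="2008-10-15T17:34:46Z"
     Recipient="https://www.google.com/a/unopass.net/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z">
   <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""


def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml: str, request_id: str, acs_url: str, audience: str, now: datetime) -> str:
    """Return the asserted NameID once every binding condition holds, else raise ValueError.
    Assumes the XML signature over the assertion was already verified (not shown here);
    these checks are what the signature alone does not give you."""
    resp = ET.fromstring(xml)
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    # The response must answer the AuthnRequest we issued and be addressed to our own ACS.
    if resp.get("InResponseTo") != request_id or resp.get("Destination") != acs_url:
        raise ValueError("response not bound to our request/ACS (unsolicited or replayed)")
    assertion = resp.find("saml:Assertion", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url
            or now >= parse_utc(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer SubjectConfirmationData check failed")
    cond = assertion.find("saml:Conditions", NS)
    if not parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion was issued for another service provider")
    return assertion.find("saml:Subject/saml:NameID", NS).text.strip()
```

A production ACS additionally records consumed assertion IDs until their NotOnOrAfter so the same response cannot be posted twice.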
