MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch

Strong Authentication in Web Application

Sylvain Maret / Digital Security Expert / OpenID Switzerland

ConFoo.ca / 2011-03-10

Agenda

www.maret-consulting.ch | Conseil en technologies (technology consulting)

Who am I?

- Security Expert
- 17 years of experience in ICT Security
- Principal Consultant at MARET Consulting
- Expert at Engineer School of Yverdon & Geneva University
- Swiss French Area delegate at OpenID Switzerland
- Co-founder Geneva Application Security Forum
- OWASP Member
- Author of the blog: la Citadelle Electronique
- http://ch.linkedin.com/in/smaret or @smaret

Chosen field: AppSec & Digital Identity Security

Protection of digital identities: a topical issue…

Strong Authentication

Multi-factor Authentication-101: Talk by Philippe Gamache

2011-03-09 Montréal

2011-03-08 Montréal OWASP Meeting

«Digital identity is the cornerstone of trust»

http://fr.wikipedia.org/wiki/Authentification_forte

Strong Authentication

A new paradigm !

Which Strong Authentication technology ?

Legacy Token / Old Model ? / Open Source Solution ?

Comparison of strong authentication technologies (the slide's check marks are not recoverable from this extract)

Technologies compared: OTP | PKI (HW) | Biometry *
Properties compared: Strong authentication | Encryption | Digital signature | Non repudiation | Strong link with the user

* Biometry type Fingerprinting

Strong Authentication with PKI

PKI: Digital Certificate

- Hardware Token (Crypto PKI)
- Strong Authentication
- Software Certificate (PKCS#12; PFX)
- TPM

SSL/TLS Mutual Authentication: how does it work?

(Diagram) Alice <-- SSL / TLS Mutual Authentication --> Web Server
The Web Server checks Alice's certificate with an OCSP request to the Validation Authority, whose answer is Valid, Invalid or Unknown.

Demo #1: OpenID and Software Certificate using Clavid.ch

http://www.clavid.com/

Strong Authentication with Biometry (Match on Card technology)

- A reader
- Biometry
- SmartCard
- A card with chip

Technology MOC:
- Crypto Processor
- PC/SC
- PKCS#11
- Digital certificate X509

Strong Authentication With (O)ne (T)ime (P)assword

(O)ne (T)ime (P)assword

- OTP Time Based
- OTP Event Based
- OTP Challenge Response Based
- Others:
  - OTP via SMS
  - OTP via email
  - Biometry and OTP
  - Bingo Card
  - Etc.

OTP T-B? OTP E-B? OTP C-R-B?

Crypto - 101

Crypto-101 / Time Based OTP

K = Secret Key / Seed
T = UTC Time
HASH Function

OTP, i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))

Crypto-101 / Event Based OTP

K = Secret Key / Seed
C = Counter
HASH Function

OTP, i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))

Crypto-101 / OTP Challenge Response Based

K = Secret Key / Seed
Challenge: nonce
HASH Function

OTP
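The three Crypto-101 slides above (time based, event based, challenge/response) use one primitive, Truncate(HMAC-SHA-1(K, moving factor)); only the moving factor differs. The Python below is an added example, not code from the talk or from any project it names: it implements HOTP (RFC 4226, event based) and TOTP (RFC 6238, time based) over that primitive, a generic challenge/response variant keyed on a server nonce (the slide's diagram, not the OCRA message layout, which the slides do not detail), and the server-side verification that goes with each. The key is the published RFC test-vector key, and the look-ahead window and clock-skew values are assumed policy settings.

```python
# Added example (not from the slides or any project named in them): the three
# Crypto-101 slides share one primitive, Truncate(HMAC-SHA-1(K, moving factor)).
# Only the moving factor changes: a counter (HOTP), a time step (TOTP) or a
# server nonce (challenge/response). The key below is the RFC 4226 / RFC 6238
# test-vector key, not a real seed.
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector key


def dynamic_truncate(mac, digits):
    """RFC 4226 section 5.3 Truncate(): take 4 bytes at the offset given by
    the low nibble of the last byte, clear the sign bit, keep `digits` digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret, counter, digits=6):
    """Event based OTP (RFC 4226): moving factor C is an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """Time based OTP (RFC 6238): moving factor T is the number of `step`-second
    intervals since the Unix epoch, fed to HOTP."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


def challenge_response_otp(secret, nonce, digits=6):
    """Challenge/response OTP as drawn on the slide: the server sends a fresh
    nonce, the token answers Truncate(HMAC-SHA-1(K, nonce)). This is the generic
    form, not the OCRA message layout, which the slides do not detail."""
    mac = hmac.new(secret, nonce, hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def verify_hotp(secret, submitted, server_counter, window=10, digits=6):
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.4).
    Returns the counter value to store for next time, or None on mismatch.
    Storing the advanced counter is what makes an accepted code single-use.
    The window size of 10 is an assumed policy value."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1
    return None


def verify_totp(secret, submitted, unix_time, step=30, digits=6, skew=1):
    """Server-side TOTP check accepting the current step and `skew` steps on
    either side to absorb token clock drift (skew=1 is an assumed policy value)."""
    t = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, t + d, digits), submitted)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, "->", hotp(TEST_SECRET, c))   # 755224 287082 359152
    print("TOTP at t=59 (8 digits) ->", totp(TEST_SECRET, 59, digits=8))  # 94287082
    print("next counter after accepting 359152 ->", verify_hotp(TEST_SECRET, "359152", 0))  # 3
    print("same code presented again ->", verify_hotp(TEST_SECRET, "359152", 3))  # None
```

The values printed for counters 0 to 2 and for t=59 are the RFC 4226 and RFC 6238 test vectors, so the implementation can be checked against the standards directly. The `verify_hotp` return value is the state the server must persist: if the stored counter is not advanced past the accepted code, the same OTP is accepted again, which is the failure mode a "How to store my secret key" discussion has to cover on the server side as well as on the token.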

Other OTP technologies…

“Flicker code” Generator Software that converts already encrypted data into optical screen animation

OTP Via SMS By Elcard

Demo #2: Protect WordPress (OTP Via SMS)

How to Store my Secret Key ?

A Token !

OTP Token: Software vs Hardware ?

Software OTP for Smartphone

http://itunes.apple.com/us/app/iotp/id328973960

New Standards & Open Source

Technologies accessible to everyone

- Initiative for Open AuTHentication (OATH)
  - HOTP
  - TOTP
  - OCRA
  - Etc.
- Mobile OTP (Use MD5 … )

OATH Reference Architecture, Release 2.0

http://www.openauthentication.org/

Initiative for Open AuTHentication (OATH)

- HOTP: Event Based OTP, RFC 4226
- TOTP: Time Based OTP, Draft IETF Version 8
- OCRA: Challenge/Response OTP, Draft IETF Version 13
- Token Identifier Specification
- Etc.

(R)isk (B)ased (A)uthentication

RBA (Risk-Based Authentication) = Behavior Model

2 Step Verification from Google !

Use OATH-HOTP & TOTP
http://code.google.com/p/google-authenticator/

Integration with web application

Web application: basic authentication model

Web application: Strong Authentication model

“Shielding” approach: perimetric authentication using WAF

Module/Agent-based approach (example)

API/SDK based approach (example)

Demo #3: PHP Integration for phpMyAdmin

Multi OTP PHP Class by André Liechti (Switzerland)

Source code will be published soon:
http://www.citadelle-electronique.net/
http://www.multiotp.net/

Proof of Concept Code by Anne Gosselin, Antonio Fontes !

if (! empty($_REQUEST['pma_username'])) {
    // The user just logged in
    $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];

    // we combine both OTP + PIN code for the token verification
    $fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
    $fooOtp  = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];
    $GLOBALS['PHP_AUTH_PW'] = $fooPass . '' . $fooOtp;

    // OTP CHECK
    require_once('./libraries/multiotp.class.php');
    $multiotp = new Multiotp();
    $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
    $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
    $multiotp->SetUsersFolder('./libraries/users/');
    $multiotp->SetLogFolder('./libraries/log/');
    $multiotp->EnableVerboseLog();
    $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);

    // the PIN code is kept for accessing the database: strip the OTP from the end
    // (the slide cuts this line off; completing it with the submitted OTP's own
    // length is an editorial assumption)
    $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0, strlen($GLOBALS['PHP_AUTH_PW']) - strlen($fooOtp));

    if ($otpCheckResult == 0) return true;
    else die("auth failed.");
}

Think about Software Security !

- Cf Talk Philippe Gamache
- Cf Talk Antonio Fontes
- Cf Talk Sébastien Giora

Federated identities: a changing paradigm on authentication

Federation of identity approach, a change of paradigm: using IDP for Authentication and Strong Authentication

(Diagram) Identity Provider <--> Web App X, Web App Y

SECTION 2: OpenID

> What is it?
> How does it work?
> How to integrate?

OpenID - What is it?

> Internet SingleSignOn
> Relatively Simple Protocol
> User-Centric Identity Management
> Internet Scalable
> Free Choice of Identity Provider
> No License Fee
> Independent of Identification Methods
> Non-Profit Organization

OpenID - How does it work?

(Diagram) User Hans Muster with Identity URL https://hans.muster.clavid.com; Identity Provider e.g. clavid.com; Enabled Service. Steps 1, 2, 3, 4, 4a, 5 and 6 run between these three parties as listed in the caption.

Caption
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation

Demo #4: Apache and Mod_OpenID (Using Biometry / OTP)

Demo #4: Challenge / Response OTP with Biometry

Surprise! You may already have an OpenID !

Other Well Known & Simple Providers

http://en.wikipedia.org/wiki/List_of_OpenID_providers

Get an OpenID with Strong Authentication for free !

SECTION 1: SAML

> What is it?
> How does it work?

Using SAML for Authentication and Strong Authentication

(Assertion Consumer Service)

SAML: What is it?

SAML (Security Assertion Markup Language):
> Defined by the OASIS Group
> Well and Academically Designed Specification
> Uses XML Syntax
> Used for Authentication & Authorization
> SAML Assertions
  > Statements: Authentication, Attribute, Authorization
> SAML Protocols
  > Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings
  > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact
> SAML Profiles
  > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile

SAML: How does it work?

(Diagram) User Hans Muster; Enabled Service e.g. Google Apps for Business; Identity Provider e.g. clavid.ch. Steps 1 to 6 run between the three parties (the step labels are not recoverable from this extract).

Example with HTTP POST Binding

(Sequence diagram) Participants: Browser; Web App SAML Ready (ACS = Assertion Consumer Service); IDP MC (Single Sign On Service)
1. Access Resource (Browser -> Web App)
2. AuthN
3. Redirect 302 carrying the <AuthnRequest>
4. <AuthnRequest> delivered to the Single Sign On Service
5a. Challenge
5b. Credential: User Login + PIN
6. <Response> in HTML Form
7. POST <Response> to the ACS
8. Resource

Questions ?

"Consulting and expertise for the selection and implementation of innovative technologies in information systems security and digital identity"

A strong conviction !

Strong authentication

A major event in the world of strong authentication

12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
- « Single Factor Authentication » is not enough for web financial applications
- Before end 2006 it is compulsory to implement a strong authentication system

And the PCI DSS norm
- Compulsory strong authentication for remote access

And now European regulations
- Payment Services (2007/64/CE) for banks

Social Networks, Open Source

Out of Band Authentication

Phone Factor

SAML

SAML AuthnRequest Transfer via Browser
   Redirect-Binding
   POST-Binding

A SAML AuthnRequest (no magic, just XML)

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb"
    Version="2.0"
    IssueInstant="2008-10-14T00:57:14Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    ForceAuthn="false"
    IsPassive="false"
    AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>
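The Redirect and POST bindings named above differ only in how this XML is wrapped for the browser. The following example is added here and is not the speaker's code: it builds an AuthnRequest of the same shape as the one on the slide, adds a RequestedAuthnContext so the IdP is asked for something stronger than a password, and encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded SAMLRequest query parameter) and for the HTTP-POST binding (base64 in a hidden form field). The SP entity ID, ACS URL and IdP SSO URL are assumed placeholders.

```python
"""Build a SAML 2.0 AuthnRequest and wrap it for the HTTP-Redirect and
HTTP-POST bindings.  Added example, not code from the talk; SP_ENTITY_ID,
ACS_URL and IDP_SSO_URL are assumed placeholders."""
import base64
import html
import secrets
import urllib.parse
import zlib
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

SP_ENTITY_ID = "https://sp.example.com/saml"   # assumed
ACS_URL = "https://sp.example.com/saml/acs"    # assumed
IDP_SSO_URL = "https://idp.example.com/sso"    # assumed

# Standard SAML 2.0 authentication context classes that imply a second
# factor; PasswordProtectedTransport (a password over TLS) is not one of them.
STRONG_CONTEXTS = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
)


def new_request_id():
    """Unpredictable XML ID; an xs:ID must start with a letter or underscore."""
    return "_" + secrets.token_hex(16)


def utc_instant(when=None):
    """SAML IssueInstant: UTC, second precision, trailing Z."""
    when = when or datetime.now(timezone.utc)
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(request_id, issue_instant, requested_contexts=STRONG_CONTEXTS):
    """Same shape as the request on the slide, plus a RequestedAuthnContext
    that asks the IdP for one of the listed (strong) context classes."""
    refs = "".join(
        f"<saml:AuthnContextClassRef>{c}</saml:AuthnContextClassRef>"
        for c in requested_contexts
    )
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"'
        f' ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}"'
        f' ProtocolBinding="{BINDING_POST}" ForceAuthn="false" IsPassive="false"'
        f' AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:NameIDPolicy AllowCreate="true" Format="{NAMEID_UNSPECIFIED}"/>'
        f'<samlp:RequestedAuthnContext Comparison="exact">{refs}</samlp:RequestedAuthnContext>'
        "</samlp:AuthnRequest>"
    )


def redirect_binding_url(request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encoded as the SAMLRequest query parameter of a GET to the IdP."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw DEFLATE
    deflated = deflater.compress(request_xml.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect_url(url):
    """What the IdP does on receipt: the reverse of redirect_binding_url."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def post_binding_field(request_xml):
    """HTTP-POST binding: plain base64, no compression."""
    return base64.b64encode(request_xml.encode("utf-8")).decode("ascii")


def decode_post_field(value):
    return base64.b64decode(value).decode("utf-8")


def post_binding_form(request_xml, relay_state=None):
    """Self-submitting HTML form for the POST binding; the IdP's Response on
    the sequence slide travels back the same way, in a SAMLResponse field."""
    fields = [("SAMLRequest", post_binding_field(request_xml))]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    inputs = "".join(
        f'<input type="hidden" name="{n}" value="{html.escape(v, quote=True)}"/>'
        for n, v in fields
    )
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(IDP_SSO_URL, quote=True)}">'
        f'{inputs}<noscript><input type="submit"/></noscript></form></body></html>'
    )


if __name__ == "__main__":
    xml = build_authn_request(new_request_id(), utc_instant())
    print(redirect_binding_url(xml, relay_state="/app"))
    print(post_binding_form(xml))
```

Two practical points: the request ID must be stored in the user's session, because the Response's InResponseTo is checked against it later; and with the Redirect binding a signature, if the IdP requires one, cannot sit inside the XML and goes into separate SigAlg and Signature query parameters, which this example leaves out.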

SAML Assertion Transfer via Browser
   POST-Binding

A SAML Assertion Response (no magic, just XML)

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
    InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
    Version="2.0"
    IssueInstant="2008-10-15T17:24:46Z"
    Destination="https://www.google.com/a/unopass.net/acs">
  <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion
      ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"
      IssueInstant="2008-10-15T17:24:46Z"
      Version="2.0">
    <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
    <Signature>
      … A DIGITAL SIGNATURE …
    </Signature>
    <saml:Subject>
      <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso">
        sylvain.maret
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
            NotOnOrAfter="2008-10-15T17:34:46Z"
            Recipient="https://www.google.com/a/unopass.net/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-10-15T17:14:46Z"
        NotOnOrAfter="2008-10-15T17:34:46Z">
      <saml:AudienceRestriction>
        <saml:Audience>google.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z"
        SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
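Receiving this Response is where the service provider earns its keep. Verifying the XML signature needs a real XML-DSig implementation (xmlsec, or python3-saml on top of it) and is deliberately left to such a library; everything else the assertion carries must still be checked by the SP: the Status, InResponseTo against the request ID it issued, Destination and Recipient against its own ACS URL, the Audience, the NotBefore/NotOnOrAfter window, and the AuthnContextClassRef. The last one matters in a strong-authentication deployment: the assertion on this slide says PasswordProtectedTransport, a password over TLS, and an SP that requires two factors should reject it even though the signature is good. The example below is added here and is not the speaker's code; its sample response is constructed from the slide's values, with a placeholder where the signature element would be, and the signature verdict is passed in as an assumed parameter.

```python
"""Service-provider-side validation of a SAML 2.0 Response.
Added example, not code from the talk.  The XML signature itself must be
verified with an XML-DSig library (xmlsec / python3-saml); this code takes
that verdict as a parameter and checks what the signature does not cover."""
import xml.etree.ElementTree as ET   # use defusedxml.ElementTree in production
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
STRONG_CONTEXTS = frozenset({
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"})

# Constructed sample: the response from the slide, with a placeholder
# ds:Signature element where the real XML-DSig block would be.
SAMPLE_ACS = "https://www.google.com/a/unopass.net/acs"
SAMPLE_IDP = "http://idp.unopass.net:80/opensso"
SAMPLE_REQUEST_ID = "hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
SAMPLE_NOW = datetime(2008, 10, 15, 17, 25, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4" InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
  Version="2.0" IssueInstant="2008-10-15T17:24:46Z" Destination="https://www.google.com/a/unopass.net/acs">
 <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z" Version="2.0">
  <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso">sylvain.maret</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
      NotOnOrAfter="2008-10-15T17:34:46Z" Recipient="https://www.google.com/a/unopass.net/acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z">
   <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z" SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
   <saml:AuthnContext><saml:AuthnContextClassRef>
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
   </saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """SAML dateTime (UTC, trailing Z) to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, *, expected_request_id, acs_url, sp_entity_id, idp_entity_id,
                      now, allowed_contexts, signature_verified, skew=timedelta(seconds=60)):
    """Return a list of problems; an empty list means the response is acceptable."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination", acs_url) != acs_url:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("Response InResponseTo does not match the request we issued")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:   # a second assertion is the classic wrapping trick
        return problems + ["expected exactly one Assertion, got %d" % len(assertions)]
    a = assertions[0]
    if not signature_verified or a.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned or its signature was not verified")
    for el, label in ((root, "Response"), (a, "Assertion")):
        issuer = el.find("saml:Issuer", NS)
        if issuer is None or (issuer.text or "").strip() != idp_entity_id:
            problems.append("%s Issuer is not the expected IdP" % label)
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if sc is None or sc.get("Method") != CM_BEARER or scd is None:
        problems.append("no bearer SubjectConfirmation")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient is not our ACS URL")
        if scd.get("InResponseTo") != expected_request_id:
            problems.append("SubjectConfirmationData InResponseTo does not match")
        if "NotOnOrAfter" not in scd.attrib or now >= parse_instant(scd.get("NotOnOrAfter")) + skew:
            problems.append("SubjectConfirmationData expired")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_instant(nb):
            problems.append("assertion not yet valid")
        if na and now >= parse_instant(na) + skew:
            problems.append("assertion expired")
        audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
        if sp_entity_id not in audiences:
            problems.append("we are not in the Audience")
    ref = a.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    ctx = (ref.text or "").strip() if ref is not None else None
    if ctx not in allowed_contexts:
        problems.append("authentication context %r is weaker than required" % ctx)
    return problems


def check_sample(now=SAMPLE_NOW, allowed_contexts=STRONG_CONTEXTS, request_id=SAMPLE_REQUEST_ID):
    """Validate the slide's response as the SP google.com; signature_verified=True is assumed."""
    return validate_response(SAMPLE_RESPONSE, expected_request_id=request_id, acs_url=SAMPLE_ACS,
                             sp_entity_id="google.com", idp_entity_id=SAMPLE_IDP, now=now,
                             allowed_contexts=allowed_contexts, signature_verified=True)
```

Run against the slide's own response, check_sample() passes every check except the last and reports the PasswordProtectedTransport context as too weak; adding that context to allowed_contexts makes the list empty. Shifting now past 17:34:46Z produces the two expiry findings, and a different request ID produces the InResponseTo findings, which is the replay protection the stored request ID buys you.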