MARET Consulting | 109, chemin du Pont-du-Centenaire | CH 1228 Plan-les-Ouates | Tél +41 22 727 05 57 | Fax +41 22 727 05 50 | www.maret-consulting.ch

Authentication and Strong Authentication in Web Application

Sylvain Maret / Digital Security Expert @ MARET Consulting BrightTALK - October 7th 2010

Conseil en technologies

Agenda

> Protecting digital identities: strong authentication?
> Strong Authentication: a new paradigm!
> Integration with web applications
> Identity Federation for Authentication: SAML / OpenID
> New Standards


Who am I?

> Security Expert
  > 15 years of experience in ICT Security
  > CEO and Founder of MARET Consulting
  > Expert at Engineer School of Yverdon & Geneva University
  > Swiss French Area delegate at OpenID Switzerland
  > Co-founder Geneva Application Security Forum
  > OWASP Member
  > Author of the blog: la Citadelle Electronique
  > http://ch.linkedin.com/in/smaret
> Chosen field: Digital Identity Security

Protection of digital identities: a topical issue


Threats on authentication


Facts!

> Keylogger (hard and soft)
> Malware
> Man in the Middle
> Browser in the Middle
> Password Sniffer
> Social Engineering
> Phishing / Pharming
> The number of identity thefts is increasing dramatically!


A major event in the world of strong authentication

> 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
  > "Single Factor Authentication" is not enough for web financial applications
  > Before the end of 2006 it is compulsory to implement a strong authentication system
  > http://www.ffiec.gov/press/pr101205.htm
> And the PCI DSS standard
  > Compulsory strong authentication for remote access
> And now European regulations
  > Payment Services Directive (2007/64/CE) for banks
> Social Networks, Open Source

Definition of strong authentication

Strong Authentication on Wikipedia

"Digital identity is the cornerstone of trust"

More information on the subject

Strong Authentication: a new paradigm!

Which strong authentication technology? (Legacy Token, ...)


(comparison chart of the token technologies OTP, PKI (HW) and Biometry* against the properties: strong authentication, encryption, digital signature, non repudiation, strong link with the user; the chart's cell values are not preserved in the text)

* Biometry type: fingerprinting

Strong Authentication with Biometry (Match on Card technology)

> A reader
  > Biometry
  > SmartCard
> A card with chip
  > Technology MOC
  > Crypto processor
> PC/SC
> PKCS#11
> Digital certificate X509

Authentication Server must be agnostic


New Standards & Open Source


Technologies accessible to everyone

> Based on Standards
> Open Solutions

Open Authentication (OATH)

> Mobile One Time Passwords
> OATH authentication algorithms
  > strong, two-factor authentication with mobile phones
  > HOTP (HMAC Event Based)
  > OCRA (Challenge/Response)
  > TOTP (Time Based)
> OATH Token Identifier Specification

Integration with web application

Web applications: basic authentication model


Web application: strong authentication model


"Shielding" approach: perimetric authentication


Module/Agent-based approach


API/SDK based approach


SSL PKI: how does it work?

(diagram: SSL / TLS Mutual Authentication between Alice and the Web Server; an OCSP request is sent to the Validation Authority, whose answer is Valid, Invalid or Unknown)

Federated identities: a changing paradigm on authentication

Federation of identity approach, a change of paradigm: using an IDP for Authentication and Strong Authentication

(diagram: one Identity Provider serving Web App X and Web App Y)

SECTION 1: SAML
> What is it?
> How does it work?

Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)

SAML - What is it?

SAML (Security Assertion Markup Language):
> Defined by the OASIS group
> Well and academically designed specification
> Uses XML syntax
> Used for Authentication & Authorization
> SAML Assertions
  > Statements: Authentication, Attribute, Authorization
> SAML Protocols
  > Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings
  > SOAP, Reverse-SOAP, HTTP-GET, HTTP-POST, HTTP-Artifact
> SAML Profiles
  > Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile

SAML - How does it work?

(diagram of the numbered exchange between the User Hans Muster, the Identity Provider, e.g. clavid.ch, and the Enabled Service, e.g. Google Apps for Business)

Example with HTTP POST Binding


SAML AuthN & ACS integration in Web Application


SECTION 2: OpenID
> What is it?
> How does it work?
> How to integrate?

OpenID - What is it?

> Internet Single Sign-On
> Relatively simple protocol
> User-centric identity management
> Internet scalable
> Free choice of Identity Provider
> No license fee
> Independent of identification methods
> Non-profit organization

OpenID - How does it work?

(diagram: the User Hans Muster, with Identity URL https://hans.muster.clavid.com, the Identity Provider, e.g. clavid.com, and the Enabled Service)

Caption:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation

Architecture: IDP Authentication Server

(diagram: SAML; Unique Interface; Agnostic / Easy)

Conclusion #1

> The Authentication Server needs to be agnostic to any Token
  > Support Open Standards
> Federation of identity: a change of paradigm for authentication
  > Not only for Federation or Web SSO
  > SAML and OpenID can support all authentication technologies
  > Develop only one authentication interface for all Web Applications

Conclusion #2

> Users can choose their Strong Authentication Token
  > User friendly and reduces costs
> New Standards and Open Source Solutions
  > OTP Software Tokens are now free
  > Strong Authentication for Social Networks (OpenID IDP & Strong Authentication)
> Think about Web Application Security
  > OWASP - Application Security Verification Standard Project
  > OWASP - Best Practices: Use of Web Application Firewalls
  > 2010 CWE/SANS - Top 25 Most Dangerous Software Errors

Some links to go deeper into the subject

> MARET Consulting
  > http://maret-consulting.ch/
> La Citadelle Electronique (the blog on digital identities)
  > http://www.citadelle-electronique.net/
> Banque & Finance articles:
  > Usurper une identité? Impossible avec la biométrie!
  > Biométrie et Mobilité
  > http://www.banque-finance.ch/numeros/88/59.pdf
  > http://www.banque-finance.ch/numeros/97/62.pdf
> Public presentations
  > OSSIR Paris 2009: Retour d'expérience sur le déploiement de biométrie à grande échelle
  > ISACA, Clusis: Accès à l'information : Rôles et responsabilités
  > http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf
  > http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometriquede28099authentification-forte.pdf

"Le conseil et l'expertise pour le choix et la mise en oeuvre des technologies innovantes dans la sécurité des systèmes d'information et de l'identité numérique"

www.maret-consulting.ch

Conseil en technologies

www.maret-consulting.ch

Conseil en technologies

Sign up to vote on this title
UsefulNot useful