Access Management
Presented by Venkatesh Jambulingam, Cloud Security Expert
05-Dec-2021
| 05-Dec-2021 | Venkatesh Jambulingam |
Contents
▶Authentication & Authorization
▶Authentication
– Multi-Factor Authentication
– Passwordless Authentication
– Certificate Based Authentication
– Risk Based Authentication / Adaptive Authentication
▶Authorization
– Single Sign on
– Federation
– SSO Protocols
Authentication & Authorization

Authentication (AuthN): who you are
– Authentication is the process of verifying a user’s details to identify the user and grant access to the system.
– Verification is done by confirming the truth of an attribute / piece of data claimed by an identity, e.g., User ID & Password, Biometric, Govt Issued ID card.
– Verifies the user’s credentials.
– Occurs before authorization.

Authorization (AuthZ): what can you do
– Authorization is the process of verifying the authenticated user’s privileges or permissions to access the resources of the system.
– Verification is done by checking the privileges granted to the user in an authoritative system such as an identity provider.
– Verifies the user’s permissions for specific resources.
– Occurs after authentication.
Multifactor Authentication
Multifactor authentication (MFA) is a security system that requires more than one method of authentication to verify the user’s identity. It combines two or more independent credentials to verify the identity. Given below are some of the authentication factors.
– Something the user knows: Password, PIN, Passphrase, Pattern, Image
– Something the user has: Access badge, Smart Card, Security token, Mobile phone, ID document
– Something the user is: Age, Gender, Irises, Fingerprints, Voice, Face
– Something the user does: Motor skills, Gait Analysis, Keystrokes, Application use, Handwriting, Gestures
– The context within which this information is captured: e.g. Geo location, IP address, Links to others, Device used
One Time Password
Hashing algorithms are used to generate OTPs. The algorithms use two inputs to generate the OTP: a seed and a moving factor. The seed is a static value (secret key) that’s created when you establish a new account on the authentication server. Based on the moving factor, two types of OTPs are available, namely HOTP & TOTP.
– The “H” in HOTP stands for Hash-based Message Authentication Code (HMAC). The HMAC-based One-time Password algorithm (HOTP) is an event-based OTP where the moving factor in each code is based on a counter. An OTP code is valid until you request the next one.
– Time-based One-time Password (TOTP) is a time-based OTP. The seed for TOTP is static, just like in HOTP, but the moving factor in a TOTP is time-based rather than counter-based. The amount of time in which each password is valid is called a timestep.
Diagram: Secret Key + Moving Factor (Counter) → HOTP Generator (e.g. Yubikey) → OTP; Secret Key + Moving Factor (Time) → TOTP Generator (e.g. Authenticator App) → OTP.
Risk Based / Adaptive Authentication
It works based on analyzing signals from various sources and arriving at a risk score for a given session. Organization policies define the action to be taken based on the risk score calculated.
Signals fed to the risk engine:
– Application Classification
– Certificates & Authenticators
– Session Cookie fingerprint
– Current & Historical Behavior
– HTTP Headers
– Geolocation, Geo velocity & IP Reputation
– Device Type used for login
– User Profile & Level of Access
Risk score → action:
– Low risk: Allow Access
– Medium risk: Step-up Authentication
– High risk: Deny Access
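The slide names the signals and the three outcomes but not how a risk engine gets from one to the other. The following is an added example (this page's own illustration, not code from the deck or any product) of the smallest useful engine: each signal contributes a policy weight, geo velocity is derived from two consecutive logins with the haversine formula, and thresholds map the score onto allow / step-up / deny. The type and field names, the weights and the thresholds are all assumptions made for the example; a real deployment tunes them against its own login history.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Login is one observed sign-in: where and when. Type and field names are
// assumptions made for this example, not part of the original deck.
type Login struct {
	Lat, Lon float64
	At       time.Time
}

// LoginSignals is the slide's signal set after upstream collectors have reduced
// each source to a number or flag (another assumption of this example).
type LoginSignals struct {
	NewDeviceFingerprint bool    // device type / session cookie fingerprint not seen before for this user
	IPReputationBad      bool    // source IP on a threat or abuse list
	GeoVelocityKmh       float64 // speed implied by this login relative to the previous one
	BehaviourAnomaly     bool    // outside the user's current & historical behaviour
	PrivilegedUser       bool    // user profile / level of access is high
	AppClassification    int     // application classification: 1 (low) to 3 (high)
}

type Decision string

const (
	Allow  Decision = "allow access"
	StepUp Decision = "step-up authentication"
	Deny   Decision = "deny access"
)

// Haversine returns the great-circle distance in km between two coordinates.
func Haversine(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// GeoVelocity converts two consecutive logins into km/h; a speed no traveller
// could achieve means the same credentials were used from two places.
func GeoVelocity(prev, cur Login) float64 {
	hours := cur.At.Sub(prev.At).Hours()
	if hours <= 0 {
		return math.Inf(1)
	}
	return Haversine(prev.Lat, prev.Lon, cur.Lat, cur.Lon) / hours
}

// RiskScore is the risk engine: a weighted sum over the signals. The weights
// are illustrative policy values an organisation would tune to its own data.
func RiskScore(s LoginSignals) int {
	score := (s.AppClassification - 1) * 10
	if s.NewDeviceFingerprint {
		score += 20
	}
	if s.IPReputationBad {
		score += 40
	}
	if s.GeoVelocityKmh > 1000 { // faster than an airliner
		score += 40
	}
	if s.BehaviourAnomaly {
		score += 10
	}
	if s.PrivilegedUser {
		score += 10
	}
	return score
}

// Decide applies the organisation's policy thresholds to the score.
func Decide(score int) Decision {
	switch {
	case score >= 70:
		return Deny
	case score >= 30:
		return StepUp
	}
	return Allow
}

func main() {
	// Constructed sample: previous login in London, this one in New York an hour later.
	prev := Login{51.5074, -0.1278, time.Date(2021, 12, 5, 9, 0, 0, 0, time.UTC)}
	cur := Login{40.7128, -74.0060, time.Date(2021, 12, 5, 10, 0, 0, 0, time.UTC)}
	s := LoginSignals{NewDeviceFingerprint: true, GeoVelocityKmh: GeoVelocity(prev, cur), AppClassification: 2}
	score := RiskScore(s)
	fmt.Printf("velocity=%.0f km/h score=%d decision=%s\n", s.GeoVelocityKmh, score, Decide(score))
}
```

The design point is that the engine only produces a score; the mapping to an action lives in `Decide`, which is where organisation policy is expressed and can be changed without touching how signals are collected. Keeping geo velocity as a derived number rather than a flag lets the policy choose its own threshold.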
Passwordless Authentication
▶Passwordless authentication is a type of multi-factor authentication (MFA) where passwords are replaced with a more secure authentication factor, such as a fingerprint or a PIN. Passwordless authentication relies on the same principles as digital certificates: a cryptographic key pair with a private and a public key.
▶An individual wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair. The private key is stored on the user’s local device and is tied to an authentication factor, such as a fingerprint, PIN, or voice recognition, and it can only be accessed with this gesture.
▶The public key is provided to the website, application, browser, or other online system for which the user wants to have an account.
PKI (or Public Key Infrastructure) is the framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users).
Fast Identity Online (FIDO) is an initiative of a group of companies to reduce the use of multiple usernames and passwords through the efficient and interoperable use of authentication factors.
A security key is a small physical device that looks like a USB thumb drive and works in addition to your password on sites that support it.
Certificate Based Authentication
Diagram components: on the user side, a Smart Card or Certificate Store, the Smart Card Cryptography Service Provider and the User Trust Store (validation of the server certificate); on the server side, the Authentication Server with its Server Trust Store & Cryptography Service Provider (validation of the user certificate) and OCSP / CRL for revocation checks; the two sides talk over an HTTPS connection established after validation of the server certificate.
Processes involved in request/response:
1. Login request initiated with the card inserted
2. Certificate selection and password prompt for the private key
3. PIN/Password to access the private key is entered
4. Password is verified and username is extracted from the certificate
5. Only username is sent
6. After verifying the username and certificate validity, a random challenge is sent in plain text
7. Sign the challenge with the user’s private key
8. Signed challenge is sent to the server
9. Verify the signature using the public key of the user stored in the authentication server and send the AuthN status response
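Both the passwordless slide (key pair generated on the device, public key registered with the service) and steps 6 to 9 above come down to the same challenge-response exchange, so one added example serves both. It is written for this page and is not code from the deck; it uses Ed25519 from the Go standard library in place of the smart-card certificate, and the names AuthServer, IssueChallenge, Verify and SignChallenge are the example's own. The point it adds to the slides is what the server has to do around the signature check for the "random challenge sent in plain text" to be safe: bind each challenge to one user, give it a short lifetime, and consume it on first use so a captured signed challenge cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuthServer holds the public keys registered per user (the "public key of the
// user stored in the authentication server") and the challenges it has issued
// but not yet consumed. All names here are assumptions of this example.
type AuthServer struct {
	registered map[string]ed25519.PublicKey
	pending    map[string]pendingChallenge // keyed by hex(nonce)
}

type pendingChallenge struct {
	user    string
	expires time.Time
}

func NewAuthServer() *AuthServer {
	return &AuthServer{
		registered: map[string]ed25519.PublicKey{},
		pending:    map[string]pendingChallenge{},
	}
}

// Register stores the user's public key at enrolment; the private key never leaves the device.
func (s *AuthServer) Register(user string, pub ed25519.PublicKey) {
	s.registered[user] = pub
}

// IssueChallenge is step 6: once the username is known, send a random nonce.
// Plain text is fine because only the matching private key can produce a valid signature over it.
func (s *AuthServer) IssueChallenge(user string, now time.Time) ([]byte, error) {
	if _, ok := s.registered[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = pendingChallenge{user: user, expires: now.Add(2 * time.Minute)}
	return nonce, nil
}

// Verify is step 9: check the signature with the stored public key. The
// challenge is consumed on first use and expires, so a signed challenge
// captured on the wire is useless afterwards.
func (s *AuthServer) Verify(user string, nonce, sig []byte, now time.Time) bool {
	key := hex.EncodeToString(nonce)
	c, ok := s.pending[key]
	if !ok || c.user != user {
		return false
	}
	delete(s.pending, key) // single use, whatever the outcome
	if now.After(c.expires) {
		return false
	}
	return ed25519.Verify(s.registered[user], nonce, sig)
}

// SignChallenge is step 7 on the client. The local gesture (PIN, fingerprint)
// that unlocks the private key is modelled as a boolean in this example.
func SignChallenge(priv ed25519.PrivateKey, nonce []byte, gestureOK bool) ([]byte, error) {
	if !gestureOK {
		return nil, errors.New("private key not unlocked: local authentication failed")
	}
	return ed25519.Sign(priv, nonce), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewAuthServer()
	srv.Register("alice", pub)
	now := time.Now()
	nonce, _ := srv.IssueChallenge("alice", now)
	sig, _ := SignChallenge(priv, nonce, true)
	fmt.Println("first use:", srv.Verify("alice", nonce, sig, now))
	fmt.Println("replay:", srv.Verify("alice", nonce, sig, now))
}
```

Note that `Verify` deletes the pending challenge before it checks the signature, so even a failed attempt burns the nonce; that is deliberate, since it stops an attacker from using one issued challenge to probe the server repeatedly.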
SSO / FIM
▶Federation (between different domains)
– Federation is the trust relationship that exists between these organizations; it is concerned with where the user’s credentials are actually stored and how trusted third-parties can authenticate against those credentials without actually seeing them.
▶SSO (various apps in a single domain)
– Single Sign on is used to authenticate and sign in through different applications in the same domain by signing in only once at the IDP side and activating a session.
Diagram: Federated Identity Management (FIM) and Single Sign on (SSO), built on the protocols SAML, OIDC and OAuth 2.0.
SAML
▶Security Assertion Markup Language (SAML) is an XML based protocol used for single sign on (SSO) that supports both authentication and authorization over SOAP/HTTP requests between the Identity Provider (IDP) & Service Provider (SP).
▶Before the SP can talk to the IdP for identity verification, the two players should define a SAML contract and exchange preliminary information, via metadata, which includes details like:
– Public keys (used for encryption), supported encryption algorithms, endpoint URLs (where to send SAML messages)
– Supported connection methods and supported XML attribute formats
▶Once both the SP and the IdP know these specifics about each other, they reconfigure themselves accordingly.
SAML SSO flow between the Service Provider (SP) and the Identity Provider (IDP):
1. User attempts to login to the service provider directly
2. Service provider redirects the user’s browser to the identity provider
3. User logs into the identity provider
4. Identity provider confirms the authentication status as successful
5. SAML assertion is sent to the user’s browser. It contains authN & authZ related information along with the corresponding user profile
6. SAML assertion is sent to the service provider by the browser
7. Service provider analyses the response and the user is validated
8. Access is granted to the user based on the authorization data / user profile in the application
OIDC
▶OIDC is a newer protocol built on top of the OAuth 2.0 framework and uses JSON-based web tokens (JWT) to structure data.
▶JWT is an industry standard that defines the rules to represent and securely transfer claims between two parties, namely the Identity Provider (IDP) & Relying Party (RP). Claims are encrypted, sensitive user data, used to support identity verification.
▶OIDC scopes define the claims (the user attributes) that an application can have access to. The IDP maintains a list of acceptable scopes, and after a user explicitly consents to sharing their details (which includes the scopes), the IDP makes the scopes available to the relying party (application).
▶Before communicating, the Relying Party (RP) and the IDP must exchange metadata. Both parties must agree on possible scopes, the IDP must assign a secret and client-ID to the RP, and the RP must share the endpoint to receive codes and tokens.
OIDC flow between the Relying Party (RP) and the Identity Provider (IDP):
1. User attempts to login to the service provider directly
2. Service provider redirects the user’s browser to the identity provider
3. User logs into the identity provider
4. Identity provider confirms the authentication status as successful. Users are prompted to grant the application access to their data (specified by the requested scopes)
5. JWT is sent to the user’s browser. It contains authN & authZ related information along with the corresponding user profile
6. JWT is sent to the service provider by the browser
7. Service provider analyses the response and the user is validated
8. Access is granted to the user based on the authorization data / user profile in the application
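Step 7 ("service provider analyses the response") is where the RP's security actually lives, so here is an added example (written for this page, not code from the deck or from any OIDC library) of what that analysis has to cover before a single claim is trusted: the algorithm is pinned rather than read from the token, the signature is checked with the secret the IDP assigned to the RP, and issuer, audience (the RP's client-ID), nonce and expiry are all compared against what the RP itself sent or expects. The token is signed with HS256 using that client secret to keep the example self-contained (real IDPs usually use RS256/ES256 with keys published in their metadata), audience is modelled as a single string, and the names IDClaims, MintIDToken and VerifyIDToken are the example's own. One caveat the code makes visible: in a signed JWT like this one the payload is only base64url-encoded, so anyone holding the token can read the claims; keeping them confidential would require an encrypted (JWE) token, which is a separate mechanism.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDClaims are the standard ID-token claims the RP must check. Audience is a
// single string here (the spec also allows an array). Names are this example's.
type IDClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

var b64 = base64.RawURLEncoding

func hs256(signingInput string, secret []byte) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return b64.EncodeToString(m.Sum(nil))
}

// MintIDToken plays the IDP (step 5): header.payload.signature, each part
// base64url-encoded. The payload is readable by anyone holding the token.
func MintIDToken(c IDClaims, secret []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return signingInput + "." + hs256(signingInput, secret), nil
}

// VerifyIDToken plays the RP (step 7). No claim is trusted until algorithm,
// signature, issuer, audience, nonce and expiry have all been checked.
func VerifyIDToken(token string, secret []byte, iss, clientID, nonce string, now time.Time) (*IDClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != "HS256" { // pin the algorithm: the token must not choose it (e.g. "none")
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	if !hmac.Equal([]byte(hs256(parts[0]+"."+parts[1], secret)), []byte(parts[2])) {
		return nil, errors.New("invalid signature")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c IDClaims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != iss:
		return nil, errors.New("issuer mismatch")
	case c.Aud != clientID:
		return nil, errors.New("token was not issued for this client")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: token does not answer our request")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	secret := []byte("client-secret-assigned-by-idp") // constructed sample value
	now := time.Unix(1638662400, 0)
	tok, _ := MintIDToken(IDClaims{Iss: "https://idp.example", Sub: "user-42", Aud: "rp-app", Exp: now.Unix() + 300, Nonce: "n-1"}, secret)
	c, err := VerifyIDToken(tok, secret, "https://idp.example", "rp-app", "n-1", now)
	fmt.Println(c, err)
}
```

The order of checks matters: the signature is verified before the payload is even decoded, so claim values never influence control flow until they are known to come from the IDP. The nonce check is what ties the token to the RP's own redirect in step 2; without it a token obtained in one browser session could be presented in another.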
SAML vs OIDC
SAML:
▶SAML is an authentication & authorization protocol that has been in use for a long time.
▶SAML uses XML to exchange information. SAML assertions/tokens are larger and relatively difficult to process.
▶Does not support user consent natively, but it can be achieved with extensive manual development.
▶Since SAML has been around for much longer, it’s still trusted by a lot of organizations, including government entities. It’s certainly more feature-rich.
▶Suited for organizations and B2B setups.
OIDC:
▶OIDC is a newer protocol and is built on top of the OAuth 2.0 framework.
▶OIDC uses JWTs, which are smaller in size and require lightweight processing.
▶OIDC supports user consent by default.
▶OIDC is now starting to catch up with the features supported by SAML.
▶Suited for B2C setups and supports authenticating modern application types like single-page applications (SPAs) and smartphone applications.
Thank you
This document is shared under the CC BY-NC-SA 4.0 (Creative Commons Attribution-NonCommercial-ShareAlike) license.
About me
Venkatesh Jambulingam, Cloud Security Expert
Email: cybervattam@gmail.com, cybervattam@outlook.com