SlideShare a Scribd company logo

INA Volume 1/3 Version 1.0 RC / Digital Identity and Authentication

Sylvain Maret, profile picture
Sylvain Maret

This document provides an overview and definitions related to digital identity and authentication. It discusses identity, authentication, tokens, and standards like NIST 800-63-1. Passwords and threats like cracking are covered. It also summarizes one-time password (OTP) technologies like time-based, event-based, and out-of-band OTP as well as standards like HOTP, TOTP, and OCRA. The document aims to introduce concepts and topics around digital identity and strong authentication.

Technology
1 of 191
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
INA – Volume 1 Sylvain MARET Version 1.0 RC1 2013-02-17 INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
Who am I?  ICT Security Consultant – 18 years of experience in ICT Security – Principal Consultant at MARET Consulting – Expert at Engineer School of Yverdon-les-Bains – Member of board OpenID Switzerland – Co-founder Application Security Forum #ASFWS – OWASP Member Switzerland – Author of the blog: la Citadelle Electronique – http://ch.linkedin.com/in/smaret or @smaret – http://www.slideshare.net/smaret  Chosen field – AppSec & Digital Identity Security INA Volume 1 / @smaret 2013
Agenda Volume 1  C0 - Introduction  C1 - Definition  C2 - Tokens / Authentication factors  C3 – Password  C4 - One Time Password - OTP  C5 - OTP / OATH standars  C6 - OTP solution  C7 - AuthN PKI  C8 - Biometrics INA Volume 1 / @smaret 2013
Digital Identity ? INA Volume 1 / @smaret 2013
Definition Wikipédia French INA Volume 1 / @smaret 2013
Definition INA Volume 1 / @smaret 2013
Identity  A set of attributes that uniquely describe a person or information system within a given context. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Authentication  The process of establishing confidence in the identity of users or information systems. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Electronic Authentication (E-Authentication)  The process of establishing confidence in user identities electronically presented to an information system. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Claimant  A party whose identity is to be verified using an authentication protocol. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Subscriber  A party who has received a credential or token from a CSP. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Token  Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant’s identity. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Credential  An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Identity Proofing  The process by which a CSP and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Credential Service Provider (CSP)  A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Registration Authority (RA)  A trusted entity that establishes and vouches for the identity or attributes of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Verifier  An entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Relying Party (RP)  An entity that relies upon the Subscriber's token and credentials or a Verifier's assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
Authentication Protocol  A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
AuthN & AuthZ  Aka authentication process  Aka authorization process INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
Tokens / Authentication factors INA Volume 1 / @smaret 2013
Authentication factors  Something you know  Something you have  Something you are INA Volume 1 / @smaret 2013
Strong Authentication / Multi-factor authentication  Multi-factor authentication refers to the use of more than one of the factors listed bellow: – Something you know – Something you have – Something you are INA Volume 1 / @smaret 2013
Two-factor authentication  Two-factor authentication – TFA – T-FA – 2FA INA Volume 1 / @smaret 2013
Knowledge factors: "something the user knows"  Password – password is a secret word or string of characters that is used for user authentication.  PIN – personal identification number (PIN) is a secret numeric password.  Pattern – Pattern is a sequence of cells in an array that is used for authenticating the users. INA Volume 1 / @smaret 2013
Possession factors: "something the user has"  Tokens with a display  USB tokens  Smartphone  Smartcards  Wireless (RFID, NFC)  Etc. INA Volume 1 / @smaret 2013
Inherence factors: "something the user is or do"  Physiological biometric – Fingerprint recognition – Facial recognition system – Iris recognition – Etc.  Behavioral biometrics – Keystroke dynamics – Speaker recognition – Geo Localization – Etc. INA Volume 1 / @smaret 2013
PASSWORD INA Volume 1 / @smaret 2013
http://www.wired.co.uk/magazine/archive/2013/01/features/hacked INA Volume 1 / @smaret 2013
http://www.wired.com/wiredenterprise/2013/01/google-password/ INA Volume 1 / @smaret 2013
Password Factor  Something you know  PIN Code  Password  Passphrase  Aka 1FA INA Volume 1 / @smaret 2013
Password Entropy / Password strength  Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. INA Volume 1 / @smaret 2013
Password Entropy / Password strength http://en.wikipedia.org/wiki/Password_strength INA Volume 1 / @smaret 2013
Password Entropy / Password strength http://en.wikipedia.org/wiki/Password_strength INA Volume 1 / @smaret 2013
Characteristics of weak passwords  based on common dictionary words – Including dictionary words that have been altered: • Reversed (e.g., “terces”) • Mixed case (e.g., SeCreT) • Character/Symbol replacement (e.g., “$ecret”) • Words with vowels removed (e.g., “scrt”)  based on common names  short (under 6 characters)  based on keyboard patterns (e.g., “qwertz”)  composed of single symbol type (e.g., all characters) INA Volume 1 / @smaret 2013
Characteristics of strong passwords  Strong Passwords – contain at least one of each of the following: • digit (0..9) • letter (a..Z) • punctuation symbol (e.g., !) • control character (e.g., ^s, Ctrl-s) – are based on a verse (e.g., passphrase) from an obscure work where the password is formed from the characters in the verse INA Volume 1 / @smaret 2013
Test your password! https://www.microsoft.com/security/pc-security/password-checker.aspx INA Volume 1 / @smaret 2013
Password Manager http://keepass.info/ INA Volume 1 / @smaret 2013
Password Manager http://passwordsafe.sourceforge.net/ INA Volume 1 / @smaret 2013
Password Generator INA Volume 1 / @smaret 2013
Threat Model AuthN 1FA INA Volume 1 / @smaret 2013
Password / Threats  Man In The Middle Attacks  Phishing Attacks  Pharming Attacks  DNS Cache Poisoning  Trojan Attacks  Man-in-the-Phone Attacks (Man-in-the-Mobile/MitMo Attacks)  Man-in-the-Browser Attacks  Browser Poisoning  Password Sniffing  Brute Force Attack  Dictionary Attacks INA Volume 1 / @smaret 2013
Password Attacks  Password Cracking – Brute force – Dictionary attack – Hybride  Password sniffing  Man-in-the-middle attack  Malware – Keylogger  Default Password  Phishing  Etc. INA Volume 1 / @smaret 2013
Password Cracking Tools  Caen & Abel  John the Ripper  L0phtCrack  Ophcrack  THC hydra  Aircrack (WEP/WPA cracking tool)  Etc. INA Volume 1 / @smaret 2013
Rainbow table  A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. INA Volume 1 / @smaret 2013
Ophcrack INA Volume 1 / @smaret 2013
Defense against rainbow tables  A rainbow table is ineffective against one-way hashes that include salts INA Volume 1 / @smaret 2013
Password Storage Cheat Sheet  Password Storage Rules – Rule 1: Use An Adaptive One-Way Function • bcrypt, PBKDF2 or scrypt – Rule 2: Use a Long Cryptographically Random Per- User Salt – Rule 3: Iterate the hash – Rule 4 : Encrypt the Hash Data With a Keyed Algorithm https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet INA Volume 1 / @smaret 2013
Hashcat / GPU  25-GPU cluster cracks every standard Windows password in <6 hours – It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ INA Volume 1 / @smaret 2013
Password sniffing INA Volume 1 / @smaret 2013
DFD – Weak Protocol (Telnet) INA Volume 1 / @smaret 2013
Weak protocols  Telnet  FTP  IMAP  POP3  LDAP  Etc. INA Volume 1 / @smaret 2013
ARP Spoofing INA Volume 1 / @smaret 2013
DFD - SSH INA Volume 1 / @smaret 2013
Man-in-the-middle attack  often abbreviated – MITM, MitM, MIM, MiM, MITMA INA Volume 1 / @smaret 2013
Man-in-the-middle attack  Ettercap  SSLStrip  SSLSniff  Mallory  Etc. INA Volume 1 / @smaret 2013
Keylogger / Keystroke logging  Software-based keyloggers – Malware – Mobile  Hardware-based keyloggers INA Volume 1 / @smaret 2013
Wireless sniffing – TEMPEST http://lasecwww.epfl.ch/keyboard/ INA Volume 1 / @smaret 2013
Malicious Code Evolution INA Volume 1 / @smaret 2013
Malware INA Volume 1 / @smaret 2013
Zeus INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
Default Password INA Volume 1 / @smaret 2013
One Time Password - OTP Strong AuthN OTP INA Volume 1 / @smaret 2013
OTP Technology / Standards  Based on a shared secret Key  Approach – Time Based OTP – Event Based OTP – Challenge Response OTP – Out-of-band OTP – Others  Standards – OATH INA Volume 1 / @smaret 2013
Time Based OTP K=Secret Key / Seed OTP T=UTC Time Hash function INA Volume 1 / @smaret 2013
Event Based OTP K=Secret Key / Seed OTP C = Counter HASH Function INA Volume 1 / @smaret 2013
OTP Challenge Response Based HASH Function K=Secret Key / Seed OTP Challenge nonce INA Volume 1 / @smaret 2013
Out-of-band OTP  SMS OTP  TAN  Email  Etc. INA Volume 1 / @smaret 2013
Out-of-band - SMS OTP INA Volume 1 / @smaret 2013
Out-of-band - TAN INA Volume 1 / @smaret 2013
Bingo Card OTP INA Volume 1 / @smaret 2013
Other[s] OTP technologies… “Flicker code” Generator Software that converts already encrypted data into optical screen animation INA Volume 1 / @smaret 2013
OTP / OATH standards Authentication Methods INA Volume 1 / @smaret 2013
OATH - Authentication Methods  HOTP: An HMAC-Based OTP Algorithm (RFC 4226)  TOTP - Time-based One-time Password Algorithm (RFC 6238)  OCRA - OATH Challenge/Response Algorithms Specification (RFC 6287) INA Volume 1 / @smaret 2013
HOTP: An HMAC-Based One-Time Password Algorithm  RFC 4226  http://www.ietf.org/rfc/rfc4226.txt  Event Based OTP  Use HMAC: Keyed-Hashing for Message Authentication (RFC 2104) INA Volume 1 / @smaret 2013
HOTP – Crypto 101 INA Volume 1 / @smaret 2013
HOTP – Crypto 101 INA Volume 1 / @smaret 2013
TOTP - Time-based One-time Password Algorithm  RFC 6238  http://www.ietf.org/rfc/rfc6238.txt  Time Based OTP  Use HMAC: Keyed-Hashing for Message Authentication (RFC 2104) INA Volume 1 / @smaret 2013
TOTP – Crypto 101 INA Volume 1 / @smaret 2013
Challenge Response OTP  RFC 6287  http://www.ietf.org/rfc/rfc6287.txt  OCRA  OATH Challenge-Response Algorithm INA Volume 1 / @smaret 2013
OCRA – Crypto 101 INA Volume 1 / @smaret 2013
OTP solution INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960 INA Volume 1 / @smaret 2013
OCRA on a mobile INA Volume 1 / @smaret 2013
google-authenticator  These implementations support – HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 – Time-based One-time Password (TOTP) algorithm specified in RFC 6238 – Google Authenticator • Android, IOS and Blackberry http://code.google.com/p/google-authenticator/ INA Volume 1 / @smaret 2013
google-authenticator INA Volume 1 / @smaret 2013
OCRA on Mobile INA Volume 1 / @smaret 2013
OTP without PIN INA Volume 1 / @smaret 2013
OTP Pin Protected INA Volume 1 / @smaret 2013
OTP on Smartcard INA Volume 1 / @smaret 2013
OTP with Smartcard INA Volume 1 / @smaret 2013
OTP hybrid (OTP & PKI) INA Volume 1 / @smaret 2013
YubiKey INA Volume 1 / @smaret 2013
YubiKey INA Volume 1 / @smaret 2013
PKI PKI Strong AuthN INA Volume 1 / @smaret 2013
PKI Tokens Storage INA Volume 1 / @smaret 2013
Public Key Cryptography 101 INA Volume 1 / @smaret 2013
Signature 101 INA Volume 1 / @smaret 2013
Signature – Verification 101 INA Volume 1 / @smaret 2013
Mutual AuthN SSL INA Volume 1 / @smaret 2013
PKI Certificate Validation  CRL  Delta CRL  OCSP INA Volume 1 / @smaret 2013
OSCP Validation INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
Smart Card INA Volume 1 / @smaret 2013
Smart Card INA Volume 1 / @smaret 2013
Smart Card - Crypto INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
Biometrics BIO AuthN INA Volume 1 / @smaret 2013
Biometrics Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Biometric Terms Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Enrollment Process Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Components Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
FRR / FAR Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
TAR Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
FAR Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Accept Rate Threshold Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Identification Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Identification Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Failure to Acquire Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Biometric Modalities Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Dynamic Signature Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Dynamic Signature History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Dynamic Signature Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Face Recognition Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Face Recognition History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Face Recognition Technologies Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Principal Components Analysis (PCA) Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Linear Discriminant Analysis Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Elastic Bunch Graph Matching Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Fingerprinting Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Fingerprinting History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Fingerprinting Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Fingerprint Sensor Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Fingerprint Software Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
Hand Geometry Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Hand Geometry History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Hand Geometry History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Hand Geometry Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Iris Recognition Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Iris Recognition History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Iris Recognition Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Iris Recognition Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Palm Print Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Palm Print History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Palm Print Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Palm Print Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Speaker Verification INA Volume 1 / @smaret 2013
Speaker Verification History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Vascular Pattern INA Volume 1 / @smaret 2013
Vascular Pattern History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Vascular Pattern Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Vascular Pattern Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
Vascular Pattern Technology INA Volume 1 / @smaret 2013
Biometrics Technology INA Volume 1 / @smaret 2013
Biometrics Technology INA Volume 1 / @smaret 2013
Match-on-Card INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
MOC INA Volume 1 / @smaret 2013
MOC – Athena & Precise Biometrics INA Volume 1 / @smaret 2013
INA Volume 1 / @smaret 2013
End Volume 1 Sylvain MARET / @smaret sylvain.maret@openid.ch http://www.slideshare.net/smaret http://www.linkedin.com/in/smaret INA Volume 1 / @smaret 2013
Appendices INA Volume 1 / @smaret 2013
Threat Modeling DFD STRIDE INA Volume 1 / @smaret 2013
Threat Modeling Process Vision Diagram Identify Validate Threats Mitigate INA Volume 1 / @smaret 2013
DFD symbols INA Volume 1 / @smaret 2013
DFD Symbols INA Volume 1 / @smaret 2013
DFD Symbols INA Volume 1 / @smaret 2013
Trust boundaries that intersect data flows  Points/surfaces where an attacker can interject – Machine boundaries, privilege boundaries, integrity boundaries are examples of trust boundaries – Threads in a native process are often inside a trust boundary, because they share the same privs, rights, identifiers and access  Processes talking across a network always have a trust boundary INA Volume 1 / @smaret 2013
DFD Level  Level 0 - Context Diagram – Very high-level; entire component / product / system  Level 1 Diagram – High level; single feature / scenario  Level 2 Diagram – Low level; detailed sub-components of features  Level 3 Diagram – More detailed – Rare to need more layers, except in huge projects or when you’re drawing more trust boundaries INA Volume 1 / @smaret 2013
STRIDE - Tool Threat Property Definition Example Spoofing Authentication Impersonating Pretending to be any of billg, xbox.com or a something or system update someone else. Tampering Integrity Modifying data or Modifying a game config file on disk, or a code packet as it traverses the network Repudiation Non-repudiation Claiming to have not “I didn’t cheat!” performed an action Information Confidentiality Exposing information Reading key material from an app Disclosure to someone not authorized to see it Denial of Service Availability Deny or degrade Crashing the web site, sending a packet and service to users absorbing seconds of CPU time, or routing packets into a black hole Elevation of Privilege Authorization Gain capabilities Allowing a remote internet user to run without proper commands is the classic example, but running authorization kernel code from lower trust1levels is also EoP INA Volume / @smaret 2013
STRIDE – Security Controls STRIDE Threat List Security Type Examples Control Threat action aimed to illegally access and use another Spoofing Authentication user's credentials, such as username and password. Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and Tampering Integrity the alteration of data in transit between two computers over an open network, such as the Internet. Threat action aimed to perform illegal operations in a Non- Repudiation system that lacks the ability to trace the prohibited Repudiation operations. Information Threat action to read a file that one was not granted Confidentiality disclosure access to, or to read data in transit. Denial of Threat aimed to deny access to valid users, such as by Availability service making a web server temporarily unavailable or unusable. Threat aimed to gain privileged access to resources for Elevation of gaining unauthorized access to information or to Authorization privilege compromise a system. INA Volume 1 / @smaret 2013
SRIDE INA Volume 1 / @smaret 2013
SRIDE INA Volume 1 / @smaret 2013
DFD & STRIDE INA Volume 1 / @smaret 2013
DFD AuthN 1FA INA Volume 1 / @smaret 2013
DFD – AuthN 1FA / STRIDE INA Volume 1 / @smaret 2013

More Related Content

PDF
INA Volume 1/3 Version 1.0 Released / Digital Identity and Authentication
Sylvain Maret
 
PDF
Improving Mobile Authentication for Public Safety and First Responders
Priyanka Aash
 
PDF
Two factor authentication-in_your_network_e_guide
Nick Owen
 
PDF
Toward Better Password Requirements
Jim Fenton
 
PDF
PSCR 2019 - ICAM Standards
Adam Lewis
 
PPTX
[DSBW Spring 2009] Unit 08: WebApp Security
Carles Farré
 
PDF
Android Malware Detection Mechanisms
Talha Kabakus
 
PDF
Two Aspect Endorsement Access Control for web Based Cloud Computing
IRJET Journal
 
INA Volume 1/3 Version 1.0 Released / Digital Identity and Authentication
Sylvain Maret
 
Improving Mobile Authentication for Public Safety and First Responders
Priyanka Aash
 
Two factor authentication-in_your_network_e_guide
Nick Owen
 
Toward Better Password Requirements
Jim Fenton
 
PSCR 2019 - ICAM Standards
Adam Lewis
 
[DSBW Spring 2009] Unit 08: WebApp Security
Carles Farré
 
Android Malware Detection Mechanisms
Talha Kabakus
 
Two Aspect Endorsement Access Control for web Based Cloud Computing
IRJET Journal
 

What's hot (19)

PDF
Making User Authentication More Usable
Jim Fenton
 
PDF
Mobile Hacking
Novizul Evendi
 
PPTX
Seminar-Two Factor Authentication
Dilip Kr. Jangir
 
PDF
Biometrics: Sexy, Secure and... Stupid - RSAC 2018
Adam Englander
 
PPTX
Digital signatures
kajalsharma161
 
PDF
2FYSH: two-factor authentication you should have for password replacement
TELKOMNIKA JOURNAL
 
PDF
User Authentication: Passwords and Beyond
Jim Fenton
 
PDF
Android malware overview, status and dilemmas
Tech and Law Center
 
PDF
IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...
IRJET Journal
 
PDF
hacking_ble_smartwatch @idsecconf2019 cirebon
Rama Nanda
 
PPTX
Two Factor Authentication
Nikhil Shaw
 
PPTX
Multifactor Authentication
Ronnie Isherwood
 
PDF
OWASP AppSec USA 2015, San Francisco
Clare Nelson, CISSP, CIPP-E
 
PPTX
Owasp for testing_mobile_apps_opd
Pawel Rzepa
 
PDF
CompTIA Security+ SY0-601 Domain 1
ShivamSharma909
 
PDF
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 
PDF
Usability vs. Security: Find the Right Balance in Mobile Apps
Josiah Renaudin
 
PDF
Penetration and hacking training brief
Bill Nelson
 
PDF
Les 10 risques liés aux applications mobiles
Bee_Ware
 
Making User Authentication More Usable
Jim Fenton
 
Mobile Hacking
Novizul Evendi
 
Seminar-Two Factor Authentication
Dilip Kr. Jangir
 
Biometrics: Sexy, Secure and... Stupid - RSAC 2018
Adam Englander
 
Digital signatures
kajalsharma161
 
2FYSH: two-factor authentication you should have for password replacement
TELKOMNIKA JOURNAL
 
User Authentication: Passwords and Beyond
Jim Fenton
 
Android malware overview, status and dilemmas
Tech and Law Center
 
IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...
IRJET Journal
 
hacking_ble_smartwatch @idsecconf2019 cirebon
Rama Nanda
 
Two Factor Authentication
Nikhil Shaw
 
Multifactor Authentication
Ronnie Isherwood
 
OWASP AppSec USA 2015, San Francisco
Clare Nelson, CISSP, CIPP-E
 
Owasp for testing_mobile_apps_opd
Pawel Rzepa
 
CompTIA Security+ SY0-601 Domain 1
ShivamSharma909
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 
Usability vs. Security: Find the Right Balance in Mobile Apps
Josiah Renaudin
 
Penetration and hacking training brief
Bill Nelson
 
Les 10 risques liés aux applications mobiles
Bee_Ware
 
Ad

Similar to INA Volume 1/3 Version 1.0 RC / Digital Identity and Authentication (20)

PDF
INA Volume 1/3 Version 1.02 Released / Digital Identity and Authentication
Sylvain Maret
 
PPTX
Cryptography and authentication
mbadhi
 
PDF
Application Security explanation of SDLC
OmarKhattab41
 
PPT
Eds user authenticationuser authentication methods
lapao2014
 
PDF
INT 1010 05-1.pdf
Luis R Castellanos
 
PPT
Electronic authentication more than just a password
Nicholas Davis
 
PPT
Electronic Authentication More Than Just A Password
Nicholas Davis
 
PPTX
Unit 5
KRAMANJANEYULU1
 
PPT
Authentication Technologies
Nicholas Davis
 
PPT
Authentication technologies
Nicholas Davis
 
PDF
Implementing High Grade Security in Cloud Application using Multifactor Auth...
IJwest
 
PDF
Class paper final
Anusha Manchala
 
PPT
CTO-CyberSecurityForum-2010-Brisson-Boren
segughana
 
DOCX
Biometric Authentication Technology - Report
Navin Kumar
 
PDF
ASFWS 2011: Harmonizing Identity and Privacy in Digital Identity and Authenti...
Cyber Security Alliance
 
PDF
Security Basics
ArchitecTerra Ltd.
 
PDF
Two-factor authentication- A sample writing _Zaman
Asad Zaman
 
PDF
Stronger/Multi-factor Authentication for Enterprise Applications
Ramesh Nagappan
 
PDF
CISSP Domain 05 Identity and Access Management (IAM).pdf
gealehegn
 
PPT
Topic 6 authentication2 12_dec_2012-1
Khawar Nehal khawar.nehal@atrc.net.pk
 
INA Volume 1/3 Version 1.02 Released / Digital Identity and Authentication
Sylvain Maret
 
Cryptography and authentication
mbadhi
 
Application Security explanation of SDLC
OmarKhattab41
 
Eds user authenticationuser authentication methods
lapao2014
 
INT 1010 05-1.pdf
Luis R Castellanos
 
Electronic authentication more than just a password
Nicholas Davis
 
Electronic Authentication More Than Just A Password
Nicholas Davis
 
Unit 5
KRAMANJANEYULU1
 
Authentication Technologies
Nicholas Davis
 
Authentication technologies
Nicholas Davis
 
Implementing High Grade Security in Cloud Application using Multifactor Auth...
IJwest
 
Class paper final
Anusha Manchala
 
CTO-CyberSecurityForum-2010-Brisson-Boren
segughana
 
Biometric Authentication Technology - Report
Navin Kumar
 
ASFWS 2011: Harmonizing Identity and Privacy in Digital Identity and Authenti...
Cyber Security Alliance
 
Security Basics
ArchitecTerra Ltd.
 
Two-factor authentication- A sample writing _Zaman
Asad Zaman
 
Stronger/Multi-factor Authentication for Enterprise Applications
Ramesh Nagappan
 
CISSP Domain 05 Identity and Access Management (IAM).pdf
gealehegn
 
Topic 6 authentication2 12_dec_2012-1
Khawar Nehal khawar.nehal@atrc.net.pk
 
Ad

More from Sylvain Maret (20)

PDF
Air Navigation Service Providers - Unsecurity on Voice over IP Radion
Sylvain Maret
 
PDF
factsheet_4g_critical_comm_en_vl
Sylvain Maret
 
PDF
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Sylvain Maret
 
PDF
Strong Authentication State of the Art 2012 / Sarajevo CSO
Sylvain Maret
 
PDF
ASFWS 2012 / Initiation à la sécurité des Web Services par Sylvain Maret
Sylvain Maret
 
PDF
Threat Modeling / iPad
Sylvain Maret
 
PDF
Strong Authentication in Web Application #SCS III
Sylvain Maret
 
PDF
Strong Authentication in Web Applications: State of the Art 2011
Sylvain Maret
 
PDF
Strong Authentication in Web Application / ConFoo.ca 2011
Sylvain Maret
 
PPT
Authentication and strong authentication for Web Application
Sylvain Maret
 
PDF
Geneva Application Security Forum 2010
Sylvain Maret
 
PDF
Final conclusions of Working Group 3 at Workshop Münchenwiler 20-21 of May 20...
Sylvain Maret
 
PPTX
Comment protéger de façon efficace son/ses identité(s) numérique(s) sur le We...
Sylvain Maret
 
PPTX
Digital identity trust & confidence
Sylvain Maret
 
PDF
Implementation of a Biometric Solution Providing Strong Authentication To Gai...
Sylvain Maret
 
PDF
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
PDF
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
PDF
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
PPTX
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
PDF
Corrélation d'évènements dans un environnement VoIP avec ExaProtect
Sylvain Maret
 
Air Navigation Service Providers - Unsecurity on Voice over IP Radion
Sylvain Maret
 
factsheet_4g_critical_comm_en_vl
Sylvain Maret
 
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Sylvain Maret
 
Strong Authentication State of the Art 2012 / Sarajevo CSO
Sylvain Maret
 
ASFWS 2012 / Initiation à la sécurité des Web Services par Sylvain Maret
Sylvain Maret
 
Threat Modeling / iPad
Sylvain Maret
 
Strong Authentication in Web Application #SCS III
Sylvain Maret
 
Strong Authentication in Web Applications: State of the Art 2011
Sylvain Maret
 
Strong Authentication in Web Application / ConFoo.ca 2011
Sylvain Maret
 
Authentication and strong authentication for Web Application
Sylvain Maret
 
Geneva Application Security Forum 2010
Sylvain Maret
 
Final conclusions of Working Group 3 at Workshop Münchenwiler 20-21 of May 20...
Sylvain Maret
 
Comment protéger de façon efficace son/ses identité(s) numérique(s) sur le We...
Sylvain Maret
 
Digital identity trust & confidence
Sylvain Maret
 
Implementation of a Biometric Solution Providing Strong Authentication To Gai...
Sylvain Maret
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
Corrélation d'évènements dans un environnement VoIP avec ExaProtect
Sylvain Maret
 

Recently uploaded (20)

PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 

INA Volume 1/3 Version 1.0 RC / Digital Identity and Authentication

  • 1. INA – Volume 1 Sylvain MARET Version 1.0 RC1 2013-02-17 INA Volume 1 / @smaret 2013
  • 2. INA Volume 1 / @smaret 2013
  • 3. Who am I?  ICT Security Consultant – 18 years of experience in ICT Security – Principal Consultant at MARET Consulting – Expert at Engineer School of Yverdon-les-Bains – Member of board OpenID Switzerland – Co-founder Application Security Forum #ASFWS – OWASP Member Switzerland – Author of the blog: la Citadelle Electronique – http://ch.linkedin.com/in/smaret or @smaret – http://www.slideshare.net/smaret  Chosen field – AppSec & Digital Identity Security INA Volume 1 / @smaret 2013
  • 4. Agenda Volume 1  C0 - Introduction  C1 - Definition  C2 - Tokens / Authentication factors  C3 – Password  C4 - One Time Password - OTP  C5 - OTP / OATH standars  C6 - OTP solution  C7 - AuthN PKI  C8 - Biometrics INA Volume 1 / @smaret 2013
  • 5. Digital Identity ? INA Volume 1 / @smaret 2013
  • 6. Definition Wikipédia French INA Volume 1 / @smaret 2013
  • 7. Definition INA Volume 1 / @smaret 2013
  • 8. Identity  A set of attributes that uniquely describe a person or information system within a given context. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 9. Authentication  The process of establishing confidence in the identity of users or information systems. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 10. Electronic Authentication (E-Authentication)  The process of establishing confidence in user identities electronically presented to an information system. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 11. Claimant  A party whose identity is to be verified using an authentication protocol. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 12. Subscriber  A party who has received a credential or token from a CSP. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 13. Token  Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant’s identity. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 14. Credential  An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 15. Identity Proofing  The process by which a CSP and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 16. Credential Service Provider (CSP)  A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 17. Registration Authority (RA)  A trusted entity that establishes and vouches for the identity or attributes of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 18. Verifier  An entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 19. Relying Party (RP)  An entity that relies upon the Subscriber's token and credentials or a Verifier's assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 20. Authentication Protocol  A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier. Source = NIST Special Publication 800-63-1 INA Volume 1 / @smaret 2013
  • 21. AuthN & AuthZ  Aka authentication process  Aka authorization process INA Volume 1 / @smaret 2013
  • 22. INA Volume 1 / @smaret 2013
  • 23. Tokens / Authentication factors INA Volume 1 / @smaret 2013
  • 24. Authentication factors  Something you know  Something you have  Something you are INA Volume 1 / @smaret 2013
  • 25. Strong Authentication / Multi-factor authentication  Multi-factor authentication refers to the use of more than one of the factors listed bellow: – Something you know – Something you have – Something you are INA Volume 1 / @smaret 2013
  • 26. Two-factor authentication  Two-factor authentication – TFA – T-FA – 2FA INA Volume 1 / @smaret 2013
  • 27. Knowledge factors: "something the user knows"  Password – password is a secret word or string of characters that is used for user authentication.  PIN – personal identification number (PIN) is a secret numeric password.  Pattern – Pattern is a sequence of cells in an array that is used for authenticating the users. INA Volume 1 / @smaret 2013
  • 28. Possession factors: "something the user has"  Tokens with a display  USB tokens  Smartphone  Smartcards  Wireless (RFID, NFC)  Etc. INA Volume 1 / @smaret 2013
  • 29. Inherence factors: "something the user is or do"  Physiological biometric – Fingerprint recognition – Facial recognition system – Iris recognition – Etc.  Behavioral biometrics – Keystroke dynamics – Speaker recognition – Geo Localization – Etc. INA Volume 1 / @smaret 2013
  • 30. PASSWORD INA Volume 1 / @smaret 2013
  • 33. Password Factor  Something you know  PIN Code  Password  Passphrase  Aka 1FA INA Volume 1 / @smaret 2013
  • 34. Password Entropy / Password strength  Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. INA Volume 1 / @smaret 2013
  • 35. Password Entropy / Password strength http://en.wikipedia.org/wiki/Password_strength INA Volume 1 / @smaret 2013
  • 36. Password Entropy / Password strength http://en.wikipedia.org/wiki/Password_strength INA Volume 1 / @smaret 2013
  • 37. Characteristics of weak passwords  based on common dictionary words – Including dictionary words that have been altered: • Reversed (e.g., “terces”) • Mixed case (e.g., SeCreT) • Character/Symbol replacement (e.g., “$ecret”) • Words with vowels removed (e.g., “scrt”)  based on common names  short (under 6 characters)  based on keyboard patterns (e.g., “qwertz”)  composed of single symbol type (e.g., all characters) INA Volume 1 / @smaret 2013
  • 38. Characteristics of strong passwords  Strong Passwords – contain at least one of each of the following: • digit (0..9) • letter (a..Z) • punctuation symbol (e.g., !) • control character (e.g., ^s, Ctrl-s) – are based on a verse (e.g., passphrase) from an obscure work where the password is formed from the characters in the verse INA Volume 1 / @smaret 2013
  • 39. Test your password! https://www.microsoft.com/security/pc-security/password-checker.aspx INA Volume 1 / @smaret 2013
  • 40. Password Manager http://keepass.info/ INA Volume 1 / @smaret 2013
  • 41. Password Manager http://passwordsafe.sourceforge.net/ INA Volume 1 / @smaret 2013
  • 42. Password Generator INA Volume 1 / @smaret 2013
  • 43. Threat Model AuthN 1FA INA Volume 1 / @smaret 2013
  • 44. Password / Threats  Man In The Middle Attacks  Phishing Attacks  Pharming Attacks  DNS Cache Poisoning  Trojan Attacks  Man-in-the-Phone Attacks (Man-in-the-Mobile/MitMo Attacks)  Man-in-the-Browser Attacks  Browser Poisoning  Password Sniffing  Brute Force Attack  Dictionary Attacks INA Volume 1 / @smaret 2013
  • 45. Password Attacks  Password Cracking – Brute force – Dictionary attack – Hybride  Password sniffing  Man-in-the-middle attack  Malware – Keylogger  Default Password  Phishing  Etc. INA Volume 1 / @smaret 2013
  • 46. Password Cracking Tools  Caen & Abel  John the Ripper  L0phtCrack  Ophcrack  THC hydra  Aircrack (WEP/WPA cracking tool)  Etc. INA Volume 1 / @smaret 2013
  • 47. Rainbow table  A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. INA Volume 1 / @smaret 2013
  • 48. Ophcrack INA Volume 1 / @smaret 2013
  • 49. Defense against rainbow tables  A rainbow table is ineffective against one-way hashes that include salts INA Volume 1 / @smaret 2013
  • 50. Password Storage Cheat Sheet  Password Storage Rules – Rule 1: Use An Adaptive One-Way Function • bcrypt, PBKDF2 or scrypt – Rule 2: Use a Long Cryptographically Random Per- User Salt – Rule 3: Iterate the hash – Rule 4 : Encrypt the Hash Data With a Keyed Algorithm https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet INA Volume 1 / @smaret 2013
  • 51. Hashcat / GPU  25-GPU cluster cracks every standard Windows password in <6 hours – It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ INA Volume 1 / @smaret 2013
  • 52. Password sniffing INA Volume 1 / @smaret 2013
  • 53. DFD – Weak Protocol (Telnet) INA Volume 1 / @smaret 2013
  • 54. Weak protocols  Telnet  FTP  IMAP  POP3  LDAP  Etc. INA Volume 1 / @smaret 2013
  • 55. ARP Spoofing INA Volume 1 / @smaret 2013
  • 56. DFD - SSH INA Volume 1 / @smaret 2013
  • 57. Man-in-the-middle attack  often abbreviated – MITM, MitM, MIM, MiM, MITMA INA Volume 1 / @smaret 2013
  • 58. Man-in-the-middle attack  Ettercap  SSLStrip  SSLSniff  Mallory  Etc. INA Volume 1 / @smaret 2013
  • 59. Keylogger / Keystroke logging  Software-based keyloggers – Malware – Mobile  Hardware-based keyloggers INA Volume 1 / @smaret 2013
  • 60. Wireless sniffing – TEMPEST http://lasecwww.epfl.ch/keyboard/ INA Volume 1 / @smaret 2013
  • 61. Malicious Code Evolution INA Volume 1 / @smaret 2013
  • 62. Malware INA Volume 1 / @smaret 2013
  • 63. Zeus INA Volume 1 / @smaret 2013
  • 64. INA Volume 1 / @smaret 2013
  • 65. Default Password INA Volume 1 / @smaret 2013
  • 66. One Time Password - OTP Strong AuthN OTP INA Volume 1 / @smaret 2013
  • 67. OTP Technology / Standards  Based on a shared secret Key  Approach – Time Based OTP – Event Based OTP – Challenge Response OTP – Out-of-band OTP – Others  Standards – OATH INA Volume 1 / @smaret 2013
  • 68. Time Based OTP K=Secret Key / Seed OTP T=UTC Time Hash function INA Volume 1 / @smaret 2013
  • 69. Event Based OTP K=Secret Key / Seed OTP C = Counter HASH Function INA Volume 1 / @smaret 2013
  • 70. OTP Challenge Response Based HASH Function K=Secret Key / Seed OTP Challenge nonce INA Volume 1 / @smaret 2013
  • 71. Out-of-band OTP  SMS OTP  TAN  Email  Etc. INA Volume 1 / @smaret 2013
  • 72. Out-of-band - SMS OTP INA Volume 1 / @smaret 2013
  • 73. Out-of-band - TAN INA Volume 1 / @smaret 2013
  • 74. Bingo Card OTP INA Volume 1 / @smaret 2013
  • 75. Other[s] OTP technologies… “Flicker code” Generator Software that converts already encrypted data into optical screen animation INA Volume 1 / @smaret 2013
  • 76. OTP / OATH standards Authentication Methods INA Volume 1 / @smaret 2013
  • 77. OATH - Authentication Methods  HOTP: An HMAC-Based OTP Algorithm (RFC 4226)  TOTP - Time-based One-time Password Algorithm (RFC 6238)  OCRA - OATH Challenge/Response Algorithms Specification (RFC 6287) INA Volume 1 / @smaret 2013
  • 78. HOTP: An HMAC-Based One-Time Password Algorithm  RFC 4226  http://www.ietf.org/rfc/rfc4226.txt  Event Based OTP  Use HMAC: Keyed-Hashing for Message Authentication (RFC 2104) INA Volume 1 / @smaret 2013
  • 79. HOTP – Crypto 101 INA Volume 1 / @smaret 2013
  • 80. HOTP – Crypto 101 INA Volume 1 / @smaret 2013
  • 81. TOTP - Time-based One-time Password Algorithm  RFC 6238  http://www.ietf.org/rfc/rfc6238.txt  Time Based OTP  Use HMAC: Keyed-Hashing for Message Authentication (RFC 2104) INA Volume 1 / @smaret 2013
  • 82. TOTP – Crypto 101 INA Volume 1 / @smaret 2013
  • 83. Challenge Response OTP  RFC 6287  http://www.ietf.org/rfc/rfc6287.txt  OCRA  OATH Challenge-Response Algorithm INA Volume 1 / @smaret 2013
  • 84. OCRA – Crypto 101 INA Volume 1 / @smaret 2013
  • 85. OTP solution INA Volume 1 / @smaret 2013
  • 86. INA Volume 1 / @smaret 2013
  • 87. INA Volume 1 / @smaret 2013
  • 88. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960 INA Volume 1 / @smaret 2013
  • 89. OCRA on a mobile INA Volume 1 / @smaret 2013
  • 90. google-authenticator  These implementations support – HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 – Time-based One-time Password (TOTP) algorithm specified in RFC 6238 – Google Authenticator • Android, IOS and Blackberry http://code.google.com/p/google-authenticator/ INA Volume 1 / @smaret 2013
  • 91. google-authenticator INA Volume 1 / @smaret 2013
  • 92. OCRA on Mobile INA Volume 1 / @smaret 2013
  • 93. OTP without PIN INA Volume 1 / @smaret 2013
  • 94. OTP Pin Protected INA Volume 1 / @smaret 2013
  • 95. OTP on Smartcard INA Volume 1 / @smaret 2013
  • 96. OTP with Smartcard INA Volume 1 / @smaret 2013
  • 97. OTP hybrid (OTP & PKI) INA Volume 1 / @smaret 2013
  • 98. YubiKey INA Volume 1 / @smaret 2013
  • 99. YubiKey INA Volume 1 / @smaret 2013
  • 100. PKI PKI Strong AuthN INA Volume 1 / @smaret 2013
  • 101. PKI Tokens Storage INA Volume 1 / @smaret 2013
  • 102. Public Key Cryptography 101 INA Volume 1 / @smaret 2013
  • 103. Signature 101 INA Volume 1 / @smaret 2013
  • 104. Signature – Verification 101 INA Volume 1 / @smaret 2013
  • 105. Mutual AuthN SSL INA Volume 1 / @smaret 2013
  • 106. PKI Certificate Validation  CRL  Delta CRL  OCSP INA Volume 1 / @smaret 2013
  • 107. OSCP Validation INA Volume 1 / @smaret 2013
  • 108. INA Volume 1 / @smaret 2013
  • 109. INA Volume 1 / @smaret 2013
  • 110. INA Volume 1 / @smaret 2013
  • 111. INA Volume 1 / @smaret 2013
  • 112. INA Volume 1 / @smaret 2013
  • 113. Smart Card INA Volume 1 / @smaret 2013
  • 114. Smart Card INA Volume 1 / @smaret 2013
  • 115. Smart Card - Crypto INA Volume 1 / @smaret 2013
  • 116. INA Volume 1 / @smaret 2013
  • 117. INA Volume 1 / @smaret 2013
  • 118. Biometrics BIO AuthN INA Volume 1 / @smaret 2013
  • 119. Biometrics Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 120. Biometric Terms Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 121. Enrollment Process Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 122. Components Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 123. FRR / FAR Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 124. TAR Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 125. FAR Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 126. Accept Rate Threshold Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 127. Identification Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 128. Identification Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 129. Failure to Acquire Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 130. Biometric Modalities Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 131. Dynamic Signature Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 132. Dynamic Signature History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 133. Dynamic Signature Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 134. Face Recognition Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 135. Face Recognition History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 136. Face Recognition Technologies Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 137. Principal Components Analysis (PCA) Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 138. Linear Discriminant Analysis Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 139. Elastic Bunch Graph Matching Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 140. Fingerprinting Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 141. Fingerprinting History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 142. Fingerprinting Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 143. Fingerprint Sensor Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 144. Fingerprint Software Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 145. INA Volume 1 / @smaret 2013
  • 146. INA Volume 1 / @smaret 2013
  • 147. Hand Geometry Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 148. Hand Geometry History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 149. Hand Geometry History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 150. Hand Geometry Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 151. Iris Recognition Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 152. Iris Recognition History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 153. Iris Recognition Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 154. Iris Recognition Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 155. Palm Print Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 156. Palm Print History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 157. Palm Print Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 158. Palm Print Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 159. Speaker Verification INA Volume 1 / @smaret 2013
  • 160. Speaker Verification History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 161. Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 162. Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 163. Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 164. Vascular Pattern INA Volume 1 / @smaret 2013
  • 165. Vascular Pattern History Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 166. Vascular Pattern Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 167. Vascular Pattern Technology Source: http://www.biometrics.gov/ INA Volume 1 / @smaret 2013
  • 168. Vascular Pattern Technology INA Volume 1 / @smaret 2013
  • 169. Biometrics Technology INA Volume 1 / @smaret 2013
  • 170. Biometrics Technology INA Volume 1 / @smaret 2013
  • 171. Match-on-Card INA Volume 1 / @smaret 2013
  • 172. INA Volume 1 / @smaret 2013
  • 173. MOC INA Volume 1 / @smaret 2013
  • 174. MOC – Athena & Precise Biometrics INA Volume 1 / @smaret 2013
  • 175. INA Volume 1 / @smaret 2013
  • 176. End Volume 1 Sylvain MARET / @smaret sylvain.maret@openid.ch http://www.slideshare.net/smaret http://www.linkedin.com/in/smaret INA Volume 1 / @smaret 2013
  • 177. Appendices INA Volume 1 / @smaret 2013
  • 178. Threat Modeling DFD STRIDE INA Volume 1 / @smaret 2013
  • 179. Threat Modeling Process Vision Diagram Identify Validate Threats Mitigate INA Volume 1 / @smaret 2013
  • 180. DFD symbols INA Volume 1 / @smaret 2013
  • 181. DFD Symbols INA Volume 1 / @smaret 2013
  • 182. DFD Symbols INA Volume 1 / @smaret 2013
  • 183. Trust boundaries that intersect data flows  Points/surfaces where an attacker can interject – Machine boundaries, privilege boundaries, integrity boundaries are examples of trust boundaries – Threads in a native process are often inside a trust boundary, because they share the same privs, rights, identifiers and access  Processes talking across a network always have a trust boundary INA Volume 1 / @smaret 2013
  • 184. DFD Level  Level 0 - Context Diagram – Very high-level; entire component / product / system  Level 1 Diagram – High level; single feature / scenario  Level 2 Diagram – Low level; detailed sub-components of features  Level 3 Diagram – More detailed – Rare to need more layers, except in huge projects or when you’re drawing more trust boundaries INA Volume 1 / @smaret 2013
  • 185. STRIDE - Tool Threat Property Definition Example Spoofing Authentication Impersonating Pretending to be any of billg, xbox.com or a something or system update someone else. Tampering Integrity Modifying data or Modifying a game config file on disk, or a code packet as it traverses the network Repudiation Non-repudiation Claiming to have not “I didn’t cheat!” performed an action Information Confidentiality Exposing information Reading key material from an app Disclosure to someone not authorized to see it Denial of Service Availability Deny or degrade Crashing the web site, sending a packet and service to users absorbing seconds of CPU time, or routing packets into a black hole Elevation of Privilege Authorization Gain capabilities Allowing a remote internet user to run without proper commands is the classic example, but running authorization kernel code from lower trust1levels is also EoP INA Volume / @smaret 2013
  • 186. STRIDE – Security Controls STRIDE Threat List Security Type Examples Control Threat action aimed to illegally access and use another Spoofing Authentication user's credentials, such as username and password. Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and Tampering Integrity the alteration of data in transit between two computers over an open network, such as the Internet. Threat action aimed to perform illegal operations in a Non- Repudiation system that lacks the ability to trace the prohibited Repudiation operations. Information Threat action to read a file that one was not granted Confidentiality disclosure access to, or to read data in transit. Denial of Threat aimed to deny access to valid users, such as by Availability service making a web server temporarily unavailable or unusable. Threat aimed to gain privileged access to resources for Elevation of gaining unauthorized access to information or to Authorization privilege compromise a system. INA Volume 1 / @smaret 2013
  • 187. SRIDE INA Volume 1 / @smaret 2013
  • 188. SRIDE INA Volume 1 / @smaret 2013
  • 189. DFD & STRIDE INA Volume 1 / @smaret 2013
  • 190. DFD AuthN 1FA INA Volume 1 / @smaret 2013
  • 191. DFD – AuthN 1FA / STRIDE INA Volume 1 / @smaret 2013