SlideShare a Scribd company logo

INA Volume 1/3 Version 1.02 Released / Digital Identity and Authentication

Sylvain Maret, profile picture
Sylvain Maret

The document is an extensive guide on digital identity security and authentication, authored by Sylvain Maret, an expert with 18 years in ICT security. It covers various topics including definitions of identity and authentication, different authentication factors like passwords and biometrics, and the concepts of tokens and credentials used in electronic authentication. It also discusses threats to password security, characteristics of strong versus weak passwords, and the technologies and standards for implementing strong authentication methods.

Technology
1 of 255
Downloaded 67 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
INA – Volume 1 Sylvain MARET Version 1.02 Released 2013-03-13 INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
Who am I?  ICT Security Consultant – 18 years of experience in ICT Security – Principal Consultant at MARET Consulting – Expert at Engineer School of Yverdon-les-Bains – Member of board OpenID Switzerland – Co-founder Application Security Forum #ASFWS – OWASP Member Switzerland – Author of the blog: la Citadelle Electronique – http://ch.linkedin.com/in/smaret or @smaret – http://www.slideshare.net/smaret  Chosen field – AppSec & Digital Identity Security INA Volume 1 – Version 1.02 / @smaret 2013
Agenda Volume 1  C0 - Introduction  C1 - Definition  C2 - Tokens / Authentication factors  C3 – Password  C4 - One Time Password - OTP  C5 - OTP / OATH standars  C6 - OTP solution  C7 - AuthN PKI  C8 - Biometrics  C9 - OATH approach INA Volume 1 – Version 1.02 / @smaret 2013
Digital Identity ? INA Volume 1 – Version 1.02 / @smaret 2013
Definition Wikipédia French INA Volume 1 – Version 1.02 / @smaret 2013
Definition INA Volume 1 – Version 1.02 / @smaret 2013
Identity  A set of attributes that uniquely describe a person or information system within a given context. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
Authentication  The process of establishing confidence in the identity of users or information systems. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
Electronic Authentication (E-Authentication)  The process of establishing confidence in user identities electronically presented to an information system. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
Claimant  A party whose identity is to be verified using an authentication protocol. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
Subscriber  A party who has received a credential or token from a CSP. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
Token  Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant’s identity. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
TokenCode / PassCode  TokenCode = OTP Display  PassCode = PIN Code * TokenCode INA Volume 1 – Version 1.02 / @smaret 2013
Credential  An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
Identity Proofing  The process by which a CSP and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
Credential Service Provider (CSP)  A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
Registration Authority (RA)  A trusted entity that establishes and vouches for the identity or attributes of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
Verifier  An entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
Relying Party (RP)  An entity that relies upon the Subscriber's token and credentials or a Verifier's assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
Authentication Protocol  A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
AuthN & AuthZ  Aka authentication process  Aka authorization process INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
Tokens / Authentication factors INA Volume 1 – Version 1.02 / @smaret 2013
Authentication factors  Something you know  Something you have  Something you are INA Volume 1 – Version 1.02 / @smaret 2013
Strong Authentication / Multi-factor authentication  Multi-factor authentication refers to the use of more than one of the factors listed bellow: – Something you know – Something you have – Something you are INA Volume 1 – Version 1.02 / @smaret 2013
Two-factor authentication  Two-factor authentication – TFA – T-FA – 2FA INA Volume 1 – Version 1.02 / @smaret 2013
Knowledge factors: "something the user knows"  Password – password is a secret word or string of characters that is used for user authentication.  PIN – personal identification number (PIN) is a secret numeric password.  Pattern – Pattern is a sequence of cells in an array that is used for authenticating the users. INA Volume 1 – Version 1.02 / @smaret 2013
Possession factors: "something the user has"  Tokens with a display  USB tokens  Smartphone  Smartcards  Wireless (RFID, NFC)  Etc. INA Volume 1 – Version 1.02 / @smaret 2013
Inherence factors: "something the user is or do"  Physiological biometric – Fingerprint recognition – Facial recognition system – Iris recognition – Etc.  Behavioral biometrics – Keystroke dynamics – Speaker recognition – Geo Localization – Etc. INA Volume 1 – Version 1.02 / @smaret 2013
PASSWORD INA Volume 1 – Version 1.02 / @smaret 2013
http://www.wired.co.uk/magazine/archive/2013/01/features/hacked INA Volume 1 – Version 1.02 / @smaret 2013
http://www.wired.com/wiredenterprise/2013/01/google-password/ INA Volume 1 – Version 1.02 / @smaret 2013
Password Factor  Something you know  PIN Code  Password  Passphrase  Aka 1FA INA Volume 1 – Version 1.02 / @smaret 2013
Password Entropy / Password strength  Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. INA Volume 1 – Version 1.02 / @smaret 2013
Password Entropy / Password strength http://en.wikipedia.org/wiki/Password_strength INA Volume 1 – Version 1.02 / @smaret 2013
Password Entropy / Password strength http://en.wikipedia.org/wiki/Password_strength INA Volume 1 – Version 1.02 / @smaret 2013
Characteristics of weak passwords  based on common dictionary words – Including dictionary words that have been altered: • Reversed (e.g., “terces”) • Mixed case (e.g., SeCreT) • Character/Symbol replacement (e.g., “$ecret”) • Words with vowels removed (e.g., “scrt”)  based on common names  short (under 6 characters)  based on keyboard patterns (e.g., “qwertz”)  composed of single symbol type (e.g., all characters) INA Volume 1 – Version 1.02 / @smaret 2013
Characteristics of strong passwords  Strong Passwords – contain at least one of each of the following: • digit (0..9) • letter (a..Z) • punctuation symbol (e.g., !) • control character – are based on a verse (e.g., passphrase) from an obscure work where the password is formed from the characters in the verse INA Volume 1 – Version 1.02 / @smaret 2013
https://xkcd.com/936/ INA Volume 1 – Version 1.02 / @smaret 2013
Test your password! https://www.microsoft.com/security/pc-security/password-checker.aspx INA Volume 1 – Version 1.02 / @smaret 2013
Password Manager http://keepass.info/ INA Volume 1 – Version 1.02 / @smaret 2013
Password Manager http://passwordsafe.sourceforge.net/ INA Volume 1 – Version 1.02 / @smaret 2013
Password Generator INA Volume 1 – Version 1.02 / @smaret 2013
Threat Model AuthN 1FA INA Volume 1 – Version 1.02 / @smaret 2013
Password / Threats  Man In The Middle Attacks  Phishing Attacks  Pharming Attacks – DNS Cache Poisoning  Trojan Attacks  Man-in-the-Phone Attacks (Man-in-the-Mobile/MitMo Attacks)  Man-in-the-Browser Attacks  Browser Poisoning  Password Sniffing  Brute Force Attack  Dictionary Attacks  Default Password  Social Engineering INA Volume 1 – Version 1.02 / @smaret 2013
Password Cracking Tools  Caen & Abel  John the Ripper  L0phtCrack  Ophcrack  THC hydra  Aircrack (WEP/WPA cracking tool)  Etc. INA Volume 1 – Version 1.02 / @smaret 2013
Rainbow table  A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. INA Volume 1 – Version 1.02 / @smaret 2013
Ophcrack INA Volume 1 – Version 1.02 / @smaret 2013
Defense against rainbow tables  A rainbow table is ineffective against one-way hashes that include salts INA Volume 1 – Version 1.02 / @smaret 2013
Password Storage Cheat Sheet  Password Storage Rules – Rule 1: Use An Adaptive One-Way Function • bcrypt, PBKDF2 or scrypt – Rule 2: Use a Long Cryptographically Random Per- User Salt – Rule 3: Iterate the hash – Rule 4 : Encrypt the Hash Data With a Keyed Algorithm https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet INA Volume 1 – Version 1.02 / @smaret 2013
Hashcat / GPU  25-GPU cluster cracks every standard Windows password in <6 hours – It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ INA Volume 1 – Version 1.02 / @smaret 2013
Password sniffing INA Volume 1 – Version 1.02 / @smaret 2013
DFD – Weak Protocol (Telnet) INA Volume 1 – Version 1.02 / @smaret 2013
Weak protocols  Telnet  FTP  IMAP  POP3  LDAP  Etc. INA Volume 1 – Version 1.02 / @smaret 2013
ARP Spoofing INA Volume 1 – Version 1.02 / @smaret 2013
DFD - SSH INA Volume 1 – Version 1.02 / @smaret 2013
Man-in-the-middle attack  often abbreviated – MITM, MitM, MIM, MiM, MITMA INA Volume 1 – Version 1.02 / @smaret 2013
Man-in-the-middle attack  Ettercap  SSLStrip  SSLSniff  Mallory  Etc. INA Volume 1 – Version 1.02 / @smaret 2013
Keylogger / Keystroke logging  Software-based keyloggers – Malware – Mobile  Hardware-based keyloggers INA Volume 1 – Version 1.02 / @smaret 2013
Wireless sniffing – TEMPEST http://lasecwww.epfl.ch/keyboard/ INA Volume 1 – Version 1.02 / @smaret 2013
Malicious Code Evolution INA Volume 1 – Version 1.02 / @smaret 2013
Malware INA Volume 1 – Version 1.02 / @smaret 2013
Zeus INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
Default Password INA Volume 1 – Version 1.02 / @smaret 2013
One Time Password - OTP Strong AuthN OTP INA Volume 1 – Version 1.02 / @smaret 2013
OTP Technology / Standards  Based on a shared secret Key (symmetric Crypto)  Approach – Time Based OTP – Event Based OTP – Challenge Response OTP – Out-of-band OTP – Transaction Signing OTP – Others  Standards – OATH INA Volume 1 – Version 1.02 / @smaret 2013
Time Based OTP K=Secret Key / Seed OTP T=UTC Time HMAC INA Volume 1 – Version 1.02 / @smaret 2013
Event Based OTP K=Secret Key / Seed OTP C = Counter HMAC INA Volume 1 – Version 1.02 / @smaret 2013
OTP Challenge Response Based HASH Function K=Secret Key / Seed OTP Challenge nonce INA Volume 1 – Version 1.02 / @smaret 2013
Source= CSE331: Introduction to Networks and Security INA Volume 1 – Version 1.02 / @smaret 2013
Transaction Signing OTP Source= Safenet INA Volume 1 – Version 1.02 / @smaret 2013
Token OTP pin protected Source: Richard E. Smith / Authentication INA Volume 1 – Version 1.02 / @smaret 2013
Token OTP pin protected Source: Richard E. Smith / Authentication INA Volume 1 – Version 1.02 / @smaret 2013
Others OTP  SMS OTP  TAN  paper-based OTP  Bingo Card  Etc. INA Volume 1 – Version 1.02 / @smaret 2013
Out-of-band - SMS OTP INA Volume 1 – Version 1.02 / @smaret 2013
Out-of-band - TAN OTP INA Volume 1 – Version 1.02 / @smaret 2013
paper-based OTP https://github.com/adulau/paper-token INA Volume 1 – Version 1.02 / @smaret 2013
Bingo Card OTP INA Volume 1 – Version 1.02 / @smaret 2013
Other[s] OTP technologies… “Flicker code” Generator Software that converts already encrypted data into optical screen animation INA Volume 1 – Version 1.02 / @smaret 2013
OTP / OATH standards Authentication Methods INA Volume 1 – Version 1.02 / @smaret 2013
HMAC – 101 (Keyed-Hashing for Message Authentication) http://www.ietf.org/rfc/rfc2104.txt INA Volume 1 – Version 1.02 / @smaret 2013
OATH - Authentication Methods  HOTP: An HMAC-Based OTP Algorithm (RFC 4226)  TOTP - Time-based One-time Password Algorithm (RFC 6238)  OCRA - OATH Challenge/Response Algorithms Specification (RFC 6287) INA Volume 1 – Version 1.02 / @smaret 2013
HOTP: An HMAC-Based One-Time Password Algorithm  RFC 4226  http://www.ietf.org/rfc/rfc4226.txt  Event Based OTP  Use HMAC: Keyed-Hashing for Message Authentication (RFC 2104) INA Volume 1 – Version 1.02 / @smaret 2013
HOTP – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
HOTP – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
TOTP - Time-based One-time Password Algorithm  RFC 6238  http://www.ietf.org/rfc/rfc6238.txt  Time Based OTP  Use HMAC: Keyed-Hashing for Message Authentication (RFC 2104) INA Volume 1 – Version 1.02 / @smaret 2013
TOTP – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
Challenge Response OTP  RFC 6287  http://www.ietf.org/rfc/rfc6287.txt  OCRA  OATH Challenge-Response Algorithm INA Volume 1 – Version 1.02 / @smaret 2013
OCRA – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
OCRA – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
OCRA – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
OATH module 1/2  http://packages.debian.org/source/testing/oath-toolkit  https://pypi.python.org/pypi/oath/1.0  http://www.nongnu.org/oath-toolkit/  https://github.com/jennings/OATH.Net  http://search.cpan.org/~sifukurt/Authen-OATH- v1.0.0/lib/Authen/OATH.pm  http://code.google.com/p/mod-authn-otp/  https://code.google.com/p/oathtoken/  http://code.google.com/p/oathtoken/wiki/WebProvisioning INA Volume 1 – Version 1.02 / @smaret 2013
OATH module 2/2  http://freecode.com/projects/linotp  http://sourceforge.net/projects/rcdevs-openotp/  http://www.multiotp.net/  http://www.rcdevs.com/products/openotp/  http://blog.josefsson.org/2011/01/20/introducing-the- oath-toolkit/  http://www.linotp.org/ INA Volume 1 – Version 1.02 / @smaret 2013
MobileOTP  Based on MD5  Time Based OTP  http://motp.sourceforge.net/  http://security.edu.pl/motp-as/login.php INA Volume 1 – Version 1.02 / @smaret 2013
OTP solution OTP AuthN INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960 INA Volume 1 – Version 1.02 / @smaret 2013
google-authenticator  These implementations support – HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 – Time-based One-time Password (TOTP) algorithm specified in RFC 6238 – Google Authenticator • Android, IOS and Blackberry http://code.google.com/p/google-authenticator/ INA Volume 1 – Version 1.02 / @smaret 2013
google-authenticator INA Volume 1 – Version 1.02 / @smaret 2013
OCRA on a mobile INA Volume 1 – Version 1.02 / @smaret 2013
OCRA on Mobile INA Volume 1 – Version 1.02 / @smaret 2013
OTP without PIN INA Volume 1 – Version 1.02 / @smaret 2013
OTP Pin Protected INA Volume 1 – Version 1.02 / @smaret 2013
OTP on Smartcard INA Volume 1 – Version 1.02 / @smaret 2013
OTP with Smartcard INA Volume 1 – Version 1.02 / @smaret 2013
OTP hybrid (OTP & PKI) INA Volume 1 – Version 1.02 / @smaret 2013
YubiKey INA Volume 1 – Version 1.02 / @smaret 2013
YubiKey INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
Yubikey  http://www.yubico.com/support/documentation/  http://forum.yubico.com/  http://code.google.com/p/yubico-pam/ INA Volume 1 – Version 1.02 / @smaret 2013
RSA SecurID 1/3 INA Volume 1 – Version 1.02 / @smaret 2013
RSA SecurID 2/3 INA Volume 1 – Version 1.02 / @smaret 2013
RSA SecurID 3/3 INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
Where are[is] the seed ? INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
Seed generation & distribution ? Still a good model ? K1 Threat Agent Editor / Vendor (APT) Secret Key are[is] generated on premise K1 K1 INA Volume 1 – Version 1.02 / @smaret 2013
RSA SecurID INA Volume 1 – Version 1.02 / @smaret 2013
TokenCode INA Volume 1 – Version 1.02 / @smaret 2013
Generate Seed on premise INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
PKI PKI AuthN INA Volume 1 – Version 1.02 / @smaret 2013
PKI AuthN  Based on asymmetric encryption INA Volume 1 – Version 1.02 / @smaret 2013
PKI Tokens Storage INA Volume 1 – Version 1.02 / @smaret 2013
Public Key Cryptography 101 INA Volume 1 – Version 1.02 / @smaret 2013
Signature 101 INA Volume 1 – Version 1.02 / @smaret 2013
Signature – Verification 101 INA Volume 1 – Version 1.02 / @smaret 2013
Mutual AuthN SSL INA Volume 1 – Version 1.02 / @smaret 2013
PKI Certificate Validation  CRL  Delta CRL  OCSP INA Volume 1 – Version 1.02 / @smaret 2013
OSCP Validation INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
Crypto Processor Source: Richard E. Smith / Authentication INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
Smart Card INA Volume 1 – Version 1.02 / @smaret 2013
Smart Card INA Volume 1 – Version 1.02 / @smaret 2013
Smart Card - Crypto INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
PKI Tokens INA Volume 1 – Version 1.02 / @smaret 2013
Biometrics BIO AuthN INA Volume 1 – Version 1.02 / @smaret 2013
Biometrics Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Biometric Terms Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Enrollment Process Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Components Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
FRR / FAR Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
TAR Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
FAR Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Accept Rate Threshold Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Identification Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Identification Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Failure to Acquire Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Biometric Modalities Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Dynamic Signature Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Dynamic Signature History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Dynamic Signature Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Face Recognition Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Face Recognition History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Face Recognition Technologies Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Principal Components Analysis (PCA) Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Linear Discriminant Analysis Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Elastic Bunch Graph Matching Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Fingerprinting Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Fingerprinting History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Fingerprinting Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Fingerprint Sensor Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Sensors USB INA Volume 1 – Version 1.02 / @smaret 2013
Chipset INA Volume 1 – Version 1.02 / @smaret 2013
PIV-FIPS 201 Sensors INA Volume 1 – Version 1.02 / @smaret 2013
Tablet approach INA Volume 1 – Version 1.02 / @smaret 2013
Windows Biometric Framework Source= Microsoft INA Volume 1 – Version 1.02 / @smaret 2013
Fingerprint Software Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
Hand Geometry Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Hand Geometry History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Hand Geometry History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Hand Geometry Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Iris Recognition Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Iris Recognition History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Iris Recognition Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Iris Recognition Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Palm Print Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Palm Print History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Palm Print Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Palm Print Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Speaker Verification INA Volume 1 – Version 1.02 / @smaret 2013
Speaker Verification History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Vascular Pattern INA Volume 1 – Version 1.02 / @smaret 2013
Vascular Pattern History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Vascular Pattern Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Vascular Pattern Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
Vascular Pattern Technology INA Volume 1 – Version 1.02 / @smaret 2013
Device fingerprint - DNA  A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification INA Volume 1 – Version 1.02 / @smaret 2013
Fingerprint a Computer Source = The Wall Street Journa INA Volume 1 – Version 1.02 / @smaret 2013
Biometrics Technology INA Volume 1 – Version 1.02 / @smaret 2013
Match-on-Card INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
MOC INA Volume 1 – Version 1.02 / @smaret 2013
MOC – Athena & Precise Biometrics INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
OATH approach Open Authentication INA Volume 1 – Version 1.02 / @smaret 2013
OATH Approach INA Volume 1 – Version 1.02 / @smaret 2013
OATH Logical view INA Volume 1 – Version 1.02 / @smaret 2013
OATH Physical view INA Volume 1 – Version 1.02 / @smaret 2013
OATH Authentication Framework INA Volume 1 – Version 1.02 / @smaret 2013
OATH Client framework INA Volume 1 – Version 1.02 / @smaret 2013
OATH AuthN methods 1/2 INA Volume 1 – Version 1.02 / @smaret 2013
OATH AuthN methods 2/2 INA Volume 1 – Version 1.02 / @smaret 2013
OATH AuthN protocols 1/3 INA Volume 1 – Version 1.02 / @smaret 2013
OATH AuthN protocols 2/3 INA Volume 1 – Version 1.02 / @smaret 2013
OATH AuthN protocols 3/3 INA Volume 1 – Version 1.02 / @smaret 2013
OATH AuthN validation framework INA Volume 1 – Version 1.02 / @smaret 2013
OATH validation protocols INA Volume 1 – Version 1.02 / @smaret 2013
OATH provisioning INA Volume 1 – Version 1.02 / @smaret 2013
Existing Credential Provisioning Protocols 1/2 INA Volume 1 – Version 1.02 / @smaret 2013
Existing Credential Provisioning Protocols 2/2 INA Volume 1 – Version 1.02 / @smaret 2013
Software Provisioning Protocols INA Volume 1 – Version 1.02 / @smaret 2013
End Volume 1 Sylvain MARET / @smaret sylvain.maret@openid.ch http://www.slideshare.net/smaret http://www.linkedin.com/in/smaret INA Volume 1 – Version 1.02 / @smaret 2013
Appendices INA Volume 1 – Version 1.02 / @smaret 2013
Threat Modeling DFD STRIDE INA Volume 1 – Version 1.02 / @smaret 2013
Threat Modeling Process Vision Diagram Identify Validate Threats Mitigate INA Volume 1 – Version 1.02 / @smaret 2013
DFD symbols INA Volume 1 – Version 1.02 / @smaret 2013
DFD Symbols INA Volume 1 – Version 1.02 / @smaret 2013
DFD Symbols INA Volume 1 – Version 1.02 / @smaret 2013
Trust boundaries that intersect data flows  Points/surfaces where an attacker can interject – Machine boundaries, privilege boundaries, integrity boundaries are examples of trust boundaries – Threads in a native process are often inside a trust boundary, because they share the same privs, rights, identifiers and access  Processes talking across a network always have a trust boundary INA Volume 1 – Version 1.02 / @smaret 2013
DFD Level  Level 0 - Context Diagram – Very high-level; entire component / product / system  Level 1 Diagram – High level; single feature / scenario  Level 2 Diagram – Low level; detailed sub-components of features  Level 3 Diagram – More detailed – Rare to need more layers, except in huge projects or when you’re drawing more trust boundaries INA Volume 1 – Version 1.02 / @smaret 2013
STRIDE - Tool Threat Property Definition Example Spoofing Authentication Impersonating Pretending to be any of billg, xbox.com or a something or system update someone else. Tampering Integrity Modifying data or Modifying a game config file on disk, or a code packet as it traverses the network Repudiation Non-repudiation Claiming to have not “I didn’t cheat!” performed an action Information Confidentiality Exposing information Reading key material from an app Disclosure to someone not authorized to see it Denial of Service Availability Deny or degrade Crashing the web site, sending a packet and service to users absorbing seconds of CPU time, or routing packets into a black hole Elevation of Privilege Authorization Gain capabilities Allowing a remote internet user to run without proper commands is the classic example, but running authorization kernel code from lower trust levels is also EoP INA Volume 1 – Version 1.02 / @smaret 2013
STRIDE – Security Controls STRIDE Threat List Security Type Examples Control Threat action aimed to illegally access and use another Spoofing Authentication user's credentials, such as username and password. Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and Tampering Integrity the alteration of data in transit between two computers over an open network, such as the Internet. Threat action aimed to perform illegal operations in a Non- Repudiation system that lacks the ability to trace the prohibited Repudiation operations. Information Threat action to read a file that one was not granted Confidentiality disclosure access to, or to read data in transit. Denial of Threat aimed to deny access to valid users, such as by Availability service making a web server temporarily unavailable or unusable. Threat aimed to gain privileged access to resources for Elevation of gaining unauthorized access to information or to Authorization privilege compromise a system. INA Volume 1 – Version 1.02 / @smaret 2013
SRIDE INA Volume 1 – Version 1.02 / @smaret 2013
SRIDE INA Volume 1 – Version 1.02 / @smaret 2013
DFD & STRIDE INA Volume 1 – Version 1.02 / @smaret 2013
DFD AuthN 1FA INA Volume 1 – Version 1.02 / @smaret 2013
DFD – AuthN 1FA / STRIDE INA Volume 1 – Version 1.02 / @smaret 2013
HSPD-12 PIV AuthN INA Volume 1 – Version 1.02 / @smaret 2013
Homeland Security Presidential Directive/Hspd-12 http://www.dhs.gov/homeland-security-presidential-directive-12 INA Volume 1 – Version 1.02 / @smaret 2013
FIPS 201 / PIV  Federal Information Processing Standard 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006. – (See http://csrc.nist.gov)  FIPS 201 (Federal Information Processing Standard Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.  http://www.idmanagement.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
FICAM Roadmap INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
INA Volume 1 – Version 1.02 / @smaret 2013
LOA http://www.idmanagement.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
LOA INA Volume 1 – Version 1.02 / @smaret 2013
FICAM Roadmap - PACS INA Volume 1 – Version 1.02 / @smaret 2013
FICAM Roadmap - PACS INA Volume 1 – Version 1.02 / @smaret 2013
FICAM Roadmap INA Volume 1 – Version 1.02 / @smaret 2013
PIV Card & Reader INA Volume 1 – Version 1.02 / @smaret 2013
PIVMAN – FIPS 201 INA Volume 1 – Version 1.02 / @smaret 2013

More Related Content

PDF
INA Volume 1/3 Version 1.0 Released / Digital Identity and Authentication
Sylvain Maret
 
PDF
Improving Mobile Authentication for Public Safety and First Responders
Priyanka Aash
 
PDF
Two factor authentication-in_your_network_e_guide
Nick Owen
 
PDF
Toward Better Password Requirements
Jim Fenton
 
PDF
PSCR 2019 - ICAM Standards
Adam Lewis
 
PPTX
[DSBW Spring 2009] Unit 08: WebApp Security
Carles Farré
 
PDF
Android Malware Detection Mechanisms
Talha Kabakus
 
PDF
Two Aspect Endorsement Access Control for web Based Cloud Computing
IRJET Journal
 
INA Volume 1/3 Version 1.0 Released / Digital Identity and Authentication
Sylvain Maret
 
Improving Mobile Authentication for Public Safety and First Responders
Priyanka Aash
 
Two factor authentication-in_your_network_e_guide
Nick Owen
 
Toward Better Password Requirements
Jim Fenton
 
PSCR 2019 - ICAM Standards
Adam Lewis
 
[DSBW Spring 2009] Unit 08: WebApp Security
Carles Farré
 
Android Malware Detection Mechanisms
Talha Kabakus
 
Two Aspect Endorsement Access Control for web Based Cloud Computing
IRJET Journal
 

What's hot (20)

PDF
Making User Authentication More Usable
Jim Fenton
 
PPTX
Seminar-Two Factor Authentication
Dilip Kr. Jangir
 
PDF
2FYSH: two-factor authentication you should have for password replacement
TELKOMNIKA JOURNAL
 
PDF
Biometrics: Sexy, Secure and... Stupid - RSAC 2018
Adam Englander
 
PDF
User Authentication: Passwords and Beyond
Jim Fenton
 
PDF
IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...
IRJET Journal
 
PDF
Android malware overview, status and dilemmas
Tech and Law Center
 
PPTX
Digital signatures
kajalsharma161
 
PPTX
Two Factor Authentication
Nikhil Shaw
 
PDF
hacking_ble_smartwatch @idsecconf2019 cirebon
Rama Nanda
 
PPTX
Multifactor Authentication
Ronnie Isherwood
 
PDF
CompTIA Security+ SY0-601 Domain 1
ShivamSharma909
 
PDF
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 
PDF
IRJET- Configurable Intelligent Secures - 3FA Smart Lock
IRJET Journal
 
PDF
Penetration and hacking training brief
Bill Nelson
 
PDF
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
PDF
Security Checklist: how iOS can help protecting your data.
Tomek Cejner
 
PDF
The New Mobile Landscape - OWASP Ireland
Tyler Shields
 
DOCX
Case Study of RSA Data Breach
Kunal Sharma
 
PDF
Stop Passing the Bug: IoT Supply Chain Security
Synopsys Software Integrity Group
 
Making User Authentication More Usable
Jim Fenton
 
Seminar-Two Factor Authentication
Dilip Kr. Jangir
 
2FYSH: two-factor authentication you should have for password replacement
TELKOMNIKA JOURNAL
 
Biometrics: Sexy, Secure and... Stupid - RSAC 2018
Adam Englander
 
User Authentication: Passwords and Beyond
Jim Fenton
 
IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...
IRJET Journal
 
Android malware overview, status and dilemmas
Tech and Law Center
 
Digital signatures
kajalsharma161
 
Two Factor Authentication
Nikhil Shaw
 
hacking_ble_smartwatch @idsecconf2019 cirebon
Rama Nanda
 
Multifactor Authentication
Ronnie Isherwood
 
CompTIA Security+ SY0-601 Domain 1
ShivamSharma909
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 
IRJET- Configurable Intelligent Secures - 3FA Smart Lock
IRJET Journal
 
Penetration and hacking training brief
Bill Nelson
 
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
Security Checklist: how iOS can help protecting your data.
Tomek Cejner
 
The New Mobile Landscape - OWASP Ireland
Tyler Shields
 
Case Study of RSA Data Breach
Kunal Sharma
 
Stop Passing the Bug: IoT Supply Chain Security
Synopsys Software Integrity Group
 
Ad

Similar to INA Volume 1/3 Version 1.02 Released / Digital Identity and Authentication (20)

PDF
INA Volume 1/3 Version 1.0 RC / Digital Identity and Authentication
Sylvain Maret
 
PDF
Network security unit 4,5,6
WE-IT TUTORIALS
 
PDF
NIST SP 800-63-3 #idcon vol.22
Nov Matake
 
PDF
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Software Guru
 
PDF
NIST 800-63 Guidance & FIDO Authentication
FIDO Alliance
 
PPTX
Standards and methodology for application security assessment
Mykhailo Antonishyn
 
PPTX
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
APIsecure_ Official
 
PPTX
The Road to Identity 2.0
Adam Lewis
 
PDF
Bg24375379
IJERA Editor
 
PDF
How to 2FA-enable Open Source Applications
All Things Open
 
DOCX
Multifactor authenticationMultifactor authentication or MFA .docx
gilpinleeanna
 
PPTX
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
PDF
IRJET- Data Security with Multifactor Authentication
IRJET Journal
 
PPT
Mutual Authentication For Wireless Communication
manish kumar
 
PPT
Crypto Analysis slides presentation slides
tahirsaleem54
 
PDF
FIDO UAF 1.0 Specs: Overview and Insights
FIDO Alliance
 
PDF
Generic threats to mobile application
Vikrant Kansal
 
PDF
A Review Study on Secure Authentication in Mobile System
Editor IJCATR
 
PDF
Iaetsd fpga implementation of rf technology and biometric authentication
Iaetsd Iaetsd
 
PDF
Frost & Sullivan: Moving Forward with Distributed Cryptography
EMC
 
INA Volume 1/3 Version 1.0 RC / Digital Identity and Authentication
Sylvain Maret
 
Network security unit 4,5,6
WE-IT TUTORIALS
 
NIST SP 800-63-3 #idcon vol.22
Nov Matake
 
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Software Guru
 
NIST 800-63 Guidance & FIDO Authentication
FIDO Alliance
 
Standards and methodology for application security assessment
Mykhailo Antonishyn
 
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
APIsecure_ Official
 
The Road to Identity 2.0
Adam Lewis
 
Bg24375379
IJERA Editor
 
How to 2FA-enable Open Source Applications
All Things Open
 
Multifactor authenticationMultifactor authentication or MFA .docx
gilpinleeanna
 
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
IRJET- Data Security with Multifactor Authentication
IRJET Journal
 
Mutual Authentication For Wireless Communication
manish kumar
 
Crypto Analysis slides presentation slides
tahirsaleem54
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO Alliance
 
Generic threats to mobile application
Vikrant Kansal
 
A Review Study on Secure Authentication in Mobile System
Editor IJCATR
 
Iaetsd fpga implementation of rf technology and biometric authentication
Iaetsd Iaetsd
 
Frost & Sullivan: Moving Forward with Distributed Cryptography
EMC
 
Ad

More from Sylvain Maret (20)

PDF
Air Navigation Service Providers - Unsecurity on Voice over IP Radion
Sylvain Maret
 
PDF
factsheet_4g_critical_comm_en_vl
Sylvain Maret
 
PDF
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Sylvain Maret
 
PDF
Strong Authentication State of the Art 2012 / Sarajevo CSO
Sylvain Maret
 
PDF
ASFWS 2012 / Initiation à la sécurité des Web Services par Sylvain Maret
Sylvain Maret
 
PDF
Threat Modeling / iPad
Sylvain Maret
 
PDF
Strong Authentication in Web Application #SCS III
Sylvain Maret
 
PDF
Strong Authentication in Web Applications: State of the Art 2011
Sylvain Maret
 
PDF
Strong Authentication in Web Application / ConFoo.ca 2011
Sylvain Maret
 
PPT
Authentication and strong authentication for Web Application
Sylvain Maret
 
PDF
Geneva Application Security Forum 2010
Sylvain Maret
 
PDF
Final conclusions of Working Group 3 at Workshop Münchenwiler 20-21 of May 20...
Sylvain Maret
 
PPTX
Comment protéger de façon efficace son/ses identité(s) numérique(s) sur le We...
Sylvain Maret
 
PPTX
Digital identity trust & confidence
Sylvain Maret
 
PDF
Implementation of a Biometric Solution Providing Strong Authentication To Gai...
Sylvain Maret
 
PDF
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
PDF
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
PDF
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
PPTX
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
PDF
Corrélation d'évènements dans un environnement VoIP avec ExaProtect
Sylvain Maret
 
Air Navigation Service Providers - Unsecurity on Voice over IP Radion
Sylvain Maret
 
factsheet_4g_critical_comm_en_vl
Sylvain Maret
 
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Sylvain Maret
 
Strong Authentication State of the Art 2012 / Sarajevo CSO
Sylvain Maret
 
ASFWS 2012 / Initiation à la sécurité des Web Services par Sylvain Maret
Sylvain Maret
 
Threat Modeling / iPad
Sylvain Maret
 
Strong Authentication in Web Application #SCS III
Sylvain Maret
 
Strong Authentication in Web Applications: State of the Art 2011
Sylvain Maret
 
Strong Authentication in Web Application / ConFoo.ca 2011
Sylvain Maret
 
Authentication and strong authentication for Web Application
Sylvain Maret
 
Geneva Application Security Forum 2010
Sylvain Maret
 
Final conclusions of Working Group 3 at Workshop Münchenwiler 20-21 of May 20...
Sylvain Maret
 
Comment protéger de façon efficace son/ses identité(s) numérique(s) sur le We...
Sylvain Maret
 
Digital identity trust & confidence
Sylvain Maret
 
Implementation of a Biometric Solution Providing Strong Authentication To Gai...
Sylvain Maret
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
Corrélation d'évènements dans un environnement VoIP avec ExaProtect
Sylvain Maret
 

Recently uploaded (20)

PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Cloud computing and distributed systems.
kkkkkhan
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Encapsulation theory and applications.pdf
gurumoop
 

INA Volume 1/3 Version 1.02 Released / Digital Identity and Authentication

  • 1. INA – Volume 1 Sylvain MARET Version 1.02 Released 2013-03-13 INA Volume 1 – Version 1.02 / @smaret 2013
  • 2. INA Volume 1 – Version 1.02 / @smaret 2013
  • 3. Who am I?  ICT Security Consultant – 18 years of experience in ICT Security – Principal Consultant at MARET Consulting – Expert at Engineer School of Yverdon-les-Bains – Member of board OpenID Switzerland – Co-founder Application Security Forum #ASFWS – OWASP Member Switzerland – Author of the blog: la Citadelle Electronique – http://ch.linkedin.com/in/smaret or @smaret – http://www.slideshare.net/smaret  Chosen field – AppSec & Digital Identity Security INA Volume 1 – Version 1.02 / @smaret 2013
  • 4. Agenda Volume 1  C0 - Introduction  C1 - Definition  C2 - Tokens / Authentication factors  C3 – Password  C4 - One Time Password - OTP  C5 - OTP / OATH standars  C6 - OTP solution  C7 - AuthN PKI  C8 - Biometrics  C9 - OATH approach INA Volume 1 – Version 1.02 / @smaret 2013
  • 5. Digital Identity ? INA Volume 1 – Version 1.02 / @smaret 2013
  • 6. Definition Wikipédia French INA Volume 1 – Version 1.02 / @smaret 2013
  • 7. Definition INA Volume 1 – Version 1.02 / @smaret 2013
  • 8. Identity  A set of attributes that uniquely describe a person or information system within a given context. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 9. Authentication  The process of establishing confidence in the identity of users or information systems. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 10. Electronic Authentication (E-Authentication)  The process of establishing confidence in user identities electronically presented to an information system. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 11. Claimant  A party whose identity is to be verified using an authentication protocol. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 12. Subscriber  A party who has received a credential or token from a CSP. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 13. Token  Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant’s identity. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 14. TokenCode / PassCode  TokenCode = OTP Display  PassCode = PIN Code * TokenCode INA Volume 1 – Version 1.02 / @smaret 2013
  • 15. Credential  An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 16. Identity Proofing  The process by which a CSP and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 17. Credential Service Provider (CSP)  A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 18. Registration Authority (RA)  A trusted entity that establishes and vouches for the identity or attributes of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 19. Verifier  An entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 20. Relying Party (RP)  An entity that relies upon the Subscriber's token and credentials or a Verifier's assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 21. Authentication Protocol  A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 22. AuthN & AuthZ  Aka authentication process  Aka authorization process INA Volume 1 – Version 1.02 / @smaret 2013
  • 23. INA Volume 1 – Version 1.02 / @smaret 2013
  • 24. Tokens / Authentication factors INA Volume 1 – Version 1.02 / @smaret 2013
  • 25. Authentication factors  Something you know  Something you have  Something you are INA Volume 1 – Version 1.02 / @smaret 2013
  • 26. Strong Authentication / Multi-factor authentication  Multi-factor authentication refers to the use of more than one of the factors listed bellow: – Something you know – Something you have – Something you are INA Volume 1 – Version 1.02 / @smaret 2013
  • 27. Two-factor authentication  Two-factor authentication – TFA – T-FA – 2FA INA Volume 1 – Version 1.02 / @smaret 2013
  • 28. Knowledge factors: "something the user knows"  Password – password is a secret word or string of characters that is used for user authentication.  PIN – personal identification number (PIN) is a secret numeric password.  Pattern – Pattern is a sequence of cells in an array that is used for authenticating the users. INA Volume 1 – Version 1.02 / @smaret 2013
  • 29. Possession factors: "something the user has"  Tokens with a display  USB tokens  Smartphone  Smartcards  Wireless (RFID, NFC)  Etc. INA Volume 1 – Version 1.02 / @smaret 2013
  • 30. Inherence factors: "something the user is or do"  Physiological biometric – Fingerprint recognition – Facial recognition system – Iris recognition – Etc.  Behavioral biometrics – Keystroke dynamics – Speaker recognition – Geo Localization – Etc. INA Volume 1 – Version 1.02 / @smaret 2013
  • 31. PASSWORD INA Volume 1 – Version 1.02 / @smaret 2013
  • 34. Password Factor  Something you know  PIN Code  Password  Passphrase  Aka 1FA INA Volume 1 – Version 1.02 / @smaret 2013
  • 35. Password Entropy / Password strength  Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. INA Volume 1 – Version 1.02 / @smaret 2013
  • 36. Password Entropy / Password strength http://en.wikipedia.org/wiki/Password_strength INA Volume 1 – Version 1.02 / @smaret 2013
  • 37. Password Entropy / Password strength http://en.wikipedia.org/wiki/Password_strength INA Volume 1 – Version 1.02 / @smaret 2013
  • 38. Characteristics of weak passwords  based on common dictionary words – Including dictionary words that have been altered: • Reversed (e.g., “terces”) • Mixed case (e.g., SeCreT) • Character/Symbol replacement (e.g., “$ecret”) • Words with vowels removed (e.g., “scrt”)  based on common names  short (under 6 characters)  based on keyboard patterns (e.g., “qwertz”)  composed of single symbol type (e.g., all characters) INA Volume 1 – Version 1.02 / @smaret 2013
  • 39. Characteristics of strong passwords  Strong Passwords – contain at least one of each of the following: • digit (0..9) • letter (a..Z) • punctuation symbol (e.g., !) • control character – are based on a verse (e.g., passphrase) from an obscure work where the password is formed from the characters in the verse INA Volume 1 – Version 1.02 / @smaret 2013
  • 40. https://xkcd.com/936/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 41. Test your password! https://www.microsoft.com/security/pc-security/password-checker.aspx INA Volume 1 – Version 1.02 / @smaret 2013
  • 42. Password Manager http://keepass.info/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 43. Password Manager http://passwordsafe.sourceforge.net/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 44. Password Generator INA Volume 1 – Version 1.02 / @smaret 2013
  • 45. Threat Model AuthN 1FA INA Volume 1 – Version 1.02 / @smaret 2013
  • 46. Password / Threats  Man In The Middle Attacks  Phishing Attacks  Pharming Attacks – DNS Cache Poisoning  Trojan Attacks  Man-in-the-Phone Attacks (Man-in-the-Mobile/MitMo Attacks)  Man-in-the-Browser Attacks  Browser Poisoning  Password Sniffing  Brute Force Attack  Dictionary Attacks  Default Password  Social Engineering INA Volume 1 – Version 1.02 / @smaret 2013
  • 47. Password Cracking Tools  Caen & Abel  John the Ripper  L0phtCrack  Ophcrack  THC hydra  Aircrack (WEP/WPA cracking tool)  Etc. INA Volume 1 – Version 1.02 / @smaret 2013
  • 48. Rainbow table  A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. INA Volume 1 – Version 1.02 / @smaret 2013
  • 49. Ophcrack INA Volume 1 – Version 1.02 / @smaret 2013
  • 50. Defense against rainbow tables  A rainbow table is ineffective against one-way hashes that include salts INA Volume 1 – Version 1.02 / @smaret 2013
  • 51. Password Storage Cheat Sheet  Password Storage Rules – Rule 1: Use An Adaptive One-Way Function • bcrypt, PBKDF2 or scrypt – Rule 2: Use a Long Cryptographically Random Per- User Salt – Rule 3: Iterate the hash – Rule 4 : Encrypt the Hash Data With a Keyed Algorithm https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet INA Volume 1 – Version 1.02 / @smaret 2013
  • 52. Hashcat / GPU  25-GPU cluster cracks every standard Windows password in <6 hours – It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 53. Password sniffing INA Volume 1 – Version 1.02 / @smaret 2013
  • 54. DFD – Weak Protocol (Telnet) INA Volume 1 – Version 1.02 / @smaret 2013
  • 55. Weak protocols  Telnet  FTP  IMAP  POP3  LDAP  Etc. INA Volume 1 – Version 1.02 / @smaret 2013
  • 56. ARP Spoofing INA Volume 1 – Version 1.02 / @smaret 2013
  • 57. DFD - SSH INA Volume 1 – Version 1.02 / @smaret 2013
  • 58. Man-in-the-middle attack  often abbreviated – MITM, MitM, MIM, MiM, MITMA INA Volume 1 – Version 1.02 / @smaret 2013
  • 59. Man-in-the-middle attack  Ettercap  SSLStrip  SSLSniff  Mallory  Etc. INA Volume 1 – Version 1.02 / @smaret 2013
  • 60. Keylogger / Keystroke logging  Software-based keyloggers – Malware – Mobile  Hardware-based keyloggers INA Volume 1 – Version 1.02 / @smaret 2013
  • 61. Wireless sniffing – TEMPEST http://lasecwww.epfl.ch/keyboard/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 62. Malicious Code Evolution INA Volume 1 – Version 1.02 / @smaret 2013
  • 63. Malware INA Volume 1 – Version 1.02 / @smaret 2013
  • 64. Zeus INA Volume 1 – Version 1.02 / @smaret 2013
  • 65. INA Volume 1 – Version 1.02 / @smaret 2013
  • 66. Default Password INA Volume 1 – Version 1.02 / @smaret 2013
  • 67. One Time Password - OTP Strong AuthN OTP INA Volume 1 – Version 1.02 / @smaret 2013
  • 68. OTP Technology / Standards  Based on a shared secret Key (symmetric Crypto)  Approach – Time Based OTP – Event Based OTP – Challenge Response OTP – Out-of-band OTP – Transaction Signing OTP – Others  Standards – OATH INA Volume 1 – Version 1.02 / @smaret 2013
  • 69. Time Based OTP K=Secret Key / Seed OTP T=UTC Time HMAC INA Volume 1 – Version 1.02 / @smaret 2013
  • 70. Event Based OTP K=Secret Key / Seed OTP C = Counter HMAC INA Volume 1 – Version 1.02 / @smaret 2013
  • 71. OTP Challenge Response Based HASH Function K=Secret Key / Seed OTP Challenge nonce INA Volume 1 – Version 1.02 / @smaret 2013
  • 72. Source= CSE331: Introduction to Networks and Security INA Volume 1 – Version 1.02 / @smaret 2013
  • 73. Transaction Signing OTP Source= Safenet INA Volume 1 – Version 1.02 / @smaret 2013
  • 74. Token OTP pin protected Source: Richard E. Smith / Authentication INA Volume 1 – Version 1.02 / @smaret 2013
  • 75. Token OTP pin protected Source: Richard E. Smith / Authentication INA Volume 1 – Version 1.02 / @smaret 2013
  • 76. Others OTP  SMS OTP  TAN  paper-based OTP  Bingo Card  Etc. INA Volume 1 – Version 1.02 / @smaret 2013
  • 77. Out-of-band - SMS OTP INA Volume 1 – Version 1.02 / @smaret 2013
  • 78. Out-of-band - TAN OTP INA Volume 1 – Version 1.02 / @smaret 2013
  • 79. paper-based OTP https://github.com/adulau/paper-token INA Volume 1 – Version 1.02 / @smaret 2013
  • 80. Bingo Card OTP INA Volume 1 – Version 1.02 / @smaret 2013
  • 81. Other[s] OTP technologies… “Flicker code” Generator Software that converts already encrypted data into optical screen animation INA Volume 1 – Version 1.02 / @smaret 2013
  • 82. OTP / OATH standards Authentication Methods INA Volume 1 – Version 1.02 / @smaret 2013
  • 83. HMAC – 101 (Keyed-Hashing for Message Authentication) http://www.ietf.org/rfc/rfc2104.txt INA Volume 1 – Version 1.02 / @smaret 2013
  • 84. OATH - Authentication Methods  HOTP: An HMAC-Based OTP Algorithm (RFC 4226)  TOTP - Time-based One-time Password Algorithm (RFC 6238)  OCRA - OATH Challenge/Response Algorithms Specification (RFC 6287) INA Volume 1 – Version 1.02 / @smaret 2013
  • 85. HOTP: An HMAC-Based One-Time Password Algorithm  RFC 4226  http://www.ietf.org/rfc/rfc4226.txt  Event Based OTP  Use HMAC: Keyed-Hashing for Message Authentication (RFC 2104) INA Volume 1 – Version 1.02 / @smaret 2013
  • 86. HOTP – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
  • 87. HOTP – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
  • 88. TOTP - Time-based One-time Password Algorithm  RFC 6238  http://www.ietf.org/rfc/rfc6238.txt  Time Based OTP  Use HMAC: Keyed-Hashing for Message Authentication (RFC 2104) INA Volume 1 – Version 1.02 / @smaret 2013
  • 89. TOTP – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
  • 90. Challenge Response OTP  RFC 6287  http://www.ietf.org/rfc/rfc6287.txt  OCRA  OATH Challenge-Response Algorithm INA Volume 1 – Version 1.02 / @smaret 2013
  • 91. OCRA – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
  • 92. OCRA – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
  • 93. OCRA – Crypto 101 INA Volume 1 – Version 1.02 / @smaret 2013
  • 94. OATH module 1/2  http://packages.debian.org/source/testing/oath-toolkit  https://pypi.python.org/pypi/oath/1.0  http://www.nongnu.org/oath-toolkit/  https://github.com/jennings/OATH.Net  http://search.cpan.org/~sifukurt/Authen-OATH- v1.0.0/lib/Authen/OATH.pm  http://code.google.com/p/mod-authn-otp/  https://code.google.com/p/oathtoken/  http://code.google.com/p/oathtoken/wiki/WebProvisioning INA Volume 1 – Version 1.02 / @smaret 2013
  • 95. OATH module 2/2  http://freecode.com/projects/linotp  http://sourceforge.net/projects/rcdevs-openotp/  http://www.multiotp.net/  http://www.rcdevs.com/products/openotp/  http://blog.josefsson.org/2011/01/20/introducing-the- oath-toolkit/  http://www.linotp.org/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 96. MobileOTP  Based on MD5  Time Based OTP  http://motp.sourceforge.net/  http://security.edu.pl/motp-as/login.php INA Volume 1 – Version 1.02 / @smaret 2013
  • 97. OTP solution OTP AuthN INA Volume 1 – Version 1.02 / @smaret 2013
  • 98. INA Volume 1 – Version 1.02 / @smaret 2013
  • 99. INA Volume 1 – Version 1.02 / @smaret 2013
  • 100. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960 INA Volume 1 – Version 1.02 / @smaret 2013
  • 101. google-authenticator  These implementations support – HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 – Time-based One-time Password (TOTP) algorithm specified in RFC 6238 – Google Authenticator • Android, IOS and Blackberry http://code.google.com/p/google-authenticator/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 102. google-authenticator INA Volume 1 – Version 1.02 / @smaret 2013
  • 103. OCRA on a mobile INA Volume 1 – Version 1.02 / @smaret 2013
  • 104. OCRA on Mobile INA Volume 1 – Version 1.02 / @smaret 2013
  • 105. OTP without PIN INA Volume 1 – Version 1.02 / @smaret 2013
  • 106. OTP Pin Protected INA Volume 1 – Version 1.02 / @smaret 2013
  • 107. OTP on Smartcard INA Volume 1 – Version 1.02 / @smaret 2013
  • 108. OTP with Smartcard INA Volume 1 – Version 1.02 / @smaret 2013
  • 109. OTP hybrid (OTP & PKI) INA Volume 1 – Version 1.02 / @smaret 2013
  • 110. YubiKey INA Volume 1 – Version 1.02 / @smaret 2013
  • 111. YubiKey INA Volume 1 – Version 1.02 / @smaret 2013
  • 112. INA Volume 1 – Version 1.02 / @smaret 2013
  • 113. Yubikey  http://www.yubico.com/support/documentation/  http://forum.yubico.com/  http://code.google.com/p/yubico-pam/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 114. RSA SecurID 1/3 INA Volume 1 – Version 1.02 / @smaret 2013
  • 115. RSA SecurID 2/3 INA Volume 1 – Version 1.02 / @smaret 2013
  • 116. RSA SecurID 3/3 INA Volume 1 – Version 1.02 / @smaret 2013
  • 117. INA Volume 1 – Version 1.02 / @smaret 2013
  • 118. Where are[is] the seed ? INA Volume 1 – Version 1.02 / @smaret 2013
  • 119. INA Volume 1 – Version 1.02 / @smaret 2013
  • 120. Seed generation & distribution ? Still a good model ? K1 Threat Agent Editor / Vendor (APT) Secret Key are[is] generated on premise K1 K1 INA Volume 1 – Version 1.02 / @smaret 2013
  • 121. RSA SecurID INA Volume 1 – Version 1.02 / @smaret 2013
  • 122. TokenCode INA Volume 1 – Version 1.02 / @smaret 2013
  • 123. Generate Seed on premise INA Volume 1 – Version 1.02 / @smaret 2013
  • 124. INA Volume 1 – Version 1.02 / @smaret 2013
  • 125. PKI PKI AuthN INA Volume 1 – Version 1.02 / @smaret 2013
  • 126. PKI AuthN  Based on asymmetric encryption INA Volume 1 – Version 1.02 / @smaret 2013
  • 127. PKI Tokens Storage INA Volume 1 – Version 1.02 / @smaret 2013
  • 128. Public Key Cryptography 101 INA Volume 1 – Version 1.02 / @smaret 2013
  • 129. Signature 101 INA Volume 1 – Version 1.02 / @smaret 2013
  • 130. Signature – Verification 101 INA Volume 1 – Version 1.02 / @smaret 2013
  • 131. Mutual AuthN SSL INA Volume 1 – Version 1.02 / @smaret 2013
  • 132. PKI Certificate Validation  CRL  Delta CRL  OCSP INA Volume 1 – Version 1.02 / @smaret 2013
  • 133. OSCP Validation INA Volume 1 – Version 1.02 / @smaret 2013
  • 134. INA Volume 1 – Version 1.02 / @smaret 2013
  • 135. INA Volume 1 – Version 1.02 / @smaret 2013
  • 136. INA Volume 1 – Version 1.02 / @smaret 2013
  • 137. Crypto Processor Source: Richard E. Smith / Authentication INA Volume 1 – Version 1.02 / @smaret 2013
  • 138. INA Volume 1 – Version 1.02 / @smaret 2013
  • 139. INA Volume 1 – Version 1.02 / @smaret 2013
  • 140. Smart Card INA Volume 1 – Version 1.02 / @smaret 2013
  • 141. Smart Card INA Volume 1 – Version 1.02 / @smaret 2013
  • 142. Smart Card - Crypto INA Volume 1 – Version 1.02 / @smaret 2013
  • 143. INA Volume 1 – Version 1.02 / @smaret 2013
  • 144. INA Volume 1 – Version 1.02 / @smaret 2013
  • 145. PKI Tokens INA Volume 1 – Version 1.02 / @smaret 2013
  • 146. Biometrics BIO AuthN INA Volume 1 – Version 1.02 / @smaret 2013
  • 147. Biometrics Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 148. Biometric Terms Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 149. Enrollment Process Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 150. Components Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 151. FRR / FAR Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 152. TAR Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 153. FAR Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 154. Accept Rate Threshold Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 155. Identification Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 156. Identification Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 157. Failure to Acquire Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 158. Biometric Modalities Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 159. Dynamic Signature Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 160. Dynamic Signature History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 161. Dynamic Signature Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 162. Face Recognition Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 163. Face Recognition History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 164. Face Recognition Technologies Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 165. Principal Components Analysis (PCA) Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 166. Linear Discriminant Analysis Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 167. Elastic Bunch Graph Matching Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 168. Fingerprinting Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 169. Fingerprinting History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 170. Fingerprinting Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 171. Fingerprint Sensor Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 172. Sensors USB INA Volume 1 – Version 1.02 / @smaret 2013
  • 173. Chipset INA Volume 1 – Version 1.02 / @smaret 2013
  • 174. PIV-FIPS 201 Sensors INA Volume 1 – Version 1.02 / @smaret 2013
  • 175. Tablet approach INA Volume 1 – Version 1.02 / @smaret 2013
  • 176. Windows Biometric Framework Source= Microsoft INA Volume 1 – Version 1.02 / @smaret 2013
  • 177. Fingerprint Software Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 178. INA Volume 1 – Version 1.02 / @smaret 2013
  • 179. INA Volume 1 – Version 1.02 / @smaret 2013
  • 180. Hand Geometry Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 181. Hand Geometry History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 182. Hand Geometry History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 183. Hand Geometry Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 184. Iris Recognition Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 185. Iris Recognition History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 186. Iris Recognition Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 187. Iris Recognition Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 188. Palm Print Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 189. Palm Print History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 190. Palm Print Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 191. Palm Print Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 192. Speaker Verification INA Volume 1 – Version 1.02 / @smaret 2013
  • 193. Speaker Verification History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 194. Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 195. Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 196. Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 197. Vascular Pattern INA Volume 1 – Version 1.02 / @smaret 2013
  • 198. Vascular Pattern History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 199. Vascular Pattern Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 200. Vascular Pattern Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 201. Vascular Pattern Technology INA Volume 1 – Version 1.02 / @smaret 2013
  • 202. Device fingerprint - DNA  A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification INA Volume 1 – Version 1.02 / @smaret 2013
  • 203. Fingerprint a Computer Source = The Wall Street Journa INA Volume 1 – Version 1.02 / @smaret 2013
  • 204. Biometrics Technology INA Volume 1 – Version 1.02 / @smaret 2013
  • 205. Match-on-Card INA Volume 1 – Version 1.02 / @smaret 2013
  • 206. INA Volume 1 – Version 1.02 / @smaret 2013
  • 207. MOC INA Volume 1 – Version 1.02 / @smaret 2013
  • 208. MOC – Athena & Precise Biometrics INA Volume 1 – Version 1.02 / @smaret 2013
  • 209. INA Volume 1 – Version 1.02 / @smaret 2013
  • 210. OATH approach Open Authentication INA Volume 1 – Version 1.02 / @smaret 2013
  • 211. OATH Approach INA Volume 1 – Version 1.02 / @smaret 2013
  • 212. OATH Logical view INA Volume 1 – Version 1.02 / @smaret 2013
  • 213. OATH Physical view INA Volume 1 – Version 1.02 / @smaret 2013
  • 214. OATH Authentication Framework INA Volume 1 – Version 1.02 / @smaret 2013
  • 215. OATH Client framework INA Volume 1 – Version 1.02 / @smaret 2013
  • 216. OATH AuthN methods 1/2 INA Volume 1 – Version 1.02 / @smaret 2013
  • 217. OATH AuthN methods 2/2 INA Volume 1 – Version 1.02 / @smaret 2013
  • 218. OATH AuthN protocols 1/3 INA Volume 1 – Version 1.02 / @smaret 2013
  • 219. OATH AuthN protocols 2/3 INA Volume 1 – Version 1.02 / @smaret 2013
  • 220. OATH AuthN protocols 3/3 INA Volume 1 – Version 1.02 / @smaret 2013
  • 221. OATH AuthN validation framework INA Volume 1 – Version 1.02 / @smaret 2013
  • 222. OATH validation protocols INA Volume 1 – Version 1.02 / @smaret 2013
  • 223. OATH provisioning INA Volume 1 – Version 1.02 / @smaret 2013
  • 224. Existing Credential Provisioning Protocols 1/2 INA Volume 1 – Version 1.02 / @smaret 2013
  • 225. Existing Credential Provisioning Protocols 2/2 INA Volume 1 – Version 1.02 / @smaret 2013
  • 226. Software Provisioning Protocols INA Volume 1 – Version 1.02 / @smaret 2013
  • 227. End Volume 1 Sylvain MARET / @smaret sylvain.maret@openid.ch http://www.slideshare.net/smaret http://www.linkedin.com/in/smaret INA Volume 1 – Version 1.02 / @smaret 2013
  • 228. Appendices INA Volume 1 – Version 1.02 / @smaret 2013
  • 229. Threat Modeling DFD STRIDE INA Volume 1 – Version 1.02 / @smaret 2013
  • 230. Threat Modeling Process Vision Diagram Identify Validate Threats Mitigate INA Volume 1 – Version 1.02 / @smaret 2013
  • 231. DFD symbols INA Volume 1 – Version 1.02 / @smaret 2013
  • 232. DFD Symbols INA Volume 1 – Version 1.02 / @smaret 2013
  • 233. DFD Symbols INA Volume 1 – Version 1.02 / @smaret 2013
  • 234. Trust boundaries that intersect data flows  Points/surfaces where an attacker can interject – Machine boundaries, privilege boundaries, integrity boundaries are examples of trust boundaries – Threads in a native process are often inside a trust boundary, because they share the same privs, rights, identifiers and access  Processes talking across a network always have a trust boundary INA Volume 1 – Version 1.02 / @smaret 2013
  • 235. DFD Level  Level 0 - Context Diagram – Very high-level; entire component / product / system  Level 1 Diagram – High level; single feature / scenario  Level 2 Diagram – Low level; detailed sub-components of features  Level 3 Diagram – More detailed – Rare to need more layers, except in huge projects or when you’re drawing more trust boundaries INA Volume 1 – Version 1.02 / @smaret 2013
  • 236. STRIDE - Tool Threat Property Definition Example Spoofing Authentication Impersonating Pretending to be any of billg, xbox.com or a something or system update someone else. Tampering Integrity Modifying data or Modifying a game config file on disk, or a code packet as it traverses the network Repudiation Non-repudiation Claiming to have not “I didn’t cheat!” performed an action Information Confidentiality Exposing information Reading key material from an app Disclosure to someone not authorized to see it Denial of Service Availability Deny or degrade Crashing the web site, sending a packet and service to users absorbing seconds of CPU time, or routing packets into a black hole Elevation of Privilege Authorization Gain capabilities Allowing a remote internet user to run without proper commands is the classic example, but running authorization kernel code from lower trust levels is also EoP INA Volume 1 – Version 1.02 / @smaret 2013
  • 237. STRIDE – Security Controls STRIDE Threat List Security Type Examples Control Threat action aimed to illegally access and use another Spoofing Authentication user's credentials, such as username and password. Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and Tampering Integrity the alteration of data in transit between two computers over an open network, such as the Internet. Threat action aimed to perform illegal operations in a Non- Repudiation system that lacks the ability to trace the prohibited Repudiation operations. Information Threat action to read a file that one was not granted Confidentiality disclosure access to, or to read data in transit. Denial of Threat aimed to deny access to valid users, such as by Availability service making a web server temporarily unavailable or unusable. Threat aimed to gain privileged access to resources for Elevation of gaining unauthorized access to information or to Authorization privilege compromise a system. INA Volume 1 – Version 1.02 / @smaret 2013
  • 238. SRIDE INA Volume 1 – Version 1.02 / @smaret 2013
  • 239. SRIDE INA Volume 1 – Version 1.02 / @smaret 2013
  • 240. DFD & STRIDE INA Volume 1 – Version 1.02 / @smaret 2013
  • 241. DFD AuthN 1FA INA Volume 1 – Version 1.02 / @smaret 2013
  • 242. DFD – AuthN 1FA / STRIDE INA Volume 1 – Version 1.02 / @smaret 2013
  • 243. HSPD-12 PIV AuthN INA Volume 1 – Version 1.02 / @smaret 2013
  • 244. Homeland Security Presidential Directive/Hspd-12 http://www.dhs.gov/homeland-security-presidential-directive-12 INA Volume 1 – Version 1.02 / @smaret 2013
  • 245. FIPS 201 / PIV  Federal Information Processing Standard 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006. – (See http://csrc.nist.gov)  FIPS 201 (Federal Information Processing Standard Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.  http://www.idmanagement.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 246. FICAM Roadmap INA Volume 1 – Version 1.02 / @smaret 2013
  • 247. INA Volume 1 – Version 1.02 / @smaret 2013
  • 248. INA Volume 1 – Version 1.02 / @smaret 2013
  • 249. LOA http://www.idmanagement.gov/ INA Volume 1 – Version 1.02 / @smaret 2013
  • 250. LOA INA Volume 1 – Version 1.02 / @smaret 2013
  • 251. FICAM Roadmap - PACS INA Volume 1 – Version 1.02 / @smaret 2013
  • 252. FICAM Roadmap - PACS INA Volume 1 – Version 1.02 / @smaret 2013
  • 253. FICAM Roadmap INA Volume 1 – Version 1.02 / @smaret 2013
  • 254. PIV Card & Reader INA Volume 1 – Version 1.02 / @smaret 2013
  • 255. PIVMAN – FIPS 201 INA Volume 1 – Version 1.02 / @smaret 2013