Strong Authentication State of the Art 2012 / Sarajevo CSO
2 likes1,234 views
Sylvain Maret is a security expert with 17 years of experience who gave a presentation on strong authentication in web applications in 2012. He discussed various strong authentication technologies like PKI with digital certificates, biometrics, and one-time passwords. He explained how these technologies work at a technical level and emphasized standards from the Initiative for Open AuTHentication. Maret also touched on topics like token-based key generation and storage, and how strong authentication integrates with web applications and impacts application security best practices.
![Other[s] OTP technologies…
OTP Via SMS
“Flicker code” Generator Software
that converts already
encrypted data into
optical screen animation](https://image.slidesharecdn.com/smaretstrongauthn22-11-12version1-01-121122084239-phpapp02/85/Strong-Authentication-State-of-the-Art-2012-Sarajevo-CSO-25-320.jpg)
![Where are[is] the seed ?](https://image.slidesharecdn.com/smaretstrongauthn22-11-12version1-01-121122084239-phpapp02/85/Strong-Authentication-State-of-the-Art-2012-Sarajevo-CSO-29-320.jpg)
![Seed generation & distribution ?
Still a good model ?
K1
Threat Editor / Vendor
Agent
(APT) Secret Key are[is]
generated on promise
K1 K1
K1](https://image.slidesharecdn.com/smaretstrongauthn22-11-12version1-01-121122084239-phpapp02/85/Strong-Authentication-State-of-the-Art-2012-Sarajevo-CSO-31-320.jpg)
Strong Authentication State of the Art 2012 / Sarajevo CSO
- 1. Consultants of Security Operations d.o.o. Sarajevo
- 2. Strong Authentication in Web Application “State of the Art 2012” Sylvain Maret / Digital Security Expert / OpenID Switzerland @smaret Version 1.01 / 22.11.2012
- 3. Who am I? • Security Expert – 17 years of experience in ICT Security – Principal Consultant at MARET Consulting – Expert at Engineer School of Yverdon & Geneva University – Swiss French Area delegate at OpenID Switzerland – Co-founder Geneva Application Security Forum – OWASP Member – Author of the blog: la Citadelle Electronique – http://ch.linkedin.com/in/smaret or @smaret – http://www.slideshare.net/smaret • Chosen field – AppSec & Digital Identity Security
- 6. Protection of digital identities: a topical issue… Strong AuthN
- 7. RSA FAILED ?
- 9. «Digital identity is the cornerstone of trust» http://fr.wikipedia.org/wiki/Authentification_forte
- 10. Definition of strong authentication Strong Authentication on Wikipedia
- 11. Strong Authentication A new paradigm?
- 14. OTP PKI (HW) Biometry Strong authentication Encryption Digital signature Non repudiation Strong link with the user
- 15. Strong Authentication with PKI
- 16. PKI: Digital Certificate Hardware Token (Crypto PKI) Strong Authentication Software Certificate (PKCS#12;PFX)
- 17. SSL/TLS Mutual Authentication : how does it work? Validation CRL Authority or OCSP Request Valid Invalid Unknown SSL / TLS Mutual Authentication Alice Web Server
- 18. Strong Authentication with Biometry (Match on Card technology) • A reader – Biometry – SmartCard • A card with chip – Technology MOC – Crypto Processor • PC/SC • PKCS#11 • Digital certificate X509
- 19. Strong Authentication With (O)ne (T)ime (P)assword
- 20. (O)ne (T)ime (P)assword • OTP Time Based • Others: – Like SecurID – OTP via SMS • OTP Event Based – OTP via email – Biometry and OTP – Phone • OTP Challenge – Bingo Card Response Based – Etc.
- 21. OTP T-B? OTP E-B? OTP C-R-B? Crypto - 101
- 22. Crypto-101 / Time Based OTP HASH Function K=Secret Key / Seed OTP T=UTC Time ie = OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
- 23. Crypto-101 / Event Based OTP HASH Function K=Secret Key / Seed OTP C = Counter ie = OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
- 24. Crypto-101 / OTP Challenge Response Based HASH Function K=Secret Key / Seed OTP Challenge nonce ie:
- 25. Other[s] OTP technologies… OTP Via SMS “Flicker code” Generator Software that converts already encrypted data into optical screen animation
- 26. How to Store and Generate my Secret Key ? A Token !
- 27. OTP Token: Software vs Hardware ?
- 28. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960
- 29. Where are[is] the seed ?
- 31. Seed generation & distribution ? Still a good model ? K1 Threat Editor / Vendor Agent (APT) Secret Key are[is] generated on promise K1 K1 K1
- 32. TokenCode
- 33. New Standards & Open Source
- 34. Technologies accessible to everyone • Initiative for Open AuTHentication (OATH) – HOTP – TOTP – OCRA – Etc. • Mobile OTP – (Use MD5 …..)
- 35. Initiative for Open AuTHentication (OATH) • HOTP • Token Identifier – Event Based OTP Specification – RFC 4226 • IETF KeyProv Working • TOTP Group – Time Based OTP – PSKC - Portable Symmetric Key Container, RFC 6030 – Draft IETF Version 8 – DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063 • OCRA – Challenge/Response OTP • And more ! – Draft IETF Version 13 http://www.openauthentication.org/specifications
- 37. RBA (Risk-Based Authentication) = Behavior Model
- 38. Use OATH-HOTP & TOTP http://code.google.com/p/google-authenticator/
- 41. Web application: basic authentication model
- 42. Web application: Strong Authentication Implementation Blueprint
- 43. “Shielding" approach: perimetric authentication using Reverse Proxy / WAF
- 46. ICAM: a changing paradigm on Strong Authentication
- 47. Federation of identity approach a change of paradigm: using IDP for Authentication and Strong Authentication
- 48. Identity Provider SAML, OpenID, etc
- 49. Strong Authentication Strong Authentication and Application Security & Application Security
- 50. Threat Modeling “detecting web application threats before coding”
- 51. Questions ?
- 52. Resources on Internet 1/2 • http://motp.sourceforge.net/ • http://www.clavid.ch/otp • http://code.google.com/p/mod-authn-otp/ • http://www.multiotp.net/ • http://www.openauthentication.org/ • http://wiki.openid.net/ • http://www.citadelle-electronique.net/ • http://code.google.com/p/mod-authn-otp/
- 53. Resources on Internet 2/2 • http://rcdevs.com/products/openotp/ • https://github.com/adulau/paper-token • http://www.yubico.com/yubikey • http://code.google.com/p/mod-authn-otp/ • http://www.nongnu.org/oath-toolkit/ • http://www.nongnu.org/oath-toolkit/ • http://www.gpaterno.com/publications/2010/du blin_ossbarcamp_2010_otp_with_oss.pdf