Strong Authentication State of the Art 2012 / Sarajevo CSO
•
2 j'aime•1,227 vues
Sylvain Maret is a security expert with 17 years of experience who gave a presentation on strong authentication in web applications in 2012. He discussed various strong authentication technologies like PKI with digital certificates, biometrics, and one-time passwords. He explained how these technologies work at a technical level and emphasized standards from the Initiative for Open AuTHentication. Maret also touched on topics like token-based key generation and storage, and how strong authentication integrates with web applications and impacts application security best practices.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (10)
En vedette
En vedette (20)
Similaire à Strong Authentication State of the Art 2012 / Sarajevo CSO
Similaire à Strong Authentication State of the Art 2012 / Sarajevo CSO (20)
Plus de Sylvain Maret
Plus de Sylvain Maret (19)
Strong Authentication State of the Art 2012 / Sarajevo CSO
- 1. Consultants of Security Operations d.o.o. Sarajevo
- 2. Strong Authentication in Web Application “State of the Art 2012” Sylvain Maret / Digital Security Expert / OpenID Switzerland @smaret Version 1.01 / 22.11.2012
- 3. Who am I? • Security Expert – 17 years of experience in ICT Security – Principal Consultant at MARET Consulting – Expert at Engineer School of Yverdon & Geneva University – Swiss French Area delegate at OpenID Switzerland – Co-founder Geneva Application Security Forum – OWASP Member – Author of the blog: la Citadelle Electronique – http://ch.linkedin.com/in/smaret or @smaret – http://www.slideshare.net/smaret • Chosen field – AppSec & Digital Identity Security
- 6. Protection of digital identities: a topical issue… Strong AuthN
- 7. RSA FAILED ?
- 9. «Digital identity is the cornerstone of trust» http://fr.wikipedia.org/wiki/Authentification_forte
- 10. Definition of strong authentication Strong Authentication on Wikipedia
- 11. Strong Authentication A new paradigm?
- 14. OTP PKI (HW) Biometry Strong authentication Encryption Digital signature Non repudiation Strong link with the user
- 15. Strong Authentication with PKI
- 16. PKI: Digital Certificate Hardware Token (Crypto PKI) Strong Authentication Software Certificate (PKCS#12;PFX)
- 17. SSL/TLS Mutual Authentication : how does it work? Validation CRL Authority or OCSP Request Valid Invalid Unknown SSL / TLS Mutual Authentication Alice Web Server
- 18. Strong Authentication with Biometry (Match on Card technology) • A reader – Biometry – SmartCard • A card with chip – Technology MOC – Crypto Processor • PC/SC • PKCS#11 • Digital certificate X509
- 19. Strong Authentication With (O)ne (T)ime (P)assword
- 20. (O)ne (T)ime (P)assword • OTP Time Based • Others: – Like SecurID – OTP via SMS • OTP Event Based – OTP via email – Biometry and OTP – Phone • OTP Challenge – Bingo Card Response Based – Etc.
- 21. OTP T-B? OTP E-B? OTP C-R-B? Crypto - 101
- 22. Crypto-101 / Time Based OTP HASH Function K=Secret Key / Seed OTP T=UTC Time ie = OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
- 23. Crypto-101 / Event Based OTP HASH Function K=Secret Key / Seed OTP C = Counter ie = OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
- 24. Crypto-101 / OTP Challenge Response Based HASH Function K=Secret Key / Seed OTP Challenge nonce ie:
- 25. Other[s] OTP technologies… OTP Via SMS “Flicker code” Generator Software that converts already encrypted data into optical screen animation
- 26. How to Store and Generate my Secret Key ? A Token !
- 27. OTP Token: Software vs Hardware ?
- 28. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960
- 29. Where are[is] the seed ?
- 31. Seed generation & distribution ? Still a good model ? K1 Threat Editor / Vendor Agent (APT) Secret Key are[is] generated on promise K1 K1 K1
- 32. TokenCode
- 33. New Standards & Open Source
- 34. Technologies accessible to everyone • Initiative for Open AuTHentication (OATH) – HOTP – TOTP – OCRA – Etc. • Mobile OTP – (Use MD5 …..)
- 35. Initiative for Open AuTHentication (OATH) • HOTP • Token Identifier – Event Based OTP Specification – RFC 4226 • IETF KeyProv Working • TOTP Group – Time Based OTP – PSKC - Portable Symmetric Key Container, RFC 6030 – Draft IETF Version 8 – DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063 • OCRA – Challenge/Response OTP • And more ! – Draft IETF Version 13 http://www.openauthentication.org/specifications
- 37. RBA (Risk-Based Authentication) = Behavior Model
- 38. Use OATH-HOTP & TOTP http://code.google.com/p/google-authenticator/
- 41. Web application: basic authentication model
- 42. Web application: Strong Authentication Implementation Blueprint
- 43. “Shielding" approach: perimetric authentication using Reverse Proxy / WAF
- 46. ICAM: a changing paradigm on Strong Authentication
- 47. Federation of identity approach a change of paradigm: using IDP for Authentication and Strong Authentication
- 48. Identity Provider SAML, OpenID, etc
- 49. Strong Authentication Strong Authentication and Application Security & Application Security
- 50. Threat Modeling “detecting web application threats before coding”
- 51. Questions ?
- 52. Resources on Internet 1/2 • http://motp.sourceforge.net/ • http://www.clavid.ch/otp • http://code.google.com/p/mod-authn-otp/ • http://www.multiotp.net/ • http://www.openauthentication.org/ • http://wiki.openid.net/ • http://www.citadelle-electronique.net/ • http://code.google.com/p/mod-authn-otp/
- 53. Resources on Internet 2/2 • http://rcdevs.com/products/openotp/ • https://github.com/adulau/paper-token • http://www.yubico.com/yubikey • http://code.google.com/p/mod-authn-otp/ • http://www.nongnu.org/oath-toolkit/ • http://www.nongnu.org/oath-toolkit/ • http://www.gpaterno.com/publications/2010/du blin_ossbarcamp_2010_otp_with_oss.pdf