  1. A fully compliant strong authentication server for less than $100!
     Application Security Forum Western Switzerland, 2014-11-04
     André Liechti (@multiOTP, @andreliechti)
     SysCo systèmes de communication sa, Neuchâtel, Switzerland
     Last update: 2014-12-09
  2. Trainer
     - SysCo systèmes de communication sa
       - 16-year-old Swiss company based in Neuchâtel
       - security, consulting services, customized development
       - Linux and Windows (open source) solutions
     - André Liechti
       - CTO of SysCo systèmes de communication sa
       - MSc in communication systems
       - BSc in electronics
  3. Schedule
     - Why are regular passwords never strong enough?
     - What are the different solutions for more security?
     - multiOTP, our PHP open source library solution
     - How to set up a device for less than CHF 100
     - Let’s make a strong two-factor authentication device with a Raspberry Pi
     - Some questions?
  4. Why are regular passwords never strong enough? (on the Internet, but elsewhere too…)
  5. Why are regular passwords never strong enough?
     - The same password is used for different applications…
  6. Some nice hardware tools…
     - key logger…
     - camera in a car key…
  7. … and some «nicer» hardware tools… ;-)
     - fake USB keyboard mounted in a memory stick…
     - wireless key logger…
     - and so on…
  8. What are the different solutions for more security?
  9. What are the different solutions for more security?
     - Two-factor authentication
       - An everyday example of combining the knowledge and possession factors is the ATM: we hold the physical ATM card and we know our personal PIN.
  10. Strong authentication with one-time passwords
      - No software installation is required for the user (compatible with every OS and Internet browser)
      - Passwords list
  11. Passwords list
      - Login = username + password + next code
      [Diagram: lists kept on the server, one list per user (list for User A)]
  12. Historical market leader
      - Time-based automatic generator with a secret algorithm
      - 70% of the market in 2003 (25 million devices sold up to 2003)
  13. First open-source one-time password solution
      - Mobile-OTP (2003)
      - Hash (MD5) of “PIN code + time-based algorithm”
      - open source, more than 40 different implementations
      - Java J2ME for mobile phones (at the beginning)
      - Unix shell script on the server side
  14. Standardized one-time password generator
      - HOTP: HMAC-based One-Time Password Algorithm (2005)
      - the code construction is based on an HMAC hash function
      - open standard (OATH: Initiative for Open Authentication)
      - RFC 4226
  15. HOTP authentication mechanism
      [Diagram: the user side shows counter 0382 and code 754812; the server side shows counter 0379 and the window 0380-0384]
  16. No synchronization problem anymore with TOTP
      - TOTP: Time-based One-Time Password Algorithm (2008)
      - based on HOTP
      - the counter is now the time divided into slices of 30 seconds
      - RFC 6238
  17. TOTP authentication mechanism
      [Diagram: the user side shows 0382 and code 754812; the server side]
  18. Yubico OTP
  19. YubiCloud
  20. Yubico OTP code
  21. Some HOTP and TOTP tokens
  22. OTP server / SMS token
      [Diagram: username + password + token]
  23. multiOTP, our PHP open source library … since June 2010!
  24. History of the multiOTP package
      - 2009: PHP PoC implementing the Mobile-OTP protocol
      - 2010: class creation with basic TOTP/HOTP
      - 2011: workshop during ASFWS 2011 (Application Security Forum)
      - 2012: wider deployment in the community and feedback
      - 2013: new functionalities
        - SMS tokens
        - scratch passwords list
        - QR code/URL provisioning
        - client/server implementation with local cache
        - MySQL backend support
      - 2014: more functionalities
        - OATH certified
        - Yubico OTP support (YubiKey)
        - Active Directory and LDAP synchronization
        - support for Active Directory / LDAP passwords (instead of PIN)
  25. multiOTP
      - Why did we develop the multiOTP package?
        - no free and easy-to-use solution for small companies
        - a lot of existing commercial products need Windows Server
        - existing products need a lot of resources
      - Why open source?
        - to receive feedback and proposals from the users
        - security issues are analyzed by other developers
        - users can be sure that there is no Trojan or other NSA-friendly “tools” in our code
  26. multiOTP concept
      - open source PHP class (embedded in only one file)
      - OS independent
      - works also on any web server, including shared hosting
      - data stored either in flat files or in a MySQL database
      - all methods are implemented in a command line tool
      - the command line tool is compatible with the centralized open source authentication server FreeRADIUS (FreeRADIUS is also available for Windows)
      - the system administrator can write scripts to handle the package and to create users
  27. multiOTP concept (2)
      - common standards are supported
        - Mobile-OTP, HOTP, TOTP, Yubico OTP
        - SMS tokens
        - scratch passwords list
      - HOTP and TOTP software tokens can simply be configured by flashing a QR code generated by multiOTP
      - hardware token definition files can be imported
        - Authenex definition files (proprietary .sql file)
        - SafeNet definition files (proprietary .dat file)
        - any standard PSKC file (since December 2013)
        - Yubico log file in Traditional format (since November 2014)
      - simple web GUI
  28. multiOTP – Windows installation
      - installed in 3 minutes!
      - surf to http://www.multiOTP.net
      - download the latest version
      - unpack the files into the C:\multiotp folder
      - read the readme file ;-)
      - install the FreeRADIUS service: C:\multiotp\radius_install.cmd
      - that’s it!
  29. multiOTP – how to create a user
      - create the user on the server side
          C:\multiotp>multiotp -fastcreate bergen
          11 INFO: User successfully created or updated
        (in real life, the user must be created with an activated prefix PIN!)
      - save the QR code image to a file
          C:\multiotp>multiotp -qrcode bergen C:\multiotp\tefo.png
          16 INFO: QRcode successfully created
      - send the QR code to the user (using a secure channel!)
      - … or simply use the web interface to print a nice HTML provisioning page ;-)
  30. multiOTP – how to provision the token received
      - install the Google Authenticator app (Android, iOS, BlackBerry)
      - scan the QR code received
      - the token is ready!
  31. multiOTP – how to authenticate a user
      - authenticate the user
          C:\multiotp>multiotp bergen 452549
          0 OK: Token accepted
      - authenticate the user again with the same token
          C:\multiotp>multiotp bergen 452549
          26 ERROR: The time based token has already been used
      - create a scratch passwords list
          C:\multiotp>multiotp -scratchlist bergen
          317493, 134580, 326450, 941356, 000298, 412420, 456790, 222461, 645113, 837303
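The three server-side behaviours the slides describe (the HOTP look-ahead window of slide 15, the 30-second TOTP slices of slide 16, and the "token has already been used" rejection and one-time scratch list of slide 31), as a Python sketch added here. It is not multiOTP's own code (multiOTP is a PHP class); the class names, the status strings and the window/drift sizes are assumptions chosen for illustration, and the key is the RFC 4226 / RFC 6238 test-vector secret, not a production one.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16)
    binary |= (mac[offset + 2] << 8) | mac[offset + 3]
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the Unix time divided into 30-second slices."""
    return hotp(secret, int(unix_time) // step, digits)


class HotpServer:
    """Server-side HOTP state (hypothetical class): last consumed counter plus a look-ahead
    window, as in the slide-15 picture (server at 0379, window 0380-0384, token at 0382)."""

    def __init__(self, secret: bytes, next_counter: int = 0, window: int = 5):
        self.secret = secret
        self.next_counter = next_counter  # lowest counter the server will still accept
        self.window = window

    def verify(self, code: str) -> str:
        for candidate in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.next_counter = candidate + 1  # resynchronise past the consumed counter
                return "OK"
        return "REJECTED"  # wrong code, or the token drifted beyond the window


class TotpServer:
    """Server-side TOTP (hypothetical class): accept the current slice plus/minus `drift`
    slices, and refuse a slice that was already consumed (the slide-31 error 26 case)."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_slice = -1  # highest time slice whose code was accepted

    def verify(self, code: str, unix_time: int) -> str:
        now_slice = int(unix_time) // self.step
        for candidate in range(now_slice - self.drift, now_slice + self.drift + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if candidate <= self.last_slice:
                    return "ALREADY_USED"  # replay of a code the server has seen
                self.last_slice = candidate
                return "OK"
        return "REJECTED"


class ScratchList:
    """One-time scratch passwords (hypothetical class): the server keeps only hashes of the
    unused codes, and each code is valid exactly once."""

    def __init__(self, count: int = 10, digits: int = 6):
        self.codes = []  # the plaintext list handed to the user once (printed, then forgotten)
        while len(self.codes) < count:
            code = str(secrets.randbelow(10 ** digits)).zfill(digits)
            if code not in self.codes:
                self.codes.append(code)
        self._unused = {hashlib.sha256(c.encode()).hexdigest() for c in self.codes}

    def verify(self, code: str) -> str:
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._unused:
            self._unused.remove(digest)
            return "OK"
        return "REJECTED"


def demo() -> dict:
    """Replay the slide scenarios with the RFC test secret; returns the status of each step."""
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector key (constructed input)
    results = {}
    hserver = HotpServer(secret, next_counter=0, window=5)
    results["hotp_in_window"] = hserver.verify(hotp(secret, 3))  # counter 3 lies in 0..4
    results["hotp_replay"] = hserver.verify(hotp(secret, 3))     # window is now 4..8
    tserver = TotpServer(secret)
    results["totp_first"] = tserver.verify(totp(secret, 59), 59)   # slice 1
    results["totp_again"] = tserver.verify(totp(secret, 59), 61)   # same code, slice 2, still in drift
    results["totp_next_slice"] = tserver.verify(totp(secret, 90), 90)
    scratch = ScratchList()
    results["scratch_first"] = scratch.verify(scratch.codes[0])
    results["scratch_again"] = scratch.verify(scratch.codes[0])
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The HOTP replay comes back as a plain rejection rather than "already used" because a consumed counter simply drops below the window; TOTP needs the explicit `last_slice` memory, which is why a stateless TOTP check would accept the same code twice within the drift. The time used for verification is passed in rather than read from the clock so the slices can be checked deterministically; a real server would use its (RTC-backed) system time.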
  32. multiOTP – how to use hardware tokens
      - import the token definition file
          C:\multiotp>multiotp -import importAlpine.dat
          (…)
          Info: Token 0003000b31da successfully imported
          15 INFO: Tokens definition file successfully imported
      - create a user linked with the token 0003000b31da (and with the prefix PIN 1234)
          C:\multiotp>multiotp -create demo -token-id 0003000b31da 1234
          11 INFO: User successfully created or updated
      - require a prefix PIN for the user
          C:\multiotp>multiotp -set demo prefix-pin=1
          19 INFO: Requested operation successfully done
  33. multiOTP typical usage
  34. How to build a working server device for less than CHF 100?
  35. Hardware selection
      - Raspberry Pi
        - very cheap (< CHF 40)
        - no OS licence (Debian Linux or others)
        - widely distributed
        - community support
        - micro-USB powered
        - CPU 700 MHz (ARM)
        - RAM 512 MB
  36. How to make your own strong authentication server?
      SD card with Debian Linux for Raspberry Pi ($10) + real-time clock ($15) + multiOTP ($0) < CHF 100
  37. Let’s make a strong two-factor authentication device with a Raspberry Pi
  38. Build an authentication server in some easy steps (1/17)
      If you want a battery-backed real-time clock, install it in your Raspberry Pi:
      - http://afterthoughtsoftware.com/products/rasclock
      - http://www.cjemicros.co.uk/micros/products/rpirtc.shtml
      - http://www.robotshop.com/ca/en/mini-real-time-clock-rtc-module.html
      - http://nicegear.co.nz/raspberry-pi/high-precision-real-time-clock-for-raspberry-pi/
  39. Build an authentication server in some easy steps (2/17)
      Download the latest Raspbian image to be flashed:
      - http://downloads.raspberrypi.org/raspbian_latest (currently 2014-09-09-wheezy-raspbian.zip)
  40. Build an authentication server in some easy steps (3/17)
      Format your SD card using the SD Card Association’s formatting tool:
      - https://www.sdcard.org/downloads/formatter_4/
  41. Build an authentication server in some easy steps (4/17)
      Flash the raw image using the UNIX tool dd or Win32DiskImager for Windows:
      - http://sourceforge.net/projects/win32diskimager/files/latest/download
      This should take about 10 minutes.
  42. Build an authentication server in some easy steps (5/17)
      Surf to http://www.multiOTP.net and download the latest version. Copy all files from multiotp/raspberry/boot-part to the root of the SD card (this may overwrite some files, such as config.txt).
  43. Build an authentication server in some easy steps (6/17)
      When the copy is done, eject the SD card.
  44. Build an authentication server in some easy steps (7/17)
      Connect the Raspberry Pi to the local network.
  45. Build an authentication server in some easy steps (8/17)
      Put the SD card into the Raspberry Pi and boot it.
  46. Build an authentication server in some easy steps (9/17)
      Log in directly on your Raspberry Pi, or using SSH, with the default username "pi" and the password "raspberry".
  47. Build an authentication server in some easy steps (10/17)
      Launch the initial configuration by typing sudo raspi-config
  48. Build an authentication server in some easy steps (11/17)
      Choose the following options:
      - 1) Expand Filesystem
      - 2) Change User Password
      - 4) Internationalisation Options (if needed)
      - 8) Advanced Options, A2 Hostname (change the hostname to the name you prefer, for example "multiotp")
  49. Build an authentication server in some easy steps (12/17)
      Select Finish and answer "<Yes>" to reboot, or type "sudo reboot".
  50. Build an authentication server in some easy steps (13/17)
      Log in again directly on your Raspberry Pi, or using SSH, with the default username "pi" and your new password.
  51. Build an authentication server in some easy steps (14/17)
      Type "sudo /boot/install.sh". Everything is done automatically (it will take about 35 minutes) and the Raspberry Pi will reboot automatically at the end.
  52. Build an authentication server in some easy steps (15/17)
      The fixed IP address is set to 192.168.1.44 with a default gateway at 192.168.1.1. To adapt the network configuration, edit the file /etc/network/interfaces.
  53. Build an authentication server in some easy steps (16/17)
      Congratulations! You now have an open source and fully OATH-compliant strong two-factor authentication server! Surf now to http(s)://192.168.1.44 to use the basic web interface. (The default RADIUS secret is set to myfirstpass for the subnet 192.168.0.0/16. To adapt the FreeRADIUS configuration, edit the file /etc/freeradius/clients.conf.)
  54. … or build an authentication server in ONE step ;-)
      If you want to download a ready-to-use multiOTP Raspberry Pi image, follow this URL:
      - http://download.multiOTP.net/raspberry/
      Nano-computer name: multiOTP
      IP address: 192.168.1.44 (netmask: 255.255.255.0)
      Username: pi
      Password: raspberry
      You can now flash the SD card, put it into the Raspberry Pi and boot it.
  55. Any questions?
      SysCo® systèmes de communication sa
      Crêt-Taconnet 13, 2000 Neuchâtel
      tel 032 730 11 10, fax 032 730 11 09
      info@sysco.ch, www.sysco.ch
