A fully compliant strong authentication
server for less than $100!
Application Security Forum Western Switzerland 2014-11-04
André Liechti (@multiOTP, @andreliechti)
SysCo systèmes de communication sa, Neuchâtel, Switzerland
Last update : 2014-12-09
Trainer
• SysCo systèmes de communication sa
  • 16-year-old Swiss-based company located in Neuchâtel
  • Security, consulting services, customized development
  • Linux and Windows (Open Source) solutions
• André Liechti
  • CTO of SysCo systèmes de communication sa
  • MSc in communication systems
  • BSc in Electronics
2014-11-04
2
Schedule
• Why regular passwords are never strong enough?
• What are the different solutions for more security?
• multiOTP, our PHP open source library solution
• How to set up a device for less than CHF 100
• Let’s make a strong two-factor authentication device with a Raspberry Pi
• Some questions?

Why regular passwords are never strong enough?
(on the Internet, but elsewhere too…)

Why regular passwords are never strong enough?
• Same password for different applications…

Some nice hardware tools…
Key logger…
Camera in car key…
Fake USB keyboard mounted in a memory stick…

... and some «nicer» hardware tools… ;-)
Wireless key logger…
and so on…

What are the different solutions for more security?

What are the different solutions for more security?
• Two-factor authentication
  • A daily usage for the combination of knowledge and possession factors.
• The ATM machine
  • We have the physical ATM card and we know our personal PIN.

Strong authentication with one-time password
• No software installation is required for the user (compatible with every OS and web browser)
• Passwords list

Passwords list
• Login = username + password + next code
Lists on the server
List for User A

Historical market leader
• Time-based automatic generator with a secret algorithm
• 70% of the market in 2003 (25 million devices had been sold up to 2003)

First open-source one-time password solution
• Mobile-OTP (2003)
  • Hash (md5) of a “PIN code + time based algorithm”
  • open source, more than 40 different implementations
  • Java J2ME for mobile phones (at the beginning)
  • Unix shell script on server side

Standardized one-time password generator
• HOTP: HMAC-based One-time Password Algorithm (2005)
  • code construction is based on an HMAC hash function
  • open standard (OATH: Initiative for Open Authentication)
  • RFC 4226

HOTP authentication mechanism
[Diagram: User, Server; labels 0382, 754812, 0380-0384, 0379]

No synchronization problem anymore with TOTP
• TOTP: Time-based One-time Password Algorithm (2008)
  • based on HOTP
  • The counter is now the time divided in slices of 30 seconds
  • RFC 6238

TOTP authentication mechanism
[Diagram: User, Server; labels 0382, 754812]

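The server side of the HOTP and TOTP slides above, as an added example (not taken from the slides or from multiOTP's PHP code): RFC 4226 code generation, a look-ahead window that resynchronises the counter, and rejection of a TOTP code whose time slice was already accepted. The class names, the window of 4 extra counters and the one-slice drift tolerance are assumptions; the secret is the public RFC 4226 test vector.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (public test vector, not a real token seed).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _well_formed(code: str, digits: int = 6) -> bool:
    """Accept only exactly `digits` ASCII digits before any comparison."""
    return len(code) == digits and code.isascii() and code.isdigit()


class HotpAccount:
    """Server-side state for one event-based (HOTP) token (hypothetical class)."""

    def __init__(self, secret: bytes, next_counter: int = 0, look_ahead: int = 4):
        self.secret = secret
        self.next_counter = next_counter  # first counter value not yet consumed
        self.look_ahead = look_ahead      # extra values tried beyond next_counter

    def verify(self, code: str) -> bool:
        if not _well_formed(code):
            return False
        last = self.next_counter + self.look_ahead
        for candidate in range(self.next_counter, last + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                # Resynchronise: every value up to `candidate` is now consumed,
                # so a replayed or skipped code is never accepted later.
                self.next_counter = candidate + 1
                return True
        return False


class TotpAccount:
    """Server-side state for one time-based (TOTP, RFC 6238) token (hypothetical class)."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1):
        self.secret = secret
        self.step = step      # slice length in seconds
        self.drift = drift    # slices of clock drift tolerated on either side
        self.last_slice = -1  # newest slice already accepted

    def verify(self, code: str, now: float) -> bool:
        if not _well_formed(code):
            return False
        current = int(now) // self.step
        # Never consider a slice at or before one that was already accepted.
        first = max(current - self.drift, self.last_slice + 1)
        for candidate in range(first, current + self.drift + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_slice = candidate
                return True
        return False


if __name__ == "__main__":
    token = HotpAccount(RFC4226_SECRET)
    # The user pressed the button three times without logging in: counter 3.
    print("HOTP, counter 3 inside window:", token.verify(hotp(RFC4226_SECRET, 3)))
    print("HOTP, same code replayed:     ", token.verify(hotp(RFC4226_SECRET, 3)))
    print("HOTP, counter 9 outside window:", token.verify(hotp(RFC4226_SECRET, 9)))

    totp = TotpAccount(RFC4226_SECRET)
    code = hotp(RFC4226_SECRET, 59 // 30)
    print("TOTP, first use at t=59:", totp.verify(code, 59))
    print("TOTP, reuse at t=59:    ", totp.verify(code, 59))
```

The look-ahead window is the trade-off behind the HOTP slide: a wider window tolerates more unused button presses but gives a guesser more valid codes per attempt, which is why TOTP replaces it with a clock.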
Yubico OTP

YubiCloud

Yubico OTP code

Some HOTP and TOTP tokens

OTP Server
SMS-Token
username + password + token

multiOTP
our PHP open source library
… since June 2010 !

History of the multiOTP package
• 2009: PHP PoC implementing the Mobile-OTP protocol
• 2010: class creation with basic TOTP/HOTP
• 2011: Workshop during ASFWS 2011 (Application Security Forum)
• 2012: Wider deployment in the community and feedback
• 2013: New functionalities
  • SMS tokens
  • scratch passwords list
  • QR code/URL provisioning
  • Client/server implementation with local cache
  • MySQL backend support
• 2014: More functionalities
  • OATH certified
  • Yubico OTP support (YubiKey)
  • Active Directory and LDAP synchronization
  • Support for Active Directory / LDAP passwords (instead of PIN)

multiOTP
• Why did we develop the multiOTP package?
  • no free and easy-to-use solution for small companies
  • a lot of existing commercial products need Windows Server
  • existing products need a lot of resources
• Why open source?
  • to receive feedback and proposals from the users
  • security issues are analyzed by other developers
  • users can be sure that there is no Trojan and other NSA-friendly “tools” in our code

multiOTP concept
• open source PHP class (embedded in only one file)
• OS independent
• also works on any web server, including shared hosting
• data are stored in flat files or in a MySQL database
• all methods are implemented in a command line tool
• the command line tool is compatible with the centralized open source authentication server FreeRADIUS (FreeRADIUS is also available for Windows)
• the system administrator can create scripts in order to handle the package and to create users

multiOTP concept (2)
• common standards are supported
  • Mobile-OTP, HOTP, TOTP, Yubico OTP
  • SMS tokens
  • scratch passwords list
• HOTP and TOTP software tokens can simply be configured by scanning a QR code generated by multiOTP
• hardware token definition files can be imported
  • Authenex definition files (proprietary .sql file)
  • SafeNet definition files (proprietary .dat file)
  • any standard PSKC files (since December 2013)
  • Yubico log file in Traditional format (since November 2014)
• simple web GUI

multiOTP – Windows installation
• installed in 3 minutes!
  • surf on http://www.multiOTP.net
  • download the latest version
  • unpack the files in the C:\multiotp folder
  • read the readme file ;-)
• install the FreeRADIUS service
  C:\multiotp\radius_install.cmd
• that’s it!

multiOTP – how to create a user
• create the user on the server side
  C:\multiotp>multiotp -fastcreate bergen
  11 INFO: User successfully created or updated
  (in real life, the user must be created with an activated prefix PIN!)
• save the QR code image in a file
  C:\multiotp>multiotp -qrcode bergen C:\multiotp\tefo.png
  16 INFO: QRcode successfully created
• send the QR code to the user (using a secure channel!)
• … or simply use the web interface to print a nice HTML provisioning page ;-)

multiOTP – how to provision the token received
• install the Google Authenticator App
  • Android, iOS, BlackBerry
• scan the QR code received
• token is ready!

multiOTP – how to authenticate a user
• authenticate the user
  C:\multiotp>multiotp bergen 452549
  0 OK: Token accepted
• authenticate the user again with the same token
  C:\multiotp>multiotp bergen 452549
  26 ERROR: The time based token has already been used
• create a scratch passwords list
  C:\multiotp>multiotp -scratchlist bergen
  317493, 134580, 326450, 941356, 000298,
  412420, 456790, 222461, 645113, 837303

multiOTP – how to use hardware tokens
• import the tokens definition file
  C:\multiotp>multiotp -import importAlpine.dat
  (…)
  Info: Token 0003000b31da successfully imported
  15 INFO: Tokens definition file successfully imported
• create a user linked with the token 0003000b31da (and with the prefix PIN 1234)
  C:\multiotp>multiotp -create demo -token-id 0003000b31da 1234
  11 INFO: User successfully created or updated
• require a prefix PIN for the user
  C:\multiotp>multiotp -set demo prefix-pin=1
  19 INFO: Requested operation successfully done

multiOTP typical usage

How to build a working server device for less than CHF 100 ?

Hardware selection
• Raspberry Pi
  • very cheap (< CHF 40)
  • no OS licence (Debian Linux or others)
  • widely distributed
  • community support
  • microUSB powered
  • CPU 700 MHz (ARM)
  • RAM 512 MB

How to make your own strong authentication server ?
SD card with Debian Linux for Raspberry Pi ($10)
Real-time clock ($15)
+ multiOTP ($0)
< CHF 100

Let’s make a strong two-factor authentication device with a Raspberry Pi

Build an authentication server in some easy steps

1/17
If you want to have a battery backed up Real Time Clock, install it in your Raspberry Pi
• http://afterthoughtsoftware.com/products/rasclock
• http://www.cjemicros.co.uk/micros/products/rpirtc.shtml
• http://www.robotshop.com/ca/en/mini-real-time-clock-rtc-module.html
• http://nicegear.co.nz/raspberry-pi/high-precision-real-time-clock-for-raspberry-pi/

2/17
Download the latest Raspbian image to be flashed
• http://downloads.raspberrypi.org/raspbian_latest (currently 2014-09-09-wheezy-raspbian.zip)

3/17
Format your SD card using the SD Card Association’s formatting tool:
• https://www.sdcard.org/downloads/formatter_4/

4/17
Flash the raw image using the UNIX tool dd or the Win32DiskImager for Windows
• http://sourceforge.net/projects/win32diskimager/files/latest/download
This should take about 10 minutes.

5/17
Surf on http://www.multiOTP.net and download the latest version
Copy all files from multiotp/raspberry/boot-part to the root of the SD card (it could overwrite some files like config.txt)

6/17
When the copy is done, eject the SD card

7/17
Connect the Raspberry Pi to the local network

8/17
Put the SD card into the Raspberry Pi and boot it

9/17
Log in directly on your Raspberry Pi, or using SSH, with the default username "pi" and the password "raspberry"

10/17
Launch the initial configuration by typing sudo raspi-config

11/17
Choose the following options
• 1) Expand Filesystem
• 2) Change User Password
• 4) Internationalisation Options (if needed)
• 8) Advanced Options
  A2 Hostname (change the hostname to your favorite name, for example "multiotp")

12/17
Select Finish and answer "<Yes>" to reboot, or type "sudo reboot"

13/17
Log in again directly on your Raspberry Pi, or using SSH, with the default username "pi" and your new password

14/17
Type "sudo /boot/install.sh"
Everything is done automatically (it will take about 35 minutes) and the Raspberry Pi will reboot automatically at the end

15/17
The fixed IP address is set to 192.168.1.44 with a default gateway at 192.168.1.1
To adapt the network configuration, edit the file /etc/network/interfaces

16/17
Congratulations! You now have an open source and fully OATH compliant strong two-factor authentication server!
Surf now on http(s)://192.168.1.44 to use the basic web interface
(The default RADIUS secret is set to myfirstpass for the subnet 192.168.0.0/16. To adapt the FreeRADIUS configuration, edit the file /etc/freeradius/clients.conf)

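A post-install check for the RADIUS defaults named in step 16, as an added example (not part of the slides or of the multiOTP package): it parses client blocks from clients.conf text and reports any client still using the secret myfirstpass or covering a network wider than a chosen prefix. The sample file content, the shortnames, the function names and the /24 threshold are assumptions made for the illustration.

```python
import ipaddress
import re

# Default shared secret the slides give for a fresh multiOTP Raspberry Pi install.
DEFAULT_RADIUS_SECRET = "myfirstpass"

CLIENT_BLOCK = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
SETTING = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

# Constructed sample, modelled on the defaults described in step 16.
SAMPLE_CLIENTS_CONF = """\
# clients allowed to send RADIUS requests
client 192.168.0.0/16 {
    secret = myfirstpass
    shortname = multiotp-default   # hypothetical shortname
}

client vpn-gateway {
    ipaddr = 192.168.1.10
    secret = "constructed-Example-secret-7f3a"
    shortname = vpn
}
"""


def parse_clients(text):
    """Return [(client_name, settings_dict)] for each client block."""
    text = re.sub(r"#.*", "", text)  # assumes '#' never appears inside a secret
    return [(name, dict(SETTING.findall(body)))
            for name, body in CLIENT_BLOCK.findall(text)]


def client_network(name, settings):
    """Network a client block covers (IPv4), or None when it is a hostname."""
    spec = name
    if "ipaddr" in settings:
        spec = settings["ipaddr"] + "/" + settings.get("netmask", "32")
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None


def audit(text, min_prefix=24):
    """Return [(client_name, issue)]; min_prefix is an assumed local policy."""
    findings = []
    for name, settings in parse_clients(text):
        secret = settings.get("secret", "").strip('"')
        if secret == DEFAULT_RADIUS_SECRET:
            findings.append((name, "default-secret"))
        net = client_network(name, settings)
        if net is not None and net.prefixlen < min_prefix:
            findings.append((name, "wide-network"))
    return findings


if __name__ == "__main__":
    for client, issue in audit(SAMPLE_CLIENTS_CONF):
        print(f"{client}: {issue}")
```

On the device itself, pass the contents of /etc/freeradius/clients.conf to `audit()` after editing the file as step 16 describes.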
… or build an authentication server in ONE step ;-)
If you want to download a ready-to-use multiOTP Raspberry Pi image, follow this URL:
• http://download.multiOTP.net/raspberry/
Nano-computer name: multiOTP
IP address: 192.168.1.44 (netmask: 255.255.255.0)
Username: pi
Password: raspberry
You can now flash the SD card, put it into the Raspberry Pi and boot it.

Any questions ?

Crêt-Taconnet 13
tel 032 730 11 10
fax 032 730 11 09
2000 Neuchâtel
info@sysco.ch
www.sysco.ch
S y s C o ® systèmes de communication sa

 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0Cyber Security Alliance
 

Plus de Cyber Security Alliance (20)

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Colt sp sec2014_appsec-nf-vfinal
Colt sp sec2014_appsec-nf-vfinalColt sp sec2014_appsec-nf-vfinal
Colt sp sec2014_appsec-nf-vfinal
 
Asfws2014 tproxy
Asfws2014 tproxyAsfws2014 tproxy
Asfws2014 tproxy
 
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
 
Appsec rump reverse-i_os_machook
Appsec rump reverse-i_os_machookAppsec rump reverse-i_os_machook
Appsec rump reverse-i_os_machook
 

Dernier

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Dernier (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Create a-strong-two-factors-authentication-device-for-less-than-chf-100

  • 1. A fully compliant strong authentication server for less than $100!
       Application Security Forum Western Switzerland 2014-11-04
       André Liechti (@multiOTP, @andreliechti)
       SysCo systèmes de communication sa, Neuchâtel, Switzerland
       Last update: 2014-12-09
  • 2. Trainer
       - SysCo systèmes de communication sa
       - 16-year-old Swiss-based company located in Neuchâtel
       - Security, consulting services, customized development
       - Linux and Windows (Open Source) solutions
       - André Liechti
       - CTO of SysCo systèmes de communication sa
       - MSc in communication systems
       - BSc in Electronics
  • 3. Schedule
       - Why regular passwords are never strong enough?
       - What are the different solutions for more security?
       - multiOTP, our PHP open source library solution
       - How to set up a device for less than CHF 100
       - Let's make a strong two-factor authentication device with a Raspberry Pi
       - Some questions?
  • 4. Why regular passwords are never strong enough? (on the Internet, but elsewhere too…)
  • 5. Why regular passwords are never strong enough?
       - Same password for different applications…
  • 6. Some nice hardware tools…
       [Images: key logger; camera in a car key]
  • 7. ... and some «nicer» hardware tools… ;-)
       [Images: fake USB keyboard mounted in a memory stick; wireless key logger; and so on]
  • 8. What are the different solutions for more security?
  • 9. What are the different solutions for more security?
       - Two-factor authentication
       - A daily use of the combination of knowledge and possession factors: the ATM
       - We have the physical ATM card and we know our personal PIN.
  • 10. Strong authentication with one-time password
       - No software installation is required for the user (compatible with all OSes and Internet browsers)
       - Passwords list
  • 11. Passwords list
       - Login = username + password + next code
       [Image: lists on the server; list for User A]
  • 12. Historical market leader
       - Time-based automatic generator with a secret algorithm
       - 70% of the market in 2003 (25 million devices had been sold up to 2003)
  • 13. First open-source one-time password solution
       - Mobile-OTP (2003)
       - Hash (MD5) of a “PIN code + time based algorithm”
       - Open source, more than 40 different implementations
       - Java J2ME for mobile phones (at the beginning)
       - Unix shell script on the server side
  • 14. Standardized one-time password generator
       - HOTP: HMAC-based One-time Password Algorithm (2005)
       - Code construction is based on an HMAC hash function
       - Open standard (OATH: Initiative for Open Authentication)
       - RFC 4226
  • 15. HOTP authentication mechanism
       [Diagram: User and Server; values shown: 0382, 754812, 0380-0384, 0379]
  • 16. No synchronization problem anymore with TOTP
       - TOTP: Time-based One-time Password Algorithm (2008)
       - Based on HOTP
       - The counter is now the time divided into slices of 30 seconds
       - RFC 6238
  • 17. TOTP authentication mechanism
       [Diagram: User and Server; values shown: 0382, 754812]
  • 21. Some HOTP and TOTP tokens
  • 23. multiOTP, our PHP open source library … since June 2010!
  • 24. History of the multiOTP package
       - 2009: PHP PoC implementing the Mobile-OTP protocol
       - 2010: class creation with basic TOTP/HOTP
       - 2011: workshop during ASFWS 2011 (Application Security Forum)
       - 2012: wider deployment in the community and feedback
       - 2013: new functionalities
           - SMS tokens
           - Scratch passwords list
           - QRcode/URL provisioning
           - Client/server implementation with local cache
           - MySQL backend support
       - 2014: more functionalities
           - OATH certified
           - Yubico OTP support (Yubikey)
           - Active Directory and LDAP synchronization
           - Support for Active Directory / LDAP passwords (instead of PIN)
  • 25. multiOTP
       - Why did we develop the multiOTP package?
           - No free and easy-to-use solution for small companies
           - A lot of existing commercial products need Windows Server
           - Existing products need a lot of resources
       - Why open source?
           - To receive feedback and proposals from the users
           - Security issues are analyzed by other developers
           - Users can be sure that there is no Trojan and other NSA-friendly “tools” in our code
  • 26. multiOTP concept
       - Open source PHP class (embedded in only one file)
       - OS independent
       - Also works on any web server, including shared hosting
       - Data are stored in flat files or in a MySQL database
       - All methods are implemented in a command line tool
       - The command line tool is compatible with the centralized open source authentication server FreeRADIUS (FreeRADIUS is also available for Windows)
       - The system administrator can create scripts in order to handle the package and to create users
  • 27. multiOTP concept (2)
       - Common standards are supported
           - Mobile-OTP, HOTP, TOTP, Yubico OTP
           - SMS tokens
           - Scratch passwords list
       - HOTP and TOTP software tokens can simply be configured by flashing a QRcode generated by multiOTP
       - Hardware token definition files can be imported
           - Authenex definition files (proprietary .sql file)
           - SafeNet definition files (proprietary .dat file)
           - Any standard PSKC files (since December 2013)
           - Yubico log file in Traditional format (since November 2014)
       - Simple web GUI
  • 28. multiOTP – Windows installation
       - Installed in 3 minutes!
       - Surf on http://www.multiOTP.net
       - Download the latest version
       - Unpack the files in the C:\multiotp folder
       - Read the readme file ;-)
       - Install the FreeRADIUS service
           C:\multiotp\radius_install.cmd
       - That's it!
  • 29. multiOTP – how to create a user
       - Create the user on the server side
           C:\multiotp>multiotp -fastcreate bergen
           11 INFO: User successfully created or updated
         (in real life, the user must be created with an activated prefix PIN!)
       - Save the QRcode image in a file
           C:\multiotp>multiotp -qrcode bergen C:\multiotp\tefo.png
           16 INFO: QRcode successfully created
       - Send the QRcode to the user (using a secure channel!)
       - … or simply use the web interface to print a nice HTML provisioning page ;-)
  • 30. multiOTP – how to provision the token received
       - Install the Google Authenticator app (Android, iOS, BlackBerry)
       - Scan the QRcode received
       - The token is ready!
  • 31. multiOTP – how to authenticate a user
       - Authenticate the user
           C:\multiotp>multiotp bergen 452549
           0 OK: Token accepted
       - Authenticate the user again with the same token
           C:\multiotp>multiotp bergen 452549
           26 ERROR: The time based token has already been used
       - Create a scratch passwords list
           C:\multiotp>multiotp -scratchlist bergen
           317493, 134580, 326450, 941356, 000298, 412420, 456790, 222461, 645113, 837303
  • 32. multiOTP – how to use hardware tokens
       - Import the tokens definition file
           C:\multiotp>multiotp -import importAlpine.dat
           (…)
           Info: Token 0003000b31da successfully imported
           15 INFO: Tokens definition file successfully imported
       - Create a user linked with the token 0003000b31da (and with the prefix PIN 1234)
           C:\multiotp>multiotp -create demo -token-id 0003000b31da 1234
           11 INFO: User successfully created or updated
       - Require a prefix PIN for the user
           C:\multiotp>multiotp -set demo prefix-pin=1
           19 INFO: Requested operation successfully done
  • 34. How to build a working server device for less than CHF 100?
  • 35. Hardware selection
       - Raspberry Pi
       - Very cheap (< CHF 40)
       - No OS licence (Debian Linux or others)
       - Widely distributed
       - Community support
       - microUSB powered
       - CPU 700 MHz (ARM)
       - RAM 512 MB
  • 36. How to make your own strong authentication server?
       - SD card with Debian Linux for Raspberry Pi ($10)
       - Real-time clock ($15)
       - + multiOTP ($0)
       - < CHF 100
  • 37. Let's make a strong two-factor authentication device with a Raspberry Pi
  • 38. Build an authentication server in some easy steps 1/17
       If you want to have a battery-backed real-time clock, install it in your Raspberry Pi
       - http://afterthoughtsoftware.com/products/rasclock
       - http://www.cjemicros.co.uk/micros/products/rpirtc.shtml
       - http://www.robotshop.com/ca/en/mini-real-time-clock-rtc-module.html
       - http://nicegear.co.nz/raspberry-pi/high-precision-real-time-clock-for-raspberry-pi/
  • 39. Build an authentication server in some easy steps 2/17
       Download the latest image of Raspbian to be flashed
       - http://downloads.raspberrypi.org/raspbian_latest (currently 2014-09-09-wheezy-raspbian.zip)
  • 40. Build an authentication server in some easy steps 3/17
       Format your SD card using the SD Card Association's formatting tool:
       - https://www.sdcard.org/downloads/formatter_4/
  • 41. Build an authentication server in some easy steps 4/17
       Flash the raw image using the UNIX tool dd or Win32DiskImager for Windows
       - http://sourceforge.net/projects/win32diskimager/files/latest/download
       This should take about 10 minutes.
  • 42. Build an authentication server in some easy steps 5/17
       Surf on http://www.multiOTP.net and download the latest version.
       Copy all files from multiotp/raspberry/boot-part to the root of the SD card (this may overwrite some files, such as config.txt).
  • 43. Build an authentication server in some easy steps 6/17
       When the copy is done, eject the SD card.
  • 44. Build an authentication server in some easy steps 7/17
       Connect the Raspberry Pi to the local network.
  • 45. Build an authentication server in some easy steps 8/17
       Put the SD card into the Raspberry Pi and boot it.
  • 46. Build an authentication server in some easy steps 9/17
       Log in directly on your Raspberry Pi, or using SSH, with the default username "pi" and the password "raspberry".
  • 47. Build an authentication server in some easy steps 10/17
       Launch the initial configuration by typing: sudo raspi-config
  • 48. Build an authentication server in some easy steps 11/17
       Choose the following options
       - 1) Expand Filesystem
       - 2) Change User Password
       - 4) Internationalisation Options (if needed)
       - 8) Advanced Options, A2 Hostname (change the hostname to your favorite name, for example "multiotp")
  • 49. Build an authentication server in some easy steps 12/17
       Select Finish and answer "<Yes>" to reboot, or type "sudo reboot".
  • 50. Build an authentication server in some easy steps 13/17
       Log in again directly on your Raspberry Pi, or using SSH, with the default username "pi" and your new password.
  • 51. Build an authentication server in some easy steps 14/17
       Type "sudo /boot/install.sh".
       Everything is done automatically (it will take about 35 minutes) and the Raspberry Pi will reboot automatically at the end.
  • 52. Build an authentication server in some easy steps 15/17
       The fixed IP address is set to 192.168.1.44 with a default gateway at 192.168.1.1.
       To adapt the network configuration, edit the file /etc/network/interfaces.
  • 53. Build an authentication server in some easy steps 16/17
       Congratulations! You now have an open source and fully OATH compliant strong two-factor authentication server!
       Browse to http(s)://192.168.1.44 to use the basic web interface.
       (The default radius secret is set to myfirstpass for the subnet 192.168.0.0/16. To adapt the freeradius configuration, edit the file /etc/freeradius/clients.conf)
  • 54. … or build an authentication server in ONE step ;-)
       If you want to download a ready-to-use multiOTP Raspberry Pi image, follow this URL:
       - http://download.multiOTP.net/raspberry/
       Nano-computer name: multiOTP
       IP address: 192.168.1.44 (netmask: 255.255.255.0)
       Username: pi
       Password: raspberry
       You can now flash the SD card, put it into the Raspberry Pi and boot it.
  • 55. Any questions?
       SysCo® systèmes de communication sa
       Crêt-Taconnet 13, 2000 Neuchâtel
       tel 032 730 11 10, fax 032 730 11 09
       info@sysco.ch, www.sysco.ch