SlideShare une entreprise Scribd logo

Creating OTP Infrastructures Using Open Source

Giuseppe Paterno'
Giuseppe Paterno'

Giuseppe Paternò is a visiting researcher at Trinity College Dublin who discusses creating one time password (OTP) infrastructures using open source software. He describes how the Open Authentication (OATH) Alliance created a common HMAC-Based One Time Password (HOTP) algorithm standard to facilitate two-factor authentication across different implementations. Paternò then demonstrates an OTP infrastructure using the open source OTPD server, FreeRADIUS server, and soft token clients, allowing authentication for systems like wireless networks, VPNs, and web applications through standards like RADIUS and CAS.

Technologie
1  sur  25
Télécharger pour lire hors ligne
Creating One Time Password (OTP) infrastructures using Open Source sofware Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin
Who am I ● Visiting Researcher at Trinity College Dublin (Ireland) ● Solution Architect and EMEA Security Expert in Red Hat ● Previously Security Solution Architect in Sun and also in IBM ● Red Hat Certified Security Specialist (RHCSS), Red Hat Certified Architect (RHCA) and Cisco Certified Network Professinal (CCNP) ● Part of the italian security community sikurezza.org ● Published books and whitepapers ● Forensic analisys for local govs ● More on: – http://www.scss.tcd.ie/Giuseppe.Paterno/ – http://www.gpaterno.com/ – http://www.linkedin.com/in/gpaterno
Disclaimer I do not speak on behalf of my employer, nor I am authorized to represent it publicly. All and any opinion and results expressed in this presentation are solely mine and do not represent my employer point-of-view. All the tests and any project contribution are done as a TCD researcher out of business hours.
Global IT scenario ● ● Even more in this recession phase, the IT budget is getting lower and lower The projects (demand) are increasing with significantly less money available
Lowering TCO "The economic crisis is going to be a catalyst for open source, much like the technology crash of 2001 catapulted Linux front and center" Laurie Wurster, a Gartner analyst. The adoption of Open Source software can lower the TCO … and increase your security!
How Open Source can increase Security? Open Source = Open Standards = Choice
The OATH Alliance ● The Initiative for Open Authentication (OATH) ● Open alliance of vendors – ● ● ActiveIdentity, Vasco, Gemalto, Aladdin, ... http://www.openauthentication.org/ Created a common algorithm for one time password tokens (HOTP) – A common “protocol” for the interoperability of the several impementations available
What is HOTP ● ● An HMAC-Based One-Time Password Algorithm (HOTP) A common shared algorithm that is meant to facilitate the adoption of two-factor authentication ● Alogorithm published as RFC 4226 ● The complete standard on: – http://www.rfc-editor.org/
HOTP: Internals The algorithm is: HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)) K Shared key between client and server C 8-byte counter value syncronized between client and server Truncate() Perform a dynamic truncation and reduction of the string to extract a 4-byte dynamic binary code. The result must extract minimum a 6-digit code, but also 7 and 8-digit code
Anathomy of HOTP ● The shared key between the OTP peers (token and authenticator) is an hexadecimal string – ● The lenght is a SHA-1 digest Example of generating a new HMAC 6-digit shared key: dd if=/dev/random bs=4096 count=1 2>/dev/null | sha1sum | awk '{print $1}'
HOTP implementations ● ● ● ● Both commercial and open source implementations available Most of the hardware tokens adhere to the HOTP algorithm Few software implementations, most of which proprietary/closed source Some software client available: – J2ME, iPhone and Windows Mobile – Publically available algorithm makes it simple to implement a client
How does it fit all together?
The software ● An open source OTP server: – Only one server implementation available (OTPD), formelly from TRI-D Systems – Now I made it available on http://otpd.googlecode.com ● FreeRADIUS, the popular radius server for Linux ● Two tested freely available client: – – ● oathdsss.jar (DSSS) for Java MIDP (Nokia) iToken (Quest Software) for iPhone Also tried some hardware tokens
OTPD server ● It handle the validation of the One Time Passwords – Uses files and LDAP as repository ● Keeps the state of the OTP token (counter) ● Supported tokens: – – CRYPTOCard – ● HOTP Plain old x9.9 (based on DES, unsecure!) It listen to autentication requests
FreeRADIUS ● Well known high-performance open source RADIUS server – – ● Handle authentication and accounting Plug-in based One of the plug-in is rlm_otpd – Developed by TRI-D Systems – Communicate via Unix sockets with the OTPD server to verify an OTP token
The soft-token ● An OTP token in software ● Less “secure” than an hardware – ● What if my laptop is stolen? A compromise is using a softtoken on a mobile platform – Easy to manage – Lower costs – Better security over a “fat” client on laptops/desktops – Available for most mobile phones
What can I authenticate? ● Any RADIUS compliant system, ex: – – Wireless LANs – Routers/network equipments – Core UNIX systems (through pam_radius) – ● VPN systems Captive portals Any application can use the RADIUS protocol: – common APIs available in C, PHP, Python, Ruby, Java (J2EE)
Enteprise scenario
Demo scenario ● Authentication server: – OTP Server – FreeRADIUS Server ● Client UNIX ● Web application (PHP) ● Centralized Web Single Sign-On (CAS)
Demo (the clients) ● Client Unix – – ● Interactive log-in Leverage the pam_radius module Web Single Sign-On – – ● Based on Yale CAS Customized to login through RADIUS PHP web application – Dummy application to demonstrate CAS' capabilities with OTP integration – Virtually every application can leverage CAS architecture
Demo scenario (big picture)
Interactive log-in OTP/Radius Server Authentication Request (RADIUS) Log-on request
Web Application OTP/Radius Server Redirect to CAS' Single Sign-on Portal Authentication Request (RADIUS) Web Access
Demo now!
Thank you!! Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin paternog@cs.tcd.ie http://www.scss.tcd.ie/Giuseppe.Paterno/ http://www.gpaterno.com/

Recommandé

Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Donald Malloy
 
SecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password SolutionSecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password SolutionRafidah Ariffin
 
10 1 otp all
10 1 otp all10 1 otp all
10 1 otp allMohammad Alyan
 
One-Time Password
One-Time PasswordOne-Time Password
One-Time PasswordAta Ebrahimi
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSMNarudom Roongsiriwong, CISSP
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Cyber Security Alliance
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneArash Ramez
 

Recommandé

Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Donald Malloy
 
SecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password SolutionSecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password SolutionRafidah Ariffin
 
10 1 otp all
10 1 otp all10 1 otp all
10 1 otp allMohammad Alyan
 
One-Time Password
One-Time PasswordOne-Time Password
One-Time PasswordAta Ebrahimi
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSMNarudom Roongsiriwong, CISSP
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Cyber Security Alliance
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneArash Ramez
 
How to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedHow to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedArash Ramez
 
Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)Umesh Kolhe
 
Bypass Security Checking with Frida
Bypass Security Checking with FridaBypass Security Checking with Frida
Bypass Security Checking with FridaSatria Ady Pradana
 
CNIT 141: 13. TLS
CNIT 141: 13. TLSCNIT 141: 13. TLS
CNIT 141: 13. TLSSam Bowne
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsecCyber Security Alliance
 
How to do Cryptography right in Android Part Two
How to do Cryptography right in Android Part TwoHow to do Cryptography right in Android Part Two
How to do Cryptography right in Android Part TwoArash Ramez
 
CNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session ManagementCNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session ManagementSam Bowne
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tPriyanka Aash
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Serviceskieranjacobsen
 
CNIT 141: 13. TLS
CNIT 141: 13. TLSCNIT 141: 13. TLS
CNIT 141: 13. TLSSam Bowne
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key ManagementNCC Group
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red TeamSatria Ady Pradana
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Mobile Authentication - Moving Towards a Passwordless Future
Mobile Authentication - Moving Towards a Passwordless FutureMobile Authentication - Moving Towards a Passwordless Future
Mobile Authentication - Moving Towards a Passwordless FutureForgeRock Identity Tech Talks
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Extracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationExtracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationOpposing Force S.r.l.
 
PBKDF2: Storing Sensitive Data Securely in Android Applications
PBKDF2: Storing Sensitive Data Securely in Android ApplicationsPBKDF2: Storing Sensitive Data Securely in Android Applications
PBKDF2: Storing Sensitive Data Securely in Android ApplicationsShiv Sahni
 
One Time Password - A two factor authentication system
One Time Password - A two factor authentication systemOne Time Password - A two factor authentication system
One Time Password - A two factor authentication systemSwetha Kogatam
 
One time password(otp)
One time password(otp)One time password(otp)
One time password(otp)Anjali Agrawal
 

Contenu connexe

Tendances

How to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedHow to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedArash Ramez
 
Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)Umesh Kolhe
 
Bypass Security Checking with Frida
Bypass Security Checking with FridaBypass Security Checking with Frida
Bypass Security Checking with FridaSatria Ady Pradana
 
CNIT 141: 13. TLS
CNIT 141: 13. TLSCNIT 141: 13. TLS
CNIT 141: 13. TLSSam Bowne
 
How to do Cryptography right in Android Part Two
How to do Cryptography right in Android Part TwoHow to do Cryptography right in Android Part Two
How to do Cryptography right in Android Part TwoArash Ramez
 
CNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session ManagementCNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session ManagementSam Bowne
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tPriyanka Aash
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Serviceskieranjacobsen
 
CNIT 141: 13. TLS
CNIT 141: 13. TLSCNIT 141: 13. TLS
CNIT 141: 13. TLSSam Bowne
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key ManagementNCC Group
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Mobile Authentication - Moving Towards a Passwordless Future
Mobile Authentication - Moving Towards a Passwordless FutureMobile Authentication - Moving Towards a Passwordless Future
Mobile Authentication - Moving Towards a Passwordless FutureForgeRock Identity Tech Talks
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Extracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationExtracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationOpposing Force S.r.l.
 
PBKDF2: Storing Sensitive Data Securely in Android Applications
PBKDF2: Storing Sensitive Data Securely in Android ApplicationsPBKDF2: Storing Sensitive Data Securely in Android Applications
PBKDF2: Storing Sensitive Data Securely in Android ApplicationsShiv Sahni
 

Tendances (20)

How to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedHow to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewed
 
Cryptography101
Cryptography101Cryptography101
Cryptography101
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)
 
Bypass Security Checking with Frida
Bypass Security Checking with FridaBypass Security Checking with Frida
Bypass Security Checking with Frida
 
CNIT 141: 13. TLS
CNIT 141: 13. TLSCNIT 141: 13. TLS
CNIT 141: 13. TLS
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 
How to do Cryptography right in Android Part Two
How to do Cryptography right in Android Part TwoHow to do Cryptography right in Android Part Two
How to do Cryptography right in Android Part Two
 
CNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session ManagementCNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session Management
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
 
CNIT 141: 13. TLS
CNIT 141: 13. TLSCNIT 141: 13. TLS
CNIT 141: 13. TLS
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key Management
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red Team
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Mobile Authentication - Moving Towards a Passwordless Future
Mobile Authentication - Moving Towards a Passwordless FutureMobile Authentication - Moving Towards a Passwordless Future
Mobile Authentication - Moving Towards a Passwordless Future
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Extracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationExtracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - Presentation
 
PBKDF2: Storing Sensitive Data Securely in Android Applications
PBKDF2: Storing Sensitive Data Securely in Android ApplicationsPBKDF2: Storing Sensitive Data Securely in Android Applications
PBKDF2: Storing Sensitive Data Securely in Android Applications
 

En vedette

One Time Password - A two factor authentication system
One Time Password - A two factor authentication systemOne Time Password - A two factor authentication system
One Time Password - A two factor authentication systemSwetha Kogatam
 
One time password(otp)
One time password(otp)One time password(otp)
One time password(otp)Anjali Agrawal
 
Strong Authentication - Open Source
Strong Authentication - Open SourceStrong Authentication - Open Source
Strong Authentication - Open SourceDonald Malloy
 
[artifactconf] Github for People Who Don't Code
[artifactconf] Github for People Who Don't Code[artifactconf] Github for People Who Don't Code
[artifactconf] Github for People Who Don't CodeChristopher Schmitt
 
Two factor Authentication using Telegram Messenger - www.tgauth.com
Two factor Authentication using Telegram Messenger - www.tgauth.com Two factor Authentication using Telegram Messenger - www.tgauth.com
Two factor Authentication using Telegram Messenger - www.tgauth.comCognalys
 
Security Tokens
Security TokensSecurity Tokens
Security Tokenstkisason
 
Shariff V10- BSc (Hons) Project
Shariff V10- BSc (Hons) ProjectShariff V10- BSc (Hons) Project
Shariff V10- BSc (Hons) Projectsharmarke sharif
 
카카오팬 보안OTP가이드
카카오팬 보안OTP가이드카카오팬 보안OTP가이드
카카오팬 보안OTP가이드Nemustech
 
Open (source) API for the Internet of Things - APIdays 2013
Open (source) API for the Internet of Things - APIdays 2013Open (source) API for the Internet of Things - APIdays 2013
Open (source) API for the Internet of Things - APIdays 2013Benjamin Cabé
 
Evolution of it in 2020
Evolution of it in 2020Evolution of it in 2020
Evolution of it in 2020Saurabh Tiwari
 
08 인터페이 t zsign 소개-dcamp_150630
08 인터페이 t zsign 소개-dcamp_15063008 인터페이 t zsign 소개-dcamp_150630
08 인터페이 t zsign 소개-dcamp_150630D.CAMP
 
Selenium and Open Source Advanced Testing
Selenium and Open Source Advanced TestingSelenium and Open Source Advanced Testing
Selenium and Open Source Advanced TestingAustin Marie Gay
 
Google Authenticator, possible attacks and prevention
Google Authenticator, possible attacks and preventionGoogle Authenticator, possible attacks and prevention
Google Authenticator, possible attacks and preventionBoštjan Cigan
 
핀테크 기업조사- TransferWise, CurrencyCloud, TOSS
핀테크 기업조사- TransferWise, CurrencyCloud, TOSS핀테크 기업조사- TransferWise, CurrencyCloud, TOSS
핀테크 기업조사- TransferWise, CurrencyCloud, TOSSMad Scientists
 
Retail Banking 2020: evolution or revolution
Retail Banking 2020: evolution or revolutionRetail Banking 2020: evolution or revolution
Retail Banking 2020: evolution or revolutionIgnasi Martín Morales
 
Sua 정보보호관리체계 cissp_접근통제_강의교안
Sua 정보보호관리체계 cissp_접근통제_강의교안Sua 정보보호관리체계 cissp_접근통제_강의교안
Sua 정보보호관리체계 cissp_접근통제_강의교안Lee Chanwoo
 
WiFi HotSpot Marketin
WiFi HotSpot MarketinWiFi HotSpot Marketin
WiFi HotSpot MarketinKody Smith
 
Open Source in the Cloud Computing Era
Open Source in the Cloud Computing EraOpen Source in the Cloud Computing Era
Open Source in the Cloud Computing EraTim O'Reilly
 

En vedette (20)

One Time Password - A two factor authentication system
One Time Password - A two factor authentication systemOne Time Password - A two factor authentication system
One Time Password - A two factor authentication system
 
One time password(otp)
One time password(otp)One time password(otp)
One time password(otp)
 
One Time Password
One Time PasswordOne Time Password
One Time Password
 
Strong Authentication - Open Source
Strong Authentication - Open SourceStrong Authentication - Open Source
Strong Authentication - Open Source
 
[artifactconf] Github for People Who Don't Code
[artifactconf] Github for People Who Don't Code[artifactconf] Github for People Who Don't Code
[artifactconf] Github for People Who Don't Code
 
Two factor Authentication using Telegram Messenger - www.tgauth.com
Two factor Authentication using Telegram Messenger - www.tgauth.com Two factor Authentication using Telegram Messenger - www.tgauth.com
Two factor Authentication using Telegram Messenger - www.tgauth.com
 
Security Tokens
Security TokensSecurity Tokens
Security Tokens
 
Shariff V10- BSc (Hons) Project
Shariff V10- BSc (Hons) ProjectShariff V10- BSc (Hons) Project
Shariff V10- BSc (Hons) Project
 
카카오팬 보안OTP가이드
카카오팬 보안OTP가이드카카오팬 보안OTP가이드
카카오팬 보안OTP가이드
 
Open (source) API for the Internet of Things - APIdays 2013
Open (source) API for the Internet of Things - APIdays 2013Open (source) API for the Internet of Things - APIdays 2013
Open (source) API for the Internet of Things - APIdays 2013
 
Profiling Ruby
Profiling RubyProfiling Ruby
Profiling Ruby
 
Evolution of it in 2020
Evolution of it in 2020Evolution of it in 2020
Evolution of it in 2020
 
08 인터페이 t zsign 소개-dcamp_150630
08 인터페이 t zsign 소개-dcamp_15063008 인터페이 t zsign 소개-dcamp_150630
08 인터페이 t zsign 소개-dcamp_150630
 
Selenium and Open Source Advanced Testing
Selenium and Open Source Advanced TestingSelenium and Open Source Advanced Testing
Selenium and Open Source Advanced Testing
 
Google Authenticator, possible attacks and prevention
Google Authenticator, possible attacks and preventionGoogle Authenticator, possible attacks and prevention
Google Authenticator, possible attacks and prevention
 
핀테크 기업조사- TransferWise, CurrencyCloud, TOSS
핀테크 기업조사- TransferWise, CurrencyCloud, TOSS핀테크 기업조사- TransferWise, CurrencyCloud, TOSS
핀테크 기업조사- TransferWise, CurrencyCloud, TOSS
 
Retail Banking 2020: evolution or revolution
Retail Banking 2020: evolution or revolutionRetail Banking 2020: evolution or revolution
Retail Banking 2020: evolution or revolution
 
Sua 정보보호관리체계 cissp_접근통제_강의교안
Sua 정보보호관리체계 cissp_접근통제_강의교안Sua 정보보호관리체계 cissp_접근통제_강의교안
Sua 정보보호관리체계 cissp_접근통제_강의교안
 
WiFi HotSpot Marketin
WiFi HotSpot MarketinWiFi HotSpot Marketin
WiFi HotSpot Marketin
 
Open Source in the Cloud Computing Era
Open Source in the Cloud Computing EraOpen Source in the Cloud Computing Era
Open Source in the Cloud Computing Era
 

Similaire à Creating OTP Infrastructures Using Open Source

BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxGiuseppe Paterno'
 
Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017
Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017
Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017VOIP2DAY
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications WSO2
 
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...VOIP2DAY
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityLinaro
 
FluentD for end to end monitoring
FluentD for end to end monitoringFluentD for end to end monitoring
FluentD for end to end monitoringPhil Wilkins
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Jason Williams
 
Secure Developer Access at Decisiv
Secure Developer Access at DecisivSecure Developer Access at Decisiv
Secure Developer Access at DecisivTeleport
 
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16AppDynamics
 
Not my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructureNot my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructureYshay Yaacobi
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...Felipe Prado
 
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)Ron Munitz
 
FIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using KurentoFIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using KurentoFIWARE
 
Network-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQNetwork-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQICS
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
LCU14 310- Cisco ODP v2
LCU14 310- Cisco ODP v2LCU14 310- Cisco ODP v2
LCU14 310- Cisco ODP v2Linaro
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 

Similaire à Creating OTP Infrastructures Using Open Source (20)

BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017
Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017
Homer metrics | LORENZO MANGANI Y FEDERICO CABIDDU - VoIP2DAY 2017
 
Programming Decentralized Application
Programming Decentralized ApplicationProgramming Decentralized Application
Programming Decentralized Application
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
 
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source security
 
FluentD for end to end monitoring
FluentD for end to end monitoringFluentD for end to end monitoring
FluentD for end to end monitoring
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)
 
Secure Developer Access at Decisiv
Secure Developer Access at DecisivSecure Developer Access at Decisiv
Secure Developer Access at Decisiv
 
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
 
Not my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructureNot my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructure
 
RAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial TradecraftRAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial Tradecraft
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
 
FIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using KurentoFIWARE Global Summit - Real-time Media Stream Processing Using Kurento
FIWARE Global Summit - Real-time Media Stream Processing Using Kurento
 
Network-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQNetwork-Connected Development with ZeroMQ
Network-Connected Development with ZeroMQ
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
LCU14 310- Cisco ODP v2
LCU14 310- Cisco ODP v2LCU14 310- Cisco ODP v2
LCU14 310- Cisco ODP v2
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 

Plus de Giuseppe Paterno'

OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITGiuseppe Paterno'
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...Giuseppe Paterno'
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudGiuseppe Paterno'
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsGiuseppe Paterno'
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediGiuseppe Paterno'
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersGiuseppe Paterno'
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Giuseppe Paterno'
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxGiuseppe Paterno'
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiGiuseppe Paterno'
 
La gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieLa gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieGiuseppe Paterno'
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadGiuseppe Paterno'
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remediesGiuseppe Paterno'
 
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediGiuseppe Paterno'
 

Plus de Giuseppe Paterno' (14)

OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture IT
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloud
 
SecurePass at OpenBrighton
SecurePass at OpenBrightonSecurePass at OpenBrighton
SecurePass at OpenBrighton
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond Firewalls
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacenters
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
 
La gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieLa gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarie
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and Etherpad
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remedies
 
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
 

Dernier

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsZilliz
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 

Dernier (20)

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 

Creating OTP Infrastructures Using Open Source

  • 1. Creating One Time Password (OTP) infrastructures using Open Source sofware Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin
  • 2. Who am I ● Visiting Researcher at Trinity College Dublin (Ireland) ● Solution Architect and EMEA Security Expert in Red Hat ● Previously Security Solution Architect in Sun and also in IBM ● Red Hat Certified Security Specialist (RHCSS), Red Hat Certified Architect (RHCA) and Cisco Certified Network Professinal (CCNP) ● Part of the italian security community sikurezza.org ● Published books and whitepapers ● Forensic analisys for local govs ● More on: – http://www.scss.tcd.ie/Giuseppe.Paterno/ – http://www.gpaterno.com/ – http://www.linkedin.com/in/gpaterno
  • 3. Disclaimer I do not speak on behalf of my employer, nor I am authorized to represent it publicly. All and any opinion and results expressed in this presentation are solely mine and do not represent my employer point-of-view. All the tests and any project contribution are done as a TCD researcher out of business hours.
  • 4. Global IT scenario ● ● Even more in this recession phase, the IT budget is getting lower and lower The projects (demand) are increasing with significantly less money available
  • 5. Lowering TCO "The economic crisis is going to be a catalyst for open source, much like the technology crash of 2001 catapulted Linux front and center" Laurie Wurster, a Gartner analyst. The adoption of Open Source software can lower the TCO … and increase your security!
  • 6. How Open Source can increase Security? Open Source = Open Standards = Choice
  • 7. The OATH Alliance ● The Initiative for Open Authentication (OATH) ● Open alliance of vendors – ● ● ActiveIdentity, Vasco, Gemalto, Aladdin, ... http://www.openauthentication.org/ Created a common algorithm for one time password tokens (HOTP) – A common “protocol” for the interoperability of the several impementations available
  • 8. What is HOTP ● ● An HMAC-Based One-Time Password Algorithm (HOTP) A common shared algorithm that is meant to facilitate the adoption of two-factor authentication ● Alogorithm published as RFC 4226 ● The complete standard on: – http://www.rfc-editor.org/
  • 9. HOTP: Internals The algorithm is: HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)) K Shared key between client and server C 8-byte counter value syncronized between client and server Truncate() Perform a dynamic truncation and reduction of the string to extract a 4-byte dynamic binary code. The result must extract minimum a 6-digit code, but also 7 and 8-digit code
  • 10. Anathomy of HOTP ● The shared key between the OTP peers (token and authenticator) is an hexadecimal string – ● The lenght is a SHA-1 digest Example of generating a new HMAC 6-digit shared key: dd if=/dev/random bs=4096 count=1 2>/dev/null | sha1sum | awk '{print $1}'
  • 11. HOTP implementations ● ● ● ● Both commercial and open source implementations available Most of the hardware tokens adhere to the HOTP algorithm Few software implementations, most of which proprietary/closed source Some software client available: – J2ME, iPhone and Windows Mobile – Publically available algorithm makes it simple to implement a client
  • 12. How does it fit all together?
  • 13. The software ● An open source OTP server: – Only one server implementation available (OTPD), formelly from TRI-D Systems – Now I made it available on http://otpd.googlecode.com ● FreeRADIUS, the popular radius server for Linux ● Two tested freely available client: – – ● oathdsss.jar (DSSS) for Java MIDP (Nokia) iToken (Quest Software) for iPhone Also tried some hardware tokens
  • 14. OTPD server ● It handle the validation of the One Time Passwords – Uses files and LDAP as repository ● Keeps the state of the OTP token (counter) ● Supported tokens: – – CRYPTOCard – ● HOTP Plain old x9.9 (based on DES, unsecure!) It listen to autentication requests
  • 15. FreeRADIUS ● Well known high-performance open source RADIUS server – – ● Handle authentication and accounting Plug-in based One of the plug-in is rlm_otpd – Developed by TRI-D Systems – Communicate via Unix sockets with the OTPD server to verify an OTP token
  • 16. The soft-token ● An OTP token in software ● Less “secure” than an hardware – ● What if my laptop is stolen? A compromise is using a softtoken on a mobile platform – Easy to manage – Lower costs – Better security over a “fat” client on laptops/desktops – Available for most mobile phones
  • 17. What can I authenticate? ● Any RADIUS compliant system, ex: – – Wireless LANs – Routers/network equipments – Core UNIX systems (through pam_radius) – ● VPN systems Captive portals Any application can use the RADIUS protocol: – common APIs available in C, PHP, Python, Ruby, Java (J2EE)
  • 19. Demo scenario ● Authentication server: – OTP Server – FreeRADIUS Server ● Client UNIX ● Web application (PHP) ● Centralized Web Single Sign-On (CAS)
  • 20. Demo (the clients) ● Client Unix – – ● Interactive log-in Leverage the pam_radius module Web Single Sign-On – – ● Based on Yale CAS Customized to login through RADIUS PHP web application – Dummy application to demonstrate CAS' capabilities with OTP integration – Virtually every application can leverage CAS architecture
  • 21. Demo scenario (big picture)
  • 23. Web Application OTP/Radius Server Redirect to CAS' Single Sign-on Portal Authentication Request (RADIUS) Web Access
  • 25. Thank you!! Giuseppe “Gippa” Paternò Visiting Researcher Trinity College Dublin paternog@cs.tcd.ie http://www.scss.tcd.ie/Giuseppe.Paterno/ http://www.gpaterno.com/