This deck explores what CASQUE SNR is, why your business should consider CASQUE for authentication, and how to use CASQUE with WSO2 Identity Server.
Watch the On-Demand webinar here - https://wso2.com/library/webinars/2019/05/securing-applications-using-wso2-identity-server-and-casque/
Securing Applications using WSO2 Identity Server and CASQUE
1. Securing Applications using WSO2 Identity Server and CASQUE
Basil Philipsz - Managing Director, CASQUE
Dinali Dabarera - Senior Software Engineer, WSO2
2. Presenters
Basil Philipsz is the founder and CEO of Distributed Management Systems (DMS), a private company owned by its Directors and based in Lancashire, UK.
DMS has invented CASQUE, a radical approach to High Assurance Authentication.
Dinali Dabarera is passionate about all aspects of Identity and Access Management.
She has worked on testing CASQUE with WSO2 Identity Server and has made improvements to fine-grained access control in WSO2 Identity Server.
3. Data breaches continue to proliferate.
1,334,488,724 breached records worldwide in April 2019.
Running annual total 5.64 billion
Monthly average 1.46 billion!
(IT Governance)
4. Why Do Data Breaches Continue to Proliferate?
1. Existing authentication methods are vulnerable
2. Users can easily deny that they gained access, so they feel able to disclose credentials or be complicit
3. Users are ill-disciplined
4. Weaknesses in IT infrastructure design, implementation and control
CASQUE and WSO2 IS can solve [1] and [2]
5. The Problem
Common out-of-band authentication methods like SMS and email are weak, with OTP only slightly better*
Products** exploiting such vulnerabilities are publicly available
* NIST Digital Identity Guidelines, NIST SP 800-63B
** Stingray, Shylock
6. Vulnerabilities
Current multi-factor authentication (MFA) methods have exploitable weaknesses: they rely on fixed secrets
• Password, embedded key in SecurID
• Private key in PKI infrastructure, attestation key in FIDO2
• Algorithm and data point used in zero-knowledge methods
If discovered by hacking, calculated, or disclosed by Insiders, the security is bust!
7. Software Only Authentication - Flawed
Do not be beguiled by “transparent” software-only methods such as user profiling
• Users with the most dynamic profiles need the most permissive usage characteristics, making the most privileged users the easiest target.
• Would not be certified at High Assurance because it cannot distinguish illegal access: the User can always plead the repudiation defence
"Someone must have watched my behaviour and got in"
8. The Solution
Solve the weak authentication problem
○ keep changing the secret!
But very difficult to implement
○ Indeterminacy
○ Outage & Recovery
○ Replay Attack
9. Challenge-Response Protocol
• User has handheld Token containing a secure chip
• Secure chip has EAL 6, FIPS 140-2 Level 3 Assurance
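The exchange below is an added illustration, not CASQUE SNR's own protocol (CASQUE's scheme is patented and the deck does not describe it): a generic challenge-response in which the shared secret changes after every login, written to show the three difficulties slide 8 lists. Indeterminacy: after a lost message the server cannot tell which challenges the token actually saw, so it searches a bounded set of candidate generations. Outage and recovery: that search is capped by a recovery window, beyond which the token must be re-provisioned. Replay: a challenge is accepted once, and a captured answer or a secret captured earlier is dead once the token has moved on. The HMAC-SHA256 ratchet, the window size and the constructed seed are assumptions of this example.

```python
"""Toy challenge-response with a per-login rotating secret (added example, not CASQUE SNR)."""
import hashlib
import hmac
import secrets
from itertools import product

MAX_PENDING = 3  # recovery window: unconfirmed challenges tolerated before re-provisioning (assumption)


def ratchet(secret: bytes, challenge: bytes) -> bytes:
    """Next-generation secret. Mixing in the challenge means an attacker holding an old
    secret must also have captured every challenge issued since in order to keep up."""
    return hmac.new(secret, b"next|" + challenge, hashlib.sha256).digest()


def answer(secret: bytes, challenge: bytes) -> bytes:
    """Response the token computes for a challenge under a given secret."""
    return hmac.new(secret, b"resp|" + challenge, hashlib.sha256).digest()


class Token:
    """Stands in for the handheld token's secure chip: answers, then advances."""

    def __init__(self, seed: bytes) -> None:
        self.secret = seed

    def respond(self, challenge: bytes) -> bytes:
        r = answer(self.secret, challenge)
        self.secret = ratchet(self.secret, challenge)  # advance before the answer leaves the chip
        return r


class Server:
    def __init__(self, seed: bytes) -> None:
        self.secret = seed     # last generation confirmed by a successful login
        self.pending = []      # challenges issued since then, oldest first
        self.answered = set()  # pending challenges already consumed (replay guard)

    def challenge(self) -> bytes:
        if len(self.pending) >= MAX_PENDING:
            raise RuntimeError("token outside the recovery window; re-provision")
        c = secrets.token_bytes(32)
        self.pending.append(c)
        return c

    def verify(self, challenge: bytes, resp: bytes) -> bool:
        # Replay guard: a challenge is valid once, and only while it is pending.
        # Plain equality is fine here: the challenge is a public nonce, not a secret.
        if challenge not in self.pending or challenge in self.answered:
            return False
        self.answered.add(challenge)
        idx = self.pending.index(challenge)
        earlier = self.pending[:idx]
        # Indeterminacy: the server cannot know which earlier pending challenges the token
        # saw (challenge lost vs. answer lost), so it walks every seen/unseen combination
        # inside the window and resyncs on the first match. It never looks backwards.
        for seen in product((False, True), repeat=len(earlier)):
            cand = self.secret
            for c, s in zip(earlier, seen):
                if s:
                    cand = ratchet(cand, c)
            if hmac.compare_digest(answer(cand, challenge), resp):
                self.secret = ratchet(cand, challenge)
                self.pending = self.pending[idx + 1:]  # older generations are dead for good
                self.answered &= set(self.pending)
                return True
        return False


def demo() -> dict:
    """Runs the scenarios from the slide; the seed is constructed for this example."""
    seed = hashlib.sha256(b"constructed provisioning seed").digest()
    token, server = Token(seed), Server(seed)
    results = {}
    c1 = server.challenge()
    r1 = token.respond(c1)
    results["first_login"] = server.verify(c1, r1)
    results["replay"] = server.verify(c1, r1)            # eavesdropper replays the captured pair
    for _ in range(2):                                    # two answers never reach the server
        token.respond(server.challenge())
    c2 = server.challenge()
    results["after_lost_answers"] = server.verify(c2, token.respond(c2))
    server.challenge()                                    # a challenge the token never sees
    c3 = server.challenge()
    results["after_lost_challenge"] = server.verify(c3, token.respond(c3))
    c4 = server.challenge()                               # insider leaked the seed, missed every challenge
    results["leaked_seed"] = server.verify(c4, answer(seed, c4))
    c5 = server.challenge()                               # legitimate user is unaffected by that attempt
    results["user_after_attack"] = server.verify(c5, token.respond(c5))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The limit of any symmetric rotation scheme is visible in `ratchet`: an attacker who obtains the current secret and also captures every subsequent challenge stays in step with the token. The deck does not say how CASQUE closes that gap, so the example makes no claim about it.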
11. “Remedy”
-- keep changing the Secret
-- needed 4 inventions!
• Granted US & EU patents
• NATO approved, in use 24/7 by UK MOD
• Certified by NCSC as suitable for Secret* - the only such product
* https://www.ncsc.gov.uk/products/dms-casque-snr
12. Token has many manifestations
Different forms for Client and Clientless applications:
• Optical Token
• Contactless Smartcard
• Contact / Bluetooth Smartcard
• Surrogate Camera Token
• USB Token
13. The Business Case
Digital Transformation: Cloud and Mobile
• Who polices the administrators of your Cloud deployment?
• Can an Insider reveal access secrets?
• Who is liable if a breach occurs?
• How is the mobile User authenticated?
• Are they authenticated by vulnerable methods?
14. The Business Case
Digital Transformation: Cloud and Mobile
• Who controls the Identity Provision?
• Can a User or Token be instantly suspended?
• Are third parties part of the risk?
• Are Tokens reusable?
15. Federated High Grade Identity & Access Management
• Users - not third parties - should own and manage Identity Access.
• Need to determine and segregate data that is vital - “Crown Jewels”
• Access to the Crown Jewels must have highest Identity Assurance
16. Digital Transformation: Cloud and Mobile
Access is required from several devices.
The challenge is presented as a QR code; an Android mobile is used as the “Token Reader”.
18. Most economic way to reduce overall risk
CASQUE
● co-exists with existing security
● protects the inner keep
● reduces overall risk
19. WSO2 Identity Server
• Uniquely extensible, open source IAM product optimized for identity federation and single sign-on (SSO) with comprehensive support for adaptive multi-factor authentication and API security.
• Helps identity administrators to set up a federated identity management ecosystem and secure access to web/mobile applications & endpoints across on-premises & cloud environments.
• Unlike open core vendors, WSO2 Identity Server includes the core and all of its extensions under the commercial-friendly Apache 2.0 license.
20. Identity Server - Capabilities
● Identity Federation and SSO
● Identity Bridging
● Adaptive and Strong Authentication
● Account management and Identity Provisioning
● Access Controls
● APIs and Microservices security
● Privacy
● Identity Analytics
21. Key Benefits of WSO2 Identity Server
● Avoids Vendor lock-in with open source and open standards
● Extensible architecture helps support complex IAM use cases
● Scalable, for deployments of millions of users - 75mn identities managed
● Ecosystem-friendly, with an identity ecosystem of 40+ extension points/connectors
● Speedy integration: out-of-the-box support for cloud and on-premise applications, 3rd party authentication systems and social ID providers
● Unique flexibility bridges identities between heterogeneous ID systems
● Low maintenance cost, with a pricing model that’s instance-based
22. CASQUE SNR Connector - WSO2 Store
The CASQUE SNR authenticator allows you to integrate WSO2 Identity Server with CASQUE SNR so that you can use the CASQUE SNR multi-factor authentication technology to authenticate users.
https://store.wso2.com/store/assets/isconnector/details/03fcefc0-9c8e-4c2d-ae61-d0b04563d50f
24. Demo
Scenario: Login to the API Store using CASQUE SNR as the second step in the authentication flow
API Store user experience with WSO2 Identity Server