http://wso2.com/library/webinars/2016/05/wso2-identity-server-adding-hardware-security-module-without-breaking-the-bank/ This webinar will discuss Improving security using the WSO2 Identity Server (WSO2 IS) with FIDO U2F and a YubiHSM Enabling FIDO U2F strong authentication support in WSO2 IS 5.1 to repair user IDs and passwords Easily integrating YubiHSM into the WSO2 IS to strengthen password hashes used for authentication Using YubiHSM within WSO2 IS computes hashes and produces local salts within this secure environment Using YubiHSM and WSO2 IS to set a high bar for securing secrets without breaking the bank

1. WSO2 Iden*ty Server: Adding
Hardware Security Module
Without Breaking the Bank
David Maples, Solu0ons Team member, Yubico
Ishara Karunarathna, Senior So<ware Engineer WSO2
Rob Blaauboer, Integra0on Consultant Yenlo
May 17thth 2016

2. About the presenters
2
David Maples
Solu0ons Team Member, Yubico
David is a senior member of the Solu0ons team at Yubico with over four years of experience with Yubico
products, including the YubiHSM. He works with small, medium and enterprise customers to consult and
build open scalable security solu0ons.
Rob Blaauboer
Senior Consultant, Yenlo
Rob is a Senior Business Consultant and Solu0on Architect with more than twenty years experience. In
addi0on to his work he is an ac0ve blogger working on a number of ar0cles on the 'Internet of Things'
and a WSO2 'GeOng Started with ...' series in which he talks about WSO2 components and their purpose
especially aimed at non technical readers.
Ishara Karunarathna
Senior So@ware Engineer, WSO2
Ishara is a Senior So<ware Engineer at WSO2 and a key member of WSO2 Iden0ty server team,
contribu0ng towards the Iden0ty Server and WSO2's plaPorm security. He has par0cipated in several
customer engagements helping them to realize enterprise use cases and to build solu0ons On top of
WSO2 plaPorm.
?

3. 3
• Premier Partner of WSO2
• Global Organiza0on
• Offices in the Netherlands, Germany,
Belgium, United Kingdom and United
States
• Experts is Integra0on Solu0ons
• Experts in a ‘Connected Business’
• WSO2 project & consultancy services
• WSO2 support services:
• Product Support
• Development Support
• Opera0onal Support
• WSO2 Training services
• Enterprise & Solu0on Architecture
Who we are What we deliver
More info about us and our pre-build (WSO2) solu0ons: www.yenlo.com

4. Topics Webinar
4
WSO2 Iden0ty Server:
Adding Hardware Security Module Without Breaking the Bank
• Introduc0on to Security
• Yubico HSM
• WSO2 Iden0ty Server
• Benefits & Technical details
• You have ques0ons? We have answers!

5. The Many Faces of Security

6. Depending on the chain
o Human factor (weakest link?) ①
o Frontend (encryp0on) ②
o Transport (encryp0on) ③
o Backend (so<ware, encryp0on,
firewalls) ④
Security has many faces
6

7. To some extent: Yes, but more money
does not necessarily mean beger
security.
Does money buy security?
6

8. o Depends on what needs to be
secured (access to website vs.
health data)
o Depends on what is offered
(UID & Password, 2 factor
authen0ca0on)
o Depends on the usability
(forcing ‘$yh*7EP9$’
passwords)
o Depends on the acceptance of
risk (creditcard and signature)
Security is a subjec0ve topic
7
Public Domain, https://en.wikipedia.org/w/index.php?curid=2308226
Top Secret
Secret
Confidential
Public Trust
Unclassified

9. o Damage from security breaches is real, both monetary as well
as from a public rela0ons perspec0ve
o Just ask many organiza0ons as well as individuals
Monetary damages and PR nightmares
8

10. o It seems like we are playing leapfrog with the ‘bad guys’
o In fact we are making it more and more secure with
vulnerabili0es being addressed and more and beger security on
the horizon
Are we playing leapfrog?
9

11. o WSO2 is an open source product, sources are publicly available
o WSO2 uses many Apache projects internally (Axis, Synapse
etc.)
o WSO2 is an open system that can be extended by means of
custom developed modules, mediators and so on as well as
through connectors to third party systems
o WSO2 products do not require any addi0onal hardware to run
Can something that is this open, be secure?
Is ‘secure open source’ an oxymoron?
How secure are WSO2 products?
9

12. Why do we need an HSM? Doesn’t WSO2 do the
trick?
Yes, for many organiza0ons WSO2 offers ample security. But
Hardware Security Module offer:
o Beger random genera0on
o Calcula0ons done in hardware rather than so<ware
o Keys stored more securely
Use cases:
o Government
o Banking / insurance
o Healthcare
o Any organiza0on that values security

13. Yubico HSM

14. CORE FEATURES
o Works with any standard USB port, across mul0ple opera0ng
systems including Linux and Microso< Windows.
o Offers encryp0on with a Message Authen0ca0on Code
(MAC), HMAC-SHA1 hashing, AES encryp0on/decryp0on, and
cryptographic True Random Number Genera0on.
o Provides a physically isolated environment for cryptographic
processing.
o Has no moving parts and requires no addi0onal maintenance
once installed.
o Capable of suppor0ng any counter-based OTP protocol
including YubiOTP (Yubico’s OTP implementa0on) and OATH-
HOTP authen0ca0on.
13

15. WSO2 Iden0ty Server

16. o WSO2 Iden0ty server is a leading IAM product
o Works without addi0onal hardware
o Open Source
o Highly performant
o Used by all kinds of organiza0ons (from SME to large
corporate)
o Current version 5.1.0
o Extendable with IS-connectors and well defined
extension points.
WSO2 Iden0ty Server
21

17. User management in Iden0ty server
28
User Store Manager
JDBC LDAP AD Custom
User Store

18. HSM for Iden0ty server
o Crea0ng a custom user store manager
hgps://docs.wso2.com/display/IS510/Wri0ng+a+Custom+User
+Store+Manager
28

19. HSM for Iden0ty server
o Crea0ng a custom user store manager
protected String preparePassword(String password, String saltValue)
throws UserStoreException {
int keyHandle = 12337; // The key to use in the YubiHSM (0x3031)
// Instance of YubiHSM
YubiHSM hsm = new YubiHSM();
// Generate HmacSHA1 for password
String newPassword = hsm.generateHMACSHA1(password, keyHandle,
true, false).get("hash");
return newPassword;
}
28

20. WSO2 IS Roadmap
Candidate feature:
o Integra0on with HSM modules by means of an IS-connector
28

21. What are the benefits?

22. Benefits are clear
o Improved security
o Physical based genera0on of random numbers
o TPM-like iden0ty assurance, not 0ed to a server
o Secure, isolated cryptographic processor
o Extending the deployability of IS in high-security
environments
o And of course, without breaking the bank!
30

23. Without breaking the bank
# of
HSMs
Connec0on Type One 0me
cost
Recurring
cost
Total
Vendor X 2 USB $ 8.900 $ 4.000 $ 12.900
Vendor Y 2 PCI-E $ 18.000 $ 4.000 $ 22.000
Vendor Z 2 Network Agached
Appliance
$ 32.400 $ 2.200 $ 34.600
Yubico 2 USB $ 1000 - $ 1000

24. You have ques0ons?
We have answers!

25. Contact & Download
34
Download this presenta0on:
hgps://www.yenlo.com/en/free-advice/webinars
Or
Contact us:
hgps://www.yenlo.com/en/contact

26. 35
THANK YOU
FOR
YOUR
ATTENTION