post password era - bernard toplak, owasp croatia meetup 2016

Post on 11-Apr-2017


TRANSCRIPT

Post-Password Era

Understanding (new) methods of authentication

by Bernard Toplak, OWASP Croatia, Feb 2016

The damnation of ... Passwords


Issues with passwords

1. Passwords can be "stolen" from:

a. a compromised / untrusted device
b. an untrusted website (phishing)
c. the legitimate server
d. the user himself


Issues with passwords

2. Users can't/won't remember "stronger" passwords, which leads to:

a. weak and/or guessable passwords
b. reuse in many/all places
c. passwords that are inconvenient to type on a phone


Discussed in detail in my presentation from FSEC 2014.


The solution in ... Multi-Factor Authentication


Multi-Factor Authentication

Factors of authentication:

1. something you know (knowledge)
2. something you have (possession)
3. something you are (inherence)


2-Factor vs. 2-Step

2-step = two steps that use the same factor

2-factor = each step also uses a different factor


2FA

… Patented in 1984


The usual implementation is ... OATH


OATH

Initiative for Open AuTHentication

• industry-level collaboration
• developing open standards and a reference architecture

OATH ≠ OAuth


OATH Authentication Methods

A. HOTP (RFC 4226, Dec. 2005): An HMAC-Based One-Time Password Algorithm
B. TOTP (RFC 6238, May 2011): Time-Based One-Time Password Algorithm
C. OCRA (RFC 6287, Jun. 2011): OATH Challenge-Response Algorithm
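As an added illustration (not code from the talk or from any OATH reference implementation), the following Go program implements HOTP and TOTP exactly as RFC 4226 and RFC 6238 specify them (HMAC-SHA1, dynamic truncation, decimal reduction) and adds the server-side step the RFCs describe but slides usually omit: a verifier with a small window for clock drift combined with a record of the highest time step already accepted, so a code observed in transit is worthless once the legitimate login has consumed it. The secret, time values and expected codes are the RFC test vectors; the 30-second step, 6/8 digits and a skew of one step are the RFC defaults; the type and function names (hotp, totp, totpVerifier, verify) are mine. Note what this does not fix: an attacker who relays the code before the user's own request arrives, which is the MITM/MITB case of the later slides, still wins, because the server cannot tell the relayed submission from the genuine one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 one-time password: HMAC-SHA1(secret, counter),
// dynamic truncation selected by the low nibble of the last byte, then
// reduction to the requested number of decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter) // counter is an 8-byte big-endian value
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	hs := mac.Sum(nil)
	offset := hs[len(hs)-1] & 0x0f
	code := binary.BigEndian.Uint32(hs[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: HOTP whose counter is the number of time steps since T0 = 0.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// totpVerifier is the relying party's per-user state (assumed design, not from the RFCs' text).
type totpVerifier struct {
	secret      []byte
	step        int64
	digits      int
	skew        int64 // time steps accepted on either side of "now", for clock drift
	lastCounter int64 // highest time step already consumed; -1 before the first login
}

func newTOTPVerifier(secret []byte, skew int64) *totpVerifier {
	return &totpVerifier{secret: secret, step: 30, digits: 6, skew: skew, lastCounter: -1}
}

// verify accepts a code for any step inside the skew window, but never for a
// step that has already been consumed, so a code captured by a man-in-the-middle
// cannot be re-submitted after the legitimate login. A real-time relay, where the
// attacker submits the code before the user does, is NOT prevented by this.
func (v *totpVerifier) verify(code string, now int64) bool {
	cur := now / v.step
	for d := -v.skew; d <= v.skew; d++ {
		c := cur + d
		if c < 0 || c <= v.lastCounter {
			continue
		}
		expected := hotp(v.secret, uint64(c), v.digits)
		if hmac.Equal([]byte(expected), []byte(code)) { // constant-time comparison
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 4226 / RFC 6238 test secret
	fmt.Println("HOTP(counter=0):", hotp(secret, 0, 6))            // 755224 per RFC 4226 Appendix D
	fmt.Println("TOTP(t=59, 8 digits):", totp(secret, 59, 30, 8)) // 94287082 per RFC 6238 Appendix B
	v := newTOTPVerifier(secret, 1)
	code := totp(secret, 59, 30, 6)
	fmt.Println("first use:", v.verify(code, 59), "replay:", v.verify(code, 59)) // true false
}
```

The verifier deliberately tracks the accepted time step rather than the code string: two different steps can produce the same six digits, and what must never be reused is the step. For HOTP (event counters) the same structure applies, with a look-ahead window instead of a symmetric one, since the token can only ever be ahead of the server.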


One Time Password

Intended to act as a bridge between legacy and modern applications.

Widely implemented as:

1. SMS-distributed
2. software token (often a mobile app)
3. hardware token


Issues with OTP

1. Vulnerable to

a. MITM - man in the middle
b. MITB - man in the browser

types of attacks: a one-time code only proves possession of the secret, not which site or transaction it is being used for, so an attacker who captures a still-valid code can submit it himself.


Issues with OTP

2. Questionable privacy of the SMS-delivered OTP:

a. the mobile operator
b. over-the-air sniffing
c. the phone OS environment


Issues with OTP

3. Yet another (expensive) device

4. Inconvenient to type an OTP on a phone, etc.


OTP libraries and example code

• OWASP JOTP project
• Google Authenticator, open-sourced (Android, iOS, BlackBerry, libpam)
• http://oauth.net/code/
• https://github.com/search?q=otp (1,557 repos)
• https://github.com/search?q=oath (371 repos)


The complication of ... PKI


Public Key Infrastructure

A wide and rather complex set of hardware, software, people, policies, and procedures for managing everything around certificates: issuing, distributing, storing, using and revoking them.


Public Key Infrastructure

• developed since the 1970s (GCHQ / Diffie-Hellman / ....)

• fundamental security component of all major Internet protocols for authentication and communication (e.g. TLS, WS-Security, IPsec IKE, 802.1X, SIP ...)


PKI usages

• user authentication (e.g. smart card logon, client authentication with SSL)
• e-mail message encryption and/or sender authentication (e.g. OpenPGP, S/MIME)
• document encryption and/or authentication (e.g. XML Signature or XML Encryption)
• bootstrapping secure communication protocols (SSL/TLS, IKE)
• mobile signatures: electronic signatures created using a mobile device


PKI problems

1. it's complex
2. it's complex to implement and maintain the proper (read: secure) way
3. even when PKI works perfectly, it doesn't work
4. significant middleware overhead brings the additional problem of tracking and updating every single "moving part" = outdated, insecure versions


PKI libraries and projects

• OpenSSL - still the most used CA/PKI toolkit
• CFSSL - CloudFlare's PKI and TLS toolkit
• Let's Encrypt - free, automated, open CA
• PKI.IO - scalable X.509 certificate management
• OpenCA - full-featured CA system
• Dogtag - enterprise-class CA system
• OpenXPKI - X.509v3 software stack
• EJBCA - enterprise-class CA (Java) system
• XCA - graphical interface and database


The birth of ... FIDO


… Is it a dog? Is it a plane?

FIDO (Fast Identity Online) Alliance.

The FIDO Alliance includes Google, Microsoft, RSA, ARM, Lenovo, Mastercard, Visa, PayPal, Discover, Samsung, BlackBerry, NXP, Yubico … among its members.


FIDO design principles

• easy to use
• one device - many services
• concept designed to make device production as cheap as it gets
• stronger security while reducing complexity


FIDO design principles

• no secrets on the server side (public key)
• no 3rd party in the protocol
• (if used) biometric data never leaves the device
• accounts and/or services are not "interchangeable"

1. Passwordless experience (UAF standard)
2. Second Factor experience (U2F standard)

[Figure: FIDO registration and FIDO login flows; local authentication plugins]


The invention of ... FIDO U2F


Universal 2nd Factor

• open authentication standard
• goal: Strong Authentication and Privacy for the Web
• initially developed by Google, Yubico and NXP, but now managed by the FIDO Alliance


U2F - Universal 2nd Factor

• based on security technology similar to that found in smart cards (public-key cryptography)

• streamlines the 2FA process using a U2F-enabled USB, NFC or BT-LE keyfob, card, or mobile device ...
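To make the FIDO design principles concrete, here is an added example (mine, not the FIDO Alliance's and not code from any of the libraries listed in this talk) that walks a U2F-style registration and authentication in Go using the standard library's P-256 ECDSA. Only the signed message layout follows the U2F raw message format: SHA-256 of the AppID, a user-presence byte, a 4-byte big-endian counter, SHA-256 of the client data. Everything else is a simplification and an assumption of this example: the key handle is a random label rather than a wrapped key, the AppID is taken to be the site's origin, the client data is a two-field JSON object, and the names token, server, registration, challenge and verifyAssertion are mine. What it shows: the server stores only a public key and the last counter (no secret on the server), the token refuses to sign for an AppID its key was not registered with (accounts are not interchangeable), and the verifier rejects a reused challenge, an assertion whose client data names another origin, a counter that did not increase, and a bad signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// makeClientData builds the JSON a browser hands to the token for a login; both sides hash it.
func makeClientData(challenge, origin string) []byte {
	b, _ := json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	return b
}

// signedMessage is the U2F authentication input: SHA256(AppID) || presence || counter (4 bytes BE) || SHA256(clientData).
func signedMessage(appID string, presence byte, counter uint32, clientDataJSON []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	msg := append(app[:], presence)
	msg = append(msg, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, cd[:]...)
}

// token simulates a U2F authenticator: private keys never leave it, and each key handle is bound to one AppID.
type token struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	appIDs  map[string]string            // key handle -> AppID fixed at registration
	counter uint32
}

func newToken() *token { return &token{keys: map[string]*ecdsa.PrivateKey{}, appIDs: map[string]string{}} }

// register mints a fresh P-256 key pair for appID; only the handle and the public key leave the token.
func (t *token) register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	kh := make([]byte, 16) // simplification: a random label stands in for a real (key-wrapping) key handle
	rand.Read(kh)
	handle := fmt.Sprintf("%x", kh)
	t.keys[handle], t.appIDs[handle] = priv, appID
	return handle, &priv.PublicKey, nil
}

// authenticate bumps the counter and signs; a handle presented with a foreign AppID is refused.
func (t *token) authenticate(handle, appID string, clientDataJSON []byte) (uint32, []byte, error) {
	priv, ok := t.keys[handle]
	if !ok || t.appIDs[handle] != appID {
		return 0, nil, errors.New("token: key handle not registered for this AppID")
	}
	t.counter++
	digest := sha256.Sum256(signedMessage(appID, 1, t.counter, clientDataJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return t.counter, sig, err
}

// registration is everything the relying party keeps per user; nothing in it is secret.
type registration struct {
	pub     *ecdsa.PublicKey
	counter uint32 // highest counter accepted so far
}

type server struct {
	appID   string                   // simplification: the AppID is the site's origin
	users   map[string]*registration // user -> registration
	pending map[string]string        // user -> outstanding challenge, consumed on success
}

func newServer(appID string) *server {
	return &server{appID: appID, users: map[string]*registration{}, pending: map[string]string{}}
}

// challenge issues a fresh random nonce for exactly one login attempt.
func (s *server) challenge(user string) string {
	b := make([]byte, 32)
	rand.Read(b)
	s.pending[user] = fmt.Sprintf("%x", b)
	return s.pending[user]
}

// verifyAssertion checks freshness, origin, counter and finally the signature, using only the stored public key.
func (s *server) verifyAssertion(user string, clientDataJSON []byte, counter uint32, sig []byte) error {
	reg, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	var cd map[string]string
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return errors.New("malformed client data")
	}
	if want, ok := s.pending[user]; !ok || cd["challenge"] != want {
		return errors.New("unknown or already-used challenge") // a captured assertion cannot be replayed
	}
	if cd["origin"] != s.appID {
		return errors.New("origin mismatch: assertion was made for another site") // phishing page
	}
	if counter <= reg.counter {
		return errors.New("counter did not increase: replay or cloned token")
	}
	digest := sha256.Sum256(signedMessage(s.appID, 1, counter, clientDataJSON))
	if !ecdsa.VerifyASN1(reg.pub, digest[:], sig) {
		return errors.New("bad signature") // wrong key, wrong AppID, or tampered client data
	}
	reg.counter = counter
	delete(s.pending, user)
	return nil
}

func main() { // stand-alone demo: register, log in once, then replay the same assertion
	tok, srv := newToken(), newServer("https://bank.example")
	handle, pub, _ := tok.register(srv.appID)
	srv.users["alice"] = &registration{pub: pub}
	cd := makeClientData(srv.challenge("alice"), srv.appID)
	ctr, sig, _ := tok.authenticate(handle, srv.appID, cd)
	fmt.Println("login:", srv.verifyAssertion("alice", cd, ctr, sig), "| replay:", srv.verifyAssertion("alice", cd, ctr, sig))
}
```

The phishing case is worth tracing through: a page on evil.example gets the browser to ask the token for an assertion, but the browser passes evil.example's AppID and origin, so either the token refuses the key handle outright, or the resulting signature covers the wrong AppID hash and client data and fails verification at bank.example. No shared secret exists anywhere for the attacker to relay, which is exactly what the OTP schemes above lack.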


U2F browser integration

• Chrome - plugin from v.38, natively from v.40
• Firefox - WIP (tracker #1065729), plugin exists
• IE/Edge - announced for Win10, MS is a FIDO member
• Opera - not yet

See http://caniuse.com/#feat=u2f


FIDO U2F software libraries

• Reference U2F implementation, Google
• PHP-based U2F server library
• Python-based U2F server library
• Pluggable Authentication Module (PAM) for U2F
• Ruby + Rails FIDO U2F library

https://github.com/showcases/universal-2nd-factor


Finally, new ... Passwordless Auth-Protocols


Let's go passwordless!!

Some of the protocols that let an application authenticate its users without handling a password itself:

• FIDO UAF
• OAuth (1.0a or 2.0)
• OpenID
• SAML - Security Assertion Markup Language


The invention of ... FIDO UAF


Universal Authentication Framework

Intended to use existing security technologies present on devices for authentication:

• fingerprint sensors
• cameras (face biometrics)
• microphones (voice biometrics)
• Trusted Execution Environments (TEEs)
• Secure Elements (SEs)
• and others ...


Universal Authentication Framework

The protocol is designed to plug these device capabilities into a common authentication framework.

UAF works with both native applications and web applications.


QUESTIONS ?


Bernard Toplak, ORION Informatics, Federation Servers

THANK YOU !!!

bernard@orion-web.hr, @toplak
