Upload File

building a one- time-password token infrastructure · centralized yet distributed no secrets on...

  • Home
  • Documents
  • Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple
30
Building a One- Time-Password Token Infrastructure Jonathan Hanks & Abe Singer LIGO Laboratory

Upload: others

Post on 03-Aug-2020

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Building a One-Time-Password Token

Infrastructure

Jonathan Hanks & Abe Singer

LIGO Laboratory

Page 2: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple
Page 3: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Distributed

Multi-Institution

International

Page 4: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Kerberos

Shibboleth

Grouper

Page 5: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Open Data

Time Critical

No Do-Overs

Remote Access

Single/Common sign-on

Page 6: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Credential Theft

Page 7: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Separate Credential

Non-Replayable

Not for everything

Page 8: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

One Time Passwords

Page 9: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

What does(n’t) OTP solve?

Page 10: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Time Based

Sequence Based

Challenge-Response

One Time Pad

Page 11: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Something you Have

What do(n’t) tokens solve?

Page 12: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Delivery

Rolf

Synchronization

Overhead

Integration

Failures

Page 13: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

One token to rule them all

Physical device

Trust No-one

Distributed, Fault tolerant

Open

Cheap

Page 14: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Custom Authentication Server

PAM

Yubikey

Kerberos

Page 15: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Why?

Ownership

Trust

Capabilities

Page 16: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Architectures

Page 17: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

DCC-Number Title

SP   Internet  

Auth  Server  

SP  

SP  

SP = Service Provider

Page 18: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

DCC-Number Title

SP   Internet   SP  

SP  

Auth  Server  

Auth  Server  

Auth  Server  

Page 19: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

DCC-Number Title

SP   Internet   SP  

SP  

SP  Auth  Server  

Auth  Server  

Page 20: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

DCC-Number Title

SP   Internet   SP  

SP  

SP  Auth  Server  

Auth  Server  

Page 21: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

DCC-Number Title

Architecture

Client

KDC

Service  Provider  

PAM

Auth. Server

Auth. Server

Auth. Server

Page 22: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Replication and Mitigating

Replay Attacks

Replication takes Time

Replicate Data w/o global

locks

Page 23: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Centralized yet Distributed

No Secrets on Endpoints

There can be only one

Modular, Abstracted

Page 24: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Provisioning Users

Make it simple

Make it safe

Page 25: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Supporting Users

Any auth scheme is a

hinderance

Just replace the token

Page 26: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Experiences / Problems

It Works

Tokens get out of sync

When good tokens go bad

Local Account Issues

Page 27: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Kerberos

Page 28: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

We like SSO

Cannot afford to support all

the client systems

Cannot wait for the OTP

extensions to reach end

users

Page 29: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Hijack encrypted timestamp

All kinits support this

No custom client SW required

Page 30: Building a One- Time-Password Token Infrastructure · Centralized yet Distributed No Secrets on Endpoints There can be only one Modular, Abstracted . Provisioning Users Make it simple

Questions?


primary Research Question And Definition Of Endpoints€¦ · Primary Research Question and Definition of Endpoints Mario Chen, ... zSecondary objectives and endpoints. ... – “Redefinition

Beyond One Billion Endpoints - Development of IT Security

Abstracted calligraphic marks

Time to review the role of surrogate endpoints in health ...The case for surrogate endpoints Results from surrogate endpoints generally accrue more quickly than final endpoints, thus

Druva Protects and Empowers One Million BYOD Endpoints (infographic)

Efficacy endpoints in Oncology

IxChariot Performance Endpoints · 2009-12-21 · IxChariot Performance Endpoints vii Table of Contents Configuring 32-bit Linux x86 Performance Endpoints. . . . . 7-9 Configuration

Abstract/Abstracted: 3 Dec. 2016 - Brock University

The Abstracted Network for Industrial Internet

Clinical trial endpoints for use in medical product ... - 03 Papadopoulos.pdfClinical vs. Surrogate Endpoints* • Clinical endpoints – Endpoints that describe or reflect how an

Examples-Finding one of the endpoints when you know a ...viningsmath.weebly.com/uploads/9/8/8/7/9887770/geometry_lesson_1.7.pdfsegmentwhose endpoints have coordinates a and b is mart

Abstracted Landscape

AMP for Endpoints Quick Start - Cisco for Endpoints Quick Start.pdf · Cisco Systems, Inc. AMP for Endpoints Quick Start Last Updated: December 4, 2017

TEXTURE CREATING ABSTRACTED IMAGES FROM EXISTING SURFACES

Comodo One - Patch Management - Administrator Guide...Comodo One - Patch Management - Administrator Guide • Install a Patch or an Application on to Selected Endpoints • Uninstall

Video Endpoints: Transitioning On-Premises Devices to ... · CTG Technical Marketing Engineering Team. Video Endpoints: Transitioning On-Premises Registered Video Endpoints to Webex

Session 3: Endpoints in CAT - US EPA€¦ · Session 3: Endpoints 3 Set Up CAT Specify Climate Record Adjustments Create Scenarios Define Endpoints Run HSPF Analyze Endpoints. Session

ABSTRACTED MONTHLY FROM THE JOURNALS - Practical Pointers

VENOM’S ABSTRACTED SNAKE

Made By Motion: a Conceptual Framework for Abstracted ...eprints.qut.edu.au/84770/1/Paul_Van_Opdenbosch_Thesis_(print_version).pdf · a Conceptual Framework for Abstracted Animation

A temporally abstracted Viterbi algorithm (TAV)

Performance Endpoints 5

Abstracted Photos

Habitats Directive Review of Consents drives abstracted ...webarchive.nationalarchives.gov.uk/.../files/Cadbury-case-study.pdf · Habitats Directive Review of Consents drives abstracted

Paxos Consensus, Deconstructed and Abstracted Alvaro Garc

2021 Hospital Abstracted Reporting

A HIGHLY ABSTRACTED M FPGA-B D

Abstracted literature on Mediterranean biodiversity since 10 years

Abstracted Realism What A Trip

EFFICACY ENDPOINTS IN ONCOLOGY - Lex JansenSurrogate Endpoints Introduction Overall Survival Surrogate Endpoints Regulatory Req. Data Management Analysis Conclusions A surrogate endpoint

GRAPE: GRaphical Abstracted Protein Explorerpages.cs.wisc.edu/~gregc/Research/Papers/GRAPE.pdf · GRAPE: GRaphical Abstracted Protein Explorer Gregory Cipriano1,*, ... Scalar fields,

redCORE: an abstracted development layer for Joomla! - JWC14

Abstracted XML Network Management

AMP for Endpoints Deployment Strategy - Cisco for Endpoints Deployment... · 2020. 1. 30. · Cisco AMP for Endpoints Deployment Strategy Guide ..... 41 Cisco AMP for Endpoints Support

IX. Multicast Sockets. Unicast provide point-to-point communication. create a connection with two well-defined endpoints; there is one sender and one