Create a strong two-factor authentication device for less than CHF 100

Strong AuthN - MultiOTP

TRANSCRIPT
A fully compliant strong authentication
server for less than $100!
Application Security Forum Western Switzerland 2014-11-04
André Liechti (@multiOTP, @andreliechti)
SysCo systèmes de communication sa, Neuchâtel, Switzerland
Last update : 2014-12-09
Trainer
SysCo systèmes de communication sa
16-year-old Swiss company based in Neuchâtel
Security, consulting services, customized development
Linux and Windows (Open Source) solutions
André Liechti
CTO of SysCo systèmes de communication sa
MSc in communication systems
BSc in Electronics
2014-11-04
2
Schedule
Why are regular passwords never strong enough?
What are the different solutions for more security?
multiOTP, our PHP open source library solution
How to set up a device for less than CHF 100
Let’s make a strong two-factor authentication device
with a Raspberry Pi
Some questions?
Why are regular passwords
never strong enough?
(on the Internet, but elsewhere too…)
Why are regular passwords never strong enough?
Same password for different applications…
Some nice hardware tools…
Key logger…
Camera in car key…
fake USB Keyboard mounted in a memory stick…
... and some «nicer» hardware tools… ;-)
wireless key logger…
and so on…
What are the different solutions
for more security?
What are the different solutions for more security?
Two-factor authentication
An everyday use of the combination of the knowledge
and possession factors:
The ATM machine
We have the physical ATM card and we know
our personal PIN.
Strong authentication with one-time password
No software installation is required for the user
(compatible with all operating systems and Internet browsers)
Passwords list
Passwords list
Login = username
+ password
+ next code
Lists on the server
List for User A
Historical market leader
Time-based automatic generator with a secret algorithm
70% of the market in 2003
(25 million devices sold by 2003)
First open-source one-time password solution
Mobile-OTP (2003)
MD5 hash of “PIN code + time-based algorithm”
open source, more than 40 different implementations
Java J2ME for mobile phones (at the beginning)
Unix shell script on server side
Standardized one-time password generator
HOTP : HMAC-based One-time Password Algorithm (2005)
code construction is based on an HMAC hash function
open standard (OATH: Initiative for open authentication)
RFC 4226
HOTP authentication mechanism
(Diagram: User / Server exchange; values shown: counter 0382, code 754812, acceptance window 0380-0384, counter 0379)
No synchronization problem anymore with TOTP
TOTP : Time-based One-time Password Algorithm (2008)
based on HOTP
The counter is now the current time divided into 30-second slices
RFC 6238
TOTP authentication mechanism
(Diagram: User / Server exchange; values shown: counter 0382, code 754812)
Yubico OTP
YubiCloud
Yubico OTP code
Some HOTP and TOTP tokens
OTP Server
SMS-Token
username + password + token
multiOTP
our PHP open source library
… since June 2010!
History of the multiOTP package
2009 PHP PoC implementing the Mobile-OTP protocol
2010 class creation with basic TOTP/HOTP
2011 Workshop during ASFWS 2011 (Application Security Forum)
2012 Wider deployment in the community and feedbacks
2013 New functionalities
SMS tokens
scratch passwords list
QRcode/URL provisioning
Client/server implementation with local cache
MySQL backend support
2014 More functionalities
OATH certified
Yubico OTP support (Yubikey)
Active Directory and LDAP synchronization
Support for Active Directory / LDAP passwords (instead of PIN)
multiOTP
Why did we develop the multiOTP package?
no free and easy-to-use solution for small companies
a lot of existing commercial products need Windows Server
existing products need a lot of resources
Why open source?
to receive feedback and proposals from the users
security issues are analysed by other developers
users can be sure that there is no Trojan or other NSA-friendly
“tools” in our code
multiOTP concept
open source PHP class (embedded in only one file)
OS independent
Works also on any web server, including in shared hosting
data are stored either in flat files or in a MySQL database
all methods are implemented in a command line tool
Command line tool is compatible with the centralized open
source authentication server FreeRADIUS
(FreeRADIUS is also available for Windows)
The system administrator can create scripts in order to handle
the package and to create users
multiOTP concept (2)
common standards are supported
Mobile-OTP, HOTP, TOTP, Yubico OTP
SMS tokens
scratch passwords list
HOTP and TOTP software tokens can simply be configured by scanning a QR code generated by multiOTP
hardware tokens definition files can be imported
Authenex definition files (proprietary .sql file)
SafeNet definition files (proprietary .dat file)
any standard PSKC files (since December 2013)
Yubico log file in Traditional format (since November 2014)
simple web GUI
multiOTP – Windows installation
installed in 3 minutes!
go to http://www.multiOTP.net
download the latest version
unpack the files into the C:\multiotp\ folder
read the readme file ;-)
install the FreeRADIUS service
C:\multiotp\radius_install.cmd
that’s it!
multiOTP – how to create a user
create the user on the server side
C:\multiotp>multiotp -fastcreate bergen
11 INFO: User successfully created or updated
(in real life, the user must be created with an activated prefix PIN!)
save the QRcode image in a file
C:\multiotp>multiotp -qrcode bergen C:\multiotp\tefo.png
16 INFO: QRcode successfully created
send the QRcode to the user (using a secure channel!)
… or simply use the web interface to print a nice HTML provisioning page ;-) !
multiOTP – how to provision the token received
install the Google Authenticator App
Android, iOS, BlackBerry
scan the QRcode received
token is ready!
multiOTP – how to authenticate a user
Authenticate the user
C:\multiotp>multiotp bergen 452549
0 OK: Token accepted
authenticate the user again with the same token
C:\multiotp>multiotp bergen 452549
26 ERROR: The time based token has already been used
creating a scratch passwords list
C:\multiotp>multiotp -scratchlist bergen
317493, 134580, 326450, 941356, 000298,
412420, 456790, 222461, 645113, 837303
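As an added worked example (not multiOTP's code), the Python below implements the HOTP (RFC 4226) and TOTP (RFC 6238) generators from the earlier slides together with the server-side checks this slide demonstrates: the HOTP counter look-ahead window from the HOTP diagram (last accepted counter 0379, window 0380-0384), the TOTP reuse rejection behind "The time based token has already been used", and a single-use scratch passwords list. The seed is the RFC test-vector key; the account classes are an assumed design and say nothing about how multiOTP itself stores its state.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Tuple

# Constructed demo seed: the RFC 4226 / RFC 6238 test-vector key, i.e. ASCII "12345678901234567890".
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte selects a 4-byte slice
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)  # keep leading zeros, e.g. "000298"


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HOTP whose counter is the Unix time divided into 30-second slices."""
    return hotp(secret, unix_time // period, digits)


class HotpAccount:
    """Server-side HOTP state (assumed design): the highest counter accepted so far."""

    def __init__(self, secret: bytes, last_counter: int = 0, look_ahead: int = 5):
        self.secret = secret
        self.last_counter = last_counter
        self.look_ahead = look_ahead   # resync window: with last_counter 0379 the server tries 0380-0384

    def verify(self, code: str) -> Tuple[bool, str]:
        for counter in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter   # this counter and everything below it is now burned
                return True, "OK: token accepted, counter resynced to %04d" % counter
        return False, "ERROR: token not in the accepted counter window"


class TotpAccount:
    """Server-side TOTP state (assumed design): remembers the last accepted slice to refuse replays."""

    def __init__(self, secret: bytes, period: int = 30, drift_steps: int = 1):
        self.secret = secret
        self.period = period
        self.drift_steps = drift_steps   # also accept the neighbouring slices to tolerate small clock skew
        self.last_step = -1

    def verify(self, code: str, unix_time: int) -> Tuple[bool, str]:
        now_step = unix_time // self.period
        for step in range(now_step - self.drift_steps, now_step + self.drift_steps + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                if step <= self.last_step:
                    return False, "ERROR: the time based token has already been used"
                self.last_step = step
                return True, "OK: token accepted"
        return False, "ERROR: token does not match any accepted time slice"


class ScratchList:
    """Emergency single-use codes, like the 'multiotp -scratchlist' output; each code is burned once used."""

    def __init__(self, count: int = 10, digits: int = 6):
        self.codes = [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]

    def redeem(self, code: str) -> bool:
        if code in self.codes:
            self.codes.remove(code)
            return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(DEMO_SECRET, 0))              # RFC 4226 test vector: 755224
    print("TOTP at t=59:", totp(DEMO_SECRET, 59, digits=8))     # RFC 6238 test vector: 94287082
    hotp_user = HotpAccount(DEMO_SECRET, last_counter=379)
    print(hotp_user.verify(hotp(DEMO_SECRET, 382)))              # accepted, counter moves to 0382
    totp_user = TotpAccount(DEMO_SECRET)
    code = totp(DEMO_SECRET, 1111111109)
    print(totp_user.verify(code, 1111111109))                   # OK
    print(totp_user.verify(code, 1111111109 + 5))               # same slice again: already used
```

Two details matter for a server: the comparison is constant-time, and the replay check must be persisted per user (a counter or last time slice), otherwise a captured code stays valid for the rest of its 30-second slice.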
multiOTP – how to use hardware tokens
Import the tokens definition file
C:\multiotp>multiotp -import importAlpine.dat
(…)
Info: Token 0003000b31da successfully imported
15 INFO: Tokens definition file successfully imported
create a user linked with the token 0003000b31da
(and with the prefix PIN 1234)
C:\multiotp>multiotp -create demo -token-id 0003000b31da 1234
11 INFO: User successfully created or updated
require a prefix PIN for the user
C:\multiotp>multiotp -set demo prefix-pin=1
19 INFO: Requested operation successfully done
multiOTP typical usage
How to build a working server
device for less than CHF 100?
Hardware selection
Raspberry Pi very cheap (< CHF 40)
no OS licence (Debian Linux or others)
widely distributed
community support
microUSB powered
CPU 700 MHz (ARM)
RAM 512 MB
How to make your own strong authentication server?
SD card with Debian Linux
for Raspberry Pi ($10)
Real-time clock ($15)
+ multiOTP ($0)
< CHF 100
Let’s make a strong two-factor
authentication device with a Raspberry Pi
Build an authentication server in some easy steps
1/17
If you want a battery-backed Real Time Clock, install it
in your Raspberry Pi
http://afterthoughtsoftware.com/products/rasclock
http://www.cjemicros.co.uk/micros/products/rpirtc.shtml
http://www.robotshop.com/ca/en/mini-real-time-clock-rtc-module.html
http://nicegear.co.nz/raspberry-pi/high-precision-real-time-clock-for-raspberry-pi/
Build an authentication server in some easy steps
2/17
Download the latest Raspbian image to be flashed
http://downloads.raspberrypi.org/raspbian_latest
(currently 2014-09-09-wheezy-raspbian.zip)
Build an authentication server in some easy steps
3/17
Format your SD Card using the SD Card Association’s formatting
tool:
https://www.sdcard.org/downloads/formatter_4/
Build an authentication server in some easy steps
4/17
Flash the raw image using the UNIX tool dd or the
Win32DiskImager for Windows
http://sourceforge.net/projects/win32diskimager/files/latest/download
This should take about 10 minutes.
Build an authentication server in some easy steps
5/17
Go to http://www.multiOTP.net and download the latest version
Copy all files from multiotp/raspberry/boot-part to the root of the
SD Card (it could overwrite some files like config.txt)
Build an authentication server in some easy steps
6/17
When the copy is done, eject the SD Card
Build an authentication server in some easy steps
7/17
Connect the Raspberry Pi to the local network
Build an authentication server in some easy steps
8/17
Put the SD card into the Raspberry Pi and boot it
Build an authentication server in some easy steps
9/17
Login directly on your Raspberry Pi, or using SSH, with the default
username "pi" and the password "raspberry"
Build an authentication server in some easy steps
10/17
Launch the initial configuration by typing sudo raspi-config
Build an authentication server in some easy steps
11/17
Choose the following options
1) Expand Filesystem
2) Change User Password
4) Internationalisation Options (if needed)
8) Advanced Options
A2 Hostname (change the hostname to your favorite name,
like for example "multiotp")
Build an authentication server in some easy steps
12/17
Select Finish and answer "<Yes>" to reboot, or type "sudo reboot"
Build an authentication server in some easy steps
13/17
Login again directly on your Raspberry Pi, or using SSH, with the
default username "pi" and your new password
Build an authentication server in some easy steps
14/17
Type "sudo /boot/install.sh"
Everything is done automatically (it will take about 35 minutes)
and the Raspberry Pi will reboot automatically at the end
Build an authentication server in some easy steps
15/17
The fixed IP address is set to 192.168.1.44
with a default gateway at 192.168.1.1
To adapt the network configuration, edit the file
/etc/network/interfaces
Build an authentication server in some easy steps
16/17
Congratulations! You now have an open source and fully OATH
compliant strong two-factor authentication server!
Now open http(s)://192.168.1.44 to use the basic web interface
(The default RADIUS secret is set to myfirstpass for the subnet
192.168.0.0/16. To adapt the FreeRADIUS configuration, edit the file
/etc/freeradius/clients.conf)
… or build an authentication server in ONE step ;-)
If you want to download a multiOTP Raspberry Pi
image ready to use, follow this URL:
http://download.multiOTP.net/raspberry/
Nano-computer name: multiOTP
IP address: 192.168.1.44 (netmask: 255.255.255.0)
Username: pi
Password: raspberry
You can now flash the SD Card, put it into the Raspberry Pi
and boot it.
Any questions?
Crêt-Taconnet 13
2000 Neuchâtel
tel 032 730 11 10
fax 032 730 11 09
[email protected]
www.sysco.ch
SysCo® systèmes de communication sa