post password era - bernard toplak, owasp croatia meetup 2016

by Bernard Toplak

OWASP Croatia, Feb 2016

Post-Password Era

Understanding (new) methods of authentication

Bernard Toplak OWASP Croatia, Feb 2016

Passwords ...The damnation of ...


Issues with passwords

1.Passwords can be “stolen” from

a.compromised / untrusted device

b.untrusted website (phishing)

c.legitimate server

d.user himself


Issues with passwords

2. Users can’t/won’t remember “stronger” passwords, leads to :

a.weak and/or guessable passwords

b.reuse on many/all places

c.inconvenient to type pass on phone


Discussed in details in ...

… my presentation from FSEC 2014

https://docs.google.com/presentation/d/10iVcOymLlraC8yVf3gOFmr-a-3PP64NRPHoMe2MpPd4


Multi-Factor AuthenticationThe solution in ...


Multi-Factor Authentication

Factors of authentication :1.something you know

(knowledge)

2.something you have (possession)

3.something you are(inherence)


2-Factor vs. 2-Step

2-step = twice the same factor

2-factor = each step is also a different factor


2FA

… Patented in 1984


OATH ...The usual implementation is ...


OATH

Initiative for Open AuTHentication• industry-level collaboration• developing

–open standards–reference architecture

OATH ≠ OAuth

https://openauthentication.org/








OATH Authentication Methods

A.HOTP (RFC 4226, Dec. 2005)An HMAC-Based One-time Password Algorithm

B.TOTP (RFC 6238, May 2011)Time-based One-time Password Algorithm

C.OCRA (RFC 6287, Jun. 2011)OATH Challenge/Response Algorithms


One Time Password

Intended to act as a bridge between legacy and modern applications.

Widely implemented as :

1.SMS distributed2.software token

(often mobile app)

3.hardware token


Issues with OTP

1.Vulnerable to

a.MITM - man in the middle

b.MITB - man in the browser

types of the attacks


Issues with OTP

2. Questionable privacy of the SMS-delivered OTP

a.mobile operator

b.over the air sniffing

c.phone OS environment


Issues with OTP

3. Yet another (expensive) device

4. Inconvenient to type OTP on phone etc.


OTP libraries and example code

• OWASP JOTP project• Google Authenticator open-sourced

(Android, IOS, Blackberry, libpam)• http://oauth.net/code/ • https://github.com/search?q=otp (1,557 repos)• https://github.com/search?q=oath (371 repos)

https://www.owasp.org/index.php/OWASP_JOTP_Project

https://github.com/google/google-authenticator

http://oauth.net/code/

https://github.com/search?q=otp

https://github.com/search?q=oath


PKI ...The complication of ...


Public Key Infrastructure



Wide and rather complex set of hardware, software, people, policies, and procedures for managing all around certificates



• developed since 1970’s (GCHQ / Diffie-Hellman-....)

• fundamental security component ofall major Internet protocols for authentication and communication (e.g. TLS, WS-Security, IPSec IKE, 802.1x, SIP … )


PKI usages• user authentication (e.g., smart card logon, client

authentication with SSL)• e-mail messages encryption and/or sender

authentication (eg. OpenPGP, S/MIME)• documents encryption and/or authentication (e.g.

XML Signature or XML Encryption)• bootstrapping secure communication protocols

(SSL/TLS, IKE)• mobile signatures are electronic signatures that are

created using a mobile device


PKI problems

1. it’s complex2. it’s complex to implement and maintain the proper

(read: secure) way3. even when PKI works perfectly, it doesn't work4. significant middleware overhead brings potential

additional problems of tracking and updating every single “moving part” = outdated insecure versions


PKI libraries and projects

• OpenSSL - still most used CA/PKI toolkit• CFSSL - CloudFlare's PKI and TLS toolkit

• Let's Encrypt - free, automated, open CA• PKI.IO - scalable X.509 certificate management• OpenCA - full featured CA system• Dogtag - enterprise-class CA system

• OpenXPKI - X.509v3 software stack• EJBCA - enterprise-class CA (Java) system• XCA - graphical interface and database

https://www.openssl.org/

https://cfssl.org/

https://letsencrypt.org/

https://pki.io/

http://www.openca.org/

http://pki.fedoraproject.org/wiki/PKI_Main_Page

http://www.openxpki.org/

https://www.ejbca.org/

https://sourceforge.net/projects/xca/


FIDO ...The birth of ...


… Is it a dog? Is it a plane?

FIDO (Fast Identity Online) Alliance.

The FIDO Alliance includes Google, Microsoft, RSA, ARM, Lenovo, Mastercard, Visa, PayPal, Discover, Samsung, BlackBerry, NXP, Yubico … among its members.


FIDO design principles

• easy to use

• one device - many services• concept designed to make device production

as cheap as it gets

• stronger security while reducing complexity


FIDO design principles

• no secrets on the server side (public key)• no 3rd-pty in the protocol• (if used) biometric data never leaves the

device• accounts and/or services are not

“interchangeable”

1. Passwordless experience(UAF standard)

2. Second Factor experience(U2F Standard)

FIDO registration

FIDOlogin

Localauth

plugins


FIDO U2FThe invention of ...


Universal 2nd Factor

• open authentication standard• goal: Strong Authentication and Privacy for

the Web• initially developed by Google, Yubico and NXP,

but now managed by the FIDO Alliance


U2F - Universal 2nd Factor

• based on similar security technology found in smart cards (PKI)

• streamlines the 2FA process using a U2F-enabled USB, NFC, BT-LE keyfob, card, or mobile device …


• Chrome - plugin v.38, natively v.40• Firefox - WIP (tracker #1065729), plugin exists• IE/Edge - announced for Win10, MS is FIDO

member• Opera - not yet

See http://caniuse.com/#feat=u2f

U2F browser integration

https://bugzilla.mozilla.org/show_bug.cgi?id=1065729

https://addons.mozilla.org/en-GB/firefox/addon/u2f-support-add-on/

https://dev.windows.com/en-us/microsoft-edge/platform/status/fidou2f

http://caniuse.com/#feat=u2f


FIDO U2F soft libraries

Reference U2F implementation, Google

PHP based U2F server library

Python based U2F server library

Pluggable Authentication Module (PAM) for U2F

Ruby + Rails FIDO U2F lib

https://github.com/showcases/universal-2nd-factor

https://github.com/google/u2f-ref-code

https://github.com/Yubico/php-u2flib-server

https://github.com/Yubico/python-u2flib-server

https://github.com/Yubico/pam-u2f

https://github.com/TwoFactorAuth/ruby

https://github.com/showcases/universal-2nd-factor


Passwordless Auth-ProtocolsFinally, new ...


Let’s go passwordless !!

Some of the authentication protocols that don’t require passwords:

• FIDO UAF• OAuth (1.0a or 2.0)• OpenId• SAML - Security Assertion Markup Language


FIDO UAFThe invention of ...


Universal Authentication Framework

Intended to use existing security technologies present on devices for authentication :

• fingerprint sensors• cameras (face biometrics)• microphones (voice biometrics)• Trusted Execution Environments(TEEs)• Secure Elements(SEs)• and others ...


Universal Authentication Framework

The protocol is designed to plug-in these device capabilities into a common authentication framework.

UAF works with both native applications and web applications.


Other interesting bookmarks ...

• OWASP Authentication Cheat Sheet• Securing SSH with Google Authenticator• OWASP Transaction Authorization Cheat Shee

t• OWASP Anti-Malware KB (point on OTP)• OWASP SAML Security Cheat Sheet

https://www.owasp.org/index.php/Authentication_Cheat_Sheet

https://www.linux.com/community/blogs/133-general-linux/783135-securing-ssh-with-two-factor-authentication-using-google-authenticator

https://www.owasp.org/index.php/Transaction_Authorization_Cheat_Sheet

https://www.owasp.org/index.php/Transaction_Authorization_Cheat_Sheet

https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base#OTP_.28Time_Based.2C_Click_Based.29

https://www.owasp.org/index.php/SAML_Security_Cheat_Sheet

by Bernard Toplak


QUESTIONS ?

by Bernard Toplak


Bernard ToplakORION InformaticsFederation Servers

THANK YOU !!!

[email protected]@toplak

post password era - bernard toplak, owasp croatia meetup 2016

Software