Scribd Logo
Încărcați

Bine ați venit la Scribd!

  • Smaret Strong AuthN 22.11.12 Version 1.01

    Încărcat de

    Sylvain MARET
    24 vizualizări53 pagini
    Security Operations d.o.o. Sarajevo Strong Authentication in Web Application "State of the Art 2012" 17 years of experience in ICT Security Principal Consultant at MARET consulting. Strong Authentication is a new paradigm? which technology?

    Descriere originală:

    Drepturi de autor

    © Attribution Non-Commercial (BY-NC)

    Formate disponibile

    PDF, TXT sau citiți online pe Scribd

    Vi se pare util acest document?

    Este necorespunzător acest conținut?

    Raportați acest document
    Security Operations d.o.o. Sarajevo Strong Authentication in Web Application "State of the Art 2012" 17 years of experience in ICT Security Principal Consultant at MARET consulting. Strong Authentication is a new paradigm? which technology?

    Drepturi de autor:

    Attribution Non-Commercial (BY-NC)
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    24 vizualizări53 pagini

    Smaret Strong AuthN 22.11.12 Version 1.01

    Încărcat de

    Sylvain MARET
    Security Operations d.o.o. Sarajevo Strong Authentication in Web Application "State of the Art 2012" 17 years of experience in ICT Security Principal Consultant at MARET consulting. Strong Authentication is a new paradigm? which technology?

    Drepturi de autor:

    Attribution Non-Commercial (BY-NC)
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    din 53

    Consultants of Security Operations d.o.o.

    Sarajevo

    Strong Authentication in Web Application State of the Art 2012

    Sylvain Maret / Digital Security Expert / OpenID Switzerland @smaret Version 1.01 / 22.11.2012

    Who am I?
    Security Expert
    17 years of experience in ICT Security Principal Consultant at MARET Consulting Expert at Engineer School of Yverdon & Geneva University Swiss French Area delegate at OpenID Switzerland Co-founder Geneva Application Security Forum OWASP Member Author of the blog: la Citadelle Electronique http://ch.linkedin.com/in/smaret or @smaret http://www.slideshare.net/smaret

    Chosen field
    AppSec & Digital Identity Security

    22 per minute

    Protection of digital identities: a topical issue

    Strong AuthN

    RSA FAILED ?

    Digital identity is the cornerstone of trust

    http://fr.wikipedia.org/wiki/Authentification_forte

    Definition of strong authentication

    Strong Authentication on Wikipedia

    Strong Authentication A new paradigm?

    Which Strong Authentication technology ?

    OTP Strong authentication Encryption Digital signature Non repudiation Strong link with the user

    PKI (HW)

    Biometry

    Strong Authentication with PKI

    PKI: Digital Certificate


    Software Certificate (PKCS#12;PFX) Hardware Token (Crypto PKI) Strong Authentication

    SSL/TLS Mutual Authentication : how does it work?


    CRL or OCSP Request Valid Invalid Unknown Validation Authority

    SSL / TLS Mutual Authentication

    Alice
    Web Server

    Strong Authentication with Biometry (Match on Card technology)


    A reader
    Biometry SmartCard

    A card with chip


    Technology MOC Crypto Processor
    PC/SC PKCS#11 Digital certificate X509

    Strong Authentication With (O)ne (T)ime (P)assword

    (O)ne (T)ime (P)assword


    OTP Time Based
    Like SecurID

    Others:
    OTP via SMS OTP via email Biometry and OTP Phone Bingo Card Etc.

    OTP Event Based

    OTP Challenge Response Based

    OTP T-B? OTP E-B? OTP C-R-B?

    Crypto - 101

    Crypto-101 / Time Based OTP


    HASH Function K=Secret Key / Seed

    OTP

    T=UTC Time

    ie = OTP(K,T) = Truncate(HMAC-SHA-1(K,T))

    Crypto-101 / Event Based OTP


    HASH Function K=Secret Key / Seed

    OTP
    C = Counter

    ie = OTP(K,C) = Truncate(HMAC-SHA-1(K,C))

    Crypto-101 / OTP Challenge Response Based


    HASH Function K=Secret Key / Seed

    OTP Challenge
    nonce

    ie:

    Other[s] OTP technologies

    OTP Via SMS

    Flicker code Generator Software that converts already encrypted data into optical screen animation

    How to Store and Generate my Secret Key ? A Token !

    OTP Token: Software vs Hardware ?

    Software OTP for Smartphone

    http://itunes.apple.com/us/app/iotp/id328973960

    Where are[is] the seed ?

    Seed generation & distribution ? Still a good model ?


    K1 Threat Agent (APT)

    Editor / Vendor
    Secret Key are[is] generated on promise

    K1

    K1
    K1

    TokenCode

    New Standards & Open Source

    Technologies accessible to everyone


    Initiative for Open AuTHentication (OATH)
    HOTP TOTP OCRA Etc.

    Mobile OTP
    (Use MD5 ..)

    Initiative for Open AuTHentication (OATH)


    HOTP
    Event Based OTP RFC 4226

    Token Identifier Specification


    IETF KeyProv Working Group
    PSKC - Portable Symmetric Key Container, RFC 6030 DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063

    TOTP
    Time Based OTP Draft IETF Version 8

    OCRA

    Challenge/Response OTP And more ! Draft IETF Version 13


    http://www.openauthentication.org/specifications

    (R)isk

    (B)ased
    (A)uthentication

    RBA (Risk-Based Authentication) = Behavior Model

    Use OATH-HOTP & TOTP


    http://code.google.com/p/google-authenticator/

    Integration with web application

    Web application: basic authentication model

    Web application: Strong Authentication Implementation Blueprint

    Shielding" approach: perimetric authentication using Reverse Proxy / WAF

    Module/Agent-based approach

    API/SDK based approach

    ICAM: a changing paradigm


    on Strong Authentication

    Federation of identity approach a change of paradigm:


    using IDP for Authentication and Strong Authentication

    Identity Provider SAML, OpenID, etc

    Strong Authentication and Strong Authentication Application Security

    &

    Application Security

    Threat Modeling detecting web application

    threats before coding

    Questions ?

    Resources on Internet 1/2


    http://motp.sourceforge.net/ http://www.clavid.ch/otp http://code.google.com/p/mod-authn-otp/ http://www.multiotp.net/ http://www.openauthentication.org/ http://wiki.openid.net/ http://www.citadelle-electronique.net/ http://code.google.com/p/mod-authn-otp/

    Resources on Internet 2/2


    http://rcdevs.com/products/openotp/ https://github.com/adulau/paper-token http://www.yubico.com/yubikey http://code.google.com/p/mod-authn-otp/ http://www.nongnu.org/oath-toolkit/ http://www.nongnu.org/oath-toolkit/ http://www.gpaterno.com/publications/2010/du blin_ossbarcamp_2010_otp_with_oss.pdf

    S-ar putea să vă placă și