Swiss Cyber Storm 3 Security Conference: RSA Failed ?
Post on 08-Apr-2018
8/6/2019 Swiss Cyber Storm 3 Security Conference: RSA Failed ?
http://slidepdf.com/reader/full/swiss-cyber-storm-3-security-conference-rsa-failed- 1/89
Sylvain Maret / Digital Security Expert / OpenID Switzerland
@smaret / Version 1.0 / 2PM
Strong Authentication in Web Application
“State of the Art 2011”
RSA FAILED ?
Who am I?
Security Expert
17 years of experience in ICT Security
Principal Consultant at MARET Consulting Expert at Engineer School of Yverdon & Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
OWASP Member
Author of the blog: la Citadelle Electronique
http://ch.linkedin.com/in/smaret or @smaret
http://www.slideshare.net/smaret
Chosen field
AppSec & Digital Identity Security
Protection of digital identities: a topical issue…
Strong Auth
«Digital identity is the cornerstone of trust»
http://fr.wikipedia.org/wiki/Authentification_forte
Definition of strong authentication
Strong Authentication on Wikipedia
Strong Authentication
A new paradigm?
Which Strong Authentication technology ?
Legacy Token / OTP / PKI / SuisseID ? / Open Source Solution ?
Comparison matrix: OTP | PKI (HW) | Biometry
Strong authentication
Encryption
Digital signature
Non repudiation
Strong link with the user
PKI: Digital Certificate
Software Certificate
(PKCS#12;PFX)
Hardware Token (Crypto PKI)
Strong Authentication
SSL/TLS Mutual Authentication : how does it work?
Diagram: Alice <-> Web Server; the certificate status is checked against the Validation Authority via a CRL or an OCSP Request, with the answer Valid / Invalid / Unknown.
SSL / TLS Mutual Authentication
Demo #1: Software Certificate Auth using an IDP OpenID
http://www.clavid.com/
Strong Authentication with Biometry (Match on Card technology)
A reader
Biometry
SmartCard
A card with chip
Technology MOC
Crypto Processor
PC/SC
PKCS#11
Digital certificate X509
Strong Authentication
With
(O)ne (T)ime (P)assword
(O)ne (T)ime (P)assword
OTP Time Based
Like SecurID
OTP Event Based
OTP ChallengeResponse Based
Others:
OTP via SMS
OTP via email
Biometry and OTP
Bingo Card
Etc.
OTP T-B?
OTP E-B?
OTP C-R-B?
Crypto - 101
Crypto-101 / Time Based OTP
i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
K=Secret Key / Seed
T=UTC Time
HASH Function
OTP
Crypto-101 / Event Based OTP
i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
K=Secret Key / Seed
C = Counter
HASH Function
OTP
Crypto-101 / OTP Challenge Response Based
K=Secret Key / Seed
nonce
HASH Function
OTP Challenge
i.e.:
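The three Crypto-101 slides give only the formulas. The Python below is an added example, not code from the talk or from any product named in it: it implements the HMAC-SHA-1 dynamic truncation of RFC 4226 for the event-based OTP (HOTP), the time-based OTP (TOTP, RFC 6238) and a simplified nonce-based challenge/response variant, and adds the server-side checks a verifier needs: a look-ahead window, counter advance so an accepted code cannot be replayed, and a constant-time compare. The seed is the RFC 4226 test-vector secret, not a real token seed, and the challenge/response function is my own reduction of the slide's diagram, not the OATH OCRA algorithm.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (20 ASCII bytes); constructed demo input, not a real seed.
TEST_SEED = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last HMAC byte
    selects a 4-byte window; its value with the top bit cleared is reduced mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP from the slide: OTP(K, C) = Truncate(HMAC-SHA-1(K, C)).
    C is encoded as an 8-byte big-endian integer, as RFC 4226 requires."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """Time-based OTP from the slide: OTP(K, T) with T = floor((unix_time - T0) / step),
    i.e. HOTP evaluated on the current time step (RFC 6238, SHA-1 variant)."""
    return hotp(key, (int(unix_time) - t0) // step, digits)


def challenge_response_otp(key: bytes, nonce: bytes, digits: int = 6) -> str:
    """Simplified challenge/response variant from the slide: the server-chosen nonce
    replaces the counter as HMAC input. Not the full OATH OCRA construction."""
    return _truncate(hmac.new(key, nonce, hashlib.sha1).digest(), digits)


class HotpVerifier:
    """Server side of event-based OTP. A code is accepted only if it matches one of the
    next `window` counter values after the last accepted one; the counter then moves past
    it, so a captured code is worthless once used and codes behind the counter are refused."""

    def __init__(self, key: bytes, window: int = 5) -> None:
        self.key = key
        self.window = window
        self.counter = 0  # next counter value we expect from the token

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            # constant-time comparison so the check does not leak how many digits matched
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1
                return True
        return False


def verify_totp(key: bytes, code: str, unix_time: int, skew_steps: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept a time-based code for the current step or +/- skew_steps to tolerate clock drift."""
    current = int(unix_time) // step
    return any(hmac.compare_digest(hotp(key, current + d, digits), code)
               for d in range(-skew_steps, skew_steps + 1))


if __name__ == "__main__":
    print("HOTP(K, 0) =", hotp(TEST_SEED, 0))                      # 755224 (RFC 4226 Appendix D)
    print("TOTP(K, t=59, 8 digits) =", totp(TEST_SEED, 59, digits=8))  # 94287082 (RFC 6238 Appendix B)
```

The verifier keeps the window small on purpose: a wide look-ahead makes guessing easier, a counter that never advances makes replay possible, which is why the page's later question "where is the seed" matters just as much as the algorithm itself.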
Other OTP technologies…
OTP Via SMS
By Elcard
“Flicker code” Generator: software that converts already encrypted data into an optical screen animation
Demo #2: Protect WordPress (OTP Via SMS)
How to Store my Secret Key ?
A Token !
OTP Token: Software vs Hardware ?
Software OTP for Smartphone
http://itunes.apple.com/us/app/iotp/id328973960
Where is the seed ?
Seed generation & distribution ? Still a good model ?
Editor / Vendor
Secret Keys are generated on premise
K1
K1 K1
Threat Agent (APT)
TokenCode
New Standards
&
Open Source
Technologies accessible to everyone
Initiative for Open AuTHentication (OATH)
HOTP
TOTP
OCRA
Etc.
Mobile OTP (uses MD5…)
Initiative for Open AuTHentication (OATH)
HOTP
Event Based OTP
RFC 4226
TOTP
Time Based OTP
Draft IETF Version 8
OCRA
Challenge/Response OTP
Draft IETF Version 13
Token Identifier Specification
IETF KeyProv Working Group:
PSKC - Portable Symmetric Key Container, RFC 6030
DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063
And more !
http://www.openauthentication.org/specifications
(R)isk
(B)ased
(A)uthentication
RBA (Risk-Based Authentication) = Behavior Model
http://code.google.com/p/google-authenticator/
Use OATH-HOTP & TOTP
Integration with web application
Web application: basic authentication model
Web application: Strong Authentication Implementation Blueprint
“Shielding" approach: perimetric authentication using Reverse Proxy / WAF
Module/Agent-based approach (example)
Demo #3: Apache and Mod_OpenID (Using Biometry / OTP)
Demo #3: Challenge / Response OTP with Biometry
API/SDK based approach (example)
Multi OTP PHP Class Demo #4 & Hardening OS
Proof of Concept Code by Anne Gosselin, Antonio Fontes, Sylvain Maret !
if (! empty($_REQUEST['pma_username'])) {
    // The user just logged in
    $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
    // we combine both OTP + PIN code for the token verification
    $fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
    $fooOtp = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];
    $GLOBALS['PHP_AUTH_PW'] = $fooPass . '' . $fooOtp;
    // OTP CHECK
    require_once('./libraries/multiotp.class.php');
    $multiotp = new Multiotp();
    $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
    $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
    $multiotp->SetUsersFolder('./libraries/users/');
    $multiotp->SetLogFolder('./libraries/log/');
    $multiotp->EnableVerboseLog();
    $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);
    // only the PIN code is kept for accessing the database: strip the OTP suffix
    $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0, strlen($GLOBALS['PHP_AUTH_PW']) - strlen($fooOtp));
    if ($otpCheckResult == 0) {
        return true;
    } else {
        die("auth failed.");
    }
}
Step1: Add a new method using cookie authentication
Howto #1: In config.inc.php
Step2: Add pma_otp field
In common.inc.php
Step3: Add new input
File ori: cookie.auth.lib.php
New file: cookieotp.auth.lib.php
Step3: Call multiotp
New file: cookieotp.auth.lib.php
Demo #4: OTP integration in phpMyAdmin
Multi OTP PHP Class by André Liechti (Switzerland)
http://www.multiotp.net/
Source code will be published soon:
http://www.citadelle-electronique.net/
SSH Hardening with OTP Multi OTP PHP Class
PAM
AES 256
Strong Authentication
&
Application Security
Threat Modeling
“detecting web application
threats before coding”
ICAM:
a changing paradigm
on Strong Authentication
Federation of identity approach, a change of paradigm: using an IDP for Authentication and Strong Authentication
Identity Provider
SAML, OpenID, etc
OpenID
> What is it?
> How does it work?
> How to integrate?
SECTION 2
OpenID - What is it?
> Internet Single Sign-On
> Relatively Simple Protocol
> User-Centric Identity Management
> Internet Scalable
> Free Choice of Identity Provider
> No License Fee
> Independent of Identification Methods
> Non-Profit Organization
OpenID - How does it work?
Diagram: User Hans Muster, Identity Provider (e.g. clavid.com), Enabled Service
Identity URL: https://hans.muster.clavid.com
Caption:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation
Surprise! You may already have an OpenID !
Other Well Known & Simple Providers
http://en.wikipedia.org/wiki/List_of_OpenID_providers
Get an OpenID with Strong Authentication for free !
Questions ?
Resources on Internet 1/2
http://motp.sourceforge.net/
http://www.clavid.ch/otp
http://code.google.com/p/mod-authn-otp/
http://www.multiotp.net/
http://www.openauthentication.org/
http://wiki.openid.net/
http://www.citadelle-electronique.net/
Resources on Internet 2/2
http://rcdevs.com/products/openotp/
https://github.com/adulau/paper-token
http://www.yubico.com/yubikey
http://www.nongnu.org/oath-toolkit/
http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdf
Backup Slides
Kerckhoffs's Principle ?
A strong conviction !
Strong authentication
Using SAML for Authentication and Strong Authentication
(Assertion Consumer Service)
SAML – What is it?
SAML (Security Assertion Markup Language):
> Defined by the Oasis Group
> Well and Academically Designed Specification
> Uses XML Syntax
> Used for Authentication & Authorization
> SAML Assertions
  > Statements: Authentication, Attribute, Authorization
> SAML Protocols
  > Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings
  > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact
> SAML Profiles
  > Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile
SAML – How does it work?
Diagram: User Hans Muster, Identity Provider (e.g. clavid.ch), Enabled Service (e.g. Google Apps for Business); message flow numbered 1 to 6 between them.
Example with HTTP POST Binding
Diagram: Browser; Web App SAML Ready (AuthN, ACS, Resource); IDP (Single Sign On Service, MC + PIN).
Steps: 1 Access Resource; 3 <AuthnRequest>, Redirect 302; 4 <AuthnRequest> to the Single Sign On Service; 5a Credential Challenge, User Login; 6 <Response> in HTML Form; 7 POST <Response>; 8 Resource (steps 2 and 5b carry no label in the diagram).
A major event in the world of strong authentication
12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
« Single Factor Authentication » is not enough for web financial applications
Before end 2006 it is compulsory to implement a strong authentication system http://www.ffiec.gov/press/pr101205.htm
And the PCI DSS norm: compulsory strong authentication for remote access
And now European regulations: Payment Services (2007/64/CE) for banks
Social Networks, Open Source
Out of Band Authentication
Phone Factor
SAML
SAML AuthnRequest Transfer via Browser
Redirect-Binding
POST-Binding
A SAML AuthnRequest (no magic, just XML)
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb"
    Version="2.0"
    IssueInstant="2008-10-14T00:57:14Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    ForceAuthn="false"
    IsPassive="false"
    AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    google.com
  </saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
SAML Assertion Transfer via Browser
POST-Binding
A SAML Assertion Response (no magic, just XML)
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
Version="2.0"
IssueInstant="2008-10-15T17:24:46Z"
Destination="https://www.google.com/a/unopass.net/acs">
<saml:Issuer>
http://idp.unopass.net:80/opensso
</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion
ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"
IssueInstant="2008-10-15T17:24:46Z"
Version="2.0">
<saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
<Signature>… A DIGITAL SIGNATURE …
</Signature>
...
<saml:Subject>
<saml:NameID
NameQualifier="http://idp.unopass.net:80/opensso">
sylvain.maret
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:...:bearer">
<saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
NotOnOrAfter="2008-10-15T17:34:46Z"
Recipient="https://www.google.com/a/unopass.net/acs"/>
</saml:SubjectConfirmation>
</saml:Subject>
...
<saml:Conditions NotBefore="2008-10-15T17:14:46Z"
NotOnOrAfter="2008-10-15T17:34:46Z">
<saml:AudienceRestriction>
<saml:Audience>google.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z"
SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
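The response above is what the Assertion Consumer Service receives; the slides do not show the checks a service provider must run on it before trusting the NameID. The Python below is an added example, not code from the talk or from any product named in it. It re-assembles the slides' response as a constructed sample (the xmlns:saml declaration and the full bearer URN, which the slides elide, are filled in from the SAML 2.0 specification, and the <Signature> element is left out) and checks the fields that bind the assertion to this SP and this login: InResponseTo against the AuthnRequest ID, Destination and Recipient against the ACS URL, NotBefore/NotOnOrAfter with a small clock skew, the AudienceRestriction and the status code. The expected values (request ID, ACS URL, audience, IdP issuer) are the ones on the slides. Verifying the XML signature is out of scope here and must be done with a dedicated library before any of these fields are believed; the assumed order is signature first, then these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"   # full URN of the slides' "urn:oasis:...:bearer"

# What this service provider expects, taken from the AuthnRequest/Response on the slides.
REQUEST_ID = "hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
ACS_URL = "https://www.google.com/a/unopass.net/acs"
AUDIENCE = "google.com"
IDP_ISSUER = "http://idp.unopass.net:80/opensso"

# Constructed sample: the slides' response reassembled, saml namespace declared, <Signature> omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
    InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
    Version="2.0" IssueInstant="2008-10-15T17:24:46Z"
    Destination="https://www.google.com/a/unopass.net/acs">
  <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"
      IssueInstant="2008-10-15T17:24:46Z" Version="2.0">
    <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
    <saml:Subject>
      <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso">sylvain.maret</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
            NotOnOrAfter="2008-10-15T17:34:46Z"
            Recipient="https://www.google.com/a/unopass.net/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z">
      <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z"
        SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """SAML timestamps are xs:dateTime in UTC; fractional seconds are dropped if present."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, request_id, acs_url, audience, idp_issuer, now, skew=timedelta(minutes=2)):
    """Return the list of policy violations found; an empty list means the response is acceptable.
    Assumes the XML signature over the assertion has ALREADY been verified by a dedicated library;
    these are the semantic checks that bind the assertion to this SP and to this login attempt."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    if root.get("InResponseTo") != request_id:          # rejects unsolicited or swapped responses
        problems.append("Response.InResponseTo does not match the AuthnRequest we sent")
    if root.get("Destination") != acs_url:
        problems.append("Response.Destination is not our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                              # this SP expects exactly one assertion
        problems.append("expected exactly one Assertion, found %d" % len(assertions))
        return problems
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != idp_issuer:
        problems.append("Assertion.Issuer is not the IdP we trust")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER or data is None:
        problems.append("missing bearer SubjectConfirmation")
    else:
        if data.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData.Recipient is not our ACS URL")
        if data.get("InResponseTo") != request_id:
            problems.append("SubjectConfirmationData.InResponseTo does not match the AuthnRequest")
        limit = data.get("NotOnOrAfter")
        if not limit or now - skew >= _parse_time(limit):
            problems.append("SubjectConfirmationData missing NotOnOrAfter or expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now + skew < _parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:                    # an assertion meant for another SP is refused
            problems.append("Audience does not include this SP")
    if assertion.find("saml:AuthnStatement", NS) is None:
        problems.append("no AuthnStatement")
    return problems


def extract_subject(xml_text):
    """NameID of the authenticated user; only meaningful once check_saml_response returned []."""
    root = ET.fromstring(xml_text)
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", default="", namespaces=NS).strip()


if __name__ == "__main__":
    now = datetime(2008, 10, 15, 17, 25, 0, tzinfo=timezone.utc)  # inside the assertion's validity window
    print(check_saml_response(SAMPLE_RESPONSE, REQUEST_ID, ACS_URL, AUDIENCE, IDP_ISSUER, now))
    print(extract_subject(SAMPLE_RESPONSE))
```

Run with the clock set inside the 20-minute Conditions window the response is accepted and the subject is sylvain.maret; change the expected audience, or move the clock an hour forward, and the same response is refused with the reason listed. The request ID to compare against must come from the SP's own session state, saved when the AuthnRequest was issued, never from the response itself.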