Authentication and Strong Authentication in Web Applications

8/8/2019 Authentication and Strong Authentication in Web Applications

1/43

MARET Consulting | 109, chemin du Pont-du-Centenaire | CH 1228 Plan-les-Ouates | Tl +41 22 727 05 57 | Fax +41 22 727 05 50 | www.maret-consulting.ch

Conseil en technologies

Sylvain Maret / Digital Security Expert @ MARET Consulting

BrightTALK - October 7th 2010

Authentication and Strong Authentication

in Web Application


2/43

Conseil en technologieswww.maret-consulting.ch

Agenda

f Protecting digital identities

f strong authentication?

f Strong Authentication: A new

paradigm !

f New Standards

f Integration with web

applications

f Identity Federation for

Authentication

f SAML / OpenID


3/43


Who am I?

f Security Expert

f 15 years of experience in ICT Security

f CEO and Founder of MARET Consulting

f Expert at Engineer School of Yverdon & Geneva University

f Swiss French Area delegate at OpenID Switzerland

f Co-founder Geneva Application Security Forum

f OWASP Member

f Author of the blog: la Citadelle Electronique

f http://ch.linkedin.com/in/smaret

f Chosen field

f Digital Identity Security


4/43


Protection of digital identities: a topical issue


5/43


threats on the authentication


6/43


Facts !

f Keylogger (hard and soft)

f Malware

f Man in the Middle

f Browser in the Middle

f Password Sniffer

f Social Engineering

f Phishing / Pharming

f The number of identity thefts is increasing dramatically!


7/43


8/43


Definition of strong authentication

Strong Authentication on Wikipedia


9/43


Digital identity is the cornerstone of trust

More information on the subject


11/43


Which strong authentication technology? (Legacy Token ..)


12/43



13/43


OTP PKI (HW) Biometry

Strong

authenticationEncryption

Digital signature

Non repudiation

Strong link with

the user

*

* Biometry type Fingerprinting


14/43


Strong Authentication with Biometry (Match on Card technology)

f A reader

f Biometry

f SmartCard

f A card with chip

f Technology MOC

f Crypto processor

f PC/SC

f PKCS#11

f Digital certificate X509


15/43


Authentication Server must be agnostic


16/43


New Standards

&

Open Source


17/43


Technologies accessible to everyone

f Based on Standards

f Open Authentication

(OATH)

f OATH authentication

algorithms

f HOTP (HMAC Event

Based)f OCRA

(Challenge/Response)

f TOTP (Time Based)

f OATH Token Identifier

Specification

f Open Solutions

f Mobile One Time Passwordsf strong, two-factor authentication

with mobile phones


18/43


Integration withweb application


19/43


Web applications: basic authentication model


20/43


Web application: strong authentication model


21/43


Shielding" approach: perimetric authentication


22/43


Module/Agent-based approach


23/43


API/SDK based approach


24/43


SSL PKI: how does it work?

Web Server

Alice

ValidationAuthority

Valid

Invalid

Unknown

OCSP request

SSL / TLS Mutual Authentication


25/43


Federated identities:

a changing paradigm

on authentication


26/43


Federation of identity approach a change of paradigm:

using IDP for Authentication and Strong Authentication

Web App X

Web App Y

Identity Provider


27/43


SECTION 1

SAML>What is it?

>How does it work?


28/43


Using SAML for Authentication and Strong Authentication

(AssertionConsumer Service)


29/43


SAML What is it?

SAML (Security Assertion Markup Language):

> Defined by the Oasis Group

> Well and Academically Designed Specification

> Uses XML Syntax

> Used for Authentication & Authorization

> SAML Assertions

> Statements: Authentication, Attribute, Authorization

> SAML Protocols> Queries: Authentication, Artifact, Name Identifier Mapping, etc.

> SAML Bindings> SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact

> SAML Profiles> Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query/ Request Profile, Attribute Profile


30/43


SAML How does it work?

Identity Providere.g. clavid.ch

User Hans Muster

Enabled Service

e.g. Google Apps

for Business

12

2

6

3

4

4


31/43


Example with HTTP POST Binding


32/43


1A

SAML AuthN & ACS integration in Web Application


33/43


OpenID> What is it?

> How does it work?

> How to integrate?

SECTION 2


34/43


35/43


OpenID - How does it work?

1

3

5

Enabled Service

Identity Providere.g. clavid.com

6

4, 4a

hans.muster.clavid.com

User Hans Muster

Caption1. User enters OpenID

2. Discovery3. Authentication

4. Approval4a. Change Attributes

5. Send Attributes6. Validation

2 Identity URLhttps://hans.muster.clavid.com


36/43


Architecture IPD

Authentication Server


37/43


Unique Interface

Agnostic / Easy

SAML


38/43



39/43


Conclusion #1

f Authentication Server need to be agnostic to any Token

Support Open Standards

f Federation of identity: a change of paradigm for authentication

Not Only for Federation or Web SSO

SAML and OpenID can support all authentication technologies

Develop only one authentication interface for all Web Application


40/43


Conclusion #2

f Users can choose his Strong Authentication Token

Users Friendly and Reduce Costs

f New Standards and Open Source Solution

OTP Software Token is no free

Strong Authentication for Social Networks (OpenID IPD & Strong Authentication)

f Think about Web Application Security

OWASP - Application Security Verification Standard Project

OWASP - Best Practices: Use of Web Application Firewalls 2010 CWE/SANS - Top 25 Most Dangerous Software Errors


41/43


42/43


"Le conseil et l'expertise pour le choix et la mise

en oeuvre des technologies innovantes dans la scurit

des systmes d'information et de l'identit numrique"


43/43


Authentication and Strong Authentication in Web Applications

Documents