AUTHENTICATION USING ONE-TIME PASSWORD TOKEN AND SMART CARD: AN EASY WAY TO PREVENT IDENTITY THEFT
THIERRY BORDAZ - FLORENCE RENAUD
Senior Software Engineers - Identity Management
PASSWORDS ARE NOT SECURE. WHAT SHOULD I DO, THEN? TWO FACTOR AUTHENTICATION
OTP (TOTP/HOTP tokens, soft tokens, mobile phone...)
PKCS#11 (smart card reader + smart card, USB keys...)
IDENTITY MANAGEMENT: MAIN FEATURES
CENTRALIZED AUTHENTICATION
Source: IdM or Active Directory
Credentials: passwords, certificates, smart cards, OTP tokens
Single Sign-On: Kerberos, SAML, OpenID
CENTRALIZED AUTHORIZATION
Resources: systems, services, applications
HBAC, sudo rules, privileges
CENTRALIZED MANAGEMENT
Policy
Certificates and keys
DNS
BASED ON A COLLECTION OF OPEN SOURCE COMPONENTS: KDC, LDAP, PKI, DNS, FREEIPA
Phase 1: Sharing a secret
[Diagram: the server holds a secret per token (identified by its serial number, XXX); the secret is written into the user's token: a soft token (FreeOTP), a hardware token (Gemalto) or a programmable hardware token (YubiKey). Shown for user 1, user 2 and user 3.]
Phase 2: Synchronize counter
code(counter) = TRUNCATE(HMAC(sha1, secret, counter)) mod 10^digit
(RFC 4226 / RFC 6238)
[Diagram: user 1 submits two consecutive codes, code(counter_N) and code(counter_N+1), so the server can locate the token's current counter.]
Phase 3: use it at login
[Diagram: user 1 logs in with 2FA using the soft token (FreeOTP). First factor: password. Second factor: code.]
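The three phases above, as an added example that is not part of the original deck or of FreeIPA's code: an RFC 4226 HOTP implementation, the server-side look-ahead check used for counter synchronization (two consecutive codes), and the login check that moves the counter past an accepted code so the same code cannot be replayed. The secret is the RFC 4226 test-vector key; the class, method names and look-ahead window size are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 test-vector key (ASCII "12345678901234567890").
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter), then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpServerSide:
    """Assumed server-side state for one token: shared secret and next expected counter."""

    def __init__(self, secret: bytes, digits: int = 6, window: int = 10):
        self.secret = secret
        self.digits = digits
        self.window = window      # how far ahead the server is willing to search
        self.counter = 0          # next counter value the server expects

    def synchronize(self, first: str, second: str) -> bool:
        """Phase 2: accept two consecutive codes found within the look-ahead window."""
        for c in range(self.counter, self.counter + self.window):
            if (hmac.compare_digest(hotp(self.secret, c, self.digits), first)
                    and hmac.compare_digest(hotp(self.secret, c + 1, self.digits), second)):
                self.counter = c + 2
                return True
        return False

    def verify(self, code: str) -> bool:
        """Phase 3: accept a code within the window and move past it (no replay)."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1
                return True
        return False
```

Codes behind the server's counter (already used or skipped) are rejected, which is what makes an observed code useless to an attacker once the user has logged in with it.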
SMART CARD AUTHENTICATION
[Diagram, FreeIPA server and FreeIPA client: the user enters a username and PIN at the client; the client reads the SSL certificate from the smart card and sends it to the server, which holds users and groups; the server looks for a matching user; the user is authenticated.]
RESOURCES: FREEIPA
Project wiki: http://www.freeipa.org
Project trac: https://fedorahosted.org/freeipa/
Code: https://git.fedorahosted.org/cgit/freeipa.git/
Blog aggregation: http://planet.freeipa.org/
FreeIPA demo instance in the cloud: http://www.freeipa.org/page/Demo
Mailing lists: [email protected]@[email protected]
THANK YOU!