WebCast: Authentication and Strong Authentication in Web Applications WebCast
MARET Consulting | 109, chemin du Pont-du-Centenaire | CH 1228 Plan-les-Ouates | Tél +41 22 727 05 57 | Fax +41 22 727 05 50 | www.maret-consulting.ch
Conseil en technologies
Sylvain Maret / Digital Security Expert @ MARET Consulting
BrightTALK - October 7th 2010
Authentication and Strong Authentication in Web Application
Conseil en technologies | www.maret-consulting.ch
Agenda
Protecting digital identities
Strong authentication?
Strong Authentication: a new paradigm!
New Standards
Integration with web applications
Identity Federation for Authentication
SAML / OpenID
Who am I?
Security Expert
15 years of experience in ICT Security
CEO and Founder of MARET Consulting
Expert at Engineer School of Yverdon & Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
OWASP Member
Author of the blog: la Citadelle Electronique
http://ch.linkedin.com/in/smaret
Chosen field: Digital Identity Security
Protection of digital identities: a topical issue…
Threats to authentication
Facts!
Keylogger (hardware and software)
Malware
Man in the Middle
Browser in the Middle
Password Sniffer
Social Engineering
Phishing / Pharming
The number of identity thefts is increasing dramatically!
A major event in the world of strong authentication
12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
«Single Factor Authentication» is not enough for web financial applications
By the end of 2006 it is compulsory to implement a strong authentication system
http://www.ffiec.gov/press/pr101205.htm
And the PCI DSS standard: compulsory strong authentication for remote access
And now European regulations: the Payment Services Directive (2007/64/CE) for banks
Social Networks, Open Source
Definition of strong authentication
Strong Authentication on Wikipedia
«Digital identity is the cornerstone of trust»
More information on the subject
Strong Authentication: a new paradigm!
Which strong authentication technology? (Legacy Token …)
Comparison table of OTP, PKI (HW) and Biometry* against: strong authentication, encryption, digital signature, non-repudiation, strong link with the user (the cell values of the table were not preserved in this text)
* Biometry type: fingerprinting
Strong Authentication with Biometry (Match on Card technology)
A biometric smart card reader
A card with chip: Match-on-Card (MOC) technology, crypto processor
PC/SC, PKCS#11, X.509 digital certificate
Authentication Server must be agnostic
New Standards & Open Source
Technologies accessible to everyone
Based on Standards
Open Authentication (OATH)
OATH authentication algorithms
HOTP (HMAC Event Based)
OCRA (Challenge/Response)
TOTP (Time Based)
OATH Token Identifier Specification
Open Solutions
Mobile One Time Passwords: strong, two-factor authentication with mobile phones
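The OATH algorithms listed above are short enough to implement directly from the RFCs, which is what makes them "accessible to everyone". The following is an added example (not code from the presentation or from the OATH initiative): HOTP (RFC 4226) and TOTP (RFC 6238) in Python's standard library, together with the server-side checks a practitioner cares about: a bounded look-ahead window for counter resynchronisation, refusal of already-used counters and time steps (so a captured code cannot be replayed), a small clock-skew window for TOTP, and constant-time comparison. The secret is the RFC test key, chosen so the output can be checked against the RFC appendices; it is constructed test data, not a value from the slides.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (constructed test data, not a
# value from the presentation); real keys come from the token provisioning step.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_hotp(secret: bytes, candidate: str, last_counter: int, look_ahead: int = 3):
    """Server-side HOTP check (RFC 4226 section 7.2). The token may have been pressed a few
    times without reaching the server, so counters last_counter+1 .. last_counter+look_ahead
    are tried; anything at or below last_counter is never accepted, which blocks replay of a
    captured code. Returns the counter to store on success, None on failure."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return counter                       # resynchronise to the token's real counter
    return None


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_accepted_step: int = -1,
                step: int = 30, skew_steps: int = 1):
    """Accept the current step and skew_steps neighbours on each side to absorb clock drift
    (RFC 6238 section 6). Steps at or below last_accepted_step are refused so one code is
    usable once. Returns the matched step index to store, or None."""
    for delta in range(-skew_steps, skew_steps + 1):
        t = unix_time + delta * step
        if t // step > last_accepted_step and hmac.compare_digest(totp(secret, t, step), candidate):
            return t // step
    return None


if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(RFC_TEST_SECRET, c) for c in range(3)])
    print("TOTP for the current 30 s step:", totp(RFC_TEST_SECRET, int(time.time())))
```

The look-ahead and skew windows are the usual trade-off: every extra accepted counter or time step is one more valid code an attacker can guess, so both are kept small and a failed-attempt counter per user belongs next to them in a real server.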
Integration with web applications
Web applications: basic authentication model
Web application: strong authentication model
“Shielding” approach: perimeter authentication
Module/Agent-based approach
API/SDK based approach
SSL PKI: how does it work?
Diagram: Alice and the Web Server perform SSL / TLS Mutual Authentication; an OCSP request goes to the Validation Authority, whose answer is Valid / Invalid / Unknown
Federated identities: a changing paradigm on authentication
Identity federation approach, a change of paradigm: using the IdP for Authentication and Strong Authentication
Diagram: Web App X and Web App Y both rely on the Identity Provider
SECTION 1: SAML
> What is it?
> How does it work?
Using SAML for Authentication and Strong Authentication
(Assertion Consumer Service)
SAML – What is it?
SAML (Security Assertion Markup Language):
> Defined by the OASIS group
> Well and academically designed specification
> Uses XML syntax
> Used for Authentication & Authorization
> SAML Assertions > Statements: Authentication, Attribute, Authorization
> SAML Protocols > Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact
> SAML Profiles > Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile
SAML – How does it work?
Diagram: User Hans Muster, Identity Provider (e.g. clavid.ch), Enabled Service (e.g. Google Apps for Business); the numbered steps of the figure are not recoverable from this text
Example with HTTP POST Binding
Actors: Browser (User Login + PIN), Web App SAML Ready (AuthN, ACS, Resource), IDP MC (Single Sign On Service)
1. Access Resource
2. (step label lost in extraction)
3. <AuthnRequest>, Redirect 302
4. <AuthnRequest> to the Single Sign On Service
5a. Credential Challenge, User Login (+ PIN)
5b. (step label lost in extraction)
6. <Response> in HTML Form
7. POST <Response> to the ACS
8. Resource
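The HTTP POST binding flow ends with the browser posting the <Response> to the Assertion Consumer Service (step 7), and the security of the whole scheme rests on what the ACS verifies before it trusts the NameID inside. The following is an added example, not code from the presentation or from any SAML product: an ACS check routine for a SAML 2.0 Response written with Python's standard library, run against a constructed (unsigned) sample response. Entity IDs, URLs, request and assertion identifiers and the fixed "current time" are made up for the demonstration; signature verification is delegated to a caller-supplied function because XML-Signature is not in the standard library (a real deployment gets it from a SAML library). Going one step beyond the figure, the example also shows how the SP can insist on a strong authentication context class from the IdP, which is how "Strong Authentication via SAML" is expressed on the wire.

```python
import base64
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Require that the IdP used a time-synchronised token (a standard SAML authn context class):
# this is how an SP insists that strong authentication happened at the IdP.
STRONG_AUTHN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
# Constructed entity IDs, URL and clock for the demonstration, not values from the presentation.
ACS_URL, SP_ENTITY_ID, IDP_ENTITY_ID = "https://sp.example.test/acs", "https://sp.example.test", "https://idp.example.test"
NOW = datetime(2010, 10, 7, 14, 0, 10, tzinfo=timezone.utc)


def _ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2010-10-07T14:00:05Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_acs_post(saml_response_b64, *, outstanding_requests, seen_assertions, now,
                      verify_signature, clock_skew=timedelta(minutes=2)):
    """ACS checks on the SAMLResponse form field of the HTTP POST binding (step 7 above).
    verify_signature(xml_bytes) is the caller's XML-Signature verifier (e.g. a SAML library);
    XML-DSig is not implemented here. Returns (name_id, []) if accepted, else (None, reasons)."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if not verify_signature(xml_bytes):           # nothing below can be trusted unsigned
        return None, ["signature verification failed"]
    resp, problems = ET.fromstring(xml_bytes), []
    req_id = resp.get("InResponseTo")
    if resp.get("Destination") != ACS_URL:
        problems.append("Destination is not this ACS")
    if req_id not in outstanding_requests:        # unsolicited, or request already answered
        problems.append("InResponseTo does not match a pending AuthnRequest")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, problems + ["expected exactly one Assertion"]
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Assertion issuer is not the configured IdP")
    if a.get("ID") in seen_assertions:
        problems.append("Assertion ID already consumed (replay)")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now + clock_skew < _ts(cond.get("NotBefore")):
            problems.append("Assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - clock_skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("Assertion expired")
        if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            problems.append("Audience does not include this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != req_id:
        problems.append("SubjectConfirmationData is not bound to this ACS and request")
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if ctx != STRONG_AUTHN:
        problems.append("IdP did not use the required strong authentication method")
    if problems:
        return None, problems
    outstanding_requests.discard(req_id)          # one Response per AuthnRequest
    seen_assertions.add(a.get("ID"))              # one use per Assertion
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), []


def sample_response(audience=SP_ENTITY_ID, in_response_to="_req42", assertion_id="_a1",
                    not_on_or_after="2010-10-07T14:05:00Z", authn_ctx=STRONG_AUTHN):
    """Constructed, unsigned stand-in for the <Response> an IdP returns (demo data only)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
  IssueInstant="2010-10-07T14:00:05Z" Destination="{ACS_URL}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2010-10-07T14:00:05Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>hans.muster</saml:NameID><saml:SubjectConfirmation
      Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
      Recipient="{ACS_URL}" InResponseTo="{in_response_to}" NotOnOrAfter="{not_on_or_after}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2010-10-07T13:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2010-10-07T14:00:04Z"><saml:AuthnContext>
      <saml:AuthnContextClassRef>{authn_ctx}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def demo():
    """Accept one good response, then show the checks that reject a replay and bad variants."""
    pending, seen = {"_req42", "_req43"}, set()
    def check(**kw):  # the lambda stands in for a real XML-DSig check, for the demo only
        return validate_acs_post(sample_response(**kw), outstanding_requests=pending,
                                 seen_assertions=seen, now=NOW, verify_signature=lambda _: True)
    return {"valid": check(),
            "replay": check(),  # same request id and assertion id posted a second time
            "wrong_audience": check(in_response_to="_req43", assertion_id="_a2", audience="https://other-sp.example.test"),
            "expired": check(in_response_to="_req43", assertion_id="_a3", not_on_or_after="2010-10-07T13:50:00Z"),
            "weak_authn": check(in_response_to="_req43", assertion_id="_a4",
                                authn_ctx="urn:oasis:names:tc:SAML:2.0:ac:classes:Password")}
```

Each rejected case in `demo()` corresponds to a real failure mode of an ACS: an assertion for another SP (Audience), a stale assertion (NotOnOrAfter), a replayed one (InResponseTo no longer pending, Assertion ID already seen), or an IdP that authenticated the user with only a password when the SP required a strong method. The pending-request set and the seen-assertion set are the two pieces of state the ACS must keep between steps 3 and 7 of the flow.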
SAML AuthN & ACS integration in Web Application
Diagram: the AuthN and ACS components can sit at any of the three tiers of the Web App SAML Ready (Service Provider, SP): 1/3 Web Server, 2/3 App Server, 3/3 BackEnd (options 1A, 1B, 1C); the user is the Digital Identity (Principal)
SECTION 2: OpenID
> What is it?
> How does it work?
> How to integrate?
OpenID - What is it?
> Internet Single Sign-On
> Relatively simple protocol
> User-centric identity management
> Internet scalable
> Free choice of Identity Provider
> No license fee
> Independent of identification methods
> Non-profit organization
OpenID - How does it work?
Diagram: User Hans Muster, Identity URL https://hans.muster.clavid.com, Enabled Service, Identity Provider (e.g. clavid.com)
Caption:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation
IdP architecture: Authentication Server
Diagram: the Web App SAML Ready (Service Provider, SP), with its three tiers (1/3 Web Server, 2/3 App Server, 3/3 BackEnd) and its AuthN / ACS, talks SAML to the IDP-AS over a unique interface (agnostic / easy)
IDP-AS tokens: OTP, PKI, BIO, Password
Protocol Backend: SAML v2, SAML v1, OpenID, Radius, etc.
Protocol Frontend: Federation (Facebook, Google, OpenID, other IDP, Internal Active Directory, etc.)
Conclusion #1
Authentication Server needs to be agnostic to any token
• Support open standards
Federation of identity: a change of paradigm for authentication
• Not only for federation or Web SSO
• SAML and OpenID can support all authentication technologies
• Develop only one authentication interface for all web applications
Conclusion #2
Users can choose their Strong Authentication Token
• User friendly and reduces costs
New Standards and Open Source Solutions
• OTP Software Token is now free
• Strong Authentication for Social Networks (OpenID IdP & Strong Authentication)
Think about Web Application Security
• OWASP - Application Security Verification Standard Project
• OWASP - Best Practices: Use of Web Application Firewalls
• 2010 CWE/SANS - Top 25 Most Dangerous Software Errors
Some links to explore the subject further
MARET Consulting http://maret-consulting.ch/
La Citadelle Electronique (the blog on digital identities) http://www.citadelle-electronique.net/
Banque & Finance articles: Stealing an identity? Impossible with biometrics! http://www.banque-finance.ch/numeros/88/59.pdf
Biometrics and Mobility http://www.banque-finance.ch/numeros/97/62.pdf
Public presentations: OSSIR Paris 2009: Lessons learned from a large-scale biometrics deployment http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf
ISACA, Clusis: Access to information: roles and responsibilities http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-de28099authentification-forte.pdf
"Le conseil et l'expertise pour le choix et la mise
en oeuvre des technologies innovantes dans la sécurité
des systèmes d'information et de l'identité numérique"