View
239
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Strong AuthN - MultiOTP
Citation preview
Easy public/private keys usage protected
with strong authentication, using
U2F/UAF from the
Based on documentation and presentation from fido alliance, Yubico and Google
Rump Session, 6 November 2014
Application Security Forum Western Switzerland
André Liechti (@andreliechti, @multiOTP)
Last update : 2014-12-09
FIDO Alliance, who is that ?
FIDO (Fast IDentity Online)
2007 PayPal launched Security Key (classic OTP token)Low adoption rate, because harder to use for end users
Late 2009 Ramesh Kesanupalli (CTO of Validity Sensors) visited Michael Barrett (PayPal's CISO).Barret insisted on two things:
solution based on a (future) industry standard
must support Validity’s hardware and also their competitors
July 2012 FIDO Alliance nominally formedPayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio
February 2013 Alliance publicly launched and growing.Google, Yubico, ...
2014-11-06 2
FIDO Alliance members (150 in November 2014)
Board Level
21 members : Alibaba Group, ARM, Bank of America,
BlackBerry, CrucialTec, Discover, Google, IdentityX,
Lenovo, MasterCard, Microsoft, Nok Nok Labs, NXP,
Oberthur Technologies, PayPal, Qualcomm, RSA,
Samsung, Synpatics, Visa, Yubico
Sponsor Level
48 members
Associate Level
81 members
2014-11-06 3
FIDO Alliance mission
The Mission of the FIDO Alliance is to change the nature of
online authentication by:
Developing technical specifications that define an open,
scalable, interoperable set of mechanisms that reduce
the reliance on passwords to authenticate users.
Operating industry programs to help ensure successful
worldwide adoption of the Specifications.
Submitting mature technical Specification(s) to
recognized standards development organization(s) for
formal standardization.
2014-11-06 4
Online Authentication : what U2F/UAF are trying to solve ?
Avoid asking users for (secure?) passwords only because:
same password is reused for a lot of services
phishing is still working well
plenty of hardware and software keyloggers are available
Existing solutions have known problems:
Most of hardware devices are fragile, you must have one for
each service, you have battery issues
SMS costs are not negligible, you can be out of coverage
End user don’t always understand how to use it
Some phishing attacks are still possible
2014-11-06 5
UAF : passwordless experience
UAF : Universal Authentication Framework
Passwordless experience
2014-11-06 6
U2F : second factor experience
U2F : Universal Second Factor protocol
Second factor experience
2014-11-06 7
U2F Protocol
Core Idea: Standard Public Key Cryptography
User's device mints new key pair, gives public key to server
Server asks user's device to sign data to verify the user
One device, many services -“Bring Your Own
Authenticator”
Design Considerations:
Privacy: Site Specific Keys, No unique ID per device
Security: No phishing, Man-In-The-Middles
Trust: User decide what authenticator to use
Pragmatics: Affordable today
Usability: No delays, Fast crypto in device
2014-11-06 8
U2F flow
2014-11-06 9
U2F Registration
2014-11-06 10
U2F Authentication
2014-11-06 11
U2F and MITM attack
The client send:
I promise a user was here
The server challenge was: KSDJsdASAS-AIS_Me
The origin was: accounts.acme.com
The TLS connection state was: 345567
MITM attack detection
Origin mismatch for key handle
Incorrect origin name
ChannelID mismatch
2014-11-06 12
What if I want to accept U2F logins for my service?
Server: Implement registration flow
decide how to handle attestation certificates
verify registration response
store public key, key handle with user account
Server: Implement login flow
check username/password, look up key handle
verify authentication response (origin, signature, counter, …)
Check your account recovery flow
2014-11-06 13
Yubico implementation details
“ There is no practical limit to the U2F secured services the
YubiKey can be associated with. During the registration
process, the key pairs are generated on the device (secure
element) but the key pairs are not stored on the YubiKey.
Instead, the key pair (public key and encrypted private key)
are stored by each relying party/service that initiated the
registration. Therefore, this approach allows for an unlimited
number of services to be associated with the YubiKey. ”
2014-11-06 14
U2F demo with Yubikey FIDO U2F Security Key
http://demo.yubico.com/u2f
2014-11-06 15