Page 1

MARET Consulting | 109, chemin du Pont-du-Centenaire | CH 1228 Plan-les-Ouates | Tél +41 22 727 05 57 | Fax +41 22 727 05 50 | www.maret-consulting.ch

Technology consulting

Sylvain Maret / Digital Security Expert @ MARET Consulting
BrightTALK - October 7th 2010

Authentication and Strong Authentication in Web Application

Page 2

Agenda

Protecting digital identities

Strong authentication?

Strong Authentication: a new paradigm!

New standards

Integration with web applications

Identity federation for authentication

SAML / OpenID

Page 3

Who am I?

Security Expert, 15 years of experience in ICT Security
CEO and Founder of MARET Consulting
Expert at the Engineering School of Yverdon and Geneva University
Swiss French area delegate at OpenID Switzerland
Co-founder of the Geneva Application Security Forum
OWASP Member
Author of the blog La Citadelle Electronique
http://ch.linkedin.com/in/smaret

Chosen field: Digital Identity Security

Page 4

Protection of digital identities: a topical issue…

Page 5

Threats to authentication

Page 6

Facts!

Keylogger (hardware and software)
Malware
Man in the Middle
Browser in the Middle
Password sniffer
Social engineering
Phishing / pharming

The number of identity thefts is increasing dramatically!

Page 7

A major event in the world of strong authentication

12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues its guidance "Authentication in an Internet Banking Environment"

"Single-factor authentication" alone is inadequate for web financial applications (high-risk transactions)

Financial institutions were expected to have a strong authentication system in place by the end of 2006

http://www.ffiec.gov/press/pr101205.htm

And the PCI DSS standard: two-factor authentication is mandatory for remote access to the network (Requirement 8.3)

And now European regulation: the Payment Services Directive (2007/64/EC) for banks

Also relevant: social networks, open source

Page 8

Definition of strong authentication

Strong Authentication on Wikipedia

Page 9

«Digital identity is the cornerstone of trust»

More information on the subject

Page 10

Strong Authentication

A new paradigm!

Page 11

Which strong authentication technology? (legacy tokens, …)


Page 13

Figure: comparison of token technologies (columns: OTP, PKI (HW), Biometry*) against the properties strong authentication, encryption, digital signature, non-repudiation, and strong link with the user.

* Biometry of the fingerprint type

Page 14

Strong Authentication with Biometry (Match-on-Card technology)

A reader: biometric smart card reader
A card with chip: Match-on-Card (MOC) technology, crypto processor
Interfaces: PC/SC, PKCS#11, X.509 digital certificate

Page 15

The authentication server must be token-agnostic

Page 16

New Standards & Open Source

Page 17

Technologies accessible to everyone

Based on standards: Open Authentication (OATH)

OATH authentication algorithms:
HOTP (HMAC-based, event/counter-based)
OCRA (challenge/response)
TOTP (time-based)
OATH Token Identifier Specification

Open solutions: Mobile One Time Passwords, strong two-factor authentication with mobile phones
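As an added example (not code from the talk), HOTP and TOTP as specified in RFC 4226 and RFC 6238 (TOTP was still an OATH draft in October 2010), together with the logic an authentication server needs around them: a look-ahead window for counter resynchronisation, constant-time comparison of the submitted code, and replay protection so a sniffed or keylogged code cannot be reused. The secret is the reference secret from the RFC test vectors, not a real one.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) in pure Python, with the
server-side verification an authentication server needs: a
resynchronisation window, constant-time comparison and replay protection.
Added example, not code from the talk; the test vectors are the published
ones from the RFCs (ASCII secret "12345678901234567890")."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (20 ASCII bytes), used only for the demo.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since t0."""
    return hotp(secret, (unix_time - t0) // step, digits, algo)


class HotpVerifier:
    """Server-side state for one event-based token: the shared secret and the
    next counter value the server expects.  The token may have been pressed
    without the code reaching the server, so the server searches a look-ahead
    window and then moves its counter past the accepted value."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 10):
        self.secret = secret
        self.counter = counter      # next expected counter
        self.window = window        # how far ahead the server resynchronises

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1    # burn this and all skipped counters: no replay
                return True
        return False


class TotpVerifier:
    """Server-side state for one time-based token.  skew is the number of
    time steps of clock drift tolerated either side of 'now'; a step is
    accepted at most once, so a sniffed code cannot be replayed within
    its validity window."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.digits = digits
        self.last_step = -1         # highest time step already accepted

    def verify(self, code: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // self.step
        for t in range(current - self.skew, current + self.skew + 1):
            if t <= self.last_step:             # already used (or older): replay
                continue
            if hmac.compare_digest(totp(self.secret, t * self.step, self.step, self.digits), code):
                self.last_step = t
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0..2:", [hotp(RFC_SECRET, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))
```

The RFC vectors (HOTP counter 0 gives 755224; TOTP at Unix time 59 with 8 digits gives 94287082) check that the truncation step is right. Note that the server, not the token, decides the window and the replay rule: a large HOTP look-ahead window or a TOTP verifier that accepts the same step twice turns a one-time password back into a reusable one.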

Page 18

Integration with web applications

Page 19

Web applications: basic authentication model

Page 20

Web application: strong authentication model

Page 21

"Shielding" approach: perimeter authentication

Page 22

Module/Agent-based approach

Page 23

API/SDK based approach

Page 24

SSL PKI: how does it work?

Figure: SSL/TLS mutual authentication. Alice presents her client certificate to the web server; the web server sends an OCSP request to the Validation Authority, which answers valid, invalid or unknown.

Page 25

Federated identities: a changing paradigm in authentication

Page 26

Identity federation approach, a change of paradigm: using an IdP for authentication and strong authentication

Figure: Web App X and Web App Y both delegate authentication to one Identity Provider.

Page 27

SECTION 1: SAML
> What is it?
> How does it work?

Page 28

Using SAML for Authentication and Strong Authentication

(Assertion Consumer Service)

Page 29

SAML – What is it?

SAML (Security Assertion Markup Language):
> Defined by OASIS
> Well and academically designed specification
> Uses XML syntax
> Used for authentication and authorization

> SAML Assertions > Statements: Authentication, Attribute, Authorization Decision
> SAML Protocols > Queries: Authentication Request, Artifact Resolution, Name Identifier Mapping, etc.
> SAML Bindings > SOAP, Reverse-SOAP (PAOS), HTTP Redirect, HTTP POST, HTTP Artifact
> SAML Profiles > Web Browser SSO Profile, Identity Provider Discovery Profile, Assertion Query/Request Profile, Attribute Profiles

Page 30

SAML – How does it work?

Figure: Web Browser SSO between the user (Hans Muster), the enabled service (e.g. Google Apps for Business) and the Identity Provider (e.g. clavid.ch); the numbered steps 1 to 6 of the exchange appear only in the diagram.

Page 31

Example with HTTP POST Binding

Figure: participants are the user's browser, the SAML-ready web app (Service Provider: AuthN, ACS, Resource) and the IDP (MC) with its Single Sign-On Service.
1. Browser: access resource at the SP
2. SP authentication handler (AuthN)
3. <AuthnRequest>, 302 redirect to the IdP
4. <AuthnRequest> delivered to the IdP Single Sign-On Service
5a. Credential challenge (token + PIN)
5b. User login
6. <Response> returned in an HTML form
7. POST <Response> to the SP's Assertion Consumer Service (ACS)
8. Resource delivered

Page 32

SAML AuthN & ACS integration in Web Application

Figure: the SAML-ready web app is the Service Provider (SP) for the digital identity (principal). The AuthN and ACS components can be placed in one of three tiers: 1A web server (1/3), 1B application server (2/3), 1C back end (3/3).
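As an added example (not code from the talk), the checks the SP's Assertion Consumer Service should run on the <Response> POSTed in step 7 before it releases the resource in step 8, in Python 3 with the standard library only. It assumes the XML signature on the Response/Assertion has already been verified with an XML-DSig library such as xmlsec against the IdP certificate from its metadata (signature verification is outside this example); the entity IDs, URLs and the sample Response are constructed for the example. The AuthnContextClassRef check is how an SP enforces "strong authentication" through SAML: the IdP asserts how the user authenticated, and the SP accepts only the OTP and PKI contexts.

```python
"""ACS-side validation of a SAML 2.0 <Response> received over the HTTP
POST binding.  Assumes the XML signature has already been verified with
an XML-DSig library (e.g. xmlsec) against the IdP certificate from its
metadata; these are the checks that remain once the signature is good.
SP/IdP identifiers and the sample Response are constructed for the demo."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"          # AuthnContext class prefix
PASSWORD_CTX = AC + "PasswordProtectedTransport"
STRONG_CONTEXTS = {AC + "TimeSyncToken", AC + "SmartcardPKI", AC + "X509"}  # SP policy

# Hypothetical SP configuration.
SP_ENTITY_ID = "https://sp.example.org/metadata"
ACS_URL = "https://sp.example.org/acs"
TRUSTED_IDP = "https://idp.example.org/metadata"
CLOCK_SKEW = timedelta(seconds=60)

def _ts(value):
    """SAML timestamps are UTC, e.g. 2010-10-07T14:00:05Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(saml_response_b64, outstanding_requests, now):
    """Validate the base64 'SAMLResponse' form field (step 7).  outstanding_requests
    holds the IDs of <AuthnRequest>s this SP issued (step 3) and has not consumed.
    Returns (NameID, AuthnContextClassRef) or raises ValueError."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not this ACS")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_requests:   # IdP-initiated SSO needs its own policy
        raise ValueError("unsolicited or replayed Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise ValueError("Assertion Issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now + CLOCK_SKEW < _ts(not_before)) or \
            not_on_or_after is None or now - CLOCK_SKEW >= _ts(not_on_or_after):
        raise ValueError("Assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Assertion not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL
            or scd.get("InResponseTo") != in_response_to
            or now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer SubjectConfirmationData rejected")
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if ctx not in STRONG_CONTEXTS:
        raise ValueError("authentication context too weak: %s" % ctx)
    outstanding_requests.discard(in_response_to)     # one Response per AuthnRequest
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), ctx

def acs_decision(saml_response_b64, outstanding_requests, now):
    """('accept', name_id, ctx) or ('reject', reason)."""
    try:
        return ("accept",) + validate_response(saml_response_b64, outstanding_requests, now)
    except ValueError as exc:
        return ("reject", str(exc))

# Constructed, unsigned sample Response, as the IdP would embed it in the HTML form (step 6).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2010-10-07T14:00:05Z" Destination="https://sp.example.org/acs" InResponseTo="{request_id}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-10-07T14:00:05Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>hans.muster@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"
          NotOnOrAfter="2010-10-07T14:05:00Z" InResponseTo="{request_id}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2010-10-07T13:59:00Z" NotOnOrAfter="2010-10-07T14:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2010-10-07T14:00:00Z"><saml:AuthnContext>
      <saml:AuthnContextClassRef>{context}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

def sample_response(context=AC + "TimeSyncToken", issuer=TRUSTED_IDP,
                    audience=SP_ENTITY_ID, request_id="_req1"):
    xml = SAMPLE_XML.format(context=context, issuer=issuer, audience=audience, request_id=request_id)
    return base64.b64encode(xml.encode()).decode()

NOW = datetime(2010, 10, 7, 14, 0, 10, tzinfo=timezone.utc)   # 5 s after IssueInstant
```

The order matters: InResponseTo is consumed only after every other check passes, so a rejected Response does not burn the outstanding request, while an accepted one can never be POSTed a second time. An SP that skips the Audience or Recipient checks accepts an assertion the IdP issued for a different SP; one that skips the AuthnContext check has no way to tell a password login from a token login, which defeats the point of routing strong authentication through the IdP.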

Page 33

SECTION 2: OpenID
> What is it?
> How does it work?
> How to integrate?

Page 34

OpenID - What is it?

> Internet Single Sign-On
> Relatively simple protocol
> User-centric identity management
> Internet scalable
> Free choice of identity provider
> No license fee
> Independent of identification methods
> Non-profit organization

Page 35

OpenID - How does it work?

Figure: the user Hans Muster, an enabled service and an Identity Provider (e.g. clavid.com); the user's identity URL is https://hans.muster.clavid.com
1. User enters OpenID
2. Discovery (of the identity URL https://hans.muster.clavid.com)
3. Authentication
4. Approval
4a. Change attributes
5. Send attributes
6. Validation

Page 36

IdP architecture: Authentication Server

Page 37

Figure: IDP-AS architecture. The SAML-ready web app (Service Provider: AuthN and ACS, in the web server (1/3), app server (2/3) or back end (3/3)) talks to the IDP-AS (Identity Provider / Authentication Server) through one unique, agnostic, easy interface (SAML). Behind that interface the IDP-AS handles the authentication tokens (OTP, PKI, biometrics, password), the frontend and backend protocols (SAML v2, SAML v1, OpenID, RADIUS, etc.) and federation with Facebook, Google, OpenID, other IdPs, an internal Active Directory, etc.


Page 39

Conclusion #1

The authentication server needs to be agnostic to any token
• Support open standards

Identity federation: a change of paradigm for authentication
• Not only for federation or Web SSO
• SAML and OpenID can carry all authentication technologies
• Develop only one authentication interface for all web applications

Page 40

Conclusion #2

Users can choose their strong authentication token
• User friendly and reduces costs

New standards and open source solutions
• OTP software tokens are now free
• Strong authentication for social networks (OpenID IdP & strong authentication)

Think about web application security
• OWASP - Application Security Verification Standard Project
• OWASP - Best Practices: Use of Web Application Firewalls
• 2010 CWE/SANS - Top 25 Most Dangerous Software Errors

Page 41

Some links to go deeper into the subject

MARET Consulting http://maret-consulting.ch/

La Citadelle Electronique (the blog on digital identities) http://www.citadelle-electronique.net/

Articles in Banque & Finance:
"Usurper une identité? Impossible avec la biométrie!" (Stealing an identity? Impossible with biometrics!) http://www.banque-finance.ch/numeros/88/59.pdf
"Biométrie et Mobilité" (Biometrics and Mobility) http://www.banque-finance.ch/numeros/97/62.pdf

Public presentations:
OSSIR Paris 2009: Lessons learned from a large-scale biometrics deployment http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf
ISACA, Clusis: Access to information: roles and responsibilities http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-de28099authentification-forte.pdf

Page 42

"Consulting and expertise for the selection and implementation of innovative technologies in information systems security and digital identity"
