the authentication jungle
play

The Authentication Jungle An overview of all sorts of authentication - PowerPoint PPT Presentation

Dec 13, 2022 •383 likes •1.28k views

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

  1. The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de

  2. New authentication standards ... 2

  3. Some authentication technologies ... 3

  4. - Authentication theory - “Simple” authentication schemes - Centralized authentication schemes - Federated authentication schemes - Conclusion Karol Babioch Security Engineer kbabioch@suse.de

  5. Authentication theory Karol Babioch Security Engineer kbabioch@suse.de

  6. What is authentication? “[…] the act of confirming the truth of an attribute of a single piece of data [...]” (Wikipedia) In our context: Mostly concerned about user authentication → Who am I communicating with? 6

  7. Attributes for authentication ● Something you know ● Secrets (Password, PIN, code, etc.) ● Something you have ● Physical keys ● Hardware tokens (Smart card, YubiKey, etc.) → Should be difficult to clone ● Something you are ● Fingerprint ● Iris ● Face recognition 7

  8. Challenges for authentication technologies - Security – Resiliency to guessing (brute force, online, offline) – Resiliency to phishing – Resiliency to theft – Resiliency to physical observation – Resiliency to internal observation – No trusted third parties – Explicit user-consent – Unlinkability - Usability – Memorywise effortless – Scalable for users – Nothing to carry – Easy recovery from loss - Deployability – Cost per user – Server compatible – Browser compatible – Maturity – Non proprietary 8

  9. Authentication vs. Authorization Authentication (AuthN, A1, Au) → Who am I communicating with? Authorization (AuthZ, AuthR, A2, Az) → What am I allowed to do? → Most of the time: Tightly coupled 9

  10. “Simple” authentication schemes Karol Babioch Security Engineer kbabioch@suse.de

  11. Passwords Karol Babioch Security Engineer kbabioch@suse.de

  12. Password-based logins ● Apparently simple to use ● Apparently easy to implement (“string compare”) ● Universal across all domains/contexts ● Recommendations & best practices (NIST, etc.) 12

  13. Problems with passwords ● Weak passwords ● Re-usage across different domains/contexts ● Phishing ● Static ● Breaches ● User’s responsibility ● Chocolate study ● Easy to remember = Easy to guess 13

  14. Experts get it wrong • NIST Special Publication 800-63. Appendix A ● Originally from 2003 ● Based on no real data (not available) ● Expiration after x days ● No re-usage of last x passwords ● Different character classes: Special character, numbers, big and small caps ● Example: P@ssW0rd123! →Users still choose easy-to-guess passwords – Less entropy than expected – Regular changes bad idea • Stolen credentials are used right away (not after x days) • weak passwords • Workaround: password1 → password2 → password3 → password1 14

  15. Fun with password strength 15

  16. haveibeenpwned.com • One (of many) password databases based on dumps (> 500 million passwords) • Search for your account in existing dumps • Notify when account appears in new dumps • API / datasets for querying passwords (k-anonymity) • Should be checked during account creation / password change 16

  17. Mitigations • Pro-active password checks during account creation and password changes • Re-active leak monitoring (i.e. haveibeenpwned.com): – Single accounts – Whole domain • Use and encourage password manager • No annoying limitations for passwords • Multifactor authentication • Other authentication schemes – Single-Sign-On & Federation 17

  18. Crypto 101 Karol Babioch Security Engineer kbabioch@suse.de

  19. Crypto 101: Cryptographic hash functions • Returns a (fixed-size) output (“hash-value”) for any input – Easy to calculate the hash value value for any given data – Computationally difficult to calculate an input with a given hash value – Unlikely that two (slightly) different messages have the same hash value • H(message) → output • Examples – SHA1 (e.g. git) – SHA2 (256, 384, 512) – SHA3 – MD5 – MD4 • Use cases – Message integrity – Digital signatures – Authentication 19

  20. Crypto 101: Cryptographic hash functions 20

  21. Crypto 101: HMAC • Hash-based message authentication code • Defined in RFC2104 • Any cryptographic hash function can be used • HMAC(secret, message) → output [hash] • Examples – HMAC-MD5 – HMAC-SHA256 – HMAC-SHA3 • Use cases – data integrity – authentication 21

  22. Multifactor authentication Karol Babioch Security Engineer kbabioch@suse.de

  23. Multifactor authentication to the rescue ● Basic idea: Use multiple factors for authentication (passwords is not sufficient) ● 2FA = Two-factor authentication ● MFA = Multi-factor authentication ● Examples: ● One-Time passwords (OTP) ● Chip & TAN ● password & certificate (OpenVPN, etc.) • Different channels: – SMS – Smart card (chipTAN) – (Smartphone) apps – Different devices (Notifications from Google on Android, etc.) – Hardware tokens (RSA SecurID, YubiKey, U2F, etc.) 23

  24. twofactorauth.org 24

  25. OATH: TOTP & HOTP ● Standardized by OATH (!= OAuth) ● Many software implementations & hardware tokens ● Requires initial setup to establish shared secret between provider and user ● e.g. QR code ● TOTP: Time-based OTP ● Code: HMAC(sharedSecret, timestamp) ● HOTP: Event-based OTP ● Code: HMAC(sharedSecret, counter) 25

  26. Soft-token implementations otpauth://totp/label?secret=secret&issuer=issuer 26

  27. Hardware OTP tokens ● Shared secret is stored in hardware → Cannot be duplicated ● Requires enrollment process ● More on hardware tokens → second talk 27

  28. Yubico OTP ● Hardware token with USB interface ● Emulating USB keyboard ● Multiple slots ● Short push (~ 0.5 sec) ● Long push (~ 2 sec) ● Push button → User consent ● Supports OATH ● HOTP ● TOTP (requires software on host) ● Yubico OTP ● Many other modes of operation → second talk 28

  29. Yubico OTP explanation 29

  30. Problems with multifactor authentication ● Based on shared secret → Still something to loose (data breach) ● Trusted third party (in case of RSA, Yubico OTP, etc.) ● Broken fallback routines / recovery processes ● Inconvenient (i.e. smartphone not available, etc.) ● No inherent MitM protection (active attacks, phishing, session hijacking) ● Scales badly ● Requires setup for each service ● Requires dedicated key / slot for each service ● Cost per device 30

  31. Crypto 101 Karol Babioch Security Engineer kbabioch@suse.de

  32. Crypto 101: Symmetric cryptography • Encryption and decryption are using the same secret (key) • Examples: – AES – DES, 3DES – Blowfish – Twofish – RC4 • Block cipher modes: – ECB – CBC – OFB – XTS 32

  33. Crypto 101: Asymmetric Cryptography • Two keys (referred to as a key pair) – Public – Private • Examples: – RSA – DH (Diffie Hellman) – ECC (Elliptic Curve Cryptography) • Use cases – Encryption – Authentication – Key agreement – Signatures – Verification • Challenge : Key exchange, authenticity of public keys 33

  34. Crypto 101: Asymmetric Cryptography 34

  35. SSL/TLS (X509) Karol Babioch Security Engineer kbabioch@suse.de

  36. SSL/TLS basics • Prevalent throughout the Internet • Can basically be used with all protocols (https, ldaps, imaps, etc.) • Provides confidentiality, integrity, authentication • Mostly: One-way authentication (Browser) • Chain of trust: Certificate authority (CA) →… (intermediate CA) … → certificate • PKI: Public-key infrastructure • Interesting to us: Client certificates – Can be offloaded to hardware → Second talk 36

  37. SSL/TLS handshake 37

  38. Server certificates 38

  39. Client certificates 39

  40. Certificates • Many attributes – Valid before – Valid after – Common name – Public key – Issuer – ... • Binding between key pair and an identity 40

  41. Problems with SSL/TLS • General SSL/TLS criticism – Trusted Third Party → Every CA can sign anything – Broken revocation – Key pinning challenging – etc., pp. • Specific to client certificates – Support for client certificates (applications, protocols, etc.) – Verification of client certificates – Handling certificates correctly is challenging – Roll your own CA? – Privacy concerns (→TLS 1.3?) 41

  42. OpenPGP Karol Babioch Security Engineer kbabioch@suse.de

  43. OpenPGP basics • RFC 4880 • Most widely used implementation: GnuPG (gpg) • Allows – Encryption – Signatures / Verification – Authentication • Decentral approach (“web of trust”) – Everybody can create key pairs – Distribution via keyservers – Authentication via keysigning 43

  44. OpenPGP example 44

  45. OpenPGP problems (1) 45

Recommend

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
What is Jungle Beat? Remember when kids were kids and

What is Jungle Beat? Remember when kids were kids and

What is Jungle Beat? Remember when kids were kids and playing meant grass burns, bare feet and muddy faces? Jungle Beat is a fun,

722 views • 39 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Finding your way through the QEMU parameter jungle 2018-02-04 Thomas Huth

Finding your way through the QEMU parameter jungle 2018-02-04 Thomas Huth

Finding your way through the QEMU parameter jungle 2018-02-04 Thomas Huth <thuth@redhat.com> Legal Disclaimer: Opinions are my own and not necessarily the views of my employer Jungle Leaves background license: CC BY 3.0 US

492 views • 28 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
(Towards) Jungle Computing with Ibis Frank J. Seinstra, Jason Maassen, Niels Drost Computer

(Towards) Jungle Computing with Ibis Frank J. Seinstra, Jason Maassen, Niels Drost Computer

(Towards) Jungle Computing with Ibis Frank J. Seinstra, Jason Maassen, Niels Drost Computer Systems Group Department of Computer Science VU University, Amsterdam, The Netherlands Jungle Computing (ComplexHPC) Worst case computing as

522 views • 24 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication overview Current state of Authentication The future of authentication MY JOURNEY 2012-2015 2004-2011 2015-Present 1998-2004 Staff at MIT

453 views • 34 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
The Jungle Universe About scales and physics in the cosmos Simon Portegies Zwart Sterrewacht

The Jungle Universe About scales and physics in the cosmos Simon Portegies Zwart Sterrewacht

The Jungle Universe About scales and physics in the cosmos Simon Portegies Zwart Sterrewacht Leiden Observation of the early universe (WMAP) Abel1689 Stephen's quintuplet The universe is multi-physics The universe is multi-scale Jungle

578 views • 44 slides
Original Concept Anne Quenton Reinterpretation of the Jungle Book Post-apocalyptic universe

Original Concept Anne Quenton Reinterpretation of the Jungle Book Post-apocalyptic universe

Original Concept Anne Quenton Reinterpretation of the Jungle Book Post-apocalyptic universe Humanod animals Original Concept Original Concept Interest The Jungle Book: part of the popular culture Offer an accessible and effective game

493 views • 30 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab

The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab

The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab The Jungle Ecosystem Googles protection Threats Risks Survival Network Data protection (encryption) App/device

888 views • 45 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
e-authentication Practices: A road to global implementation of e-authentication for

e-authentication Practices: A road to global implementation of e-authentication for

Market-driven e-authentication Practices: A road to global implementation of e-authentication for cross-bordered trade document Mr. Wanawit Ahkuputra Deputy Executive Director of ETDA Thailand HOD and AFACT chair. Building Soft

533 views • 13 slides

More recommend