SlideShare a Scribd company logo

Stronger/Multi-factor Authentication for Enterprise Applications

Ramesh Nagappan
Ramesh Nagappan
Technology
1 of 25
Download to read offline
Stronger / Multi-factor Authentication For Enterprise Applications (Identity Assurance using PKI, Smart cards and Biometrics) Sun Virtualization Solutions Presented to OWASP Seminar, Hartford (Feb 10, 2009) Ramesh Nagappan Sun Microsystems, Burlington, MA http://www.coresecuritypatterns.com/blogs
Agenda ● The Identity Dilemma ● Identity Assurance vs. Stronger Security ● Multi-factor Authentication Strategies ➢ OTPs, Smartcards, PKI and Biometrics ➢ Choosing the credential: Pros and Cons ● Understanding Real-world Implementation ➢ Tools of the Trade ➢ Role of JAAS ● Role of Sun OpenSSO Enterprise ● Architecture and Deployment ● Demonstration ➢ Multi-factor SSO with PKI, Smart cards and Biometrics. ● Q&A
Who am I ? • A technical guy from Sun Microsystems, Burlington, MA. > Focused on Security and Identity Management technologies • Co-Author of 5 technology books and numerous articles on Java EE, XML Web Services and Security. • Holds CISSP and CISA. • Contributes to Java, XML security, Biometrics, Smart cards standards and open-source initiatives. • Contributes to Graduate curriculum of Information Security programs at multiple universities. • Ph.D drop-out. • Read my blogs at http://www.coresecuritypatterns.com/blogs • Write to me at nramesh@post.harvard.edu
The Identity Dilemma : Who Are You ? • Internet is a faceless channel of interaction. > No mechanisms for physically verify a person – who is accessing your resources. • Identifying the legitimate user has become crucial. > With higher strength of authentication and security. > Mandates mechanisms driven by human recognition characteristics. > Growing trends on on-demand SaaS, Cloud computing infrastructures. > Everyone is concerned about their Cartoon by Peter Steiner. The New Yorker, July 5, 1993 issue (Vol.69 (LXIX) no. 20) page 61 private information and privacy.
How do I know..it's you ? • Identity thefts and on-line frauds: The fastest growing crime in the world. > Someone wrongfully obtains or abuses another person's identity – for economic or personal gain. > Impersonation, Counterfeits, stolen or forged credentials (PINs, Passwords, ID cards), Phishing are widely becoming common. > Most frauds happens through trusted insiders. > Fake credentials are everywhere : Few detected and many undetected ! • Identity thefts results huge losses to organizations. > Loss of consumer confidence and leading to incur huge government penalties. > Growing needs for stringent “Personal Identity Verification and Assurance” (i.e HSPD-12, ICAO 9303). > Growing mandates for protecting Identity information and compliance (i.e. Massachusetts 201 CMR 17.00)
Growing need for Identity Assurance • High degree of authentication and assurance is the most critical requirement for physical and logical access control. • Acquire Identity credentials that tightly binds an event to a person's proof of possessions, physiological characteristics and behavioural traits. > Identification and authentication as equivalent to Face-to-Face verification of a person. > Credentials must provide at-least some long-term stability. > Credentials should be non-intrusive but still qualitatively and quantitatively measured. > Integrate/Interoperable with physical and logical infrastructures for assured identity verification. > Support for pervasive use (On-demand SaaS and Cloud-computing based application infrastructures) for authenticating a person with irrefutable proof . > Lesser impact on privacy and social values.
Human Factors of Identity Assurance Human attributes as Identity Assurance Credentials • Proof-of-Knowledge > Something I know ? > Passwords, PIN, Mom's Maiden Name, Phone #, etc. • Proof-of-Possession > Something I have ? > Smartcards, Tokens, Driver's license, PKI certificates • Proof-of-Characteristics > Something I physiologically or behaviorally own ? > Fingerprints, Hand geometry, Facial image, Iris, Retina, DNA, voice, signature patterns > Proof-of-Physical Presence
Security Levels vs. Identity Assurance Courtesy: Randy Vanderhoof, Smartcard Alliance
Strong Authentication Strategies • Authentication Questions • HTTP/s Request/Response attributes • Hardware/Software Token based One-time Passwords (OTP) • Hardware/Software Token based Challenge/Response OTP • Phone call based OTP • SMS based OTP • PKI Certificate • USB Tokens/Smart cards (PIN and PKI Certificates) • Biometrics (Fingerprints) • USB Token/Smart cards (PKI and Match-on-card Biometrics).
One-Time Passwords Hardware/Software Tokens • Generate one-time passwords > Mathematical problem or Crypto function or Random number generation > Challenge/Response Dynamic password, Asynchronous Password > Time synchronization between client & server. • Deliver Passwords > Proprietary devices, USB, Key fobs > SMS Messages, Email, Phone • Known issues > Vulnerable to MITM, Phishing attacks where Time-synchronization not effective. > DES key and Lost token issues • Standards: OAUTH (Open Authentication Initiative) One-Time Passwords : Alternative to static passwords
Smart cards w. PKI Smart cards Standards • A credit card sized computing device acts as a • ISO-7816 Cryptographic token. • Java Card, Multos > Contact / Contactless cards • Global Platform • Allows perforning security functions > Key generation • PC/SC > Public/Private key operations • FIPS-201/PIV, CAC > PIN/Biometric authentication • PKCS#11, PKCS#15 > Challenge/response authentication • GSM/PCS • Supports the use of Public-key infrastructure to verify • EMV the Identity claim. (Europay/Mastercard/Visa) > PKI credential issuance. > Credential validation/verification via OCSP, CRLs • Defends against tampering and hacking. > PKI/Private key protection • Issues: Lost cards, Key compromise recovery is difficult. Smart cards as a Cryptographic Token
Biometric Assurance Biometric Identity Standards • Use of Physiological or Behavioral characteristics to • INCITS 378 / CBEFF (Fingerprints) identify a person. • INCITS 379 (Iris) > High degree of assurance with proof of presence. > Fingerprints, Facial image/geometry, Iris, Retina, • OASIS BIAS Voice, Hand geometry, Keystroke, Signature • BioAPI • Biometric templates can be stored on Smart card for • JavaCard BioAPI personal identification. • FIPS-201 / PIV > Fingerprint template is ~200 bytes > Iris template is 500 bytes • Biometric credential must be exchanged in a secure network channel (Trusted path) • Issues: > Biometrics is not a secret > False Acceptance (FAR) & False Reject (FRR) rates > Vulnerable to Message replay/MITM attacks, if not exchanged in secure channel. Biometric Assurance : Who I claim to be
Real-world Scenario : Authentication Identity Assurance Credentials Authentication  User name, password Server / Directory  One-time Passwords  Smart Card (PKI Certificates) Enterprise  Biometrics Applications Validate  Good  Bad Ideally, credentials are: something you know + something you have + something you are
Real World Scenario : SSO / Federation IDP/SSO Server + Directory Application A Multi-factor Identity Credentials (e.g. username/password, 1. Application B Smartcard PKI, Biometrics) 2. 3. SSO Token  SAML  Artifact Acquire  Proprietary token Credentials  Kerberos ticket  etc
Tools of the Trade : What do you need ? Multi-factor Authentication for Enterprise Applications • Web Authentication > JAAS Login Module • Desktop Authentication > PAM Module (Solaris, Linux) > GINA (Windows XP, 2003) • Identity Provider Infrastructure (IDP) > Single Sign-on (SSO) > Multi-factor authentication • Directory Server > Repository for user accounts • Your target applications
Tools of the Trade : From Authentication Providers Multi-factor Authentication for Enterprise Applications • Browser Plugin > PKCS#11 Client for Smartcard > ActiveX/Java Plugin for USB Biometric Scanners • Enrollment Middleware > Biometric Enrollment, Smartcard/Token Credential Issuance/Management > One-time Password (Token) registration/issuance • Authentication Middleware > Biometric Authentication, One-time password authentication > PKI Credential validation via OCSP, CRL, Directory, Certificate Authority
Java Authentication Authorization Service (JAAS) • JAAS plays a vital role delivering Multi-factor authentication. > All Java EE compliant Application server provide support for JAAS. • JAAS allows to enable Multi-factor authentication in Java EE Enterprise environment. > Facilitates pluggable authentication providers as “Login Modules”. > Ensure Java EE remain independent of authentication providers. • Implementing a Login module is not cumbersome.. > Callback handler – Prompt the user for acquiring credentials > Login (), commit (), Logout () • Choose your own JAAS based Identity Provider Infrastructure ? > Get introduced to Sun OpenSSO
Sun OpenSSO Enterprise • Identity Services Infrastructure facilitates Single Sign-On (SSO) for Web applications residing within an enterprise or across networks. • Based on Sun's Open-source initiative. • Open standards based framework supports centralized authentication, authorization and auditing. > JAAS based authentication services > Agent-based and XACML based policy enforcement > Identity-enabled XML Web services for AuthN, AuthX, Audit and Provisioning > Identity Federation Protocols support include SAMLv2, ID-*, WS-Federation,WS- Policy) > XML Web Services Security (WS-Security, WS-Trust, WS-I Basic Security Profile) > Multi-factor authentication via chaining > Centralized configuration, logging and auditing services > Supports multiple Java EE application servers and Web containers > Fedlets • Deployed as a Web application (single WAR file)
Multi-factor Authentication and Session Upgrade OpenSSO Authentication Chain and Session upgrade thru’ AuthN • OpenSSO facilitates stronger/ multi-factor authentication through authentication chain including multiple authentication providers. > Enables an authentication process where an user must pass credentials to one or more authentication modules before session validation. > Session validation is determined based on the JAAS control flag (Required, Requisite, Sufficient, Optional) configured to the authentication module instance chain. > The overall authentication success or failure is determined based on the control flag assigned to each module in the authentication stack. > OpenSSO is tested and verified to provide multi-factor authentication chain that include BiObex Login, Smartcard/PKI and other OpenSSO supported authentication providers. • Session Upgrade allows upgrading a valid session based on a successful “second-factor authentication” performed by the same user. > Allows user authenticate to access second resource under the same or different realm > If authentication is successful - OpenSSO updates the session based on the second- level authentication. If authentication fails, the current session will be maintained.
OpenSSO Policy Agents Authorization and Policy Enforcement • Policies are managed by Policy Configuration Service in OpenSSO. > Policy service authorizes a use based on the policies stored in OpenSSO. > Policy consists of Rules, Subjects, Conditions and Response providers. • OpenSSO Policy Agents enforce policy and Policy decisions on protected resources. > Intercepts the requests from user clients and applications and redirects them to OpenSSO server for authentication – If no SSO token exists. > Once authenticated, the policy agent communicates with OpenSSO Policy service to grant/deny access to the user based on policy evaluation.
Multi-factor Authentication w. Biometrics
Multi-factor Authentication Smartcard/PIN/PKI and Biometrics
Deployment Architecture
Participate in OpenSSO Community ! • Join 700 project members at opensso.org Join Download Sign up at OpenSSO opensso.org Enterprise 8 Subscribe Chat OpenSSO Mailing #opensso Lists on freenode.net dev, users, announce Sun Confidential: Partners and Customers NDA/CDA only
Demonstration... Thank You Sun Virtualization Solutions Ramesh Nagappan Sun Microsystems, Burlington, MA http://www.coresecuritypatterns.com/blogs

Recommended

HSM超入門講座
HSM超入門講座HSM超入門講座
HSM超入門講座
Hiroshi Nakamura
 
FAPI 最新情報 - OpenID BizDay #15
FAPI 最新情報 - OpenID BizDay #15FAPI 最新情報 - OpenID BizDay #15
FAPI 最新情報 - OpenID BizDay #15
OpenID Foundation Japan
 
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Jun Kurihara
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorization
Frank Victory
 
HSM用ミドルウェア Conduit Toolkitの概要と使い方
HSM用ミドルウェア Conduit Toolkitの概要と使い方HSM用ミドルウェア Conduit Toolkitの概要と使い方
HSM用ミドルウェア Conduit Toolkitの概要と使い方
Hiroshi Nakamura
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA Implementation
Ahmad El Tawil
 
BadUSB, and what you should do about it
BadUSB, and what you should do about itBadUSB, and what you should do about it
BadUSB, and what you should do about it
robertfisk
 
3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication
Fortytwo
 

Recommended

HSM超入門講座
HSM超入門講座HSM超入門講座
HSM超入門講座
Hiroshi Nakamura
 
FAPI 最新情報 - OpenID BizDay #15
FAPI 最新情報 - OpenID BizDay #15FAPI 最新情報 - OpenID BizDay #15
FAPI 最新情報 - OpenID BizDay #15
OpenID Foundation Japan
 
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Modern Authentication -- FIDO2 Web Authentication (WebAuthn) を学ぶ --
Jun Kurihara
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorization
Frank Victory
 
HSM用ミドルウェア Conduit Toolkitの概要と使い方
HSM用ミドルウェア Conduit Toolkitの概要と使い方HSM用ミドルウェア Conduit Toolkitの概要と使い方
HSM用ミドルウェア Conduit Toolkitの概要と使い方
Hiroshi Nakamura
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA Implementation
Ahmad El Tawil
 
BadUSB, and what you should do about it
BadUSB, and what you should do about itBadUSB, and what you should do about it
BadUSB, and what you should do about it
robertfisk
 
3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication
Fortytwo
 
Pci express modi
Pci express modiPci express modi
Pci express modi
proma_goswami
 
FIDO U2F Specifications: Overview & Tutorial
FIDO U2F Specifications: Overview & TutorialFIDO U2F Specifications: Overview & Tutorial
FIDO U2F Specifications: Overview & Tutorial
FIDO Alliance
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4hackers.com
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
IDaaS を正しく活用するための認証基盤設計
IDaaS を正しく活用するための認証基盤設計IDaaS を正しく活用するための認証基盤設計
IDaaS を正しく活用するための認証基盤設計
Trainocate Japan, Ltd.
 
FIDOのキホン
FIDOのキホンFIDOのキホン
FIDOのキホン
Yahoo!デベロッパーネットワーク
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
Benjamin Delpy
 
BAD USB 2.0
BAD USB 2.0BAD USB 2.0
BAD USB 2.0
Pradhap M
 
【de:code 2020】 Azure Bot Services を使って Teams bot を開発する
【de:code 2020】 Azure Bot Services を使って Teams bot を開発する【de:code 2020】 Azure Bot Services を使って Teams bot を開発する
【de:code 2020】 Azure Bot Services を使って Teams bot を開発する
日本マイクロソフト株式会社
 
PCI express
PCI expressPCI express
PCI express
sarangaprabod
 
PDSを実現するにあたっての技術動向の紹介 (OAuth, OpenID Connect, UMAなど)
PDSを実現するにあたっての技術動向の紹介 (OAuth, OpenID Connect, UMAなど)PDSを実現するにあたっての技術動向の紹介 (OAuth, OpenID Connect, UMAなど)
PDSを実現するにあたっての技術動向の紹介 (OAuth, OpenID Connect, UMAなど)
Tatsuo Kudo
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
FIDO Alliance
 
Integrity Protection for Embedded Systems
Integrity Protection for Embedded SystemsIntegrity Protection for Embedded Systems
Integrity Protection for Embedded Systems
Samsung Open Source Group
 
Fido認証概要説明
Fido認証概要説明Fido認証概要説明
Fido認証概要説明
FIDO Alliance
 
議題二:Web應用程式安全防護
議題二:Web應用程式安全防護議題二:Web應用程式安全防護
議題二:Web應用程式安全防護
Nicolas su
 
H4x0rs gonna hack
H4x0rs gonna hackH4x0rs gonna hack
H4x0rs gonna hack
Xchym Hiệp
 
Regular Expression Injection
Regular Expression InjectionRegular Expression Injection
Regular Expression Injection
NSConclave
 
これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用
Masaru Kurahayashi
 
EvilDuino
EvilDuinoEvilDuino
EvilDuino
Rashid feroz
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
FIDO Alliance
 
User Authentication for Government
User Authentication for GovernmentUser Authentication for Government
User Authentication for Government
Carahsoft
 
Identity Assertions Draftv5
Identity Assertions Draftv5Identity Assertions Draftv5
Identity Assertions Draftv5
Salvatore D'Agostino
 

More Related Content

What's hot

議題二:Web應用程式安全防護
議題二:Web應用程式安全防護議題二:Web應用程式安全防護
議題二:Web應用程式安全防護
Nicolas su
 
これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用
Masaru Kurahayashi
 

What's hot (20)

Pci express modi
Pci express modiPci express modi
Pci express modi
 
FIDO U2F Specifications: Overview & Tutorial
FIDO U2F Specifications: Overview & TutorialFIDO U2F Specifications: Overview & Tutorial
FIDO U2F Specifications: Overview & Tutorial
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
IDaaS を正しく活用するための認証基盤設計
IDaaS を正しく活用するための認証基盤設計IDaaS を正しく活用するための認証基盤設計
IDaaS を正しく活用するための認証基盤設計
 
FIDOのキホン
FIDOのキホンFIDOのキホン
FIDOのキホン
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
 
BAD USB 2.0
BAD USB 2.0BAD USB 2.0
BAD USB 2.0
 
【de:code 2020】 Azure Bot Services を使って Teams bot を開発する
【de:code 2020】 Azure Bot Services を使って Teams bot を開発する【de:code 2020】 Azure Bot Services を使って Teams bot を開発する
【de:code 2020】 Azure Bot Services を使って Teams bot を開発する
 
PCI express
PCI expressPCI express
PCI express
 
PDSを実現するにあたっての技術動向の紹介 (OAuth, OpenID Connect, UMAなど)
PDSを実現するにあたっての技術動向の紹介 (OAuth, OpenID Connect, UMAなど)PDSを実現するにあたっての技術動向の紹介 (OAuth, OpenID Connect, UMAなど)
PDSを実現するにあたっての技術動向の紹介 (OAuth, OpenID Connect, UMAなど)
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
 
Integrity Protection for Embedded Systems
Integrity Protection for Embedded SystemsIntegrity Protection for Embedded Systems
Integrity Protection for Embedded Systems
 
Fido認証概要説明
Fido認証概要説明Fido認証概要説明
Fido認証概要説明
 
議題二:Web應用程式安全防護
議題二:Web應用程式安全防護議題二:Web應用程式安全防護
議題二:Web應用程式安全防護
 
H4x0rs gonna hack
H4x0rs gonna hackH4x0rs gonna hack
H4x0rs gonna hack
 
Regular Expression Injection
Regular Expression InjectionRegular Expression Injection
Regular Expression Injection
 
これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用
 
EvilDuino
EvilDuinoEvilDuino
EvilDuino
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
 

Similar to Stronger/Multi-factor Authentication for Enterprise Applications

Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication Technologies
Nicholas Davis
 
Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologies
Nicholas Davis
 
FrontOne our new and different solutions
FrontOne our new and different solutionsFrontOne our new and different solutions
FrontOne our new and different solutions
frontone
 
Wayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonWayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan Richardson
Eduserv
 
Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01
Hai Nguyen
 
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Nicholas Davis
 
Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...
Nicholas Davis
 
Why and how to implement strong authentication on the web cartes 2010 - pat...
Why and how to implement strong authentication on the web cartes 2010 - pat...Why and how to implement strong authentication on the web cartes 2010 - pat...
Why and how to implement strong authentication on the web cartes 2010 - pat...
Keynectis
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card Platform
Ramesh Nagappan
 

Similar to Stronger/Multi-factor Authentication for Enterprise Applications (20)

User Authentication for Government
User Authentication for GovernmentUser Authentication for Government
User Authentication for Government
 
Identity Assertions Draftv5
Identity Assertions Draftv5Identity Assertions Draftv5
Identity Assertions Draftv5
 
Ynamono Hs Lecture
Ynamono Hs LectureYnamono Hs Lecture
Ynamono Hs Lecture
 
Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication Technologies
 
Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologies
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
 
Authentication.Next
Authentication.NextAuthentication.Next
Authentication.Next
 
FrontOne our new and different solutions
FrontOne our new and different solutionsFrontOne our new and different solutions
FrontOne our new and different solutions
 
Wayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonWayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan Richardson
 
E collaborationscottrea
E collaborationscottreaE collaborationscottrea
E collaborationscottrea
 
Biometrics and authentication webinar v3
Biometrics and authentication webinar v3Biometrics and authentication webinar v3
Biometrics and authentication webinar v3
 
Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01
 
#MFSummit2016 Secure: Mind the gap strengthening the information security model
#MFSummit2016 Secure: Mind the gap strengthening the information security model#MFSummit2016 Secure: Mind the gap strengthening the information security model
#MFSummit2016 Secure: Mind the gap strengthening the information security model
 
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
 
Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...
 
Why and how to implement strong authentication on the web cartes 2010 - pat...
Why and how to implement strong authentication on the web cartes 2010 - pat...Why and how to implement strong authentication on the web cartes 2010 - pat...
Why and how to implement strong authentication on the web cartes 2010 - pat...
 
Two factor authentication 2018
Two factor authentication 2018Two factor authentication 2018
Two factor authentication 2018
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card Platform
 
Authentication
AuthenticationAuthentication
Authentication
 
Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19
Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19
Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19
 

More from Ramesh Nagappan

High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...
Ramesh Nagappan
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Ramesh Nagappan
 
ICAM - Demo Architecture review
ICAM - Demo Architecture reviewICAM - Demo Architecture review
ICAM - Demo Architecture review
Ramesh Nagappan
 
PIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentPIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environment
Ramesh Nagappan
 
Java Platform Security Architecture
Java Platform Security ArchitectureJava Platform Security Architecture
Java Platform Security Architecture
Ramesh Nagappan
 
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlManaging PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Ramesh Nagappan
 
Stronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSOStronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSO
Ramesh Nagappan
 
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE SecurityWire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Ramesh Nagappan
 

More from Ramesh Nagappan (14)

Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical Overview
 
Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005
 
Interoperable Provisioning in a distributed world
Interoperable Provisioning in a distributed worldInteroperable Provisioning in a distributed world
Interoperable Provisioning in a distributed world
 
Secure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperClusterSecure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperCluster
 
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
 
High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...
 
High Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyHigh Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted Cryptography
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
 
ICAM - Demo Architecture review
ICAM - Demo Architecture reviewICAM - Demo Architecture review
ICAM - Demo Architecture review
 
PIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentPIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environment
 
Java Platform Security Architecture
Java Platform Security ArchitectureJava Platform Security Architecture
Java Platform Security Architecture
 
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlManaging PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
 
Stronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSOStronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSO
 
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE SecurityWire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
 

Recently uploaded

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Recently uploaded (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Stronger/Multi-factor Authentication for Enterprise Applications

  • 1. Stronger / Multi-factor Authentication For Enterprise Applications (Identity Assurance using PKI, Smart cards and Biometrics) Sun Virtualization Solutions Presented to OWASP Seminar, Hartford (Feb 10, 2009) Ramesh Nagappan Sun Microsystems, Burlington, MA http://www.coresecuritypatterns.com/blogs
  • 2. Agenda ● The Identity Dilemma ● Identity Assurance vs. Stronger Security ● Multi-factor Authentication Strategies ➢ OTPs, Smartcards, PKI and Biometrics ➢ Choosing the credential: Pros and Cons ● Understanding Real-world Implementation ➢ Tools of the Trade ➢ Role of JAAS ● Role of Sun OpenSSO Enterprise ● Architecture and Deployment ● Demonstration ➢ Multi-factor SSO with PKI, Smart cards and Biometrics. ● Q&A
  • 3. Who am I ? • A technical guy from Sun Microsystems, Burlington, MA. > Focused on Security and Identity Management technologies • Co-Author of 5 technology books and numerous articles on Java EE, XML Web Services and Security. • Holds CISSP and CISA. • Contributes to Java, XML security, Biometrics, Smart cards standards and open-source initiatives. • Contributes to Graduate curriculum of Information Security programs at multiple universities. • Ph.D drop-out. • Read my blogs at http://www.coresecuritypatterns.com/blogs • Write to me at nramesh@post.harvard.edu
  • 4. The Identity Dilemma : Who Are You ? • Internet is a faceless channel of interaction. > No mechanisms for physically verify a person – who is accessing your resources. • Identifying the legitimate user has become crucial. > With higher strength of authentication and security. > Mandates mechanisms driven by human recognition characteristics. > Growing trends on on-demand SaaS, Cloud computing infrastructures. > Everyone is concerned about their Cartoon by Peter Steiner. The New Yorker, July 5, 1993 issue (Vol.69 (LXIX) no. 20) page 61 private information and privacy.
  • 5. How do I know..it's you ? • Identity thefts and on-line frauds: The fastest growing crime in the world. > Someone wrongfully obtains or abuses another person's identity – for economic or personal gain. > Impersonation, Counterfeits, stolen or forged credentials (PINs, Passwords, ID cards), Phishing are widely becoming common. > Most frauds happens through trusted insiders. > Fake credentials are everywhere : Few detected and many undetected ! • Identity thefts results huge losses to organizations. > Loss of consumer confidence and leading to incur huge government penalties. > Growing needs for stringent “Personal Identity Verification and Assurance” (i.e HSPD-12, ICAO 9303). > Growing mandates for protecting Identity information and compliance (i.e. Massachusetts 201 CMR 17.00)
  • 6. Growing need for Identity Assurance • High degree of authentication and assurance is the most critical requirement for physical and logical access control. • Acquire Identity credentials that tightly binds an event to a person's proof of possessions, physiological characteristics and behavioural traits. > Identification and authentication as equivalent to Face-to-Face verification of a person. > Credentials must provide at-least some long-term stability. > Credentials should be non-intrusive but still qualitatively and quantitatively measured. > Integrate/Interoperable with physical and logical infrastructures for assured identity verification. > Support for pervasive use (On-demand SaaS and Cloud-computing based application infrastructures) for authenticating a person with irrefutable proof . > Lesser impact on privacy and social values.
  • 7. Human Factors of Identity Assurance Human attributes as Identity Assurance Credentials • Proof-of-Knowledge > Something I know ? > Passwords, PIN, Mom's Maiden Name, Phone #, etc. • Proof-of-Possession > Something I have ? > Smartcards, Tokens, Driver's license, PKI certificates • Proof-of-Characteristics > Something I physiologically or behaviorally own ? > Fingerprints, Hand geometry, Facial image, Iris, Retina, DNA, voice, signature patterns > Proof-of-Physical Presence
  • 8. Security Levels vs. Identity Assurance Courtesy: Randy Vanderhoof, Smartcard Alliance
  • 9. Strong Authentication Strategies • Authentication Questions • HTTP/s Request/Response attributes • Hardware/Software Token based One-time Passwords (OTP) • Hardware/Software Token based Challenge/Response OTP • Phone call based OTP • SMS based OTP • PKI Certificate • USB Tokens/Smart cards (PIN and PKI Certificates) • Biometrics (Fingerprints) • USB Token/Smart cards (PKI and Match-on-card Biometrics).
  • 10. One-Time Passwords Hardware/Software Tokens • Generate one-time passwords > Mathematical problem or Crypto function or Random number generation > Challenge/Response Dynamic password, Asynchronous Password > Time synchronization between client & server. • Deliver Passwords > Proprietary devices, USB, Key fobs > SMS Messages, Email, Phone • Known issues > Vulnerable to MITM, Phishing attacks where Time-synchronization not effective. > DES key and Lost token issues • Standards: OAUTH (Open Authentication Initiative) One-Time Passwords : Alternative to static passwords
  • 11. Smart cards w. PKI Smart cards Standards • A credit card sized computing device acts as a • ISO-7816 Cryptographic token. • Java Card, Multos > Contact / Contactless cards • Global Platform • Allows perforning security functions > Key generation • PC/SC > Public/Private key operations • FIPS-201/PIV, CAC > PIN/Biometric authentication • PKCS#11, PKCS#15 > Challenge/response authentication • GSM/PCS • Supports the use of Public-key infrastructure to verify • EMV the Identity claim. (Europay/Mastercard/Visa) > PKI credential issuance. > Credential validation/verification via OCSP, CRLs • Defends against tampering and hacking. > PKI/Private key protection • Issues: Lost cards, Key compromise recovery is difficult. Smart cards as a Cryptographic Token
  • 12. Biometric Assurance Biometric Identity Standards • Use of Physiological or Behavioral characteristics to • INCITS 378 / CBEFF (Fingerprints) identify a person. • INCITS 379 (Iris) > High degree of assurance with proof of presence. > Fingerprints, Facial image/geometry, Iris, Retina, • OASIS BIAS Voice, Hand geometry, Keystroke, Signature • BioAPI • Biometric templates can be stored on Smart card for • JavaCard BioAPI personal identification. • FIPS-201 / PIV > Fingerprint template is ~200 bytes > Iris template is 500 bytes • Biometric credential must be exchanged in a secure network channel (Trusted path) • Issues: > Biometrics is not a secret > False Acceptance (FAR) & False Reject (FRR) rates > Vulnerable to Message replay/MITM attacks, if not exchanged in secure channel. Biometric Assurance : Who I claim to be
  • 13. Real-world Scenario : Authentication Identity Assurance Credentials Authentication  User name, password Server / Directory  One-time Passwords  Smart Card (PKI Certificates) Enterprise  Biometrics Applications Validate  Good  Bad Ideally, credentials are: something you know + something you have + something you are
  • 14. Real World Scenario : SSO / Federation IDP/SSO Server + Directory Application A Multi-factor Identity Credentials (e.g. username/password, 1. Application B Smartcard PKI, Biometrics) 2. 3. SSO Token  SAML  Artifact Acquire  Proprietary token Credentials  Kerberos ticket  etc
  • 15. Tools of the Trade : What do you need ? Multi-factor Authentication for Enterprise Applications • Web Authentication > JAAS Login Module • Desktop Authentication > PAM Module (Solaris, Linux) > GINA (Windows XP, 2003) • Identity Provider Infrastructure (IDP) > Single Sign-on (SSO) > Multi-factor authentication • Directory Server > Repository for user accounts • Your target applications
  • 16. Tools of the Trade : From Authentication Providers Multi-factor Authentication for Enterprise Applications • Browser Plugin > PKCS#11 Client for Smartcard > ActiveX/Java Plugin for USB Biometric Scanners • Enrollment Middleware > Biometric Enrollment, Smartcard/Token Credential Issuance/Management > One-time Password (Token) registration/issuance • Authentication Middleware > Biometric Authentication, One-time password authentication > PKI Credential validation via OCSP, CRL, Directory, Certificate Authority
  • 17. Java Authentication Authorization Service (JAAS) • JAAS plays a vital role delivering Multi-factor authentication. > All Java EE compliant Application server provide support for JAAS. • JAAS allows to enable Multi-factor authentication in Java EE Enterprise environment. > Facilitates pluggable authentication providers as “Login Modules”. > Ensure Java EE remain independent of authentication providers. • Implementing a Login module is not cumbersome.. > Callback handler – Prompt the user for acquiring credentials > Login (), commit (), Logout () • Choose your own JAAS based Identity Provider Infrastructure ? > Get introduced to Sun OpenSSO
  • 18. Sun OpenSSO Enterprise • Identity Services Infrastructure facilitates Single Sign-On (SSO) for Web applications residing within an enterprise or across networks. • Based on Sun's Open-source initiative. • Open standards based framework supports centralized authentication, authorization and auditing. > JAAS based authentication services > Agent-based and XACML based policy enforcement > Identity-enabled XML Web services for AuthN, AuthX, Audit and Provisioning > Identity Federation Protocols support include SAMLv2, ID-*, WS-Federation,WS- Policy) > XML Web Services Security (WS-Security, WS-Trust, WS-I Basic Security Profile) > Multi-factor authentication via chaining > Centralized configuration, logging and auditing services > Supports multiple Java EE application servers and Web containers > Fedlets • Deployed as a Web application (single WAR file)
  • 19. Multi-factor Authentication and Session Upgrade OpenSSO Authentication Chain and Session upgrade thru’ AuthN • OpenSSO facilitates stronger/ multi-factor authentication through authentication chain including multiple authentication providers. > Enables an authentication process where an user must pass credentials to one or more authentication modules before session validation. > Session validation is determined based on the JAAS control flag (Required, Requisite, Sufficient, Optional) configured to the authentication module instance chain. > The overall authentication success or failure is determined based on the control flag assigned to each module in the authentication stack. > OpenSSO is tested and verified to provide multi-factor authentication chain that include BiObex Login, Smartcard/PKI and other OpenSSO supported authentication providers. • Session Upgrade allows upgrading a valid session based on a successful “second-factor authentication” performed by the same user. > Allows user authenticate to access second resource under the same or different realm > If authentication is successful - OpenSSO updates the session based on the second- level authentication. If authentication fails, the current session will be maintained.
  • 20. OpenSSO Policy Agents Authorization and Policy Enforcement • Policies are managed by Policy Configuration Service in OpenSSO. > Policy service authorizes a use based on the policies stored in OpenSSO. > Policy consists of Rules, Subjects, Conditions and Response providers. • OpenSSO Policy Agents enforce policy and Policy decisions on protected resources. > Intercepts the requests from user clients and applications and redirects them to OpenSSO server for authentication – If no SSO token exists. > Once authenticated, the policy agent communicates with OpenSSO Policy service to grant/deny access to the user based on policy evaluation.
  • 24. Participate in OpenSSO Community ! • Join 700 project members at opensso.org Join Download Sign up at OpenSSO opensso.org Enterprise 8 Subscribe Chat OpenSSO Mailing #opensso Lists on freenode.net dev, users, announce Sun Confidential: Partners and Customers NDA/CDA only
  • 25. Demonstration... Thank You Sun Virtualization Solutions Ramesh Nagappan Sun Microsystems, Burlington, MA http://www.coresecuritypatterns.com/blogs