Getting authentication right
ROOTS, 27. April 2012

André N. Klingsheim
@klingsen
- Some motivation
- Authentication/identities defined
- Where authentication fits in
- Authentication factors
- Passwords
- Two-factor authentication
- Keeping your shields up
- Fun and demos
- Verizon Data Breach Investigations Report*
  - Based on 855 incidents (that resulted in)
  - 174 million compromised records
  - Leads to some interesting statistics
    - Curiosity: One organized criminal group in Eastern Europe worked on average three days per week
  - Go read it when you get home!

* http://www.verizonbusiness.com/dbir/
Source: Verizon Data Breach Investigations Report, p. 26
Source: Verizon Data Breach Investigations Report, p. 32
- TL;DR: How sure are you that it’s the correct user who’s logging in?
  - You’re never 100% sure!
- Authentication is the process of establishing an understood level of trust in whether the user is who she claims to be
- An identifier such as a name, national identity number, or a customer number, points to an identity
- The identity of an individual is the set of information associated with that individual in a particular computer system
Someone claims to be «klings»!

Authentication tries to establish whether that someone is this guy!
1. You don’t know who the user is
2. The user authenticates (now you’re pretty sure who the user is)
3. The user gets a security token in return
   - You associate the user’s identity with this token
   - Think session cookies (and username written to session)
4. Now you «remember» the outcome of the authentication

- You’re done with authentication, and then have to rely on session security
- So, authentication helps you figure out whether an unknown person/computer can safely be associated with a digital identity
- Session security deals with remembering who the user is in a secure manner
- Your trust that you’re talking to the right person is at its peak in the authentication instant
- Session security takes over; remember this is «cached» trust
- Re-authentication
  - Rebuilds your trust that it’s still the correct person acting as the logged-in user
- Something you know («Pa$$W0rd1»)
- Something you have
- Something you are

* Fingerprint shared by Wilfredor under CC BY-SA 3.0 licence
- In practice a static, shared secret
  - Password
  - Security questions
    - Mother’s maiden name
    - Where did you go to school
    - And so on...
  - PINs (debit/credit cards)

- Code generators
  - Sequence based
  - Time-based
- Your mobile phone
  - SMS
  - Google Authenticator
- Your debit/credit card (physical/CVC2)
- Cards with printed PIN-codes

- Biometrics
  - Fingerprint
  - Retina scan
  - Etc.
- Not widely deployed on the web...
- Something you know: a password or PIN
- Why?
  - Very cheap (no devices)
    - Do note that password resets can cost you…
  - In some cases available off-the-shelf (e.g. ASP.NET has the SqlMembershipProvider)
- Scales well
- Users are well accustomed to passwords/PINs!

- Some critical aspects of a password based authentication procedure
  - How passwords are stored
  - How users sign up
  - How passwords are validated
  - How passwords are reset
  - Application security
  - The security of all other password based IT systems in the world
- The easiest way to store a password is, well, to store the password in a database in cleartext
  - DBAs can easily steal the passwords.
  - A breach of the database will immediately reveal all passwords (think Sony)
- So, encryption or hashing to the rescue!
- PS! Forgot password -> mail with old password -> most likely cleartext passwords

- Encrypted passwords mean only one thing
- They must be decrypted to be verified
- Encryption key + database -> all passwords
- There is most likely a sysadmin with access to both the key and the db
- Password encryption is not recommended!
- A hash function is a deterministic one-way function with a fixed output length
- Commonly used: MD5, SHA-1, SHA-256
- MD5(‘Password’) => 3GR+tl5nEeFVN1IYISs5ZA== (base64-encoded digest)
  - Look it up on Google
- It’s easy to compute the hash value of an input. It should be impossible to calculate the input based on a hash value (hence one way)

- Two users with the same password will have the same hash values in the db
- You can compute the hash value for common passwords, and store the values
- If you get hold of password hashes – just look them up against known values!
- The precomputation step is the essence of rainbow tables
  - Lets you crack common passwords in no time
- We need salts!

- Salts add a bit of uniqueness to the input to the hash function
- Salts can be stored beside the password hash in the db
  - Salt: 3GR+tl5nEeFVN1IYISs5ZA==
  - Hash = SHA-256(salt + password)
- Hampers rainbow table attacks
- Does not hamper dictionary attacks/brute force attacks
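The two slides above make three claims: equal passwords produce equal unsalted hashes, a precomputed table resolves such hashes instantly, and a per-user salt breaks the lookup. The Python below is an added example, not code from the talk. The three users and the five-entry "common password" table are constructed stand-ins; the salted form is exactly the slide's Hash = SHA-256(salt + password), with a random 16-byte salt stored next to the hash.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed table of common passwords; a real
# rainbow table is built the same way, just over a vastly larger candidate set.
COMMON_PASSWORDS = ["123456", "password", "Password", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: deterministic, so equal passwords collide."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(salt: bytes, password: str) -> str:
    """SHA-256(salt + password), the construction shown on the slide."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """The precomputation step: hash each candidate once, keyed by its hash."""
    return {unsalted_hash(p): p for p in wordlist}


def store_unsalted(users: dict) -> dict:
    """users: {name: password} -> {name: hash}; what a naive database holds."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Each user gets a fresh 16-byte random salt, stored beside the hash."""
    rows = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        rows[name] = (salt, salted_hash(salt, pw))
    return rows


def lookup_leaked_hashes(table: dict, hashes) -> dict:
    """Resolve a set of hashes against the table; returns {hash: password}."""
    return {h: table[h] for h in hashes if h in table}


def verify_salted(rows: dict, name: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = rows[name]
    return hmac.compare_digest(stored, salted_hash(salt, candidate))


def demo() -> dict:
    """Constructed users; alice and bob happen to have chosen the same password."""
    users = {"alice": "Password", "bob": "Password", "carol": "correct horse"}
    table = build_lookup_table(COMMON_PASSWORDS)

    unsalted = store_unsalted(users)
    salted = store_salted(users)

    return {
        # identical passwords are visible as identical rows without a salt
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        "salted_collide": salted["alice"][1] == salted["bob"][1],
        # the precomputed table resolves the unsalted rows immediately
        "recovered_unsalted": lookup_leaked_hashes(table, unsalted.values()),
        # but none of the salted rows appear in it
        "recovered_salted": lookup_leaked_hashes(table, (h for _, h in salted.values())),
        # normal verification still works because the salt is stored with the hash
        "verify_ok": verify_salted(salted, "carol", "correct horse"),
        "verify_bad": verify_salted(salted, "carol", "Password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt only defeats the precomputed table; a per-row pass over the same wordlist still costs one fast SHA-256 per candidate, which is the gap the next slides close with a work factor.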
- If you get your hands on a list of salted password hashes you can
  - Run a dictionary attack (calculate password hashes for a wordlist, and compare the hashes)
  - Run a brute force attack (calculate hashes for all possible passwords: aaaaaa, aaaaab, aaaaac and so on)
- If it’s not your list of password hashes, do consider the legal aspects

- Dictionary and brute force attacks are very efficient against common hashes such as MD5/SHA family
  - Millions of hashes checked per second (single CPU)
- Due to the fact that hash functions were designed to be fast (not to store passwords)
- We need to add a workload!

- PBKDF2
  - Password based key derivation function
  - Runs X iterations of an HMAC (based on SHA-1) to generate a key
  - Computational penalty for password crackers
- Bcrypt
  - Also adds computational load => time penalty
- Scrypt
  - Based on a memory trade-off, to hamper special purpose hardware with limited memory
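PBKDF2 as a stored-password scheme, written out as an added example rather than code from the talk. It uses Python's hashlib.pbkdf2_hmac with SHA-256 (the slide mentions an HMAC based on SHA-1; the PRF is a parameter of PBKDF2 and SHA-256 is the usual choice today). The iteration count, salt length and the "algorithm$iterations$salt$key" record layout are choices made for this example; storing the iteration count in each record is what lets you raise the work factor later without invalidating existing rows.

```python
import base64
import hashlib
import hmac
import os
import time

# Parameters of the stored record; chosen for this example, not taken from the talk.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a key with PBKDF2-HMAC-SHA256 and pack everything needed to verify it.

    Record layout: algorithm$iterations$salt_b64$key_b64.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def parse_record(record: str):
    """Split a stored record back into (iterations, salt, key)."""
    algorithm, iterations, salt_b64, key_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(key_b64)


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    iterations, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(expected, actual)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy.

    Check this on a successful login: the cleartext password is in hand, so the
    row can be re-hashed at the current cost right there.
    """
    iterations, _, _ = parse_record(record)
    return iterations < min_iterations


def verifications_per_second(record: str, samples: int = 10) -> float:
    """Rough single-core rate of candidate checks against one record; compare with
    the 'millions per second' the talk quotes for plain MD5/SHA hashes."""
    start = time.perf_counter()
    for i in range(samples):
        verify_password(record, f"guess{i}")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password(rec, "correct horse battery staple"))
    print("verify wrong:", verify_password(rec, "Password"))
    print("checks/s at %d iterations: %.1f" % (ITERATIONS, verifications_per_second(rec)))
```

Bcrypt and scrypt follow the same store-and-verify pattern; only the derivation call and the cost parameters (and, for scrypt, the memory parameter the slide refers to) change.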
- You’ve stored your passwords securely
  - The password crackers now hate you
- Then some other site gets hacked and all their passwords are leaked
  - Who cares, you’re secure, right?
- Your users used the same password on your site...

- Users tend to reuse their passwords across websites
- Other sites get hacked for various reasons
- Leads to the compromise of accounts on your site!
- But that’s not fair!
  - No it isn’t. The world is not fair, in case you haven’t noticed.

- Something you have
- Is NOT shared between sites
- Solves the «other sites were hacked» problem
- Time-based
  - Code typically generated based on a secret key and the current time
  - Requires reliable clocks on both the server and the code generating device
- Sequence based
  - Pseudo random number generator, seeded with a secret key
  - Code generator and server generate the same sequence of codes

- Go with time-based if you can
  - Limited TTL for your codes
  - Limited number of valid codes at any given time
- Sequence based generators
  - Let you compute many codes that will be valid until used
  - E.g. take someone’s token, generate 5 codes, they’ll be valid until the victim tries to use a code
- Very important that security cannot be degraded in your system
  - Fallback from two-factor to single factor authentication
  - Disabling of security mechanisms without requiring authentication
- E.g. to change the password, you need to enter the correct current password
- More complicated for two-factor authentication
  - If you can reset one factor with the other, it’s not really two-factor
  - Forgot password -> set new password, confirm with one time code
  - Lost mobile phone -> log in with password to change mobile number for one time codes
- Beware such dependencies in your system!

- “Forgotten password”
  - Secret questions (are not)
  - E-mail
  - Snail mail
  - SMS

- Require re-authentication for all critical updates
- Such as change of
  - Password
  - Phone number
  - E-mail address
  - Disabling of security mechanisms
- And not with just one factor!
- If you have an optional security mechanism (e.g. one time codes)
  - You must require the user to use the security mechanism in order to turn it off
  - Else it’s useless!
- So changing the «security level» must be done according to the current level of security
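The rule above (and the "cached trust" point from the session slides) expressed as code, as an added example that is not from the talk: a minimal session/account model in which the factors a critical update must prove are derived from the account's current 2FA state, and the proof must be recent, so a password-only session cannot turn one-time codes off and a stale two-factor session must re-authenticate first. The 300-second freshness window, the class and factor names, and the scenario are assumptions made for this example; the actual password and OTP checks are assumed to happen before reauthenticate() is called.

```python
from dataclasses import dataclass, field

# Policy value chosen for this example, not from the talk.
MAX_AUTH_AGE_SECONDS = 300


class AccessDenied(Exception):
    """The session's trust is too weak or too old for the requested action."""


@dataclass
class Account:
    username: str
    two_factor_enabled: bool
    phone_number: str = ""


@dataclass
class Session:
    username: str
    factors_verified: set = field(default_factory=set)  # e.g. {"password", "otp"}
    authenticated_at: float = 0.0                        # when those factors were last verified


def required_factors(account: Account) -> set:
    """The current security level decides what a critical update must prove."""
    return {"password", "otp"} if account.two_factor_enabled else {"password"}


def reauthenticate(session: Session, factors: set, now: float) -> Session:
    """Record a fresh proof. The caller has just verified these factors exactly as at
    login; trust is rebuilt from scratch, not inherited from the old session."""
    session.factors_verified = set(factors)
    session.authenticated_at = now
    return session


def require_fresh_full_auth(session: Session, account: Account, now: float) -> None:
    missing = required_factors(account) - session.factors_verified
    if missing:
        raise AccessDenied(f"factor(s) not verified in this session: {sorted(missing)}")
    if now - session.authenticated_at > MAX_AUTH_AGE_SECONDS:
        raise AccessDenied("authentication is stale; re-authenticate first")


def change_phone_number(session: Session, account: Account, new_number: str, now: float) -> Account:
    """The OTP delivery address is itself a factor, so changing it needs the full proof."""
    require_fresh_full_auth(session, account, now)
    account.phone_number = new_number
    return account


def disable_two_factor(session: Session, account: Account, now: float) -> Account:
    """Judged at the level the mechanism currently provides: with 2FA on, an OTP is required."""
    require_fresh_full_auth(session, account, now)
    account.two_factor_enabled = False
    return account


def enable_two_factor(session: Session, account: Account, now: float) -> Account:
    require_fresh_full_auth(session, account, now)  # password alone suffices while 2FA is off
    account.two_factor_enabled = True
    return account


def scenario() -> list:
    """Constructed walk-through: password-only session, stale full session, fresh full session."""
    acct = Account("klings", two_factor_enabled=True, phone_number="+00 000 00000")
    log = []
    s = Session("klings", {"password"}, authenticated_at=1000.0)
    try:
        disable_two_factor(s, acct, now=1010.0)
        log.append("password-only: allowed")
    except AccessDenied as e:
        log.append(f"password-only: denied ({e})")
    reauthenticate(s, {"password", "otp"}, now=1010.0)
    try:
        disable_two_factor(s, acct, now=1010.0 + 3600)
        log.append("stale: allowed")
    except AccessDenied as e:
        log.append(f"stale: denied ({e})")
    reauthenticate(s, {"password", "otp"}, now=5000.0)
    disable_two_factor(s, acct, now=5001.0)
    log.append(f"fresh: allowed, two_factor_enabled={acct.two_factor_enabled}")
    return log


if __name__ == "__main__":
    print("\n".join(scenario()))
```

The same require_fresh_full_auth() gate belongs in front of password and e-mail changes; the "forgotten password" and "lost phone" flows on the slide are the places where this gate is most often bypassed by design, which is exactly the dependency the talk warns about.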
- Tutorial/demo!
- Scenario: Someone is logged in to their Google account
  - Two-factor authentication enabled
  - You have figured out their password but don’t have access to their OTPs
- Can you find any way to gain access to their account, without OTPs, from another computer?

- Thank you for listening!
- Find me on the web:
  - www.dotnetnoob.com
  - @klingsen

Más contenido relacionado

La actualidad más candente

Brute force attack
Brute force attackBrute force attack
Brute force attackjoycruiser
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Fego Ogwara
 
Password Cracking
Password Cracking Password Cracking
Password Cracking Sina Manavi
 
3D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 13D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 1Swagato Dey
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy   a point of viewWhy is password protection a fallacy   a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Password hacking
Password hackingPassword hacking
Password hackingAbhay pal
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy QueryGloria Stoilova
 
Welcome to the world of hacking
Welcome to the world of hackingWelcome to the world of hacking
Welcome to the world of hackingTjylen Veselyj
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key loggerPatel Mit
 
Greater Wheeling AITP Web Security
Greater Wheeling AITP Web SecurityGreater Wheeling AITP Web Security
Greater Wheeling AITP Web SecurityJohn Parkinson
 
3d authentication system
3d authentication system3d authentication system
3d authentication systemRicha Agarwal
 
Password Attack
Password Attack Password Attack
Password Attack Sina Manavi
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication IJMER
 

La actualidad más candente (20)

Brute force attack
Brute force attackBrute force attack
Brute force attack
 
Password Attack
Password AttackPassword Attack
Password Attack
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
Password Management
Password ManagementPassword Management
Password Management
 
3D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 13D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 1
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy   a point of viewWhy is password protection a fallacy   a point of view
Why is password protection a fallacy a point of view
 
Password hacking
Password hackingPassword hacking
Password hacking
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy Query
 
J0704055058
J0704055058J0704055058
J0704055058
 
Encryption by fastech
Encryption by fastechEncryption by fastech
Encryption by fastech
 
Welcome to the world of hacking
Welcome to the world of hackingWelcome to the world of hacking
Welcome to the world of hacking
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key logger
 
Greater Wheeling AITP Web Security
Greater Wheeling AITP Web SecurityGreater Wheeling AITP Web Security
Greater Wheeling AITP Web Security
 
3D PASSWORD
3D PASSWORD 3D PASSWORD
3D PASSWORD
 
3d authentication system
3d authentication system3d authentication system
3d authentication system
 
Password Attack
Password Attack Password Attack
Password Attack
 
Brute force
Brute forceBrute force
Brute force
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
 

Similar a Getting authentication right

Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4skimil
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewSTO STRATEGY
 
Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force toolszeus7856
 
CHAPTER 7 Authentication and Authorization On
CHAPTER  7 Authentication and Authorization OnCHAPTER  7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization OnMaximaSheffield592
 
Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Dr. P. Mohana Priya
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITYSupanShah2
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxFarhanaMariyam1
 
Chapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe thChapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe thsamirapdcosden
 
Technology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreTechnology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreWilliam Mann
 
11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Homezaimorkai
 
Password Management
Password ManagementPassword Management
Password ManagementDavon Smart
 
1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaperHai Nguyen
 
It security in healthcare
It security in healthcareIt security in healthcare
It security in healthcareNicholas Davis
 
Password hacking
Password hackingPassword hacking
Password hackingMr. FM
 
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"..."Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"...PROIDEA
 

Similar a Getting authentication right (20)

Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Net
 
How encryption works
How encryption worksHow encryption works
How encryption works
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Password cracking and brute force tools
Password cracking and brute force toolsPassword cracking and brute force tools
Password cracking and brute force tools
 
CHAPTER 7 Authentication and Authorization On
CHAPTER  7 Authentication and Authorization OnCHAPTER  7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization On
 
Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Introduction to Web Application Security Principles
Introduction to Web Application Security Principles
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITY
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptx
 
Chapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe thChapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe th
 
Information Security
Information SecurityInformation Security
Information Security
 
Technology Training - Security, Passwords & More
Technology Training - Security, Passwords & MoreTechnology Training - Security, Passwords & More
Technology Training - Security, Passwords & More
 
11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home
 
Password Management
Password ManagementPassword Management
Password Management
 
C0210014017
C0210014017C0210014017
C0210014017
 
1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper
 
It security in healthcare
It security in healthcareIt security in healthcare
It security in healthcare
 
Password hacking
Password hackingPassword hacking
Password hacking
 
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"..."Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
 

Último

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 

Getting authentication right

  • 1. ROOTS, 27. April 2012 André N. Klingsheim @klingsen
  • 2. Some motivation  Authentication/identities defined  Where authentication fits in  Authentication factors  Passwords  Two-factor authentication  Keeping your shields up  Fun and demos
  • 3. Verizon Data Breach Investigations Report*  Based on 855 incidents (that resulted in)  174 million compromized records  Leads to some interesting statistics ▪ Curiosity: One organized criminal group in Eastern Europe worked on average three days per week  Go read it when you get home! * http://www.verizonbusiness.com/dbir/
  • 4. Source: Verizon Data Breach Investigations Report, p. 26
  • 5. Source: Verizon Data Breach Investigations Report, p. 32
  • 6. TL;DR: How sure are you that it’s the correct user who’s logging in?  You’re never 100% sure!  Authentication is the process of establishing an understood level of trust in whether the user is who she claims to be
  • 7. An identifier such as a name, national identity number, or a customer number, points to an identity  The identity of an individual is the set of information associated with that individual in a particular computer system
  • 8. Someone claims to be «klings»! Authentication tries to establish whether that someone is this guy! 
  • 9. 1. You don’t know who the user is 2. The user authenticates (now you’re pretty sure who the user is) 3. The user gets a security token in return  You associate the user’s identity with this token  Think session cookies (and username written to session) 4. Now you «remember» the outcome of the authentication
  • 10. You’re done with authentication, and then have to rely on session security  So, authentication helps you figure out whether an unkown person/computer can safely be assosciated with a digital identity  Session security deals with remembering who the users is in a secure manner
  • 11.
  • 12. Your trust in that you’re talking to the right person is at its peak in the authentication instant  Session security takes over, remember this is «cached» trust  Re-authentication  Rebuilds your trust in that it’s still the correct person acting as the logged in user
  • 13.
  • 14. Something you know («Pa$$W0rd1»)  Something you have  Something you are * Fingerprint shared by Wilfredor under CC BY-SA 3.0 lisence
  • 15. In practice a static, shared secret  Password  Security questions ▪ Mother’s maiden name ▪ Where did you go to school ▪ And so on...  PINs (debit/credit cards)
  • 16. Code generators  Sequence based  Time-based  Your mobile phone  SMS  Google Authenticator  You’re debit/credit card (physical/VVC2)  Cards with printed PIN-codes
  • 17. Biometrics  Fingerprint  Retina scan  Etc..  Not widely deployed on the web...
  • 18. Something you know: a password or PIN  Why?  Very cheap (no devices) ▪ Do note that password resets can cost you…  In some cases available off-the-shelf (e.g. ASP.NET has the SqlMembershipProvider)  Scales well  Users are well accustomed to passwords/PINs!
• 19. Some critical aspects of a password-based authentication procedure  How passwords are stored  How users sign up  How passwords are validated  How passwords are reset  Application security  The security of all other password-based IT systems in the world
• 20. The easiest way to store a password is, well, to store the password in a database in cleartext  DBAs can easily steal the passwords.  A breach of the database will immediately reveal all passwords (think Sony)  So, encryption or hashing to the rescue!  PS! Forgot password -> mail with old password -> most likely cleartext passwords
  • 21. Encrypted passwords mean only one thing  They must be decrypted to be verified  Encryption key + database -> all passwords  There is most likely a sysadmin with access to both the key, and the db  Password encryption is not recommended!
• 22. A hash function is a deterministic one-way function with a fixed output length  Commonly used: MD5, SHA-1, SHA-256  MD5(‘Password’) => 3GR+tl5nEeFVN1IYISs5ZA==  Look it up on Google  It’s easy to compute the hash value of an input. It should be impossible to calculate the input based on a hash value (hence one-way)
• 23. Two users with the same password will have the same hash values in the db  You can compute the hash value for common passwords, and store the values  If you get hold of password hashes – just look them up against known values!  The precomputation step is the essence of Rainbow tables  Lets you crack common passwords in no time  We need salts!
• 24.  Salts add a bit of uniqueness to the input to the hash function  Salts can be stored beside the password hash in the db  Salt: 3GR+tl5nEeFVN1IYISs5ZA==  Hash = Sha-256(salt+password)  Hampers rainbow table attacks  Does not hamper dictionary attacks/brute force attacks
• 25. If you get your hands on a list of salted password hashes you can  Run a dictionary attack (calculate password hashes for a wordlist, and compare the hashes)  Run a brute force attack (calculate hashes for all possible passwords: aaaaaa, aaaaab, aaaaac and so on)  If it’s not your list of password hashes, do consider the legal aspects
• 26. Are very efficient against common hashes such as MD5/SHA-family  Millions of hashes checked per second (single CPU)  Due to the fact that hash functions were designed to be fast (not to store passwords)  We need to add a workload!
  • 27. PBKDF2  Password based key derivation function  Runs X iterations of an HMAC (based on SHA-1) to generate a key  Computational penalty for password crackers  Bcrypt  Also adds computational load => time penalty  Scrypt  Based on a memory trade-off, to hamper special purpose hardware w/limited memory
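The three storage schemes from slides 22, 24 and 27 side by side, as an added example (not code from the talk): a plain hash that makes equal passwords visible, the Sha-256(salt+password) variant, and a PBKDF2 record that carries its own salt and iteration count and is verified in constant time. The iteration count is an assumed work factor.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it until one verify costs tens of ms on your hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme from slide 22: equal passwords give equal hashes that can be looked up."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Sha-256(salt+password) from slide 24: defeats precomputed tables, but is still a fast hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random salt; the record stores everything needed to verify."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False  # malformed record, never accept
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who both picked "Password"
    print(unsalted_hash("Password") == unsalted_hash("Password"))  # True: identical rows in the db
    print(salted_hash("Password", os.urandom(16)) == salted_hash("Password", os.urandom(16)))  # False
    rec = make_record("Password")
    print(rec, verify("Password", rec), verify("password", rec))  # record, True, False
```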
  • 28. You’ve stored your passwords securely  The password crackers now hate you  Then some other site gets hacked and all their passwords are leaked  Who cares, you’re secure right?  Your users used the same password on your site...
  • 29. Users tend to reuse their passwords across websites  Other sites get hacked for various reasons  Leads to the compromise of accounts on your site!  But that’s not fair!  No it isn’t. The world is not fair, in case you haven’t noticed.
  • 30.  Something you have  Is NOT shared between sites  Solves the «other sites were hacked» problem
• 31. Time-based  Code typically generated based on a secret key, and the current time  Requires reliable clocks on both server and the code generating device  Sequence-based  Pseudo random number generator, seeded with a secret key  Code generator and server generate same sequence of codes
• 32. Go with time-based if you can  Limited TTL for your codes  Limited number of valid codes at any given time  Sequence-based generators  Let you compute many codes that will be valid until used  E.g. take someone’s token, generate 5 codes, they’ll be valid until the victim tries to use a code
  • 33. Very important that security cannot be degraded in your system  Fallback from two-factor to single factor authentication  Disabling of security mechanisms without requiring authentication  E.g. to change the password, you need to enter the correct current password
  • 34. More complicated for two-factor authentication  If you can reset one factor with the other, it’s not really two-factor  Forgot password -> set new password, confirm with one time code  Lost mobile phone -> log in with password to change mobile number for one time codes  Beware such dependencies in your system!
  • 35. “Forgotten password”  Secret questions (are not)  E-mail  Snail mail  SMS
  • 36. Require re-authentication for all critical updates  Such as change of  Password  Phone number  E-mail address  Disabling of security mechanisms  And not with just one factor!
  • 37. If you have an optional security mechanism (e.g. one time codes)  You must require the user to use the security mechanism in order to turn it off  Else it’s useless!  So changing the «security level» must be done according to the current level of security
• 38. Tutorial/demo!  Scenario: Someone is logged in to their Google account  Two-factor authentication enabled  You have figured out their password but don’t have access to their OTPs  Can you find any way to gain access to their account, without OTPs, from another computer?
  • 39. Thank you for listening!  Find me on the web:  www.dotnetnoob.com  @klingsen