3. Background to Authentication
What is Authentication?
From the Greek, meaning real or genuine
The act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true
Why Authenticate?
Restrict access to resources (log on to laptop)
Identify user contributions (comments on a blog)
Non-repudiation (e.g. tax lodgements)
4. Background to Authentication
Authentication Factors
the ownership factors: Something the user has
the knowledge factors: Something the user knows
the inherence factors: Something the user is or does
E.g. fingerprint, retina, voice
5. Background to Authentication
How to Authenticate
Single factor
E.g. user id and password
Multi factor
E.g. Bank EFTPOS card and pin
Captchas – authenticating that you are human!
6. Background to Authentication
Establishing Credentials
Simple registration – e.g. Google, TrueCrypt
Self certification – e.g. web site certificate for SSL
Trust chains – e.g. PGP certificates
3rd party certification – e.g. VeriSign
7. Problems
Problem #1: managing all the types of authentication
E.g. multiple PINs, multiple user ids and passwords
Problem #2: identity theft
E.g. keystroke loggers, phishing attacks, dumpster diving, lost laptop
8. OpenID
http://openid.net/
Single point of authority for user credentials
A bit like PayPal is for your credit card/bank details
Already supported by a range of major providers
E.g. Yahoo, Flickr, Blogger, Google, Wordpress,
LiveJournal, AOL, VeriSign
You can also set up your own OpenID Server
Demo – VeriSign Personal Identity Page
Solves the first problem (multiple accounts), but not the second (identity theft)
9. Identity Theft
Has become an increasing problem
Physical access compromised (e.g. lost laptop)
Brute force (e.g. dictionary) attacks
Credit card details poorly protected by 3rd parties
Keystroke loggers in malware
“Clickjacking”
Social engineering
Higher security access requires stronger authentication – e.g. multi-factor
10. Multi-factor Authentication
Typically two-factor is “something you have” and “something you know”, e.g. EFTPOS card and PIN
But need to consider replay attacks, e.g. credit card and security code is NOT true two-factor
RSA, SecurID one-time password token (e.g. PayPal)
Mobile phone SMS codes
But can be difficult/expensive to implement and integrate
11. Multi-factor Authentication
Really secure access (e.g. physical access to a data centre) may warrant three-factor authentication
Something you have, something you know, and something you are, e.g. userid, password and fingerprint
Biometric authentication is increasing in popularity
Fingerprint can serve both as WHO you are as well as WHAT you are
Cost of implementation coming down, integrated devices becoming more common
But not available everywhere as yet, particularly in legacy devices
12. Enter the YubiKey
Made by a Swedish company – http://yubico.com
Acts like a USB keyboard - supports most computers
Generates a fixed userid and a one-time password
Can also generate a fixed long/complex password
Very small form factor – easy/cheap to deploy
Yubico can authenticate you via OpenID or via free open source web service clients
Open source authentication servers are provided free: Java, C, PHP, Python, Perl, PAM (Linux)
13. YubiKey – How it Works
YubiKeys contain a 128-bit AES key, initially set by Yubico
AES is a symmetric cypher, not public/private key
You can generate your own AES key
When the button is pressed, the YubiKey generates a 44-character string consisting of:
A fixed userid (12 characters)
A one-time password (32 characters)
300,000,000,000,000,000,000,000,000,000,000,000,000 (3 × 10^38) combinations
Can also be configured to navigate to a specific web site and authenticate with one button press (Windows only at present)
14. YubiKey – How it Works
User id (12 characters):
vvuelcnnljrd
One-Time Password (32 characters):
brihhlvhgbcnlufjlvnuirudeunknlkn
Characters are encoded in ModHex for compatibility
Sample output:
vvuelcnnljrdbtrffffdhhlidlhijrbckjgtlgcbnnnh
vvuelcnnljrdhrrbkfkhjfvturlkehrrfhkijdljbcdf
vvuelcnnljrdettngeieevitvlhvtjghilkttkhueglg
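As an added example (not code from the slides, and not Yubico's own client code), the following Python shows what a relying party does with one of the strings above before any cryptography: check that every character is ModHex, split off the 12-character fixed userid from the 32-character one-time password, and turn each part back into bytes. The ModHex alphabet used here is Yubico's published one; the 12/32 split is the one the slides describe, and the three sample tokens are copied from the slide.

```python
"""ModHex codec and splitting of the 44-character YubiKey output (added example)."""
from typing import Tuple

# Yubico's ModHex alphabet: position i stands for hex nibble i, so 'c'=0 ... 'v'=15.
# These letters sit in the same place on the common keyboard layouts, which is why
# a key that types as a USB keyboard can use them safely.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
_TO_NIBBLE = {ch: i for i, ch in enumerate(MODHEX_ALPHABET)}

PUBLIC_ID_LEN = 12   # 12 ModHex characters = 6 bytes, as configured on the slides' key
OTP_LEN = 32         # 32 ModHex characters = one 16-byte AES block


def modhex_encode(data: bytes) -> str:
    """Every byte becomes two ModHex characters, high nibble first."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0x0F] for b in data)


def modhex_decode(text: str) -> bytes:
    """Inverse of modhex_encode; rejects odd lengths and non-ModHex characters."""
    if len(text) % 2:
        raise ValueError("ModHex string must have an even number of characters")
    try:
        nibbles = [_TO_NIBBLE[ch] for ch in text.lower()]
    except KeyError as exc:
        raise ValueError(f"not a ModHex character: {exc.args[0]!r}") from None
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def split_otp(token: str) -> Tuple[str, str]:
    """Split one key press into (public userid, otp), checking length and alphabet.

    The fixed userid is what a server uses to look up which AES key to decrypt with;
    the 32-character tail is the encrypted block that changes on every press.
    """
    token = token.strip().lower()
    if len(token) != PUBLIC_ID_LEN + OTP_LEN:
        raise ValueError(f"expected {PUBLIC_ID_LEN + OTP_LEN} characters, got {len(token)}")
    modhex_decode(token)  # raises on any character outside the alphabet
    return token[:PUBLIC_ID_LEN], token[PUBLIC_ID_LEN:]


# The three sample outputs printed on the slide
SAMPLE_TOKENS = [
    "vvuelcnnljrdbtrffffdhhlidlhijrbckjgtlgcbnnnh",
    "vvuelcnnljrdhrrbkfkhjfvturlkehrrfhkijdljbcdf",
    "vvuelcnnljrdettngeieevitvlhvtjghilkttkhueglg",
]


def public_ids(tokens) -> set:
    """Distinct fixed userids in a batch of tokens: one key yields one id however many presses."""
    return {split_otp(t)[0] for t in tokens}


if __name__ == "__main__":
    for t in SAMPLE_TOKENS:
        public_id, otp = split_otp(t)
        print(public_id, "->", modhex_decode(public_id).hex(), "| otp:", otp)
```

Running it shows the same userid (ffe3a0bba8c2 in hex) on all three presses while the 16-byte OTP part differs every time; rejecting non-ModHex input up front keeps junk out of the decryption and database lookup that follow.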
15. YubiKey – How it Works
The AES key is used to encrypt a set of data for the OTP:
A hidden identity field to verify the decrypted result
A volatile counter, incremented by one for each code that has been generated. This counter is reset at each power-up
A non-volatile counter, incremented by one for each power-up event. The value of this counter is preserved even when power is lost
A non-predictable counter value fed by a time-base that is highly device and session dependent
A random seed
A simple checksum
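The fields listed above are what the key packs into one 16-byte block before AES-encrypting it, and what the validation server sees after decrypting. The following is an added example (not from the slides and not Yubico's server code) of the server-side checks on that decrypted block: the checksum, the hidden identity, and the two counters that make a captured OTP useless if presented a second time. It assumes the field layout from Yubico's published OTP description (6-byte private id, 2-byte power-up counter, 3-byte timestamp, 1-byte per-press counter, 2-byte random, 2-byte CRC-16, integers little-endian) and assumes the AES-128 decryption of the 32 ModHex characters has already been done with a crypto library; here the block is constructed directly, as the key would assemble it before encryption.

```python
"""Server-side checks on a decrypted YubiKey OTP block (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Register value left by crc16() over a 16-byte block whose trailing CRC is intact
CRC_OK_RESIDUAL = 0xF0B8


def crc16(data: bytes) -> int:
    """CRC-16 as used in HDLC framing: init 0xFFFF, reflected polynomial 0x8408, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


@dataclass(frozen=True)
class OtpFields:
    private_id: bytes      # hidden identity, checked after decryption (6 bytes)
    session_counter: int   # non-volatile counter: +1 at every power-up
    timestamp: int         # 3-byte value fed by the device's time base
    session_use: int       # volatile counter: +1 per press, reset at power-up
    rand: int              # random seed
    crc: int               # simple checksum


def parse_otp_plaintext(block: bytes) -> OtpFields:
    """Assumed layout of the 16-byte plaintext (byte offsets, integers little-endian)."""
    if len(block) != 16:
        raise ValueError("decrypted OTP must be exactly one 16-byte AES block")
    return OtpFields(
        private_id=block[0:6],
        session_counter=int.from_bytes(block[6:8], "little"),
        timestamp=int.from_bytes(block[8:11], "little"),
        session_use=block[11],
        rand=int.from_bytes(block[12:14], "little"),
        crc=int.from_bytes(block[14:16], "little"),
    )


def build_otp_plaintext(private_id: bytes, session_counter: int, timestamp: int,
                        session_use: int, rand: int) -> bytes:
    """Assemble the block as the key does before encrypting it (used here to construct input)."""
    body = (private_id + session_counter.to_bytes(2, "little")
            + timestamp.to_bytes(3, "little") + bytes([session_use]) + rand.to_bytes(2, "little"))
    crc = crc16(body) ^ 0xFFFF   # stored complemented, which yields the fixed residual on check
    return body + crc.to_bytes(2, "little")


class OtpValidator:
    """Per-key server state: the highest (power-up, press) counter pair already accepted."""

    def __init__(self, private_id: bytes) -> None:
        self.private_id = private_id
        self.high_water: Tuple[int, int] = (-1, -1)

    def validate(self, block: bytes) -> str:
        # 1. Checksum first: a wrong AES key or a corrupted OTP decrypts to garbage
        if len(block) != 16 or crc16(block) != CRC_OK_RESIDUAL:
            return "BAD_CRC"
        fields = parse_otp_plaintext(block)
        # 2. The hidden identity must be the one enrolled for this public userid
        if fields.private_id != self.private_id:
            return "BAD_ID"
        # 3. Counters must move forward: a captured OTP replayed later fails here
        counters = (fields.session_counter, fields.session_use)
        if counters <= self.high_water:
            return "REPLAYED"
        self.high_water = counters
        return "OK"


# Constructed 6-byte private id for the demo; a real one is set by Yubico or the owner
DEMO_PRIVATE_ID = bytes.fromhex("0102030405ff")


def run_demo() -> List[str]:
    """Two presses in one power-up session, a new session, then a replay, a corruption and a foreign key."""
    validator = OtpValidator(DEMO_PRIVATE_ID)
    presses = [(1, 0x000100, 0, 0x1234),   # session 1, first press
               (1, 0x000180, 1, 0x5678),   # session 1, second press
               (2, 0x000020, 0, 0x9ABC)]   # key re-plugged: session 2, press counter reset
    blocks = [build_otp_plaintext(DEMO_PRIVATE_ID, s, t, u, r) for s, t, u, r in presses]
    results = [validator.validate(b) for b in blocks]
    results.append(validator.validate(blocks[1]))                 # replay of an accepted OTP
    corrupted = bytearray(blocks[2])
    corrupted[3] ^= 0x01                                          # one flipped bit
    results.append(validator.validate(bytes(corrupted)))
    results.append(validator.validate(build_otp_plaintext(bytes(6), 3, 0, 0, 0)))  # another key's id
    return results


if __name__ == "__main__":
    print(run_demo())
```

The order of the checks matters: the checksum is what tells the server it used the right AES key for this userid, the hidden identity ties the block to the enrolled key, and only then are the counters compared against the stored high-water mark. Because the power-up counter is compared before the per-press counter, a key that is unplugged and re-inserted (press counter back to 0) is still accepted, while any OTP at or below the last accepted pair is rejected as a replay.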
17. YubiKey Features
Can operate in single or two-factor mode
Just rely on embedded userid and one-time password (operates as “something you have”)
Add either separate userid and/or password to embedded userid and OTP (operates as “something you have” and “something you know”)
YubiKey Demo
Mashed Life Demo
18. YubiKey – Other Features
“One time pad” approach means no time-based sync
Hardware based solution means proof against trojans (unlike software based solutions)
No battery to run down (unlike RSA key)
No time limit (unlike certificate-based solutions)
Small form factor (easy to ship/carry)
Fast and easy to use – lower user resistance
Low cost (approx $US25 one off, $US10 in quantity)
19. Useful Links
Yubico
Yubico Twitter Feed
YubiKey Security Analysis
Steve Gibson talking about YubiKey
AES Encryption
Mashed Life