What does Two Factor Authentication mean? How does it work and how difficult is it to integrate it into your own web application?
Better Security With Two Factor Authentication
Norman Soetbeer, 22.09.2013
Who am I?
Norman Soetbeer
Computer Science Student, Game Developer @ InnoGames
Twitter: @TheBattleRattle, Github: BattleRattle
Table of Contents
1. What is TFA?
2. TFA for Web Applications
3. HOTP
4. TOTP
5. Example Implementation
What is TFA?
[Slide mock-up of a two-step login: (1) the usual form with username "John Doe" and password; (2) a second form "Enter your code: an authenticator is connected to your account" where the one-time code 743503 is entered; then "Welcome! Hey, John Doe! You successfully logged in".]
What is TFA?
also known as: TFA, 2FA, Two-Step Authentication, Two-Step Verification (Google), Two Factor Verification (Dropbox, Twitter), Login Approvals and Code Generator (Facebook)
There are three authentication factors; two-factor authentication combines two (or more) of them:
knowledge factor: "something only the user knows"
  PIN, password, pattern, "What was the name of your first pet?"
possession factor: "something only the user has"
  key, smart card, ATM card, mobile phone, hard tokens, USB tokens
inherence factor: "something only the user is"
  fingerprint, iris, voice, DNA
everyday example: the Automatic Teller Machine
ATM card + PIN = "something only the user has" + "something only the user knows"
requirements for secure factors
- strong entropy of secrets
- high resistance of tokens against cloning
- uniqueness and reliability of biometrics
- secure transport (tokens, passwords, etc.)
- additional management: disable lost tokens, define the steps for a password reset, withdraw credentials that are no longer required
- fraud detection: monitor failed attempts, lock the account
TFA in Web Applications
what is possible?

knowledge factor
- PIN?
- password?
- pattern? requires JavaScript / Flash, but
- "What was the name of your first pet?" does not fulfil "something only the user knows"

possession factor
- key? difficult to check
- smart card? requires additional hardware; not usable in a web browser (maybe with a plugin); costs (card, card reader, transport of the card)
- USB token? not usable in a web browser (maybe with a plugin); costs (token + transfer)
- hard token? costs (token itself, transport)
- mobile phone, SMS? costs; and you have to ask the user: "Give us your phone number?"
- mobile phone, voice message? same as SMS
- mobile phone, code generator (smart phone): the option the rest of this talk is about (HOTP / TOTP)
HMAC-Based One-Time Password algorithm (HOTP, RFC 4226)
hardware token with:
- secret key
- secret counter value
- public serial
- new code on key press (counter increases)
HMAC-Based One-Time Password
hash = hmac_sha1(key, counter)                   counter encoded as an 8-byte big-endian integer
offset = last 4 bits of hash                     i.e. the low nibble of the last byte, a value 0..15
number = 4 bytes from hash, beginning at offset  with the most significant bit cleared
code = number mod 10^digits, zero-padded on the left to the given length (6 or 8 digits)
example
hash = hmac_sha1("12345", 1)
     = 20 d4 c6 b0 32 ea 01 da 02 6e a8 a9 f6 f4 00 41 d0 95 6d 08
offset = last 4 bits of hash (last byte 08) = 8
number = 4 bytes from hash, beginning at offset 8 = 02 6e a8 a9 = 40806569
code = number mod 10^8, padded to 8 digits = 40806569 (with 6 digits: 806569)
usage
For every user the web application stores the serial of the token, the shared secret key and the current counter value; the authenticator with that serial holds the same key and counter:

serial            key (secret)    counter (secret)   uid
FOO-BAR-BAZ       43A7B66200DD     7                 42456
ABCD-EFGH-IJKL    AF3A77E8D638    19                 87632
MNOP-QRST-UVWX    74DA39355CB6     2                 24572

authenticator ABCD-EFGH-IJKL: key AF3A77E8D638, counter 19

generate a new code
The user presses the button: the authenticator increments its counter to 20 and displays HOTP(key, 20) = 830429. The web application computes the code for the next counter value, 20, and gets 830429 as well.

code was correct
The entered code matches, so the web application stores counter 20 for uid 87632. Both sides are in sync again, and the code for counter 20 can never be accepted a second time.

code was incorrect (e.g. typo)
The user enters 830428 instead of 830429. The web application rejects the code and keeps counter 19, but the authenticator has already moved on to 20: the counters are out of sync, and from now on every code the token shows is one (or more) steps ahead of what the server expects.

solution
also check up to 10 upcoming codes (counter + 1 ... counter + 10); when one of them matches, accept the login and update the stored counter to that value, so that the two sides are resynchronised
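The truncation worked through above and the look-ahead resynchronisation, as an added Python example; this is not code from the talk or from the Doorman library. The names dynamic_truncate, hotp and HotpVerifier, the in-memory user store and the enrolment values are chosen here; the secret "12345678901234567890" is the RFC 4226 test key, and the 20 HMAC bytes from the slide are taken as given (the block redoes only the truncation step on them, not the HMAC itself).

```python
import hashlib
import hmac
import struct


def dynamic_truncate(mac: bytes, digits: int = 6) -> str:
    """The truncation step from the slides (RFC 4226, section 5.3):
    offset = low 4 bits of the last HMAC byte, take 4 bytes from there,
    clear the top bit, keep the last `digits` decimal digits, zero-padded."""
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = truncate(HMAC-SHA1(K, C)), C as 8-byte big-endian."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


class HotpVerifier:
    """Server side of the exchange from the slides. Per user we keep the
    shared key and the counter of the next expected code. A code the token
    generated but the server never accepted (typo, pocket press) leaves the
    token ahead of the server, so the next `window` counters are tried too
    and the stored counter is moved past the one that matched."""

    def __init__(self, window: int = 10, digits: int = 6) -> None:
        self.window = window
        self.digits = digits
        self._users: dict[str, tuple[bytes, int]] = {}  # uid -> (key, counter)

    def enrol(self, uid: str, key: bytes, counter: int = 0) -> None:
        self._users[uid] = (key, counter)

    def counter(self, uid: str) -> int:
        return self._users[uid][1]

    def verify(self, uid: str, code: str) -> bool:
        key, counter = self._users[uid]
        for c in range(counter, counter + self.window + 1):
            # constant-time comparison: do not leak how many digits matched
            if hmac.compare_digest(hotp(key, c, self.digits), code):
                # one-time: counters <= c are never accepted again
                self._users[uid] = (key, c + 1)
                return True
        return False  # counter untouched; count the failure for fraud detection


if __name__ == "__main__":
    # RFC 4226 appendix D test secret; the slide's HMAC bytes taken as given
    key = b"12345678901234567890"
    slide_mac = bytes.fromhex("20d4c6b032ea01da026ea8a9f6f40041d0956d08")
    print(dynamic_truncate(slide_mac, 8))  # 40806569, as on the slide
    server = HotpVerifier(window=10)
    server.enrol("87632", key, counter=19)
    print(server.verify("87632", hotp(key, 20)), server.counter("87632"))
```

Because the loop walks the counters in increasing order, the server settles on the lowest counter that produces the entered code and then stores one past it, so the same code is never accepted twice; a token that was pressed more than `window` times without a successful login is rejected and needs an explicit resynchronisation.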
Time-Based One-Time Password algorithm (TOTP, RFC 6238)
authenticator with:
- secret key
- internal clock
- new code every 30 seconds
Time-Based One-Time Password
time_frame = floor(unix_timestamp / time_step)   time_step = 30 seconds
hash = hmac_sha1(key, time_frame)                time_frame encoded as an 8-byte big-endian integer
offset = last 4 bits of hash
number = 4 bytes from hash, beginning at offset  with the most significant bit cleared
code = number mod 10^digits, zero-padded on the left to the given length
In other words: HOTP with the current time frame in place of the counter.
usage
The web application stores only the key per user; there is no counter to keep in sync:

key (secret)    uid
43A7B66200DD    42456
AF3A77E8D638    87632
74DA39355CB6    24572

At UNIX timestamp 1234567890 the authenticator with key AF3A77E8D638 shows 692113, and the web application computes 692113 for the same time frame. The code must be marked as used, because it is a "one-time password": within its 30-second frame the same code would otherwise be accepted again, e.g. by someone who watched it being typed.

wrong code
The user enters 849372, the web application expects 692113. You should lock the account for the current time frame: a 6-digit code has only 10^6 possible values, so repeated guessing within a frame must not be allowed (count the failed attempts, as in the fraud detection requirement above).

what about delays? clocks out of sync?
simple: also check one time frame before and one after the current one
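TOTP generation plus the server-side checks from this section (mark a code as used, lock out after failures within a frame, accept one frame either side), as an added Python example that is not from the talk or the Doorman library. totp_for_frame, totp and TotpVerifier are names chosen here, the in-memory dictionaries stand in for the user table, max_failures=3 is an assumed limit, and the secret and timestamps used for checking are the RFC 6238 SHA-1 test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp_for_frame(key: bytes, frame: int, digits: int = 6) -> str:
    """Same computation as HOTP (RFC 4226), with the time frame as counter."""
    mac = hmac.new(key, struct.pack(">Q", frame), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): time_frame = floor(unix_timestamp / time_step)."""
    return totp_for_frame(key, unix_time // step, digits)


class TotpVerifier:
    """Server-side checks from the slides: accept the current frame and one
    frame either side (clock drift, typing delay), never accept a frame at or
    below the last one used (one-time password), and lock the user out for
    the rest of the current frame after max_failures wrong codes."""

    def __init__(self, step: int = 30, digits: int = 6,
                 skew: int = 1, max_failures: int = 3) -> None:
        self.step, self.digits, self.skew = step, digits, skew
        self.max_failures = max_failures  # assumed limit, not from the talk
        self._keys: dict[str, bytes] = {}                # uid -> shared secret
        self._last_used: dict[str, int] = {}             # uid -> last accepted frame
        self._failures: dict[str, tuple[int, int]] = {}  # uid -> (frame, count)

    def enrol(self, uid: str, key: bytes) -> None:
        self._keys[uid] = key

    def verify(self, uid: str, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        frame = now // self.step
        fail_frame, fails = self._failures.get(uid, (frame, 0))
        if fail_frame != frame:
            fails = 0                      # failures are counted per time frame
        if fails >= self.max_failures:
            return False                   # locked out until the next frame
        if not (code.isdigit() and len(code) == self.digits):
            self._failures[uid] = (frame, fails + 1)
            return False
        key = self._keys[uid]
        for f in range(frame - self.skew, frame + self.skew + 1):
            if f <= self._last_used.get(uid, -1):
                continue                   # already used (or older): reject
            if hmac.compare_digest(totp_for_frame(key, f, self.digits), code):
                self._last_used[uid] = f   # mark this frame's code as used
                self._failures.pop(uid, None)
                return True
        self._failures[uid] = (frame, fails + 1)
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"           # RFC 6238 test secret
    print(totp(key, 1234567890, digits=8))  # 89005924 (RFC 6238 test vector)
    server = TotpVerifier()
    server.enrol("87632", key)
    print(server.verify("87632", totp(key, 1234567890), now=1234567890))  # True
    print(server.verify("87632", totp(key, 1234567890), now=1234567890))  # False: used
```

The verifier rejects any frame at or below the last accepted one, so a code cannot be replayed inside its 30 seconds and a code captured in the previous frame is useless as well; failed attempts are counted per frame and reset by themselves when the next frame begins.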
Example Implementation
demo time
Step 1, check the credentials (login form handler):

// Check Credentials (Step 1)
$username = $_POST['username'];
$password = $_POST['password'];

$user = getUserByCredentials($username, $password);
if (!$user) {
    redirect('/login/');
    exit; // make sure nothing below runs after the redirect
}

// a user with an authenticator is only half-way in: step 2 follows
if ($user->hasAuthenticator()) {
    $session->set('authenticated', false);
} else {
    $session->set('authenticated', true);
}

On every protected page, send users who have not completed step 2 to the code form:

// Check for Authentication
if (!$session->get('authenticated')) {
    redirect('/tfa-code/');
    exit;
}

Step 2, check the one-time code (code form handler):

// Check Code (Step 2)
use BattleRattle\Doorman\Authentication\GoogleAuthenticator;

// get the code from user input
$code = $_POST['code'];

// get the associated key for the current user
// (Base32 secret; hard-coded here for the demo, read it from the user record in real code)
$key = 'ONETIMEPASSWORDS';

$authenticator = new GoogleAuthenticator();
$result = $authenticator->authenticate($key, $code);

if ($result) {
    $session->set('authenticated', true); // step 2 done, the session is now fully authenticated
    echo 'Welcome, you successfully logged in';
} else {
    echo 'Nope, try again';
}

installation via composer / packagist:
"require": { "battlerattle/doorman": "dev-master" }
questions?
thank you