Bringing Two-factor Authentication to Web Applications by Michael Starks 2005 March Rochester OWASP.

Three Categories of Authentication
● Something you know
● Something you have
● Something you are

Something You Know
● Password or passphrase
● Mother's maiden name
● Date of birth
● Previous address
● PIN

Something You Have
● RSA SecurID
● Smart card
● Smart token
● Scratch-off card
● Certificate

Something You Are
● Biometrics
  – Retina or iris scan
  – Hand geometry
  – Fingerprint
  – Voice print
  – Face recognition
● The future
  – DNA
  – Behavior recognition

How Many Factors Are Required?
● Any item from the three categories can be considered a token
● Simply put, authenticating with a token from one category is single-factor authentication; authenticating with tokens from two categories is two-factor authentication
● Authentication is predominantly single-factor
● The password is the most common form of authentication

The Problems With Single-factor Authentication
● Most web-based applications authenticate with a password only
● Passwords are easily stolen, guessed, recorded and brute-forced
● Humans are not well-suited to remembering good passwords or to managing them
● Passwords are often stored in plain text or using reversible encryption

Benefits of Two-factor Authentication
● Mitigates the risk of many attacks
  – Sniffing, keystroke logging
  – Social engineering
  – Replay
  – Session spoofing
  – May reduce the overall risk of a vulnerable web application
● If a single identity token is compromised, the application should not authenticate the thief
● Non-repudiation

Risks NOT Necessarily Mitigated by Using Two-factor Authentication
● Web applications which are vulnerable are still vulnerable
● Backdoors, trojans, etc.
● Are your applications still accessible with single-factor or no authentication?
● Web server vulnerabilities
● Other vulnerable services running on the same server or on other trusted servers
● DNS hijacking
● Many, many more...

Options for Web Applications
● Two-factor authentication of any sort can generally be added directly to, or as a layer onto, web applications
● With enough money
● With enough time
● With enough patience
● With enough user acceptance
● It all goes back to cost

Cost/Benefit Analysis of Common Solutions
● Cost is determined by several factors
  – Dollars and cents
  – Order of effectiveness
    ● How well does it work?
  – Order of acceptance
    ● Biometric acceptance, in particular, can be a challenge
  – Enrollment
    ● Credentials have to be granted to verified users
  – Cost is often determined by the value of the information you are trying to protect
  – For many situations, the winner is....

SSL!
● SSL involves the use of asymmetric as well as symmetric encryption
● SSL sits above TCP but below the HTTP layer
● SSL can provide not only session-layer encryption but can also require the user to present a valid certificate
● A valid certificate can serve as a token from the 'something you have' category
● Combined with a password, as traditionally used in web applications, authentication then becomes two-factor

Abridged Description of How SSL works
● Client requests a secure session from the server, sending information about the ciphers and SSL versions it supports
● Server responds with the SSL version and ciphers it supports
● Server presents its certificate, which includes the public key, along with some other info
● Server optionally requests a client certificate
● Client presents its client certificate, encrypts various info to the server's public key and optionally signs the transaction

Abridged Description of How SSL works (continued)
  – If the client certificate is protected by a pass phrase, the authentication can already be considered two-factor. If not, it is so far only single-factor.
● A symmetric session key is negotiated by the client, encrypted to the server's public key and sent to the server
● The actual symmetrically encrypted SSL session begins

Three Ways to Implement Certificates
● Self-signed
● Trusted certificate authority signed
● Local certificate authority signed
● Each has associated costs and benefits
● Intranet environments differ from public web servers
● Effective user enrollment can be time-consuming and logistically expensive, but secure
X.509v3

Requiring Client Certificates With Apache
1. Decide on self-signed, trusted or local CA
2. If using self-signed or local CA, create the server certificate on an off-line system. If your root CA certificate is ever compromised, nothing issued by the root can be trusted. Instead of issuing directly from the root, create a separate issuing CA
3. If using self-signed or local CA, the certificate will probably have to be manually distributed and installed
4. If using a trusted CA, obtain a signed certificate from a trusted authority

Requiring Client Certificates With Apache (continued...)
1. Install the certificate into Apache
2. Add the following directives to httpd.conf:
  ● SSLVerifyClient require
  ● SSLVerifyDepth 1 (increase the depth according to the number of intermediate CAs)
3. At this point you are now requiring client authentication
4. Enroll clients in person at your CA for maximum security
5. Use further directives for granular security
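As an added worked example (not from the slides or the Apache project), the off-line root plus separate issuing CA layout from the previous slide and the SSLVerifyDepth setting above can be exercised with the OpenSSL command line: the root signs an issuing CA, the issuing CA signs a client certificate, and the chain is then checked at different depths and against a CA the server does not trust. mod_ssl hands SSLVerifyDepth to OpenSSL's verify depth, so `openssl verify -verify_depth` applies the same limit. All subject names, file names and the PKCS#12 passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): off-line root CA -> issuing CA -> client
# certificate with OpenSSL, then chain checks at different verification depths
# and against an untrusted anchor. Names, paths and passphrase are placeholders.
set -e
WORK="${TMPDIR:-/tmp}/client-cert-demo.$$"

gen_ca_and_client() {
  mkdir -p "$WORK" && cd "$WORK"
  # Root CA: self-signed; generated and kept on an off-line system in practice.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
  # Issuing CA signed by the root: day-to-day issuance happens here, so the
  # root key never has to be online and stays trusted if this CA is lost.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout issuing.key -out issuing.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out issuing.crt 2>/dev/null
  # Client certificate (the "something you have"), signed by the issuing CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout client.key -out client.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >client.ext
  openssl x509 -req -in client.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
    -days 365 -extfile client.ext -out client.crt 2>/dev/null
  # PKCS#12 bundle for manual distribution; its passphrase protects the private
  # key on the user's machine and supplies the "something you know" factor.
  openssl pkcs12 -export -in client.crt -inkey client.key -certfile issuing.crt \
    -passout pass:placeholder-passphrase -out client.p12
  # A CA the server was never told to trust (stands in for an attacker's CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Rogue CA" -keyout rogue.key -out rogue.crt 2>/dev/null
}

# verify_client DEPTH ANCHOR: the check mod_ssl makes with SSLVerifyDepth DEPTH
# and SSLCACertificateFile ANCHOR (mod_ssl hands the depth to OpenSSL).
# Returns 0 if client.crt chains to ANCHOR within DEPTH, non-zero otherwise.
verify_client() {
  openssl verify -verify_depth "$1" -CAfile "$WORK/$2" \
    -untrusted "$WORK/issuing.crt" "$WORK/client.crt" >/dev/null 2>&1
}

demo() {
  gen_ca_and_client
  verify_client 2 root.crt || return 1             # root -> issuing -> client: accepted
  if verify_client 0 root.crt; then return 1; fi   # depth 0 allows no intermediate: rejected
  if verify_client 2 rogue.crt; then return 1; fi  # unknown trust anchor: rejected
  echo "client certificate chain checks behaved as expected"
}
demo
```

The files are left under $WORK so client.p12 can be inspected or imported; remove the directory when done.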

Requiring Client Certificates With IIS
1. Decide on self-signed, trusted or local CA
2. If using self-signed or local CA, create the server certificate on an off-line system. Microsoft Certificate Services can be used, as well as OpenSSL. Remember, if your root CA certificate is ever compromised, nothing issued by the root can be trusted. Instead of issuing directly from the root, create a separate issuing CA
3. In a domain environment, an Enterprise Certificate Services server can automatically distribute certificates via Group Policy

Requiring Client Certificates With IIS (continued...)
1. Install a Certificate Trust List; otherwise IIS will trust all CAs, potentially even that of an attacker
2. In IIS, under the properties of the web site, click on the Directory Security tab, check the 'Require Secure Channel' box and select the 'Request Client Certificates' radio button
3. At this point you are now requiring client authentication
4. Enroll clients in person at your CA, or through Group Policy, for maximum security

Effects of Using Non-trusted Certificates

Effects of Using Non-trusted Certificates (continued...)

Installing a Non-trusted Certificate in Windows

Effect of Installing a Non-trusted Certificate in Windows

Recommendations, Summary and Key Points
● Requiring client certificates allows for two-factor authentication to web applications, but does not alone make it two-factor
● If a client certificate is required, the certificate exchange happens before the web application is accessible, thereby mitigating the risks of many known and unknown attacks
● Consider cost as it relates to more than dollars and cents
● Consider protecting only sensitive areas

Recommendations, Summary and Key Points (continued...)
● Risks cannot be 100% mitigated. Certificates can be stolen, users can be socially engineered, private key passphrases can be saved. Think defense-in-depth.
● Consider using open-source software such as Apache and OpenSSL whenever possible
● When using certificates for authentication, it is usually mutual: the user authenticates the server and the server authenticates the user. Who do you trust?

Recommendations, Summary and Key Points (continued...)
● Enforce a minimum of 128-bit key lengths with SSL v3.0/TLS 1.0, if possible
● Consider that a NIDS will be blind to SSL traffic
● When distributing client certificates, try to use a secure out-of-band channel
● Finally, don't have a false sense of security just because two-factor authentication has been implemented. Security is more about processes, policies and people than technology.
