U2F Case Study: Examining the U2F paradox
3 What is Universal 2nd Factor (U2F)?

4 Simple, Secure, Scalable 2FA

5 Didn’t We Solve This Already?
SMS: Coverage, Delay, Cost, Battery, Policy
OTP Devices: One per site, Provisioning costs, Battery
Smart Cards: Readers/drivers, Middleware, Cost

6 Bad User Experience: Users find it hard to use
Still Phishable: Successful attacks carried out today
MitM: Successful attacks carried out today
And...

7 Why U2F?
Simple
– To register and authenticate: a simple touch!
– No drivers or client software to install
Secure
– Public key cryptography
– Protects against phishing and man-in-the-middle
Scalable
– One U2F device, many services
Protects Privacy
– No secrets shared between service providers

8 Google Login With U2F
1. Enter username/pwd
2. Insert U2F Key
3. Touch device

9 Dropbox Login With U2F
1. Enter username/pwd
2. Insert U2F Key
3. Touch device

10 GitHub Login With U2F
1. Enter username/pwd
2. Insert U2F Key
3. Touch device

11 Your Login With U2F
1. Enter username/pwd
2. Insert U2F Key
3. Touch device

14 Protocol Overview

Participants: Individual with U2F Device, Relying Party
Registration
1. Server sends challenge
2. Device generates key pair
3. Device creates key handle
4. Device signs challenge + client info
5. Server receives and verifies device signature using attestation cert
6. Key handle and public key are stored in database
Authentication
1. Server sends challenge + key handle
2. Device unwraps/derives private key from key handle
3. Device signs challenge + client info
4. Server receives and verifies using stored public key

16 Protocol Design Step-By-Step

17 Authentication (U2F Device, Client, Relying Party)
Relying Party -> Client -> U2F Device: challenge
U2F Device: sign with k_priv, s = signature(challenge)
U2F Device -> Client -> Relying Party: s
Relying Party: look up k_pub, check signature s using k_pub

18 Phishing/MitM Protection (U2F Device, Client, Relying Party)
Relying Party -> Client: challenge
Client -> U2F Device: c = (challenge, origin, channel id)
U2F Device: sign with k_priv, s = signature(c)
U2F Device -> Client: s
Client -> Relying Party: c, s
Relying Party: look up k_pub, check s using k_pub, verify origin & channel id

19 Application-Specific Keys (U2F Device, Client, Relying Party)
Relying Party -> Client: handle h, app id a, challenge
Client -> U2F Device: h, a, c = (challenge, origin, channel id, etc.)
U2F Device: check app id a, look up the k_priv associated with h, sign with k_priv, s = signature(a, c)
U2F Device -> Client: s
Client -> Relying Party: c, s (with h)
Relying Party: look up the k_pub associated with h, check s using k_pub, verify origin & channel id

20 Device Cloning (U2F Device, Client, Relying Party)
Relying Party -> Client: handle h, app id a, challenge
Client -> U2F Device: h, a, c = (challenge, origin, channel id, etc.)
U2F Device: check app id a, look up the k_priv associated with h, counter++, sign with k_priv, s = signature(a, c, counter)
U2F Device -> Client: counter, s
Client -> Relying Party: counter, c, s (with h)
Relying Party: look up the k_pub associated with h, check s using k_pub, verify origin, channel id & counter

21 Registration + Device Attestation (U2F Device, Client, Relying Party)
Relying Party -> Client: app id a, challenge
Client -> U2F Device: a, c = (challenge, origin, channel id, etc.)
U2F Device: check app id a, generate k_pub, k_priv and handle h
U2F Device -> Client: k_pub, h, attestation cert, s = signature(a, c, k_pub, h)
Client -> Relying Party: c, k_pub, h, attestation cert, s
Relying Party: associate k_pub with handle h for the user
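The relying-party checks of slides 18 to 21 as an added simulation in Go (example code written for this page, not the slides' or Yubico's code): the server verifies the origin bound into the client data, the signature under the app-specific k_pub, and a strictly increasing counter. It assumes the U2F signature layout SHA256(app id) || user-presence byte || counter || SHA256(client data), and the origins example.test and phish.test are constructed; key handles and the attestation certificate are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// ClientData is what the browser binds into the signature (slide 18): the challenge plus the origin it actually loaded.
func ClientData(challenge, origin string) string {
	return fmt.Sprintf(`{"challenge":%q,"origin":%q}`, challenge, origin)
}
// signedHash hashes the U2F authentication layout: SHA256(appID) || user-presence byte || counter || SHA256(clientData).
func signedHash(appID string, counter uint32, clientData string) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256([]byte(clientData))
	msg := append(app[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter)) // 0x01: the touch
	h := sha256.Sum256(append(msg, chal[:]...))
	return h[:]
}
// Register stands in for slide 21 minus the attestation cert: the device generates an app-specific key pair, the relying party keeps k_pub.
func Register() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// Sign is the device side: bump the device-wide counter (slide 20), then sign app id, counter and client data with k_priv.
func Sign(priv *ecdsa.PrivateKey, appID string, counter *uint32, clientData string) ([]byte, error) {
	*counter++
	return ecdsa.SignASN1(rand.Reader, priv, signedHash(appID, *counter, clientData))
}
// Verify is the relying-party side of slides 18-20: challenge and origin must be the ones it issued, the signature must check under k_pub for its own app id, and the counter must exceed the last value seen.
func Verify(pub *ecdsa.PublicKey, last *uint32, appID, origin, challenge, clientData string, counter uint32, sig []byte) error {
	if clientData != ClientData(challenge, origin) {
		return errors.New("rp: origin or challenge mismatch (phishing/MitM)")
	}
	if !ecdsa.VerifyASN1(pub, signedHash(appID, counter, clientData), sig) {
		return errors.New("rp: bad signature")
	}
	if counter <= *last {
		return errors.New("rp: counter did not increase, possible cloned device")
	}
	*last = counter
	return nil
}
func main() {
	priv, _ := Register() // device key for the constructed relying party at https://example.test
	var devCounter, rpLast uint32
	sig, _ := Sign(priv, "https://example.test", &devCounter, ClientData("c1", "https://phish.test")) // browser on a phishing page
	fmt.Println("phished login accepted:", Verify(&priv.PublicKey, &rpLast, "https://example.test", "https://example.test", "c1", ClientData("c1", "https://phish.test"), devCounter, sig) == nil)
}
```

A key registered for another app id fails the signature check rather than an explicit app-id comparison, because SHA256(app id) is part of the signed data.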

22 So How Did We Do?
Bad User Experience: x
Still Phishable: x
MitM: x

23 Resources
Strengthen 2 step verification with Security Key: Google security blog
Yubico Security Key: yubico.com/security-key
Yubico Libraries, Plugins, Sample Code, Documentation: developers.yubico.com
FIDO U2F Protocol Specification: fidoalliance.org/specifications
Yubico Demo Server - Test U2F: demo.yubico.com/u2f
Yubico Demo Server - Test Yubico OTP: demo.yubico.com

24 Questions, Comments