Presentation is loading. Please wait.

Presentation is loading. Please wait.

Apache Triplesec: Strong (2-factor)

Published byAdela Cunningham Modified over 8 years ago

Similar presentations

Presentation on theme: "Apache Triplesec: Strong (2-factor)"— Presentation transcript:

1 Apache Triplesec: Strong (2-factor)
Mobile Identity Management Alex Karasulu

2 Agenda Drivers Multiple factors & OTP Triplesec Solution Miscellaneous
Summary & Conclusion

3 Agenda: Drivers Problems Demand Market Costs Logistics

4 An Integration Problem!
The Identity Problem An Integration Problem!

5 Increasing demand for multi-factor authentication.
The Phishing Problem Increasing demand for multi-factor authentication.

6 Multi-Factor Gold Rush
FEICC-mandated multi-factor for 2007 Financial companies are desperate Many new vendors Lack of standards Just get into the market mentality Lot's of ugly products Lot's of suckers to be born!

7 Commercial Products 2-factor products Identity Management products
SecureId (RSA)‏ Safeword ActiveIdentity Identity Management products Netegrity (CA)‏ Oblix (Oracle)‏ SUN Identity

8 How much does multi-factor authentication cost?
One Time Device Cost 15-110$ USD per user logistics costs: delivery & RMA? Recurring Cost Per User (server)‏ 10-35$ USD per user per year Authentication Server Cost 0-100K USD one time cost Maintenance covered by per user cost Integration Services?

9 How much does identity management cost?
Recurring Cost Per User (server)‏ 12-30$ USD per user per year Server Cost 0-100K USD one time cost (10K users)‏ Maintenance covered by per user cost Integration Services?

10 Identity Management + Multi-factor authentication = too much!
Combined cost per user can climb rapidly Increased entropy: 2 products not 1 Integration between products required More to Manage: each has own interfaces

11 Agenda: Multiple Factors and OTP
One Time Passwords (OTP)‏ HOTP Inhibitors Mobile Solution

12 One Time Passwords (OTP)‏
Generated by hardware token Changes with each use Algorithms Time Based S/Key (MD4/5)‏ HMAC HOTP

13 HOTP – RFC 4226 Shared secret Counter Throttling parameter
Look-ahead parameter: self service Bi-directional authentication Low resource utilization No network needed

14 OTP Inhibitors A token per account Must carry extra device on person
Replacing broken or stolen device Device cost Device provisioning Invasive changes required to use within existing infrastructure

15 Proposed Solution Use mobile phones to generate OTP
everybody has a cell phone no new hardware to buy or carry Simple provisioning process WAP push to mobile device Standard protocols for authentication Standard JSE, JEE & JME interfaces Integrated noninvasive IdM

16 Agenda: Triplesec Solution
Intro Mobile Token Authentication & Authorization Administrator UI Feature Demos

17 Triplesec “Strong Identity Server”
FOSS – ASL Licensed Identity Management Platform 2-Factor Authentication Authorization (RBAC)‏ Auditing SSO JME & JSE OTP client Want to see it?

18 Mobile Token JME based OTP generator Connectionless OTP generation
MIDP 1.0 compatible 33Kb footprint Runs on low end phones Connectionless OTP generation No data subscription need No service need Uses HOTP from OATH (RFC 4226)‏

19 Authentication Password & passcode (OTP value)‏ Optional realm field
Kerberos LDAP JAAS Login Module

20 Authorization Authorization Policy Store Guardian API applications
permissions roles authorization profiles users groups Guardian API

21 Administration Tool Manage Let's take a look! applications users
groups roles permissions profiles Let's take a look!

22 Servlet Demo Simple Servlet Uses Guardian API Application = demo
Read & report roles and permissions Reads profile for each request Should respond to policy change events?

23 Policy Change Listener
Guardian API has listener interface Receives policy change events permission changes role changes profile changes Asynchronous notification No polling!

24 Dynamic Policy Demo Simple Swing Application
Uses Policy Change Listener Paints menu with permissions of user Update dependent: grants denials roles UI responds to events to redraw menu

25 Simple Policy Management
Simple Schema for Policy Store Any LDAP client can be used Easy to write access API in any lang Easy to administer policy with scripts Export Policies for testing Guardian LDIF & LDAP Drivers

26 What happens when the counter gets out of sync?
Sync Protocol What happens when the counter gets out of sync?

27 Let's see the sync protocol in action with a better demo.
Better Web Demo Let's see the sync protocol in action with a better demo.

28 Agenda: Miscellaneous
Built on ApacheDS Protocols SSO & SAML Future Plans

29 Based on ApacheDS Triplesec uses ApacheDS for: Simple Schema
LDAP Kerberos ChangePW Simple Schema Looking inside with LDAP Studio

30 Single Sign On & SAML Use Kerberos for OS authentication
Windows (default)‏ Linux (pam_krb5)‏ MacOSX (optional)‏ Can be integrated w/ CAS Can be integrate w/ Shibboleth HOTP transparent to all clients

31 Future Plans Improve various features
Experiment with Bluetooth for MIDlet Make into JACC provider Add more polish Administrator plug-in for LDAP Studio

32 Agenda: Summary & Conclusions
Uncovered Material Benefits Drawbacks Conclusions Questions

33 Things we did not have time to present to you
MIDLet OTP Generator SMS & Provisioning Pin Cracking Protection OS SSO & Configuration Auditing & Compliance JAAS LoginModule Configuration UI Integration Delegation of Administration Authentication Delegation to external services

34 Benefits Single device for all OTP generators (accounts)‏
Easy to use & simple design Dynamic notification of policy changes Uses standards: HOTP, Kerberos, LDAP, JAAS, MIDP 1.0 FOSS – ASL 2.0

35 Drawbacks Waiting on ApacheDS MMR Heavy re-factoring needed: prototype
Schema redesign needed for JACC Better management interfaces

36 Conclusions Simple solution for: Low complexity: minimize integration
Simple identity management needs 2-factor mobile authentication Low complexity: minimize integration No need for extra hardware Easy provisioning Increased security Reduced cost

37 Questions?

Download ppt "Apache Triplesec: Strong (2-factor)"

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
McAfee One Time Password

McAfee One Time Password
Enable Bring Your Own Device with SCCM 2012 David Caddick Solutions Architect, Quest Software WCL315.

Enable Bring Your Own Device with SCCM 2012 David Caddick Solutions Architect, Quest Software WCL315.
OneBridge Mobile Data Suite Product Positioning. Target Plays IT-driven enterprise mobility initiatives Extensive support for integration into existing.

OneBridge Mobile Data Suite Product Positioning. Target Plays IT-driven enterprise mobility initiatives Extensive support for integration into existing.
Oracle IDM at First National Bank

Oracle IDM at First National Bank
Mutual OATH HOTP Variants 65th IETF - Dallas, TX March 2006.

Mutual OATH HOTP Variants 65th IETF - Dallas, TX March 2006.
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Digital DNA Server Login People ®. Login People ˃ IT security vendor ˃ Patented Digital DNA ® technology innovation Digital DNA Server Multi-factor Authentication.

Digital DNA Server Login People ®. Login People ˃ IT security vendor ˃ Patented Digital DNA ® technology innovation Digital DNA Server Multi-factor Authentication.
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Page 1 of 29 Net-Scale Technologies, Inc. Network Based Personal Information and Messaging Services Urs Muller Beat Flepp

Page 1 of 29 Net-Scale Technologies, Inc. Network Based Personal Information and Messaging Services Urs Muller Beat Flepp
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Ho Ting Chung, Zeturl (52246962) 1.  Authentication  Encryption 2.

Ho Ting Chung, Zeturl ( ) 1.  Authentication  Encryption 2.
S ECURITY M ADE S IMPLE Technology leader in modern two-factor authentication via SMS Morten Skovsgaard Sales Manager 21 19 21 49

S ECURITY M ADE S IMPLE Technology leader in modern two-factor authentication via SMS Morten Skovsgaard Sales Manager
Important when you launch Yammer Enterprise Create an engaged and trusted community Decide about User Profile Syncs Various User and Admin.

Important when you launch Yammer Enterprise Create an engaged and trusted community Decide about User Profile Syncs Various User and Admin.
The Homegrown Single Sign On (SSO) Project at UM – St. Louis.

The Homegrown Single Sign On (SSO) Project at UM – St. Louis.
Understanding Active Directory

Understanding Active Directory
EToken TMS 5.0 CA June 09. eToken TMS 5.0 Agenda  The challenge: Authenticator life-cycle management  eToken TMS (Token Management System)  eToken.

EToken TMS 5.0 CA June 09. eToken TMS 5.0 Agenda  The challenge: Authenticator life-cycle management  eToken TMS (Token Management System)  eToken.
Microsoft Identity and Access Solutions Market Trends and Futures

Microsoft Identity and Access Solutions Market Trends and Futures
Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.
Computer Associates Solutions Managing eBusiness Catalin Matei, April 12, 2005

Computer Associates Solutions Managing eBusiness Catalin Matei, April 12, 2005

Similar presentations

Ads by Google