INA Volume 1/3 Version 1.0 Released / Digital Identity and Authentication

INA Volume 1/3 Version 1.0 Released / Digital Identity and Authentication
INA – Volume 1 Sylvain MARET Version 1.0 Released 2013-04-08 INA Volume 1 – Version 1.0 / @smaret 2013
INA Volume 1 – Version 1.0 / @smaret 2013
Who am I?  ICT Security Consultant – 18 years of experience in ICT Security – Principal Consultant at MARET Consulting – Expert at Engineer School of Yverdon-les-Bains – Member of board OpenID Switzerland – Co-founder Application Security Forum #ASFWS – OWASP Member Switzerland – Author of the blog: la Citadelle Electronique – http://ch.linkedin.com/in/smaret or @smaret – http://www.slideshare.net/smaret  Chosen field – AppSec & Digital Identity Security INA Volume 1 – Version 1.0 / @smaret 2013
Agenda Volume 1  C0 - Introduction  C1 - Definition  C2 - Tokens / Authentication factors  C3 – Password  C4 - One Time Password - OTP  C5 - OTP / OATH standars  C6 - OTP solution  C7 - AuthN PKI  C8 - Biometrics  C9 - OATH approach INA Volume 1 – Version 1.0 / @smaret 2013
Digital Identity ? INA Volume 1 – Version 1.0 / @smaret 2013
Definition Wikipédia French INA Volume 1 – Version 1.0 / @smaret 2013
Definition INA Volume 1 – Version 1.0 / @smaret 2013
Identity  A set of attributes that uniquely describe a person or information system within a given context. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Authentication  The process of establishing confidence in the identity of users or information systems. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Electronic Authentication (E-Authentication)  The process of establishing confidence in user identities electronically presented to an information system. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Claimant  A party whose identity is to be verified using an authentication protocol. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Subscriber  A party who has received a credential or token from a CSP. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Token  Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant’s identity. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Credential  An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Identity Proofing  The process by which a CSP and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Credential Service Provider (CSP)  A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Registration Authority (RA)  A trusted entity that establishes and vouches for the identity or attributes of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Verifier  An entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Relying Party (RP)  An entity that relies upon the Subscriber's token and credentials or a Verifier's assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
Authentication Protocol  A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier. Source = NIST Special Publication 800-63-1 INA Volume 1 – Version 1.0 / @smaret 2013
AuthN & AuthZ  Aka authentication process  Aka authorization process INA Volume 1 – Version 1.0 / @smaret 2013
Tokens / Authentication factors INA Volume 1 – Version 1.0 / @smaret 2013
Authentication factors  Something you know  Something you have  Something you are INA Volume 1 – Version 1.0 / @smaret 2013
Strong Authentication / Multi-factor authentication  Multi-factor authentication refers to the use of more than one of the factors listed bellow: – Something you know – Something you have – Something you are INA Volume 1 – Version 1.0 / @smaret 2013
Two-factor authentication  Two-factor authentication – TFA – T-FA – 2FA INA Volume 1 – Version 1.0 / @smaret 2013
Knowledge factors: "something the user knows"  Password – password is a secret word or string of characters that is used for user authentication.  PIN – personal identification number (PIN) is a secret numeric password.  Pattern – Pattern is a sequence of cells in an array that is used for authenticating the users. INA Volume 1 – Version 1.0 / @smaret 2013
Possession factors: "something the user has"  Tokens with a display  USB tokens  Smartphone  Smartcards  Wireless (RFID, NFC)  Etc. INA Volume 1 – Version 1.0 / @smaret 2013
Inherence factors: "something the user is or do"  Physiological biometric – Fingerprint recognition – Facial recognition system – Iris recognition – Etc.  Behavioral biometrics – Keystroke dynamics – Speaker recognition – Geo Localization – Etc. INA Volume 1 – Version 1.0 / @smaret 2013
PASSWORD INA Volume 1 – Version 1.0 / @smaret 2013
http://www.wired.co.uk/magazine/archive/2013/01/features/hacked INA Volume 1 – Version 1.0 / @smaret 2013
http://www.wired.com/wiredenterprise/2013/01/google-password/ INA Volume 1 – Version 1.0 / @smaret 2013
Password Factor  Something you know  PIN Code  Password  Passphrase  Aka 1FA INA Volume 1 – Version 1.0 / @smaret 2013
Password Entropy / Password strength  Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. INA Volume 1 – Version 1.0 / @smaret 2013
Password Entropy / Password strength http://en.wikipedia.org/wiki/Password_strength INA Volume 1 – Version 1.0 / @smaret 2013
Password Entropy / Password strength http://en.wikipedia.org/wiki/Password_strength INA Volume 1 – Version 1.0 / @smaret 2013
Characteristics of weak passwords  based on common dictionary words – Including dictionary words that have been altered: • Reversed (e.g., “terces”) • Mixed case (e.g., SeCreT) • Character/Symbol replacement (e.g., “$ecret”) • Words with vowels removed (e.g., “scrt”)  based on common names  short (under 6 characters)  based on keyboard patterns (e.g., “qwertz”)  composed of single symbol type (e.g., all characters) INA Volume 1 – Version 1.0 / @smaret 2013
Characteristics of strong passwords  Strong Passwords – contain at least one of each of the following: • digit (0..9) • letter (a..Z) • punctuation symbol (e.g., !) • control character (e.g., ^s, Ctrl-s) – are based on a verse (e.g., passphrase) from an obscure work where the password is formed from the characters in the verse INA Volume 1 – Version 1.0 / @smaret 2013
Test your password! https://www.microsoft.com/security/pc-security/password-checker.aspx INA Volume 1 – Version 1.0 / @smaret 2013
Password Manager http://keepass.info/ INA Volume 1 – Version 1.0 / @smaret 2013
Password Manager http://passwordsafe.sourceforge.net/ INA Volume 1 – Version 1.0 / @smaret 2013
Password Generator INA Volume 1 – Version 1.0 / @smaret 2013
Threat Model AuthN 1FA INA Volume 1 – Version 1.0 / @smaret 2013
Password / Threats  Man In The Middle Attacks  Phishing Attacks  Pharming Attacks  DNS Cache Poisoning  Trojan Attacks  Man-in-the-Phone Attacks (Man-in-the-Mobile/MitMo Attacks)  Man-in-the-Browser Attacks  Browser Poisoning  Password Sniffing  Brute Force Attack  Dictionary Attacks INA Volume 1 – Version 1.0 / @smaret 2013
Password Attacks  Password Cracking – Brute force – Dictionary attack – Hybride  Password sniffing  Man-in-the-middle attack  Malware – Keylogger  Default Password  Phishing  Etc. INA Volume 1 – Version 1.0 / @smaret 2013
Password Cracking Tools  Caen & Abel  John the Ripper  L0phtCrack  Ophcrack  THC hydra  Aircrack (WEP/WPA cracking tool)  Etc. INA Volume 1 – Version 1.0 / @smaret 2013
Rainbow table  A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. INA Volume 1 – Version 1.0 / @smaret 2013
Ophcrack INA Volume 1 – Version 1.0 / @smaret 2013
Defense against rainbow tables  A rainbow table is ineffective against one-way hashes that include salts INA Volume 1 – Version 1.0 / @smaret 2013
Password Storage Cheat Sheet  Password Storage Rules – Rule 1: Use An Adaptive One-Way Function • bcrypt, PBKDF2 or scrypt – Rule 2: Use a Long Cryptographically Random Per- User Salt – Rule 3: Iterate the hash – Rule 4 : Encrypt the Hash Data With a Keyed Algorithm https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet INA Volume 1 – Version 1.0 / @smaret 2013
Hashcat / GPU  25-GPU cluster cracks every standard Windows password in <6 hours – It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ INA Volume 1 – Version 1.0 / @smaret 2013
Password sniffing INA Volume 1 – Version 1.0 / @smaret 2013
DFD – Weak Protocol (Telnet) INA Volume 1 – Version 1.0 / @smaret 2013
Weak protocols  Telnet  FTP  IMAP  POP3  LDAP  Etc. INA Volume 1 – Version 1.0 / @smaret 2013
ARP Spoofing INA Volume 1 – Version 1.0 / @smaret 2013
DFD - SSH INA Volume 1 – Version 1.0 / @smaret 2013
Man-in-the-middle attack  often abbreviated – MITM, MitM, MIM, MiM, MITMA INA Volume 1 – Version 1.0 / @smaret 2013
Man-in-the-middle attack  Ettercap  SSLStrip  SSLSniff  Mallory  Etc. INA Volume 1 – Version 1.0 / @smaret 2013
Keylogger / Keystroke logging  Software-based keyloggers – Malware – Mobile  Hardware-based keyloggers INA Volume 1 – Version 1.0 / @smaret 2013
Wireless sniffing – TEMPEST http://lasecwww.epfl.ch/keyboard/ INA Volume 1 – Version 1.0 / @smaret 2013
Malicious Code Evolution INA Volume 1 – Version 1.0 / @smaret 2013
Malware INA Volume 1 – Version 1.0 / @smaret 2013
Zeus INA Volume 1 – Version 1.0 / @smaret 2013
Default Password INA Volume 1 – Version 1.0 / @smaret 2013
One Time Password - OTP Strong AuthN OTP INA Volume 1 – Version 1.0 / @smaret 2013
OTP Technology / Standards  Based on a shared secret Key (symmetric Crypto)  Approach – Time Based OTP – Event Based OTP – Challenge Response OTP – Out-of-band OTP – Transaction Signing OTP – Others  Standards – OATH INA Volume 1 – Version 1.0 / @smaret 2013
Time Based OTP K=Secret Key / Seed OTP T=UTC Time Hash function INA Volume 1 – Version 1.0 / @smaret 2013
Event Based OTP K=Secret Key / Seed OTP C = Counter HASH Function INA Volume 1 – Version 1.0 / @smaret 2013
Token OTP pin protected Source: Richard E. Smith / Authentication INA Volume 1 – Version 1.0 / @smaret 2013
Token OTP pin protected Source: Richard E. Smith / Authentication INA Volume 1 – Version 1.0 / @smaret 2013
OTP Challenge Response Based HASH Function K=Secret Key / Seed OTP Challenge nonce INA Volume 1 – Version 1.0 / @smaret 2013
Transaction Signing OTP INA Volume 1 – Version 1.0 / @smaret 2013
Others OTP  Out-of-Band – SMS OTP – TAN  Bingo Card  Etc. INA Volume 1 – Version 1.0 / @smaret 2013
Out-of-band - SMS OTP INA Volume 1 – Version 1.0 / @smaret 2013
Out-of-band - TAN OTP INA Volume 1 – Version 1.0 / @smaret 2013
Bingo Card OTP INA Volume 1 – Version 1.0 / @smaret 2013
Other[s] OTP technologies… “Flicker code” Generator Software that converts already encrypted data into optical screen animation INA Volume 1 – Version 1.0 / @smaret 2013
OTP / OATH standards Authentication Methods INA Volume 1 – Version 1.0 / @smaret 2013
OATH - Authentication Methods  HOTP: An HMAC-Based OTP Algorithm (RFC 4226)  TOTP - Time-based One-time Password Algorithm (RFC 6238)  OCRA - OATH Challenge/Response Algorithms Specification (RFC 6287) INA Volume 1 – Version 1.0 / @smaret 2013
HOTP: An HMAC-Based One-Time Password Algorithm  RFC 4226  http://www.ietf.org/rfc/rfc4226.txt  Event Based OTP  Use HMAC: Keyed-Hashing for Message Authentication (RFC 2104) INA Volume 1 – Version 1.0 / @smaret 2013
HOTP – Crypto 101 INA Volume 1 – Version 1.0 / @smaret 2013
HOTP – Crypto 101 INA Volume 1 – Version 1.0 / @smaret 2013
TOTP - Time-based One-time Password Algorithm  RFC 6238  http://www.ietf.org/rfc/rfc6238.txt  Time Based OTP  Use HMAC: Keyed-Hashing for Message Authentication (RFC 2104) INA Volume 1 – Version 1.0 / @smaret 2013
TOTP – Crypto 101 INA Volume 1 – Version 1.0 / @smaret 2013
Challenge Response OTP  RFC 6287  http://www.ietf.org/rfc/rfc6287.txt  OCRA  OATH Challenge-Response Algorithm INA Volume 1 – Version 1.0 / @smaret 2013
OCRA – Crypto 101 INA Volume 1 – Version 1.0 / @smaret 2013
OTP solution OTP AuthN INA Volume 1 – Version 1.0 / @smaret 2013
Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960 INA Volume 1 – Version 1.0 / @smaret 2013
OCRA on a mobile INA Volume 1 – Version 1.0 / @smaret 2013
google-authenticator  These implementations support – HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 – Time-based One-time Password (TOTP) algorithm specified in RFC 6238 – Google Authenticator • Android, IOS and Blackberry http://code.google.com/p/google-authenticator/ INA Volume 1 – Version 1.0 / @smaret 2013
google-authenticator INA Volume 1 – Version 1.0 / @smaret 2013
OCRA on Mobile INA Volume 1 – Version 1.0 / @smaret 2013
OTP without PIN INA Volume 1 – Version 1.0 / @smaret 2013
OTP Pin Protected INA Volume 1 – Version 1.0 / @smaret 2013
OTP on Smartcard INA Volume 1 – Version 1.0 / @smaret 2013
OTP with Smartcard INA Volume 1 – Version 1.0 / @smaret 2013
OTP hybrid (OTP & PKI) INA Volume 1 – Version 1.0 / @smaret 2013
YubiKey INA Volume 1 – Version 1.0 / @smaret 2013
YubiKey INA Volume 1 – Version 1.0 / @smaret 2013
Yubikey  http://www.yubico.com/support/documentation/  http://forum.yubico.com/  http://code.google.com/p/yubico-pam/ INA Volume 1 – Version 1.0 / @smaret 2013
PKI PKI AuthN INA Volume 1 – Version 1.0 / @smaret 2013
PKI AuthN  Based on asymmetric encryption INA Volume 1 – Version 1.0 / @smaret 2013
PKI Tokens Storage INA Volume 1 – Version 1.0 / @smaret 2013
Public Key Cryptography 101 INA Volume 1 – Version 1.0 / @smaret 2013
Signature 101 INA Volume 1 – Version 1.0 / @smaret 2013
Signature – Verification 101 INA Volume 1 – Version 1.0 / @smaret 2013
Mutual AuthN SSL INA Volume 1 – Version 1.0 / @smaret 2013
PKI Certificate Validation  CRL  Delta CRL  OCSP INA Volume 1 – Version 1.0 / @smaret 2013
OSCP Validation INA Volume 1 – Version 1.0 / @smaret 2013
Crypto Processor Source: Richard E. Smith / Authentication INA Volume 1 – Version 1.0 / @smaret 2013
Smart Card INA Volume 1 – Version 1.0 / @smaret 2013
Smart Card INA Volume 1 – Version 1.0 / @smaret 2013
Smart Card - Crypto INA Volume 1 – Version 1.0 / @smaret 2013
Biometrics BIO AuthN INA Volume 1 – Version 1.0 / @smaret 2013
Biometrics Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Biometric Terms Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Enrollment Process Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Components Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
FRR / FAR Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
TAR Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
FAR Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Accept Rate Threshold Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Identification Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Identification Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Failure to Acquire Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Biometric Modalities Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Dynamic Signature Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Dynamic Signature History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Dynamic Signature Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Face Recognition Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Face Recognition History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Face Recognition Technologies Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Principal Components Analysis (PCA) Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Linear Discriminant Analysis Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Elastic Bunch Graph Matching Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Fingerprinting Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Fingerprinting History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Fingerprinting Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Fingerprint Sensor Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Sensors USB INA Volume 1 – Version 1.0 / @smaret 2013
Chipset INA Volume 1 – Version 1.0 / @smaret 2013
PIV-FIPS 201 Sensors INA Volume 1 – Version 1.0 / @smaret 2013
Tablet approach INA Volume 1 – Version 1.0 / @smaret 2013
Fingerprint Software Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Hand Geometry Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Hand Geometry History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Hand Geometry History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Hand Geometry Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Iris Recognition Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Iris Recognition History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Iris Recognition Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Iris Recognition Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Palm Print Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Palm Print History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Palm Print Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Palm Print Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Speaker Verification INA Volume 1 – Version 1.0 / @smaret 2013
Speaker Verification History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Speaker Verification Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Vascular Pattern INA Volume 1 – Version 1.0 / @smaret 2013
Vascular Pattern History Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Vascular Pattern Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Vascular Pattern Technology Source: http://www.biometrics.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
Vascular Pattern Technology INA Volume 1 – Version 1.0 / @smaret 2013
Device fingerprint  A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification INA Volume 1 – Version 1.0 / @smaret 2013
Biometrics Technology INA Volume 1 – Version 1.0 / @smaret 2013
Biometrics Technology INA Volume 1 – Version 1.0 / @smaret 2013
Match-on-Card INA Volume 1 – Version 1.0 / @smaret 2013
MOC INA Volume 1 – Version 1.0 / @smaret 2013
MOC – Athena & Precise Biometrics INA Volume 1 – Version 1.0 / @smaret 2013
OATH approach Open Authentication INA Volume 1 – Version 1.0 / @smaret 2013
OATH Approach INA Volume 1 – Version 1.0 / @smaret 2013
OATH Logical view INA Volume 1 – Version 1.0 / @smaret 2013
OATH Physical view INA Volume 1 – Version 1.0 / @smaret 2013
OATH Authentication Framework INA Volume 1 – Version 1.0 / @smaret 2013
OATH Client framework INA Volume 1 – Version 1.0 / @smaret 2013
OATH AuthN methods 1/2 INA Volume 1 – Version 1.0 / @smaret 2013
OATH AuthN methods 2/2 INA Volume 1 – Version 1.0 / @smaret 2013
OATH AuthN protocols 1/3 INA Volume 1 – Version 1.0 / @smaret 2013
OATH AuthN validation framework INA Volume 1 – Version 1.0 / @smaret 2013
OATH validation protocols INA Volume 1 – Version 1.0 / @smaret 2013
OATH provisioning INA Volume 1 – Version 1.0 / @smaret 2013
Existing Credential Provisioning Protocols 1/2 INA Volume 1 – Version 1.0 / @smaret 2013
Existing Credential Provisioning Protocols 2/2 INA Volume 1 – Version 1.0 / @smaret 2013
Software Provisioning Protocols INA Volume 1 – Version 1.0 / @smaret 2013
End Volume 1 Sylvain MARET / @smaret sylvain.maret@openid.ch http://www.slideshare.net/smaret http://www.linkedin.com/in/smaret INA Volume 1 – Version 1.0 / @smaret 2013
Appendices INA Volume 1 – Version 1.0 / @smaret 2013
Threat Modeling DFD STRIDE INA Volume 1 – Version 1.0 / @smaret 2013
Threat Modeling Process Vision Diagram Identify Validate Threats Mitigate INA Volume 1 – Version 1.0 / @smaret 2013
DFD symbols INA Volume 1 – Version 1.0 / @smaret 2013
DFD Symbols INA Volume 1 – Version 1.0 / @smaret 2013
DFD Symbols INA Volume 1 – Version 1.0 / @smaret 2013
Trust boundaries that intersect data flows  Points/surfaces where an attacker can interject – Machine boundaries, privilege boundaries, integrity boundaries are examples of trust boundaries – Threads in a native process are often inside a trust boundary, because they share the same privs, rights, identifiers and access  Processes talking across a network always have a trust boundary INA Volume 1 – Version 1.0 / @smaret 2013
DFD Level  Level 0 - Context Diagram – Very high-level; entire component / product / system  Level 1 Diagram – High level; single feature / scenario  Level 2 Diagram – Low level; detailed sub-components of features  Level 3 Diagram – More detailed – Rare to need more layers, except in huge projects or when you’re drawing more trust boundaries INA Volume 1 – Version 1.0 / @smaret 2013
STRIDE - Tool Threat Property Definition Example Spoofing Authentication Impersonating Pretending to be any of billg, xbox.com or a something or system update someone else. Tampering Integrity Modifying data or Modifying a game config file on disk, or a code packet as it traverses the network Repudiation Non-repudiation Claiming to have not “I didn’t cheat!” performed an action Information Confidentiality Exposing information Reading key material from an app Disclosure to someone not authorized to see it Denial of Service Availability Deny or degrade Crashing the web site, sending a packet and service to users absorbing seconds of CPU time, or routing packets into a black hole Elevation of Privilege Authorization Gain capabilities Allowing a remote internet user to run without proper commands is the classic example, but running authorization kernel codeINA Volume 1 – Version 1.0 / @smaret 2013 from lower trust levels is also EoP
STRIDE – Security Controls STRIDE Threat List Security Type Examples Control Threat action aimed to illegally access and use another Spoofing Authentication user's credentials, such as username and password. Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and Tampering Integrity the alteration of data in transit between two computers over an open network, such as the Internet. Threat action aimed to perform illegal operations in a Non- Repudiation system that lacks the ability to trace the prohibited Repudiation operations. Information Threat action to read a file that one was not granted Confidentiality disclosure access to, or to read data in transit. Denial of Threat aimed to deny access to valid users, such as by Availability service making a web server temporarily unavailable or unusable. Threat aimed to gain privileged access to resources for Elevation of gaining unauthorized access to information or to Authorization privilege compromise a system. INA Volume 1 – Version 1.0 / @smaret 2013
SRIDE INA Volume 1 – Version 1.0 / @smaret 2013
SRIDE INA Volume 1 – Version 1.0 / @smaret 2013
DFD & STRIDE INA Volume 1 – Version 1.0 / @smaret 2013
DFD AuthN 1FA INA Volume 1 – Version 1.0 / @smaret 2013
DFD – AuthN 1FA / STRIDE INA Volume 1 – Version 1.0 / @smaret 2013
HSPD-12 PIV AuthN INA Volume 1 – Version 1.0 / @smaret 2013
Homeland Security Presidential Directive/Hspd-12 http://www.dhs.gov/homeland-security-presidential-directive-12 INA Volume 1 – Version 1.0 / @smaret 2013
FIPS 201 / PIV  Federal Information Processing Standard 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006. – (See http://csrc.nist.gov)  FIPS 201 (Federal Information Processing Standard Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.  http://www.idmanagement.gov/ INA Volume 1 – Version 1.0 / @smaret 2013
FICAM Roadmap INA Volume 1 – Version 1.0 / @smaret 2013

INA Volume 1/3 Version 1.0 Released / Digital Identity and Authentication

Check these out next

INA Volume 1/3 Version 1.0 Released / Digital Identity and Authentication

Recomendados

Mais conteúdo relacionado

Apresentações para você(9)

Similar a INA Volume 1/3 Version 1.0 Released / Digital Identity and Authentication(20)

Mais de Sylvain Maret(20)

Último(20)

INA Volume 1/3 Version 1.0 Released / Digital Identity and Authentication