authentication and identity systems
play

Authentication and Identity Systems Brad Hill Me iSEC Partners: - PowerPoint PPT Presentation

Nov 15, 2023 •226 likes •343 views

Common Flaws of Distributed Authentication and Identity Systems Brad Hill Me iSEC Partners: 2005 Mid-April 2011 PayPal ISG: Mid-May 2011 - ??? Reminder: This workshops RFP close: Early April 2011 My position paper does not

  1. Common Flaws of Distributed Authentication and Identity Systems Brad Hill

  2. Me • iSEC Partners: 2005 – Mid-April 2011 • PayPal ISG: Mid-May 2011 - ??? • Reminder: This workshop’s RFP close: Early April 2011 My position paper does not necessarily reflect the views of my current or former employer.

  3. What I used to do: • Break things (application security consulting) • Looked at lots of authentication systems – For hire – For fun – As historical background to the above • Found lots of bugs and flaws – WS-*, Public Key Kerberos, many more under NDA

  4. Lots of the same flaws • Or flaws that rhyme • Pentesters develop an intuition about such things • A bit different than an academic researcher might

  5. My project: Make that intuition useful to others • Train other security testers • Educate developers and designers to reduce avoidable mistakes • Risk management targets for ecosystem participants

  6. “Common Flaws and Failures of Distributed Authentication and Identity Systems” • An “OWASP Top 10” for enterprise and federated authN systems • Presented at RSA 2011 • Whitepaper at: https://www.isecpartners.com/ Research -> White Papers

  7. The Top Flaws and Attacks 1. Unconstrained Delegation 2. Unbound Composition of Transport and Message Security 3. Un-Scoped or Over-Scoped Authority 4. PKI, PKIX and SSL/TLS Dependencies 5. Impedance Mismatch in Identity Contexts 6. False Dilemmas in Adoption vs. Assurance 7. Confused Deputy and DoS Attacks against Key Discovery and Revocation Checking 8. Crypto Implementation Foibles

  8. ID in the Browser context: 1. Unconstrained Delegation = OAuth 2 token leaks 2. Unbound Composition of Transport and Message Security = TLS Renego, WWW-Auth forwarding attacks 3. Un-Scoped or Over-Scoped Authority = Compromised and/or incompetent CAs 4. PKI, PKIX and SSL/TLS Dependencies = All of the above 5. Impedance Mismatch in Identity Contexts = ID in the Browser is inherently cross-contextal 6. False Dilemmas in Adoption vs. Assurance = No signatures in OAuth2 7. Confused Deputy and DoS Attacks against Key Discovery and Revocation Checking = K.I.S.S. 8. Crypto Implementation Foibles = Not quite there yet today…

  9. What I will be doing: • Now at PayPal’s Internet Standards and Governance group (with Jeff Hodges, Andy Steingruebl, et al.) • Work in the context of W3C and other orgs to develop, improve and promote new and existing security standards for the web

  10. What I’m here to do: • Officially unaffliated • Here as an interested “expert” to help work towards the ambitions of my paper and contribute a perspective on WCPGW. (What Could Possibly Go Wrong?!?) • Unofficially acquire context and connections for my new role and goals

  11. Thanks! Brad Hill hillbrad@gmail.com bhill@paypal.com skype + twitter: hillbrad

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat 17 th November 2014 Basic Authentication The only authentication option in 1996 when

393 views • 21 slides
UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity System UCSBnetID authentication UCSB-wide student and employee info http://www.identity.ucsb.edu/ LDAP Overview Lightweight Directory Access Protocol

604 views • 24 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Distributed Systems Authentication Protocols Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Authentication Protocols Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Authentication Establish and verify identity allow access to resources Distributed Systems Authentication Protocols Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the

228 views • 10 slides
Mobile Provided Identity Authentication on the Web tle pt by Jonas Hgberg, Ericsson for W3C

Mobile Provided Identity Authentication on the Web tle pt by Jonas Hgberg, Ericsson for W3C

Mobile Provided Identity Authentication on the Web tle pt by Jonas Hgberg, Ericsson for W3C s WS on Identity in the Browser tle pt 24-5th May 11 Mountain View, CA, USA Mobile Provided Identity Authentication itle on the Web pt

298 views • 13 slides
Federated Identity, SSO and Multifactor Authentication June 23 rd , 2017 Computing Services and

Federated Identity, SSO and Multifactor Authentication June 23 rd , 2017 Computing Services and

Computing Services and Systems Development Federated Identity, SSO and Multifactor Authentication June 23 rd , 2017 Computing Services and Systems Development F EDERATED I DENTITY , SSO AND MFA @ THE U NIVERSITY OF P ITTSBURGH Tony Carra

542 views • 12 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
User Authentication for Emerging Interfaces Nasir Memon Tandon School of Engineering New York

User Authentication for Emerging Interfaces Nasir Memon Tandon School of Engineering New York

User Authentication for Emerging Interfaces Nasir Memon Tandon School of Engineering New York University Identity Identity and Authentication What is identity? A computers representation of an unique entity (principal). What is

675 views • 56 slides
Outline Authentication and Identity Management Authentication Computer Security: Security at

Outline Authentication and Identity Management Authentication Computer Security: Security at

Authentication and Identity Management Authentication and Identity Management Operating System and Network Security Operating System and Network Security Cyber war and terrorism Radboud University Nijmegen Cyber war and terrorism Radboud

590 views • 9 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
Recognize people by the way they type Typing Biometrics Authentication Cybercrime & identity

Recognize people by the way they type Typing Biometrics Authentication Cybercrime & identity

Typing Biometrics Authentication Recognize people by the way they type Typing Biometrics Authentication Cybercrime & identity theft 17 million victims $30 billion / year Typing Biometrics Authentication The way you type is unique Typing

143 views • 10 slides
Outline Computer Security: Security at Work Authentication and Identity Management Bart Jacobs

Outline Computer Security: Security at Work Authentication and Identity Management Bart Jacobs

Radboud University Nijmegen Radboud University Nijmegen Authentication and Identity Management Authentication and Identity Management Outline Computer Security: Security at Work Authentication and Identity Management Bart Jacobs

405 views • 5 slides
B Three Factors Jointed to secure the user and their transactions A C Renaissance Systems,

B Three Factors Jointed to secure the user and their transactions A C Renaissance Systems,

Renaissance Systems, Inc. Adopts and Promotes Teleworking three-factor authentication (3FA) 3FA As part of our identity management process services we see , the first steps of access control is the identify and authenticate the users.

434 views • 4 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY & NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
3-509

3-509

3-509 liuzhen@sjtu.edu.cn 1 Authentication and Key Exchange 2 Authentication Alice proves her identity to Bob Alice and Bob can be humans or

524 views • 23 slides
Put Identity at the Heart of Security Strong Authentication via Hitachi Biometric Technology

Put Identity at the Heart of Security Strong Authentication via Hitachi Biometric Technology

Put Identity at the Heart of Security Strong Authentication via Hitachi Biometric Technology Tadeusz Woszczyski Country Manager Poland, Hitachi Europe Ltd. 20 September 2017 Financial security in the old world The Perimeter Assets were

659 views • 31 slides
Collective Annotation: Applying Voting Theory to Computational Linguistics Ulle Endriss

Collective Annotation: Applying Voting Theory to Computational Linguistics Ulle Endriss

Collective Annotation FNWI Student Colloquium 2015 Collective Annotation: Applying Voting Theory to Computational Linguistics Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam joint work with Raquel

461 views • 7 slides
What is scale? @catswetel #qconlondon How a system How things responds change when its

What is scale? @catswetel #qconlondon How a system How things responds change when its

V A R i E t Y The Spice of Life and the Secret to Scale @catswetel #qconlondon What is scale? @catswetel #qconlondon How a system How things responds change when its size with size changes Santa Fe Institute How a

982 views • 64 slides
TDDD89 Introductions Workshop Pamela Vang Overview Structure Language Motivation Johan

TDDD89 Introductions Workshop Pamela Vang Overview Structure Language Motivation Johan

TDDD89 Introductions Workshop Pamela Vang Overview Structure Language Motivation Johan berg Not a heading Describe the problem and put it in a context that shows its importance. WHY should this be studied? This is the motivation for

416 views • 18 slides
Plan for Today (June Session One) Land Acknowledgment Zoom Breakout Option The

Plan for Today (June Session One) Land Acknowledgment Zoom Breakout Option The

Plan for Today (June Session One) Land Acknowledgment Zoom Breakout Option The Stockbridge Indians 5-minute break at halftime Lewis Henry Morgan Answers to Questions from Chat messages 1 Part 2 Fridays in June

463 views • 25 slides
7-Speech Quality Assessment Quality Levels Subjective Tests Objective Tests Intelligibility

7-Speech Quality Assessment Quality Levels Subjective Tests Objective Tests Intelligibility

7-Speech Quality Assessment Quality Levels Subjective Tests Objective Tests Intelligibility Naturalness Quality Levels Synthetic Quality (Under 4.8 kbps) Communication Quality (4.8 to 13 kbps) Toll Quality (13 to 64 kbps) Broadcast Quality

548 views • 27 slides
LIT ITERARY DEVICES COPY THIS! DEFINITIONS TERMINOLOGY 1) An object or word is used to

LIT ITERARY DEVICES COPY THIS! DEFINITIONS TERMINOLOGY 1) An object or word is used to

LIT ITERARY DEVICES COPY THIS! DEFINITIONS TERMINOLOGY 1) An object or word is used to represent an abstract idea. 1) Symbolism 2) Main idea or underlying meaning. 2) Theme 3) Image evoking words that spark the senses. 3) Imagery 4)

376 views • 8 slides
5. Applications of Rational and Meromorphic Asymptotics http://ac.cs.princeton.edu

5. Applications of Rational and Meromorphic Asymptotics http://ac.cs.princeton.edu

A N A L Y T I C C O M B I N A T O R I C S P A R T T W O 5. Applications of Rational and Meromorphic Asymptotics http://ac.cs.princeton.edu Analytic combinatorics overview specification A. SYMBOLIC METHOD 1. OGFs 2. EGFs GF

1.14k views • 69 slides
Domain Adaptation in Statistical Machine Translation Logic, Language and Computation Bart

Domain Adaptation in Statistical Machine Translation Logic, Language and Computation Bart

Domain Adaptation in Statistical Machine Translation Logic, Language and Computation Bart Mellebeek October 28, 2013 Bart Mellebeek Domain Adaptation in Statistical Machine Translation Outline Machine Translation and AI Statistical Machine

889 views • 54 slides

More recommend