
Auth*: Dispelling the Myths

There are a lot of bad practices and myths floating around about authentication and authorization these days. Using passwords just isn't good enough anymore. Come with me as I explore and dispel some of these common misconceptions and myths about these two important and often misunderstood topics. I'll talk about some of the most common techniques and look ahead to tools and options that can help make your applications even more secure.

@ True North PHP 2013

Chris Cornutt

November 09, 2013


Transcript

  1. AUTH*
    DISPELLING THE MYTHS
    @enygma - True North PHP 2013
    Saturday, November 9, 2013


  3. AUTHENTICATION

  4. AUTHENTICATION
    “...the act of confirming the truth of an attribute of a datum or entity [and] often involves verifying the validity of at least one form of identification.”
    source: wikipedia

  5. Confirming identity
    A satisfactory “yes” or “no”
    Impossible...in theory
    What about anonymous?
    no, not *that* Anonymous...
    AND...

  6. TYPES
    Username/password
    Two-factor
    OpenID Connect
    Biometrics
    Security Question

  7. AUTHORIZATION

  8. AUTHORIZATION
    “...is the function of specifying access rights to resources, which is related to information security and computer security in general and access control in particular.”
    source: wikipedia

  9. Principle of Least Privilege
    Coarse vs fine-grained
    Think “rule” not “role”
    AND...

  10. TYPES
    Access control lists (ACL)
    Role-based access control (RBAC)
    Attribute-based control
    Policy enforcement
    Discretionary controls
    Mandatory controls

  11. MYTH #1
    Multi-factor will keep us safe

  12. SILVER BULLETS
    Not a “cure all”
    Yet another hoop
    Different implementations
    Hardware versus Software

  13. IT’S GOOD AT...
    Being a backup method, not a replacement
    Increasing confidence in users
    Helps with compliance

  14. IT’S NOT GOOD AT...
    Being the only method
    Preventing out-of-band attacks
    Stopping other attacks (ex. SQLi on login)
    Preventing provider (IdP) issues

  15. MYTH #2
    It’s just a password, right?

  16. PASSWORD BALL & CHAIN
    Ancient origins
    Just feels ancient today
    New app? Use a password!
    Password policies

  17. WHY PASSWORDS SUCK
    Shared across services
    Restrictive policies
    Too much work on “getting it right”
    Users are no good at them
    Cracking hardware is cheap


  19. PASSWORD CRACKING
    Offline attack
    Dictionary/guessing
    Brute force
    Key casting
    Cloud services
    ....and password policies


  22. PASSWORD POLICIES
    Number/Lower/Upper/Special
    Reduce repeated characters
    Length > Complexity
    Use slow algorithm
    Salt and hash (at the least)
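The policy slide above lists what a password check and a password store should do; the following is an added example, written for this transcript rather than taken from the talk or the speaker, showing those points in PHP using the built-in `password_hash()` / `password_verify()` / `password_needs_rehash()` functions (PHP 5.5 and later). The length threshold, the repeat-run limit, the bcrypt cost and the sample passwords are assumptions chosen for the demonstration.

```php
<?php
// Added example (not code from the talk): a length-first password policy and
// salted, slow hashing with PHP's built-in password_* API (PHP >= 5.5).
// The thresholds and cost value below are assumptions, not the speaker's.

const MIN_PASSWORD_LENGTH = 12;   // "Length > Complexity": a long passphrase beats symbol rules
const MAX_REPEAT_RUN      = 3;    // "Reduce repeated characters": reject 4+ of the same in a row
const BCRYPT_COST         = 12;   // "Use slow algorithm": raise it as cracking hardware gets cheaper

/**
 * Return a list of policy violations; an empty array means the password is acceptable.
 */
function checkPasswordPolicy($password)
{
    $problems = array();

    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        $problems[] = 'shorter than ' . MIN_PASSWORD_LENGTH . ' characters';
    }

    // (.)\1{3,} matches any character followed by 3 or more copies of itself.
    if (preg_match('/(.)\1{' . MAX_REPEAT_RUN . ',}/', $password)) {
        $problems[] = 'contains more than ' . MAX_REPEAT_RUN . ' identical characters in a row';
    }

    return $problems;
}

/**
 * "Salt and hash (at the least)": PASSWORD_DEFAULT is bcrypt, and a random
 * salt is generated for you and embedded in the returned hash string.
 */
function hashPassword($password)
{
    return password_hash($password, PASSWORD_DEFAULT, array('cost' => BCRYPT_COST));
}

/**
 * Verify a login attempt against the stored hash. Returns false on mismatch,
 * otherwise the hash to keep: the old one, or a fresh one if the stored hash
 * was produced with an older algorithm or a lower cost than we want today.
 */
function verifyPassword($password, $storedHash)
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, array('cost' => BCRYPT_COST))) {
        return hashPassword($password);
    }
    return $storedHash;
}

// Constructed sample inputs.
$samples = array(
    'correct horse battery staple',   // long passphrase: passes
    'Tr0ub4dor&3',                    // "complex" but short: fails on length
    'aaaaaaaaaaaaaaaa',               // long enough, but one character repeated
);
foreach ($samples as $candidate) {
    $problems = checkPasswordPolicy($candidate);
    printf("%-30s %s\n", $candidate, $problems ? implode('; ', $problems) : 'ok');
}

// Store only the hash, never the password. The hash differs on every run
// because of the fresh salt, yet password_verify() still matches it.
$stored = hashPassword($samples[0]);
$result = verifyPassword($samples[0], $stored);
printf("correct password accepted: %s\n", $result !== false ? 'yes' : 'no');
printf("wrong password accepted:   %s\n", verifyPassword('wrong guess', $stored) !== false ? 'yes' : 'no');
```

When `verifyPassword()` returns a hash that differs from the one you passed in, write the new value back to the user record; that is how the stored cost keeps pace with "cracking hardware is cheap" without forcing a password change.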

  23. source: xkcd.com/936

  24. MYTH #3
    Internal vs Cloud - Epic Battle

  25. INTERNAL
    More control
    More traditional options
    Easier to customize
    Hardware costs/infrastructure
    Too many tools
    Less stringent on encryption

  26. EXTERNAL
    Standardized auth methods
    Agility & flexibility
    Cost savings
    High encryption/protection
    Less “control”
    Limited to provider options

  27. CONNECTING
    SAML (Markup)
    “Vaulted” POST request
    Multi-factor integration
    Federated identity
    Custom API

  28. CRITERIA
    Easy integration
    Scalability
    Provisioning integration
    User authentication methods
    Monitoring & management

  29. MYTH #4
    The Auth that Wasn’t

  30. OWASP Top 10
    A2: Broken Auth/Session Management
    A4: Insecure Object References
    A6: Sensitive Data Exposure

  31. Bad Practices
    Sending plain-text passwords
    Sensitive data in the URL
    Informative error messages
    No throttling on resets, registrations or password failures
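The "no throttling" item above is the one on this slide that maps directly onto code, so here is an added example of a sliding-window throttle for login failures and password-reset requests. It is not code from the talk or the speaker; the limits, key formats, account name, IP address and timestamps are all constructed for the demonstration, and the in-memory store stands in for the shared store (database, Redis) a multi-node deployment would need.

```php
<?php
// Added example (not code from the talk): a sliding-window throttle for
// login failures, password resets and registrations. The store is an
// in-memory array for the demo; a real deployment keeps the counts in a
// shared store so every web node sees the same numbers. Limits, key names
// and sample values are assumptions.

class AttemptThrottle
{
    private $maxAttempts;
    private $windowSeconds;
    private $store = array();   // key => list of attempt timestamps

    public function __construct($maxAttempts, $windowSeconds)
    {
        $this->maxAttempts   = $maxAttempts;
        $this->windowSeconds = $windowSeconds;
    }

    /** Drop timestamps that have fallen out of the window. */
    private function prune($key, $now)
    {
        if (!isset($this->store[$key])) {
            $this->store[$key] = array();
        }
        $cutoff = $now - $this->windowSeconds;
        $this->store[$key] = array_values(array_filter(
            $this->store[$key],
            function ($t) use ($cutoff) { return $t > $cutoff; }
        ));
    }

    /** True if the key may proceed, false if it is currently throttled. */
    public function allow($key, $now = null)
    {
        $now = ($now === null) ? time() : $now;
        $this->prune($key, $now);
        return count($this->store[$key]) < $this->maxAttempts;
    }

    /** Record one attempt: a failed login, or any reset/registration request. */
    public function record($key, $now = null)
    {
        $now = ($now === null) ? time() : $now;
        $this->prune($key, $now);
        $this->store[$key][] = $now;
    }
}

// Key failed logins by account *and* source address: per-account alone lets a
// stranger lock the real user out, per-IP alone ignores guessing spread over
// many addresses. Resets and registrations are keyed by address (and e-mail).
$logins = new AttemptThrottle(5, 900);    // assumed: 5 failures per 15 minutes
$resets = new AttemptThrottle(3, 3600);   // assumed: 3 reset mails per hour

$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$key  = 'login:alice:198.51.100.7';       // constructed account and documentation-range IP
$t0   = 1383955200;                       // constructed base timestamp

for ($i = 1; $i <= 7; $i++) {
    $now = $t0 + $i * 10;
    if (!$logins->allow($key, $now)) {
        // Tell the client the same thing as a plain failure (no "informative
        // error messages"); note the real reason only in the server-side log.
        error_log("throttle: $key blocked at $now");
        echo "attempt $i: Invalid username or password.\n";
        continue;
    }
    if (password_verify('wrong guess', $hash)) {
        echo "attempt $i: logged in\n";
    } else {
        $logins->record($key, $now);
        echo "attempt $i: Invalid username or password.\n";
    }
}

// Once the window has slid past the recorded failures, the account is reachable again.
echo 'after 20 minutes: ', $logins->allow($key, $t0 + 1200) ? "allowed\n" : "throttled\n";

// Reset requests count on every call, valid address or not, because the cost
// being limited is the e-mail sent (and the account-enumeration signal).
$resetKey = 'reset:198.51.100.7';
for ($i = 1; $i <= 4; $i++) {
    $ok = $resets->allow($resetKey, $t0 + $i);
    if ($ok) {
        $resets->record($resetKey, $t0 + $i);
    }
    echo "reset request $i: ", $ok ? "mail queued\n" : "throttled\n";
}
```

The throttled response is deliberately identical to an ordinary failed login; whether to answer with a generic message or an HTTP 429 is a product decision, but the reason should be written to the audit log rather than to the client.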

  32. DON’T...
    Obscurity !== Security
    Share logins
    Use default credentials
    Plain-text

  33. MYTH #5
    But we have...

  34. HARD & SOFTWARE
    Integrated systems
    Firewalls
    WAF
    Encryption

  35. HAVING and USING are not the same

  36. PRINCIPLES
    Defense in Depth
    Logging & auditing
    Fail securely
    Least privilege
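Slides 9 and 10 ask for "rule" rather than "role" thinking and least privilege, and the principles slide above adds "fail securely" and "logging & auditing". The following is an added example that puts those four ideas into one small authorization check; it is not code from the talk or the speaker, and the subjects, the article resource, the attribute names and the rule set are constructed for the demonstration.

```php
<?php
// Added example (not code from the talk): a small rule-based authorization
// check. It follows the deck's "think rule not role", "least privilege" and
// "fail securely": nothing is allowed unless a rule positively grants it, and
// every decision is logged. Subjects, resources, attributes and rule names are
// constructed for the example.

/** Read an attribute, returning null (never a notice) when it is missing. */
function attr(array $bag, $name)
{
    return isset($bag[$name]) ? $bag[$name] : null;
}

/** Append one line to the audit trail (stderr here; a log pipeline in practice). */
function audit($decision, $action, array $subject, array $resource, $why)
{
    error_log(sprintf('authz %-5s subject=%s action=%s resource=%s:%s (%s)',
        $decision, attr($subject, 'id'), $action,
        attr($resource, 'type'), attr($resource, 'id'), $why));
}

// Rules are closures keyed by action. Each returns true only when it grants
// access; anything it does not understand it leaves alone (returns false).
$rules = array(
    'edit' => array(
        // an editor may edit articles belonging to their own department
        function (array $s, array $r) {
            return attr($r, 'type') === 'article'
                && in_array('editor', (array) attr($s, 'roles'), true)
                && attr($s, 'department') !== null
                && attr($s, 'department') === attr($r, 'department');
        },
        // the author may edit their own article while it is still a draft
        function (array $s, array $r) {
            return attr($r, 'type') === 'article'
                && attr($r, 'owner') === attr($s, 'id')
                && attr($r, 'state') === 'draft';
        },
    ),
    'publish' => array(
        function (array $s, array $r) {
            return attr($r, 'type') === 'article'
                && in_array('publisher', (array) attr($s, 'roles'), true);
        },
    ),
);

/** Deny by default: unknown action, no matching rule, or a rule that throws. */
function isAllowed(array $rules, $action, array $subject, array $resource)
{
    if (!isset($rules[$action])) {
        audit('deny', $action, $subject, $resource, 'no rules for action');
        return false;
    }
    foreach ($rules[$action] as $i => $rule) {
        try {
            if ($rule($subject, $resource) === true) {
                audit('allow', $action, $subject, $resource, "rule #$i matched");
                return true;
            }
        } catch (Exception $e) {
            // A broken rule must never turn into an accidental "allow".
            audit('deny', $action, $subject, $resource, "rule #$i failed: " . $e->getMessage());
            return false;
        }
    }
    audit('deny', $action, $subject, $resource, 'no rule matched');
    return false;
}

// Constructed sample subjects and resource. "Subject" rather than "user": the
// same check serves a service account or an API key with no human behind it.
$alice   = array('id' => 42, 'roles' => array('editor'),    'department' => 'news');
$bob     = array('id' => 7,  'roles' => array('publisher'), 'department' => 'sports');
$service = array('id' => 'nightly-export', 'roles' => array());
$article = array('id' => 1001, 'type' => 'article', 'owner' => 7, 'department' => 'news', 'state' => 'draft');

$cases = array(
    array('alice edits',     'edit',    $alice,   $article),  // editor in the article's department
    array('bob edits',       'edit',    $bob,     $article),  // not an editor, but owner of a draft
    array('bob publishes',   'publish', $bob,     $article),  // has the publisher role
    array('alice publishes', 'publish', $alice,   $article),  // no publisher role
    array('service deletes', 'delete',  $service, $article),  // no rule exists for "delete"
);
foreach ($cases as $c) {
    list($label, $action, $subject, $resource) = $c;
    printf("%-16s -> %s\n", $label, isAllowed($rules, $action, $subject, $resource) ? 'allow' : 'deny');
}
```

Because a rule only ever adds permission, widening access means adding a rule that can be read and reviewed on its own, and an action nobody has written a rule for is denied without anyone having to remember to block it.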

  37. FIXING AUTH
    Planning for Security

  38. REALIGNMENT
    Audit of current components
    Gather usage data
    Plan, plan then plan some more
    Easier in hindsight

  39. LOOK AHEAD
    Think “Subject” not “User”
    Narrowing the options
    Pick the right fit, not the shiny one
    Plan for delegation

  40. IN DEPTH
    More than one level?
    What to protect?
    Is it the same everywhere?
    Policies/procedures
    Reduce the overhead

  41. IDENTITY IS HARD

  42. THANKS
    Questions or comments?
    @enygma
    http://websec.io
    https://joind.in/9986