
It Works Without Passwords, Too

Jochen Christ
September 07, 2018


Passwords are insecure and impractical for the user. Phishing and stolen password databases are ubiquitous. Passwords are also frequently forgotten, and entering strong passwords takes long and is error-prone. In e-commerce, registration is one of the biggest obstacles to the conversion rate.

It can be done better: passwordless authentication schemes do without assigning a password at all. They rely on one-time tokens, biometric characteristics, or possession of a particular device.

The talk describes, among other schemes, the magic e-mail link, social logins and WebAuthn: how they can be used in websites and mobile apps, and which challenges have to be solved along the way.


Transcript

  1. Jochen Christ: It works without passwords, too. Secure and simple user authentication without passwords.

  2. BED-CON / About me: Hi, my name is Jochen. Jochen Christ, Senior Consultant at INNOQ Deutschland GmbH. Jochen is a software engineer and has worked in IT consulting for 10 years. As a specialist for Java technologies, he develops elegant solutions with innovative concepts such as microservices, Docker, and cloud computing.

  3. All major websites use passwords: 10/10 of the top sites by Alexa page rank (as of August 1, 2017) and 10/10 of the most downloaded iOS apps in 2016 use password credentials or federated logins with password credentials.

  4. All of the previous sites reported major data breaches. Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  5. Major data breaches (visualization, 2018 edition): http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  6. Hash passwords! Hashed value = SHA256(PW):

     Username  Password     Hashed value (SHA-256)
     user1     password123  EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F
     user2     password123  EF92B778BAFE771E89245B89ECBC08A44A4E166C06659911881F383D4473E94F

     Both users chose the same password, and an unsalted hash makes that visible: the two digests are identical.

  7. Best practice: hash with salts (https://en.wikipedia.org/wiki/Salt_(cryptography)). Hashed value = SHA256(PW + salt value):

     Username  Salt value        String to be hashed           Hashed value (SHA-256)
     user1     E1F53135E559C253  password123+E1F53135E559C253  72AE25495A7981C40622D49F9A52E4F1565C90F048F59027BD9C8C8900D5C3D8
     user2     84B03D034B409D4E  password123+84B03D034B409D4E  B4B6603ABC670967E99C7E7F1389E40CD16E78AD38EB1468EC2AA1E62B8BED3A

  8. MD5 (Unix, Postgres, WordPress, …): time to brute-force all hashes on one AWS p3.16xlarge with hashcat 4 (source: https://hashcat.net/forum/thread-6972.html). Numbers in slides 8 to 10 use the German format: comma as decimal separator, point as thousands separator.

     PW length  Charset  Example               Days
     6          94       8(Ve>r                0
     8          62       4C4dkD5p              0
     8          94       F,nB4r=$              0,1
     10         94       X9Zq-Sz,zQ            1385
     20         62       5UiqgFLmlL8KlnTqm580  1E+19

  9. SHA512 (Ubuntu, Magento, …): time to brute-force all hashes on one AWS p3.16xlarge with hashcat 4 (source: https://hashcat.net/forum/thread-6972.html).

     PW length  Charset  Example               Days
     6          94       8(Ve>r                0
     8          62       4C4dkD5p              0,1
     8          94       F,nB4r=$              4
     10         94       X9Zq-Sz,zQ            36.076
     20         62       5UiqgFLmlL8KlnTqm580  4E+20

  10. BCrypt (OpenBSD, SuSE): time to brute-force all hashes on one AWS p3.16xlarge with hashcat 4 (source: https://hashcat.net/forum/thread-6972.html).

     PW length  Charset  Example               Days
     6          94       8(Ve>r                18
     8          62       4C4dkD5p              5822
     8          94       F,nB4r=$              162.562
     10         94       X9Zq-Sz,zQ            1E+09
     20         62       5UiqgFLmlL8KlnTqm580  1E+25
  11. Major data breaches (visualization, 2018 edition, shown again): http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  12. Crack Ubuntu password 101:

     $ adduser jochen
     $ tail /etc/shadow
     jochen:$6$BCdbmeYs$7nTt9u6RDDbaHF5r59AP9DpVmy33Vx7AUFGtL64fUUrFlR5haXPUBJK3RZ8/QM1sQn0ljTGzUHD.q22UYryID0:17499:0:99999:7:::
     $ apt-get install hashcat
     $ hashcat -m 1800 -a 3 '$6$BCdbmeYs$7nTt9u6RDDbaHF5r59AP9DpVmy33Vx7AUFGtL64fUUrFlR5haXPUBJK3RZ8/QM1sQn0ljTGzUHD.q22UYryID0' ?l?l?l?l?l?l

  13. 87% reuse passwords on multiple sites. Source: https://keepersecurity.com/assets/pdf/Keeper-Mobile-Survey-Infographic.pdf

  14. Typical password policy:
     • Min 8 characters
     • Uppercase
     • Lowercase
     • Digits
     • Special characters
     • No dictionary words

  15. 83% needed 4 attempts (avg) to produce a valid string. Study: https://www.nist.gov/publications/passwords-and-people-measuring-effect-password-composition-policies

  16. Authentication factors:
     Knowledge: • PINs • Passwords • Security questions • Gestures • Private URLs • Current account balance • Place of a hidden item
     Possession: • Smartcard • USB token • TAN list • Mobile phone • Key
     Inherence: • Fingerprint • Voice • Iris • Face • Skin color • Birthmark • Tattoo • Keystroke sequences

  17. Magic links:
     • Simple to use
     • No registration required (with e-mail as identifier)
     • Relies on mail system
     • Convenient for infrequent logins
     • Magic link in mail body
     • Mails are unencrypted :-/
     • -> However, same security as the password reset feature
  18. One-time code over SMS:
     • Simple to use
     • No registration required (phone number as identifier)
     • Relies on carrier
     • Convenient for infrequent logins
     • SMS not very secure...

  19. Google Hands-Free:
     • Based on possession, location, and inherence
     • PoS only
     • Great usability experience :-)
     • Service was shut down in 2017 :-/

  20. Private keys:
     • Asymmetric cryptography
     • Based on possession
     • Usually secured with a PIN or password :-/
     • Great for your business accounts!
     • Cumbersome for web
     • Very tedious for mobile apps
     • Costs for USB devices

  21. Authentication app:
     • Asymmetric cryptography
     • Requires smartphone with enabled Secure Element
     • Simple to use
     • Requires one-time password for registration

  22. Browser Web Authentication API (diagram): My JavaScript App -> Web Authentication JavaScript API -> device-local platform authenticator

  23. # Registration

     var publicKey = {
       challenge: new Uint8Array([21,31,105 /* 29 more random bytes generated by the server */]),
       rp: { name: "My App" },
       user: {
         id: Uint8Array.from(window.atob("MIIBkzCCATigAwIBAjCCAZMwggE4oAMCAQIwggGTMII="), c=>c.charCodeAt(0)),
         name: "[email protected]",
         displayName: "Jochen Christ"
       },
       pubKeyCredParams: [ /* supported algorithms ... */ ],
     };

     navigator.credentials.create({ publicKey })
       .then(function (newCredentialInfo) {
         // Send new credential info to server for verification and registration.
         // Save the Credential ID and the public key with the user ID on the server
       }).catch(function (err) {
         // No acceptable authenticator or user refused consent. Handle appropriately.
       });

  24. # Authentication

     if (!window.PublicKeyCredential) { /* Client not capable. Handle error. */ }

     // credentialId is generated by the authenticator and is an opaque random byte array
     var credentialId = new Uint8Array([183, 148, 245 /* more random bytes previously generated by the authenticator */]);

     var options = {
       // The challenge is produced by the server; see the Security Considerations
       challenge: new Uint8Array([4,101,15 /* 29 more random bytes generated by the server */]),
       timeout: 60000, // 1 minute
       allowCredentials: [{ type: "public-key", id: credentialId }]
     };

     navigator.credentials.get({ "publicKey": options })
       .then(function (assertion) {
         // Send assertion to server for verification
         // Extract the Credential ID and verify the assertion signature with the public key in database
       }).catch(function (err) {
         // No acceptable credential or user refused consent. Handle appropriately.
       });
  25. WebAuthn:
     • W3C Candidate Recommendation
     • Supported by all major desktop browsers
     • Support for FIDO2-compliant hardware tokens (YubiKey)
     • No Safari implementation yet
     • No mobile browser implementation yet
     • No TouchID integration yet
     • Initial registration flow?
     • New device registration flow?

  26. My expectations for 2019+: Magic links are great for low-frequency logins. WebAuthn will be the dominating password-free authentication scheme once implemented on iOS and Android. -> WebAuthn in combination with magic links for registration and new devices.

  27. Jochen Christ: It works without passwords, too. Secure and simple user authentication without passwords.