one, two step

Transcript

1. one, two step. Henri Watson

2. $ whoami • Second year student at Abertay
 (HackSoc Secretary

   + Securi-Tay 2017 Organiser) • Intern at SkyScanner (Summer 2017) • I dig • Security UX • Embedded devices • Payments technologies • Public transportation

3. Most web apps implement some form of authentication system

4. Login forms come in all sorts of shapes and sizes

5. None
6. None
7. None

8. Not all login forms are equally secure

9. None
10. None
11. None
12. None

13. HTTPS only secures the transport layer

14. HTTPS does not protect data at rest

15. https://haveibeenpwned.com/

16. http://www.wired.co.uk/article/mark-zuckerberg-hacked-password-released

17. Static information can be stolen and reused

18. Static information is terrible for authentication

19. Two-Factor Authentication attempts to solve this problem

20. Something you know + Something you have

21. Keep the password, but add a physical layer

22. some people missed that “static information” slide

23. None
24. None

25. A different code is requested each time, so replay attacks

    don’t work

26. A different code is requested each time, so replay attacks

    don’t work (unless we can capture 20~30 login attempts)

27. One code does not reveal the remaining codes on the

    card

28. MITM is hard, phishing is so much easier

29. “We need to reactivate your card!”

30. None

31. Static data in a physical format is still static data

32. How can we quickly provide a user with a one

    time use code?

33. Users have phones, text them one-time use codes!

34. None

35. https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

36. SS7 attacks also allow your phone number to be hijacked

    without your carrier’s cooperation

37. SMS verification also causes problems when roaming/outwith service areas

38. Could we provide an initialisation vector at sign up?

39. Give the user a code generator!

40. http://www.tokenguard.com/images/tokens/SID700.gif http://www.intech.ro/site/images/otptoken/otp-token-c100.jpg

41. Both the website and the device have a shared secret

    key

42. The code is calculated by computing the HMAC of the

    current time using the shared secret key

43. As long as the key is not intercepted during the

    initial setup, the key can’t be externally determined

44. Fobs can be expensive and inconvenient

45. None
46. None

47. Many of these are based on the Time-based One-Time Password

    algorithm

48. Agree on five parameters: a secret key the current time

    an interval a hash function a token length

49. Our key is 012345ABCDEF, it is 04/06/2017 @ 11:39:58am (UTC),

    we’ll use a 30sec interval, sha1, and 6 digit tokens

50. 04/06/2017 @ 11:39:58am (UTC) is 1491478798 seconds since the UNIX

    epoch

51. 1,491,478,798 divided by our interval (30) results in 49,715,959

52. Compute HMAC-SHA1 (49715959, 012345ABCDEF) = e91433413775c646b2255cfa8bde51247796973e

53. Take the four least significant bits and use this as

    an offset in the original hash (e -> 1110 -> 14) (e91433413775c646b2255cfa8bde51247796973e)

54. Take four bytes starting from the offset and discard the

    most significant bit. (11000110 01000110 10110010 00100101)

55. The token is then the lowest 6 digits (pad from

    the left if needed) (2358076490)

56. If the code generated on both sides matches, all is

    good!

57. but what if the code generator is visible?

58. http://thedailywtf.com/images/remy/robotguys.png

59. This can be avoided by requiring user interaction.

60. HOTP uses a counter instead of a timestamp but can

    have sync issues

61. Some apps ask the user to approve logins on their

    phone.

62. https://9to5google.files.wordpress.com/2016/06/google-prompt-two-factor.png?w=1024&h=0

63. Early Yubikeys used an internal counter to generate codes in

    a similar fashion. https://static1.squarespace.com/static/54764dcde4b0ad59b84ad859/t/ 54eccc9ce4b0328389b9b398/1424805028325/YubiKey-Standard-1030x687.png? format=1500w

64. These are all still vulnerable to phishing

65. As the code generator works independently, it cannot verify the

    website’s identity

66. Challenge-Response protocols fix this issue

67. The Chip Authentication Program is used by several UK banks

    to verify transfers to new recipients https://www.barclays.co.uk/cs/Satellite? blobcol=urldata&blobkey=id&blobtable=MungoBlobs&blobwhere=1367516798251&ssbin ary=true
68. None

69. The Chip Authentication Program piggybacks the Chip and PIN process

    to generate an eight digit code

70. (Barclays UK Debit Card issued in 2015. Inspected using Cardpeek.)

    EMV-wide payment card application selector Visa Debit application, used for most transactions. Link application, used by UK-only ATMs. CAP application, used by online banking login.

71. After verifying the user’s PIN, the authenticator asks the card

    to sign a fake purchase

72. The cryptogram from this fake transaction is encoded as a

    token which can be verified by your bank

73. Phishing attacks are useless as the user has to independently

    confirm the amount and account number

74. What if we’d like to verify the domain name?

75. Some organisations (notably US DoD) have deployed PKCS#11 smartcards https://images-na.ssl-images-amazon.com/images/I/61rdJCNG5nL._SX355_.jpg

76. PKCS#11 smartcards have a limited number of identities and are

    generally unsuitable for use outwith their issuing organisation

77. U2F tries to be a modern version of PKCS#11 client

    authentication certificates
78. None

79. https://twitter.com/meixger/status/654587740365955072

80. None

81. The web browser acts as as middleman between the token

    and the web service

82. A unique private key is generated on the device for

    each account on each web service

83. As this key is based on the domain name, phishing

    attacks are impossible

84. https://developers.yubico.com/U2F/Protocol_details/Overview.html

85. The key generation process is fully handled by the token

    in hardware and can’t be extracted

86. First the user registers their key with a service

87. U2F Token Browser Server u2f.register(); Generate challenge Wait for press

    Generate reply Store token identity Validate challenge AJAX/form submit

88. The service now has a public key specific to this

    user on this service

89. When authenticating the user, we ask for another signature but

    pass the stored identity

90. U2F Token Browser Server u2f.sign(); Generate challenge Wait for press

    Generate reply Look up token identity Validate challenge AJAX/form submit

91. If an adversary is able to present a valid certificate

    for a domain, they could proxy your U2F signature

92. Browser MITM Server u2f.sign(); Generate challenge Look up token identity

    Validate challenge AJAX/form submit Proxy

93. TLS channel ID is a proposed spec to add self-signed

    client certs to the TLS handshake

94. U2F identities can additionally be pinned to a TLS channel

    ID

95. Browser MITM Server u2f.sign(); Generate challenge Look up token identity

    Validate challenge AJAX/form submit Proxy Create keypair Create keypair X keypair public key

96. Although hardware U2F tokens are difficult to use on smartphones,

    software tokens could be used

97. U2F has little support outside of Google Chrome (Firefox bug

    #1065729)

98. Thanks! @henriwatson
 [email protected] https://lobi.to/talks/twostep