Stronger / Multi-factor Authentication for Enterprise Applications
(Identity Assurance using PKI, Smart cards and Biometrics)


    Sun Virtualization Solutions
Presented to OWASP Seminar, Hartford (Feb 10, 2009)




Ramesh Nagappan
Sun Microsystems, Burlington, MA
http://www.coresecuritypatterns.com/blogs
Agenda

 ●   The Identity Dilemma
 ●   Identity Assurance vs. Stronger Security
 ●   Multi-factor Authentication Strategies
      ➢   OTPs, Smartcards, PKI and Biometrics
      ➢   Choosing the credential: Pros and Cons
 ●   Understanding Real-world Implementation
      ➢   Tools of the Trade
      ➢   Role of JAAS
 ●   Role of Sun OpenSSO Enterprise
 ●   Architecture and Deployment
 ●   Demonstration
      ➢   Multi-factor SSO with PKI, Smart cards and
          Biometrics.
 ●   Q&A
Who am I ?
• A technical guy from Sun Microsystems, Burlington,
  MA.
   > Focused on Security and Identity Management
     technologies
• Co-Author of 5 technology books and numerous
  articles on Java EE, XML Web Services and
  Security.
• Holds CISSP and CISA.
• Contributes to Java, XML security, Biometrics,
  Smart cards standards and open-source initiatives.
• Contributes to Graduate curriculum of Information
  Security programs at multiple universities.
• Ph.D drop-out.
• Read my blogs at
  http://www.coresecuritypatterns.com/blogs
• Write to me at nramesh@post.harvard.edu
The Identity Dilemma : Who Are You ?
• The Internet is a faceless channel of interaction.
  > No mechanism to physically verify the person who is accessing your
    resources.
• Identifying the legitimate user has become crucial.
  > With higher strength of authentication and security.
  > Mandates mechanisms driven by human recognition characteristics.
  > Growing trends toward on-demand SaaS and Cloud computing infrastructures.
  > Everyone is concerned about their private information and privacy.
Cartoon by Peter Steiner. The New Yorker, July 5, 1993 issue (Vol. 69 (LXIX) no. 20) page 61
How do I know..it's you ?
• Identity theft and on-line fraud: the fastest growing crime in the world.
  > Someone wrongfully obtains or abuses another person's identity – for
    economic or personal gain.
  > Impersonation, counterfeits, stolen or forged credentials (PINs, passwords,
    ID cards) and phishing are becoming common.
  > Most fraud happens through trusted insiders.
  > Fake credentials are everywhere: few detected and many undetected!
• Identity theft results in huge losses to organizations.
  > Loss of consumer confidence, leading to heavy government penalties.
  > Growing need for stringent “Personal Identity Verification and Assurance”
    (e.g. HSPD-12, ICAO 9303).
  > Growing mandates for protecting identity information and compliance
    (e.g. Massachusetts 201 CMR 17.00).
Growing need for Identity Assurance
• A high degree of authentication and assurance is the most critical
  requirement for physical and logical access control.
• Acquire identity credentials that tightly bind an event to a person's
  proof of possession, physiological characteristics and behavioural traits.
  > Identification and authentication equivalent to face-to-face verification
    of a person.
  > Credentials must provide at least some long-term stability.
  > Credentials should be non-intrusive but still qualitatively and
    quantitatively measured.
  > Integrate and interoperate with physical and logical infrastructures for
    assured identity verification.
  > Support pervasive use (on-demand SaaS and Cloud-computing based
    application infrastructures) for authenticating a person with irrefutable proof.
  > Lesser impact on privacy and social values.
Human Factors of Identity Assurance
Human attributes as Identity Assurance Credentials

• Proof-of-Knowledge
  > Something I know?
  > Passwords, PIN, Mom's maiden name, phone number, etc.
• Proof-of-Possession
  > Something I have?
  > Smartcards, tokens, driver's license, PKI certificates
• Proof-of-Characteristics
  > Something I physiologically or behaviorally own?
  > Fingerprints, hand geometry, facial image, iris, retina, DNA, voice,
    signature patterns
  > Proof-of-Physical Presence
Security Levels vs. Identity Assurance
[Figure: Security Levels vs. Identity Assurance]
Courtesy: Randy Vanderhoof, Smartcard Alliance
Strong Authentication Strategies
 •   Authentication Questions
 •   HTTP/s Request/Response attributes
 •   Hardware/Software Token based One-time Passwords (OTP)
 •   Hardware/Software Token based Challenge/Response OTP
 •   Phone call based OTP
 •   SMS based OTP
 •   PKI Certificate
 •   USB Tokens/Smart cards (PIN and PKI Certificates)
 •   Biometrics (Fingerprints)
 •   USB Token/Smart cards (PKI and Match-on-card Biometrics).
One-Time Passwords
Hardware/Software Tokens
• Generate one-time passwords
  > Mathematical problem, crypto function or random number generation
  > Challenge/response dynamic password, asynchronous password
  > Time synchronization between client and server.
• Deliver passwords
  > Proprietary devices, USB, key fobs
  > SMS messages, email, phone
• Known issues
  > Vulnerable to MITM and phishing attacks where time synchronization
    is not effective.
  > DES key and lost token issues
• Standards: OATH (Open Authentication Initiative)

One-Time Passwords : Alternative to static passwords
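A worked illustration of the time-synchronised OTP scheme described above, added here as an example rather than taken from the presentation: HMAC-SHA1 over the 30-second time step, truncated to 6 digits as in RFC 4226/6238, with a server-side check that tolerates one step of clock drift and refuses reuse of a counter it has already accepted. The shared secret, the clock readings and the one-step window are constructed for the demonstration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Time-synchronised one-time password: HMAC-SHA1 over the current 30-second
 * time step, truncated to 6 digits (the construction of RFC 4226 / RFC 6238).
 * Added example; not code from the presentation.
 */
public final class TimeOtp {
    private static final int STEP_SECONDS = 30;

    private final byte[] secret;           // shared between token and server at enrollment
    private long lastAcceptedCounter = -1; // server-side replay guard

    public TimeOtp(byte[] secret) {
        this.secret = secret.clone();
    }

    /** Time step index for a clock reading; token and server must agree on this value. */
    public static long counterFor(long unixSeconds) {
        return unixSeconds / STEP_SECONDS;
    }

    /** Computes the OTP for one counter value (this is what the token displays). */
    public static String generate(byte[] secret, long counter) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] hash = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int offset = hash[hash.length - 1] & 0x0f;      // dynamic truncation (RFC 4226 section 5.3)
        int binary = ((hash[offset] & 0x7f) << 24)
                   | ((hash[offset + 1] & 0xff) << 16)
                   | ((hash[offset + 2] & 0xff) << 8)
                   | (hash[offset + 3] & 0xff);
        return String.format("%06d", binary % 1_000_000);
    }

    /**
     * Server-side check. Tolerates one step of clock drift in either direction and
     * refuses any counter at or below the last accepted one, so a code that has
     * already been used cannot be replayed inside its validity window.
     */
    public boolean verify(String submitted, long serverUnixSeconds) throws GeneralSecurityException {
        long now = counterFor(serverUnixSeconds);
        byte[] given = submitted.getBytes(StandardCharsets.US_ASCII);
        for (long c = now - 1; c <= now + 1; c++) {
            if (c <= lastAcceptedCounter) {
                continue;
            }
            byte[] expected = generate(secret, c).getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(expected, given)) {   // constant-time comparison
                lastAcceptedCounter = c;
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed demo secret; in practice it is generated randomly per token at enrollment.
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        long clientClock = 1_111_111_109L;     // constructed clock reading on the token
        long serverClock = clientClock + 20;   // server clock runs 20 s ahead of the token

        TimeOtp server = new TimeOtp(secret);
        String code = generate(secret, counterFor(clientClock));
        System.out.println("token shows        : " + code);
        System.out.println("first use accepted : " + server.verify(code, serverClock));
        System.out.println("replay accepted    : " + server.verify(code, serverClock));
    }
}
```

Running `main` prints the code the token would display, then `true` for its first use (the server's clock has moved into the next step, and the window absorbs that) and `false` for the replay. The replay guard only blocks reuse of a code the server has already accepted; a code phished and relayed within its window before the legitimate user submits it still verifies, which is the MITM/phishing weakness the slide lists: an OTP proves possession of the token, not the integrity of the channel it travelled over.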
Smart cards w. PKI
Smart cards
• A credit card sized computing device that acts as a cryptographic token.
  > Contact / Contactless cards
• Allows performing security functions
  > Key generation
  > Public/Private key operations
  > PIN/Biometric authentication
  > Challenge/response authentication
• Supports the use of Public-key infrastructure to verify the identity claim.
  > PKI credential issuance.
  > Credential validation/verification via OCSP, CRLs
• Defends against tampering and hacking.
  > PKI/Private key protection
• Issues: Lost cards; key compromise recovery is difficult.
Standards
• ISO-7816
• Java Card, Multos
• Global Platform
• PC/SC
• FIPS-201/PIV, CAC
• PKCS#11, PKCS#15
• GSM/PCS
• EMV (Europay/Mastercard/Visa)

Smart cards as a Cryptographic Token
Biometric Assurance
Biometric Identity
• Use of physiological or behavioral characteristics to identify a person.
  > High degree of assurance with proof of presence.
  > Fingerprints, facial image/geometry, iris, retina, voice, hand geometry,
    keystroke, signature
• Biometric templates can be stored on a smart card for personal identification.
  > Fingerprint template is ~200 bytes
  > Iris template is 500 bytes
• Biometric credentials must be exchanged over a secure network channel
  (trusted path).
• Issues:
  > Biometrics is not a secret
  > False Acceptance (FAR) & False Reject (FRR) rates
  > Vulnerable to message replay/MITM attacks if not exchanged over a
    secure channel.
Standards
• INCITS 378 / CBEFF (Fingerprints)
• INCITS 379 (Iris)
• OASIS BIAS
• BioAPI
• JavaCard BioAPI
• FIPS-201 / PIV

Biometric Assurance : Who I claim to be
Real-world Scenario : Authentication
[Diagram: Identity Assurance Credentials (user name/password, one-time
passwords, smart card PKI certificates, biometrics) are presented to the
Authentication Server / Directory, which validates them (good / bad) before
the user reaches the Enterprise Applications.]
Ideally, credentials are: something you know + something you have +
something you are
Real World Scenario : SSO / Federation
[Diagram: the user presents multi-factor identity credentials (e.g.
username/password, Smartcard PKI, Biometrics) to the IDP/SSO Server +
Directory (acquire credentials); the IDP issues an SSO token (SAML artifact,
proprietary token, Kerberos ticket, etc.) that Application A and Application B
accept. The original figure numbers the flow as steps 1 to 3.]
Tools of the Trade : What do you need ?
Multi-factor Authentication for Enterprise Applications

     • Web Authentication
        > JAAS Login Module
     • Desktop Authentication
        > PAM Module (Solaris, Linux)
        > GINA (Windows XP, 2003)
     • Identity Provider Infrastructure (IDP)
        > Single Sign-on (SSO)
        > Multi-factor authentication
     • Directory Server
        > Repository for user accounts
     • Your target applications
Tools of the Trade : From Authentication Providers
Multi-factor Authentication for Enterprise Applications

    • Browser Plugin
      > PKCS#11 Client for Smartcard
      > ActiveX/Java Plugin for USB Biometric Scanners
    • Enrollment Middleware
      > Biometric Enrollment, Smartcard/Token Credential
        Issuance/Management
      > One-time Password (Token) registration/issuance
    • Authentication Middleware
      > Biometric Authentication, One-time password authentication
      > PKI Credential validation via OCSP, CRL, Directory,
         Certificate Authority
Java Authentication and Authorization Service (JAAS)
• JAAS plays a vital role in delivering multi-factor authentication.
  > All Java EE compliant application servers provide support for JAAS.
• JAAS allows enabling multi-factor authentication in a Java EE enterprise
  environment.
  > Facilitates pluggable authentication providers as “Login Modules”.
  > Ensures Java EE remains independent of authentication providers.
• Implementing a login module is not cumbersome:
  > Callback handler – prompts the user to acquire credentials
  > login(), commit(), logout()
• Choose your own JAAS based Identity Provider infrastructure?
  > Get introduced to Sun OpenSSO
Sun OpenSSO Enterprise
• Identity services infrastructure that facilitates Single Sign-On (SSO) for
  Web applications residing within an enterprise or across networks.
• Based on Sun's open-source initiative.
• Open standards based framework supporting centralized authentication,
  authorization and auditing.
  > JAAS based authentication services
  > Agent-based and XACML based policy enforcement
  > Identity-enabled XML Web services for AuthN, AuthZ, Audit and Provisioning
  > Identity federation protocol support includes SAMLv2, ID-*, WS-Federation
    and WS-Policy
  > XML Web Services Security (WS-Security, WS-Trust, WS-I Basic Security Profile)
  > Multi-factor authentication via chaining
  > Centralized configuration, logging and auditing services
  > Supports multiple Java EE application servers and Web containers
  > Fedlets
• Deployed as a Web application (single WAR file)
Multi-factor Authentication and Session Upgrade
OpenSSO Authentication Chain and Session Upgrade through AuthN

• OpenSSO facilitates stronger/multi-factor authentication through an
  authentication chain that includes multiple authentication providers.
  > Enables an authentication process where a user must pass credentials to one or more
    authentication modules before session validation.
  > Session validation is determined by the JAAS control flag (Required, Requisite,
    Sufficient, Optional) configured on each authentication module instance in the chain.
  > The overall authentication success or failure is determined by the control flag
    assigned to each module in the authentication stack.
  > OpenSSO is tested and verified to provide a multi-factor authentication chain that
    includes BiObex Login, Smartcard/PKI and other OpenSSO supported authentication providers.
• Session Upgrade allows upgrading a valid session based on a successful
  “second-factor authentication” performed by the same user.
  > Allows a user to authenticate to access a second resource under the same or a
    different realm.
  > If authentication is successful, OpenSSO updates the session based on the
    second-level authentication. If authentication fails, the current session is maintained.
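To make the JAAS login-module lifecycle of the earlier slide (callback handler, login(), commit(), logout()) and the control-flag chaining described here concrete, the following is an added example, not OpenSSO's or the presentation's code: one LoginModule class configured twice, once as a password step and once as an OTP step, run as a chain by the standard javax.security.auth.login.LoginContext with a programmatic Configuration. The in-memory credential stores, the user alice with her password and OTP, and the entry name "mfa" are constructed for the demonstration.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;
import static java.nio.charset.StandardCharsets.UTF_8;

// Password + OTP chain run by the standard JAAS LoginContext. Added example, not OpenSSO code.
public class MfaChainDemo {

    // Principal recording which factor was verified for which user.
    public static final class FactorPrincipal implements Principal {
        private final String name;
        FactorPrincipal(String user, String factor) { name = user + "/" + factor; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    // One LoginModule class; the "factor" option makes an instance the password or the OTP step.
    public static class FactorLoginModule implements LoginModule {
        // Constructed credential stores standing in for the directory server and the OTP service.
        static final Map<String, String> PASSWORDS = Map.of("alice", "correct horse");
        static final Map<String, String> OTPS = Map.of("alice", "482913");
        private Subject subject;
        private CallbackHandler handler;
        private String factor, user;
        private boolean succeeded;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            subject = s; handler = h; factor = String.valueOf(options.get("factor"));
        }

        // Phase 1: prompt through the callback handler and check the credential.
        @Override public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("user: ");
            PasswordCallback secretCb = new PasswordCallback(factor + ": ", false);
            try { handler.handle(new Callback[] { nameCb, secretCb }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("cannot acquire " + factor); }
            char[] pw = secretCb.getPassword();
            String given = pw == null ? "" : new String(pw);
            secretCb.clearPassword();
            String expected = (factor.equals("otp") ? OTPS : PASSWORDS).get(nameCb.getName());
            succeeded = expected != null && MessageDigest.isEqual(expected.getBytes(UTF_8), given.getBytes(UTF_8));
            if (!succeeded) throw new FailedLoginException(factor + " check failed");
            user = nameCb.getName();
            return true;
        }

        // Phase 2: LoginContext calls commit() only after the whole chain has passed, abort() otherwise.
        @Override public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().add(new FactorPrincipal(user, factor));
            return true;
        }
        @Override public boolean abort() { succeeded = false; user = null; return true; }
        @Override public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof FactorPrincipal);
            return true;
        }
    }

    // Callback handler replaying values captured at the login form (constructed input).
    static CallbackHandler answers(String user, String password, String otp) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(
                        (((PasswordCallback) cb).getPrompt().startsWith("otp") ? otp : password).toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    // Programmatic equivalent of a JAAS config entry: the module stack and its control flags.
    static Configuration chain(LoginModuleControlFlag passwordFlag, LoginModuleControlFlag otpFlag) {
        String module = FactorLoginModule.class.getName();
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(module, passwordFlag, Map.of("factor", "password")),
                    new AppConfigurationEntry(module, otpFlag, Map.of("factor", "otp")) };
            }
        };
    }

    static boolean authenticate(Configuration cfg, String user, String password, String otp) {
        try {
            LoginContext lc = new LoginContext("mfa", new Subject(), answers(user, password, otp), cfg);
            lc.login();
            System.out.println("granted: " + lc.getSubject().getPrincipals());
            lc.logout();
            return true;
        } catch (LoginException e) { System.out.println("denied: " + e.getMessage()); return false; }
    }

    public static void main(String[] args) {
        Configuration mfa = chain(LoginModuleControlFlag.REQUIRED, LoginModuleControlFlag.REQUIRED);
        authenticate(mfa, "alice", "correct horse", "482913");   // correct password and OTP
        authenticate(mfa, "alice", "correct horse", "000000");   // correct password, wrong OTP
        // SUFFICIENT on the password step ends the chain before the OTP module ever runs.
        Configuration weak = chain(LoginModuleControlFlag.SUFFICIENT, LoginModuleControlFlag.REQUIRED);
        authenticate(weak, "alice", "correct horse", "000000");
    }
}
```

With both modules Required, the first call is granted and the subject carries alice/password and alice/otp; the second is denied because the OTP module throws FailedLoginException, even though the password step passed, and LoginContext calls abort() on both modules instead of commit(). The third call shows the flag misconfiguration to look for when reviewing a chain: marking the first factor Sufficient returns success as soon as it passes, so the OTP module is never invoked and the chain is single-factor in practice. Every factor that must be present belongs under Required or Requisite.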
OpenSSO Policy Agents
Authorization and Policy Enforcement

• Policies are managed by the Policy Configuration Service in OpenSSO.
  > The policy service authorizes a user based on the policies stored in OpenSSO.
  > A policy consists of Rules, Subjects, Conditions and Response providers.
• OpenSSO Policy Agents enforce policy and policy decisions on protected
  resources.
  > Intercept requests from user clients and applications and redirect them to
    the OpenSSO server for authentication – if no SSO token exists.
  > Once authenticated, the policy agent communicates with the OpenSSO Policy
    service to grant/deny access to the user based on policy evaluation.
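The agent behaviour described above reduced to its decision logic, as an added example that is not the OpenSSO agent code: a servlet filter that redirects to the SSO login page when the request carries no valid SSO token, and asks the policy service for an allow/deny decision when it does. The SsoServer interface, its in-memory implementation, the token and user values, and the login URL host are assumptions made for the demonstration; iPlanetDirectoryPro is OpenSSO's default session cookie name and goto its return-URL parameter, both adjustable to the deployment.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Policy-agent style enforcement in front of a protected web application. Added example,
// not OpenSSO's agent: the session/policy back end is an interface with an in-memory stand-in.
public class SsoEnforcementFilter implements Filter {

    public enum Decision { REDIRECT_TO_LOGIN, ALLOW, DENY }

    // What the agent asks the SSO server: is the token a live session, and does policy allow the action?
    public interface SsoServer {
        boolean isValidSession(String token);
        boolean isAllowed(String token, String resource, String action);
    }

    // Constructed stand-in: one live session and one policy rule (alice may GET /app/reports).
    public static final class InMemorySsoServer implements SsoServer {
        private final Map<String, String> sessions = Map.of("tok-alice-1", "alice");
        private final Map<String, Set<String>> policy = Map.of("alice", Set.of("GET /app/reports"));
        @Override public boolean isValidSession(String token) { return sessions.containsKey(token); }
        @Override public boolean isAllowed(String token, String resource, String action) {
            String user = sessions.get(token);
            return user != null && policy.getOrDefault(user, Set.of()).contains(action + " " + resource);
        }
    }

    static final String SSO_COOKIE = "iPlanetDirectoryPro"; // OpenSSO's default session cookie name
    private final SsoServer server;
    private final String loginUrl;

    public SsoEnforcementFilter(SsoServer server, String loginUrl) {
        this.server = server;
        this.loginUrl = loginUrl;
    }

    // Decision logic kept free of the servlet API so it can be exercised without a container.
    public Decision decide(String token, String resource, String action) {
        // A missing and an unknown token are treated alike: cookie presence alone proves nothing.
        if (token == null || !server.isValidSession(token)) return Decision.REDIRECT_TO_LOGIN;
        return server.isAllowed(token, resource, action) ? Decision.ALLOW : Decision.DENY;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String resource = request.getRequestURI();
        switch (decide(ssoToken(request), resource, request.getMethod())) {
            case ALLOW:
                chain.doFilter(req, res);
                break;
            case DENY:
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                break;
            default:
                // "goto" carries the original path so the user lands back here after authenticating;
                // only the server-derived request path is passed, never a caller-supplied URL.
                response.sendRedirect(loginUrl + "?goto=" + URLEncoder.encode(resource, StandardCharsets.UTF_8));
        }
    }

    private static String ssoToken(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (SSO_COOKIE.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    public static void main(String[] args) {
        SsoEnforcementFilter agent = new SsoEnforcementFilter(new InMemorySsoServer(),
                "https://sso.example.invalid/opensso/UI/Login");   // placeholder host
        System.out.println("no cookie       -> " + agent.decide(null, "/app/reports", "GET"));
        System.out.println("forged token    -> " + agent.decide("tok-forged", "/app/reports", "GET"));
        System.out.println("valid, allowed  -> " + agent.decide("tok-alice-1", "/app/reports", "GET"));
        System.out.println("valid, no rule  -> " + agent.decide("tok-alice-1", "/app/admin", "GET"));
    }
}
```

decide() is the part worth reviewing: a cookie that is present but unknown to the session service is handled exactly like a missing one, so a forged token never reaches the policy check, and the policy check is evaluated on every request rather than cached in the application. The four calls in main exercise those branches in order (redirect, redirect, allow, deny). Inside a container the filter would need a no-arg constructor and init-parameter wiring for the server endpoint and login URL; those are left out here to keep the logic visible.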
Multi-factor Authentication w. Biometrics
Multi-factor Authentication
Smartcard/PIN/PKI and Biometrics
Deployment Architecture
Participate in OpenSSO Community !
• Join 700 project members at opensso.org
  > Join: sign up at opensso.org
  > Download: OpenSSO Enterprise 8
  > Subscribe: OpenSSO mailing lists (dev, users, announce)
  > Chat: #opensso on freenode.net
Sun Confidential: Partners and Customers NDA/CDA only
Demonstration...

    Thank You



Ramesh Nagappan
Sun Microsystems, Burlington, MA
http://www.coresecuritypatterns.com/blogs

Wire-speed Cryptographic Acceleration for SOA and Java EE Security
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Recently uploaded (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Stronger/Multi-factor Authentication for Enterprise Applications

  • 1. Stronger / Multi-factor Authentication For Enterprise Applications
    (Identity Assurance using PKI, Smart cards and Biometrics)
    Sun Virtualization Solutions
    Presented to OWASP Seminar, Hartford (Feb 10, 2009)
    Ramesh Nagappan, Sun Microsystems, Burlington, MA
    http://www.coresecuritypatterns.com/blogs
  • 2. Agenda
    ● The Identity Dilemma
    ● Identity Assurance vs. Stronger Security
    ● Multi-factor Authentication Strategies
      ➢ OTPs, Smartcards, PKI and Biometrics
      ➢ Choosing the credential: Pros and Cons
    ● Understanding Real-world Implementation
      ➢ Tools of the Trade
      ➢ Role of JAAS
    ● Role of Sun OpenSSO Enterprise
    ● Architecture and Deployment
    ● Demonstration
      ➢ Multi-factor SSO with PKI, Smart cards and Biometrics.
    ● Q&A
  • 3. Who am I?
    • A technical guy from Sun Microsystems, Burlington, MA.
      > Focused on Security and Identity Management technologies
    • Co-author of 5 technology books and numerous articles on Java EE, XML Web Services and Security.
    • Holds CISSP and CISA.
    • Contributes to Java, XML security, Biometrics, Smart cards standards and open-source initiatives.
    • Contributes to graduate curriculum of Information Security programs at multiple universities.
    • Ph.D. drop-out.
    • Read my blogs at http://www.coresecuritypatterns.com/blogs
    • Write to me at nramesh@post.harvard.edu
  • 4. The Identity Dilemma: Who Are You?
    • The Internet is a faceless channel of interaction.
      > No mechanism to physically verify the person who is accessing your resources.
    • Identifying the legitimate user has become crucial.
      > With higher strength of authentication and security.
      > Mandates mechanisms driven by human recognition characteristics.
      > Growing trends in on-demand SaaS and Cloud computing infrastructures.
      > Everyone is concerned about their private information and privacy.
    Cartoon by Peter Steiner, The New Yorker, July 5, 1993 issue (Vol. 69 (LXIX) no. 20), page 61.
  • 5. How do I know it's you?
    • Identity theft and on-line fraud: the fastest growing crime in the world.
      > Someone wrongfully obtains or abuses another person's identity for economic or personal gain.
      > Impersonation, counterfeits, stolen or forged credentials (PINs, passwords, ID cards) and phishing are becoming common.
      > Most frauds happen through trusted insiders.
      > Fake credentials are everywhere: few detected and many undetected!
    • Identity theft results in huge losses to organizations.
      > Loss of consumer confidence, leading to huge government penalties.
      > Growing need for stringent “Personal Identity Verification and Assurance” (e.g. HSPD-12, ICAO 9303).
      > Growing mandates for protecting identity information and compliance (e.g. Massachusetts 201 CMR 17.00).
  • 6. Growing need for Identity Assurance
    • A high degree of authentication and assurance is the most critical requirement for physical and logical access control.
    • Acquire identity credentials that tightly bind an event to a person's proof of possession, physiological characteristics and behavioural traits.
      > Identification and authentication equivalent to face-to-face verification of a person.
      > Credentials must provide at least some long-term stability.
      > Credentials should be non-intrusive but still qualitatively and quantitatively measurable.
      > Integrate/interoperate with physical and logical infrastructures for assured identity verification.
      > Support pervasive use (on-demand SaaS and Cloud-computing based application infrastructures) for authenticating a person with irrefutable proof.
      > Lesser impact on privacy and social values.
  • 7. Human Factors of Identity Assurance
    Human attributes as Identity Assurance Credentials
    • Proof-of-Knowledge
      > Something I know?
      > Passwords, PIN, Mom's maiden name, phone #, etc.
    • Proof-of-Possession
      > Something I have?
      > Smartcards, tokens, driver's license, PKI certificates
    • Proof-of-Characteristics
      > Something I physiologically or behaviorally own?
      > Fingerprints, hand geometry, facial image, iris, retina, DNA, voice, signature patterns
      > Proof-of-Physical Presence
  • 8. Security Levels vs. Identity Assurance
    (Chart) Courtesy: Randy Vanderhoof, Smartcard Alliance
  • 9. Strong Authentication Strategies
    • Authentication Questions
    • HTTP/s Request/Response attributes
    • Hardware/Software Token based One-time Passwords (OTP)
    • Hardware/Software Token based Challenge/Response OTP
    • Phone call based OTP
    • SMS based OTP
    • PKI Certificate
    • USB Tokens/Smart cards (PIN and PKI Certificates)
    • Biometrics (Fingerprints)
    • USB Token/Smart cards (PKI and Match-on-card Biometrics)
  • 10. One-Time Passwords
    Hardware/Software Tokens. One-Time Passwords: an alternative to static passwords
    • Generate one-time passwords
      > Mathematical problem, crypto function or random number generation
      > Challenge/Response dynamic password, asynchronous password
      > Time synchronization between client & server
    • Deliver passwords
      > Proprietary devices, USB, key fobs
      > SMS messages, email, phone
    • Known issues
      > Vulnerable to MITM and phishing attacks where time synchronization is not effective
      > DES key and lost token issues
    • Standards: OATH (Open Authentication Initiative)
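As an added example (not from the deck), the server side of the OATH time-based OTP scheme the slide refers to (HOTP per RFC 4226 under a TOTP time step per RFC 6238): the HMAC-based generation, the time-step synchronization between token and server, and a replay cache so a code captured in transit is not accepted a second time inside its validity window. The class name TotpVerifier and the 20-byte seed are constructed here.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Server-side verifier for OATH time-based one-time passwords (added example, not from the deck). */
public final class TotpVerifier {
    private static final long STEP_SECONDS = 30;   // token and server must agree on the time step
    private static final int SKEW_STEPS = 1;       // tolerate one step of clock drift either way
    private final byte[] sharedSecret;             // provisioned to the token at issuance
    private final Set<Long> consumedSteps = new HashSet<>();   // replay cache (in memory for the demo)

    public TotpVerifier(byte[] sharedSecret) { this.sharedSecret = sharedSecret.clone(); }

    /** HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, six decimal digits. */
    static String hotp(byte[] key, long counter) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "RAW"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int offset = h[h.length - 1] & 0x0f;
        int binary = ((h[offset] & 0x7f) << 24) | ((h[offset + 1] & 0xff) << 16)
                   | ((h[offset + 2] & 0xff) << 8) | (h[offset + 3] & 0xff);
        return String.format("%06d", binary % 1_000_000);
    }

    /** What the user's token displays at a given instant (used here only to drive the demo). */
    public String codeAt(long epochSeconds) throws GeneralSecurityException {
        return hotp(sharedSecret, epochSeconds / STEP_SECONDS);
    }

    /**
     * Accepts a code for the current step or within SKEW_STEPS of it, and never accepts the same
     * step twice, so a captured OTP cannot be replayed even inside its 30-second validity window.
     */
    public synchronized boolean verify(String code, long epochSeconds) throws GeneralSecurityException {
        long now = epochSeconds / STEP_SECONDS;
        for (long step = now - SKEW_STEPS; step <= now + SKEW_STEPS; step++) {
            byte[] expected = hotp(sharedSecret, step).getBytes(StandardCharsets.US_ASCII);
            // Constant-time comparison; a mismatch must not reveal how many digits were right.
            if (MessageDigest.isEqual(expected, code.getBytes(StandardCharsets.US_ASCII))) {
                return consumedSteps.add(step);   // false if this step's code was already used
            }
        }
        return false;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed 20-byte seed; real seeds come from a CSPRNG at token issuance.
        TotpVerifier server = new TotpVerifier("12345678901234567890".getBytes(StandardCharsets.US_ASCII));
        long now = System.currentTimeMillis() / 1000;
        String shown = server.codeAt(now);                 // what the token would display right now
        System.out.println("first use accepted:  " + server.verify(shown, now));
        System.out.println("replay accepted:     " + server.verify(shown, now + 5));
        System.out.println("wrong code accepted: " + server.verify("000000", now));
    }
}
```

The replay cache is what turns the slide's "time synchronization" into an actual defence: without it, any code observed by a phishing page or an on-path attacker stays valid for the rest of the step.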
  • 11. Smart cards w. PKI
    Smart cards as a Cryptographic Token
    • A credit card sized computing device that acts as a cryptographic token.
      > Contact / Contactless cards
    • Allows performing security functions
      > Key generation
      > Public/Private key operations
      > PIN/Biometric authentication
      > Challenge/response authentication
    • Supports the use of Public-key infrastructure to verify the identity claim.
      > PKI credential issuance.
      > Credential validation/verification via OCSP, CRLs
    • Defends against tampering and hacking.
      > PKI/Private key protection
    • Issues: lost cards; key compromise recovery is difficult.
    Smart card Standards (sidebar):
    • ISO-7816
    • Java Card, Multos
    • Global Platform
    • PC/SC
    • FIPS-201/PIV, CAC
    • PKCS#11, PKCS#15
    • GSM/PCS
    • EMV (Europay/Mastercard/Visa)
  • 12. Biometric Assurance
    Biometric Assurance: Who I claim to be
    • Use of physiological or behavioral characteristics to identify a person.
      > High degree of assurance with proof of presence.
      > Fingerprints, facial image/geometry, iris, retina, voice, hand geometry, keystroke, signature
    • Biometric templates can be stored on a Smart card for personal identification.
      > Fingerprint template is ~200 bytes
      > Iris template is 500 bytes
    • Biometric credential must be exchanged over a secure network channel (trusted path).
    • Issues:
      > Biometrics is not a secret
      > False Acceptance (FAR) & False Reject (FRR) rates
      > Vulnerable to message replay/MITM attacks if not exchanged over a secure channel.
    Biometric Identity Standards (sidebar):
    • INCITS 378 / CBEFF (Fingerprints)
    • INCITS 379 (Iris)
    • OASIS BIAS
    • BioAPI
    • JavaCard BioAPI
    • FIPS-201 / PIV
  • 13. Real-world Scenario: Authentication
    (Diagram) Identity Assurance Credentials (user name/password, one-time passwords, Smart Card with PKI certificates, Biometrics) are presented to the Authentication Server / Directory, which validates them (Good / Bad) before the Enterprise Applications grant access.
    Ideally, credentials are: something you know + something you have + something you are
  • 14. Real World Scenario: SSO / Federation
    (Diagram) IDP/SSO Server + Directory serving Application A and Application B.
    Steps 1 to 3: acquire multi-factor identity credentials (e.g. username/password, Smartcard PKI, Biometrics), then an SSO token is issued and presented to the applications.
    SSO token types: SAML, Artifact, proprietary token, Kerberos ticket, etc.
  • 15. Tools of the Trade: What do you need?
    Multi-factor Authentication for Enterprise Applications
    • Web Authentication
      > JAAS Login Module
    • Desktop Authentication
      > PAM Module (Solaris, Linux)
      > GINA (Windows XP, 2003)
    • Identity Provider Infrastructure (IDP)
      > Single Sign-on (SSO)
      > Multi-factor authentication
    • Directory Server
      > Repository for user accounts
    • Your target applications
  • 16. Tools of the Trade: From Authentication Providers
    Multi-factor Authentication for Enterprise Applications
    • Browser Plugin
      > PKCS#11 Client for Smartcard
      > ActiveX/Java Plugin for USB Biometric Scanners
    • Enrollment Middleware
      > Biometric Enrollment, Smartcard/Token Credential Issuance/Management
      > One-time Password (Token) registration/issuance
    • Authentication Middleware
      > Biometric Authentication, One-time password authentication
      > PKI Credential validation via OCSP, CRL, Directory, Certificate Authority
  • 17. Java Authentication Authorization Service (JAAS)
    • JAAS plays a vital role in delivering multi-factor authentication.
      > All Java EE compliant application servers provide support for JAAS.
    • JAAS enables multi-factor authentication in a Java EE enterprise environment.
      > Facilitates pluggable authentication providers as “Login Modules”.
      > Ensures Java EE remains independent of authentication providers.
    • Implementing a login module is not cumbersome:
      > Callback handler – prompts the user to acquire credentials
      > login(), commit(), logout()
    • Choose your own JAAS based Identity Provider Infrastructure?
      > Get introduced to Sun OpenSSO
  • 18. Sun OpenSSO Enterprise
    • Identity Services Infrastructure that facilitates Single Sign-On (SSO) for Web applications residing within an enterprise or across networks.
    • Based on Sun's open-source initiative.
    • Open-standards based framework supporting centralized authentication, authorization and auditing.
      > JAAS based authentication services
      > Agent-based and XACML based policy enforcement
      > Identity-enabled XML Web services for AuthN, AuthX, Audit and Provisioning
      > Identity Federation protocol support including SAMLv2, ID-*, WS-Federation, WS-Policy
      > XML Web Services Security (WS-Security, WS-Trust, WS-I Basic Security Profile)
      > Multi-factor authentication via chaining
      > Centralized configuration, logging and auditing services
      > Supports multiple Java EE application servers and Web containers
      > Fedlets
    • Deployed as a Web application (single WAR file)
  • 19. Multi-factor Authentication and Session Upgrade
    OpenSSO Authentication Chain and Session upgrade through AuthN
    • OpenSSO facilitates stronger/multi-factor authentication through an authentication chain that includes multiple authentication providers.
      > Enables an authentication process where a user must pass credentials to one or more authentication modules before session validation.
      > Session validation is determined by the JAAS control flag (Required, Requisite, Sufficient, Optional) configured for each authentication module instance in the chain.
      > The overall authentication success or failure is determined by the control flag assigned to each module in the authentication stack.
      > OpenSSO is tested and verified to provide a multi-factor authentication chain that includes BiObex Login, Smartcard/PKI and other OpenSSO supported authentication providers.
    • Session Upgrade allows upgrading a valid session based on a successful “second-factor authentication” performed by the same user.
      > Allows the user to authenticate to access a second resource under the same or a different realm.
      > If authentication is successful, OpenSSO updates the session based on the second-level authentication. If authentication fails, the current session is maintained.
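Added example, not from the deck or from OpenSSO: a hypothetical JAAS LoginModule (OtpLoginModule) that walks through the callback handler, login(), commit(), abort() and logout() phases from slide 17, driven through a LoginContext whose Configuration assigns one of the control flags slide 19 describes. The "Enterprise" entry name, the in-memory OTP store and the com.example.PasswordLoginModule named in the comment are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical second-factor module for a JAAS authentication chain: verifies a one-time password. */
public class OtpLoginModule implements LoginModule {
    /** Constructed sample store; a deployment would ask the OTP authentication middleware instead. */
    private static final Map<String, String> OTP_STORE = Map.of("alice", "492817");
    private Subject subject; private CallbackHandler handler;
    private Principal principal; private boolean succeeded;   // principal is bound only in commit()

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    /** Phase 1: acquire the credential through the CallbackHandler and verify it. */
    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback otpCb = new PasswordCallback("one-time password: ", false);
        try { handler.handle(new Callback[] {nameCb, otpCb}); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("cannot acquire credentials: " + e); }
        String user = nameCb.getName();
        char[] given = otpCb.getPassword();   // a copy, so the callback's own buffer can be cleared now
        otpCb.clearPassword();
        String expected = user == null ? null : OTP_STORE.get(user);
        // Constant-time comparison so a wrong OTP does not leak how many digits matched.
        succeeded = expected != null && given != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), new String(given).getBytes(StandardCharsets.UTF_8));
        if (!succeeded) throw new FailedLoginException("one-time password rejected");
        principal = () -> user;               // Principal's only abstract method is getName()
        return true;
    }

    /** Phase 2: every module in the chain passed, so bind the authenticated identity to the Subject. */
    @Override public boolean commit() { if (succeeded) subject.getPrincipals().add(principal); return succeeded; }

    /** Phase 2, failure path: another module in the chain failed, so discard the pending state. */
    @Override public boolean abort() { boolean p = succeeded; principal = null; succeeded = false; return p; }

    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null; succeeded = false;
        return true;
    }

    /** Drives the module through a LoginContext. In a real chain it would follow a password module, e.g.
     *    Enterprise { com.example.PasswordLoginModule requisite; OtpLoginModule required; };
     *  REQUISITE stops the chain on failure; REQUIRED runs the rest but fails overall; SUFFICIENT ends
     *  the chain on success; OPTIONAL only decides the outcome when no REQUIRED/REQUISITE module exists. */
    public static boolean authenticate(String user, char[] otp) {
        Configuration chain = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {new AppConfigurationEntry(OtpLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
            }
        };
        CallbackHandler supplier = callbacks -> {    // hands the constructed credentials to login()
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(otp);
                else throw new UnsupportedCallbackException(c);
            }
        };
        try {
            LoginContext lc = new LoginContext("Enterprise", new Subject(), supplier, chain);
            lc.login();                               // login() on every module, then commit() or abort()
            return !lc.getSubject().getPrincipals().isEmpty();
        } catch (LoginException e) { return false; }
    }

    public static void main(String[] args) {
        System.out.println("correct OTP accepted: " + authenticate("alice", "492817".toCharArray())
                + ", wrong OTP accepted: " + authenticate("alice", "000000".toCharArray()));
    }
}
```

Because login() throws rather than returns false on a bad code, the REQUIRED flag makes the whole LoginContext fail and abort() runs instead of commit(), so no Principal ever reaches the Subject.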
  • 20. OpenSSO Policy Agents
    Authorization and Policy Enforcement
    • Policies are managed by the Policy Configuration Service in OpenSSO.
      > The Policy service authorizes a user based on the policies stored in OpenSSO.
      > A policy consists of Rules, Subjects, Conditions and Response providers.
    • OpenSSO Policy Agents enforce policy and policy decisions on protected resources.
      > Intercept requests from user clients and applications and redirect them to the OpenSSO server for authentication if no SSO token exists.
      > Once authenticated, the policy agent communicates with the OpenSSO Policy service to grant/deny access to the user based on policy evaluation.
  • 24. Participate in OpenSSO Community!
    • Join 700 project members at opensso.org
      > Join: sign up at opensso.org
      > Download: OpenSSO Enterprise 8
      > Subscribe: OpenSSO mailing lists (dev, users, announce)
      > Chat: #opensso on freenode.net
    Sun Confidential: Partners and Customers NDA/CDA only
  • 25. Demonstration... Thank You
    Sun Virtualization Solutions
    Ramesh Nagappan, Sun Microsystems, Burlington, MA
    http://www.coresecuritypatterns.com/blogs