The Beginner's Guide to Alternative Authentication

Transcript

1. The Beginners Guide to Alternative Authentication Chris Cornutt : @enygma

   - ConFoo 2015

2. Authentication Authorization

3. Authentication Authorization

4. Identity Management

5. Usual Suspects Access Control? What’s that? Permissions Access Control Lists

   Role-Based Access Controls
6. None

7. Attribute-Based Flexible… …to a fault. XACML

8. Resource Subject Environment Action Attribute-Based Attribute-Based

9. Resource Subject Environment Action Decider/Enforcer Policy Attribute-Based

10. <Policy PolicyId="SamplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"> <!-- This Policy only applies to requests

    on the SampleServer --> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue> <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/> </ResourceMatch> </Resources> <Actions> <AnyAction/> </Actions> </Target> <!-- Rule to see if we should allow the Subject to login --> <Rule RuleId="LoginRule" Effect="Permit"> <!-- Only use this Rule if the action is login --> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login</AttributeValue> <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="ServerAction"/> </ActionMatch> </Actions> </Target> <!-- Only allow logins from 9am to 5pm --> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal" <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/> </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue> </Apply> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal" <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/> </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue> </Apply> </Condition> </Rule> <!-- We could include other Rules for different actions here --> <!-- A final, "fall-through" Rule that always Denies --> <Rule RuleId="FinalRule" Effect="Deny"/> </Policy>

11. Resource Subject Environment Action Policy /user/view/1 username1 production GET /user/view/1

    username1 production GET

12. Resource Subject Environment Action Policy /user/view/1 username1 production GET /user/view/1

    username1 production GET

13. Resource Subject Environment Action Policy /user/view/1 username1 production GET /user/view/42

    username1 dev GET

14. Resource Subject Environment Action Policy /user/view/1 username1 production GET /user/view/42

    username1 dev GET

15. Multifactor Something you have Something you know Something you are

    Someplace

16. Multifactor

17. Multifactor Stolen shared secret Steal the thing Copy the thing

    Intercept/masquerade Hijack after use

18. Federated Identity Portable, standards-based Do you need to host? Removes

    the burden

19. Federated Identity

20. Federated Identity IDP

21. Federated Identity IDP Unification

22. Federated Identity User-to-user User-to-application Application-to-application Levels of trust

23. Federated Identity But isn’t that just Single-Sign On? One word…context.

24. Federated Identity Credentials User attributes Access levels Provisioning Auditing Domain

25. Single Sign On Credentials Multiple services, one login Interface requirements

    Not always username & password

26. Single Sign On Primary Domain

27. Single Sign On Subset of Federation Intranets Remove authentication burden

    Makes users happy…as long as it works.

28. SAML Security Assertion Markup Langauge Cross-service Passes needed info Version

    2 XML based

29. SAML Security Assertion Markup Langauge

30. SAML Security Assertion Markup Langauge Assertions Statements used in IdP

    decisions Protocols How elements are packaged Bindings Mapping of protocol to standard format Profiles Combines assertions, protocols and bindings

31. SAML Security Assertion Markup Langauge

32. SAML Security Assertion Markup Langauge Authentication Context Schemas Intranet, MobileTwoFactor,

    PublicKey, SSL/TLS Certificate, etc. Identification information How “secret” is defined

33. So, which to use? Level of protection needed Current systems

    and integration Defense in depth Risk (Frequency, Probability, Cost) Don’t have to pick just one…

34. Thanks! Questions? @enygma http://securingphp.com - @securingphp http://websec.io