alex karasulu
DESCRIPTION
Apache Triplesec: Strong (2-factor) Mobile Identity Management. Alex Karasulu. Agenda. Drivers Multiple factors & OTP Triplesec Solution Miscellaneous Summary & Conclusion. Agenda: Drivers. Problems Demand Market Costs Logistics. An Integration Problem!. The Identity Problem. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/1.jpg)
Alex Karasulu
Apache Triplesec: Strong (2-factor) Mobile Identity Management
![Page 2: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/2.jpg)
Agenda
1. Drivers2. Multiple factors & OTP3. Triplesec Solution4. Miscellaneous5. Summary & Conclusion
![Page 3: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/3.jpg)
Agenda: Drivers
• Problems• Demand• Market• Costs• Logistics
![Page 4: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/4.jpg)
The Identity Problem
An Integration Problem!
![Page 5: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/5.jpg)
The Phishing Problem
Increasing demand for multi-factor authentication.
![Page 6: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/6.jpg)
Multi-Factor Gold Rush
• FEICC-mandated multi-factor for 2007• Financial companies are desperate• Many new vendors• Lack of standards• Just get into the market mentality• Lot's of ugly products• Lot's of suckers to be born!
![Page 7: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/7.jpg)
Commercial Products
• 2-factor products– SecureId (RSA)– Safeword– ActiveIdentity
• Identity Management products– Netegrity (CA)– Oblix (Oracle)– SUN Identity
![Page 8: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/8.jpg)
How much does multi-factor authentication cost?
• One Time Device Cost – 15-110$ USD per user– logistics costs: delivery & RMA?
• Recurring Cost Per User (server)– 10-35$ USD per user per year
• Authentication Server Cost– 0-100K USD one time cost– Maintenance covered by per user cost
• Integration Services?
![Page 9: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/9.jpg)
How much does identity management cost?
• Recurring Cost Per User (server)– 12-30$ USD per user per year
• Server Cost– 0-100K USD one time cost (10K users)– Maintenance covered by per user cost
• Integration Services?
![Page 10: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/10.jpg)
Identity Management + Multi-factor authentication = too much!
• Combined cost per user can climb rapidly• Increased entropy: 2 products not 1• Integration between products required• More to Manage: each has own interfaces
![Page 11: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/11.jpg)
Agenda: Multiple Factors and OTP
• One Time Passwords (OTP)• HOTP• Inhibitors• Mobile Solution
![Page 12: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/12.jpg)
One Time Passwords (OTP)
• Generated by hardware token• Changes with each use• Algorithms
– Time Based– S/Key (MD4/5)– HMAC– HOTP
![Page 13: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/13.jpg)
HOTP – RFC 4226
• Shared secret• Counter• Throttling parameter• Look-ahead parameter: self service• Bi-directional authentication• Low resource utilization• No network needed
![Page 14: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/14.jpg)
OTP Inhibitors
• A token per account• Must carry extra device on person• Replacing broken or stolen device• Device cost• Device provisioning• Invasive changes required to use within existing
infrastructure
![Page 15: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/15.jpg)
Proposed Solution
• Use mobile phones to generate OTP– everybody has a cell phone– no new hardware to buy or carry
• Simple provisioning process– WAP push to mobile device
• Standard protocols for authentication• Standard JSE, JEE & JME interfaces• Integrated noninvasive IdM
![Page 16: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/16.jpg)
Agenda: Triplesec Solution
• Intro• Mobile Token• Authentication & Authorization• Administrator UI• Feature Demos
![Page 17: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/17.jpg)
Triplesec “Strong Identity Server”
• FOSS – ASL Licensed• Identity Management Platform
– 2-Factor Authentication– Authorization (RBAC)– Auditing– SSO
• JME & JSE OTP client• Want to see it?
![Page 18: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/18.jpg)
Mobile Token
• JME based OTP generator– MIDP 1.0 compatible– 33Kb footprint– Runs on low end phones
• Connectionless OTP generation– No data subscription need– No service need
• Uses HOTP from OATH (RFC 4226)
![Page 19: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/19.jpg)
Authentication
• Password & passcode (OTP value)• Optional realm field• Kerberos• LDAP• JAAS Login Module
![Page 20: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/20.jpg)
Authorization
• Authorization Policy Store– applications– permissions– roles– authorization profiles– users– groups
• Guardian API
![Page 21: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/21.jpg)
Administration Tool
• Manage– applications– users– groups– roles– permissions– profiles
• Let's take a look!
![Page 22: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/22.jpg)
Servlet Demo
• Simple Servlet• Uses Guardian API• Application = demo• Read & report roles and permissions• Reads profile for each request• Should respond to policy change events?
![Page 23: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/23.jpg)
Policy Change Listener
• Guardian API has listener interface• Receives policy change events
– permission changes– role changes– profile changes
• Asynchronous notification• No polling!
![Page 24: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/24.jpg)
Dynamic Policy Demo
• Simple Swing Application• Uses Policy Change Listener• Paints menu with permissions of user• Update dependent:
– grants– denials– roles
• UI responds to events to redraw menu
![Page 25: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/25.jpg)
Simple Policy Management
• Simple Schema for Policy Store• Any LDAP client can be used• Easy to write access API in any lang• Easy to administer policy with scripts• Export Policies for testing
– Guardian LDIF & LDAP Drivers
![Page 26: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/26.jpg)
Sync Protocol
What happens when the counter gets out of sync?
![Page 27: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/27.jpg)
Better Web Demo
Let's see the sync protocol in action with a better demo.
![Page 28: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/28.jpg)
Agenda: Miscellaneous
• Built on ApacheDS Protocols• SSO & SAML• Future Plans
![Page 29: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/29.jpg)
Based on ApacheDS
• Triplesec uses ApacheDS for:– LDAP– Kerberos– ChangePW
• Simple Schema• Looking inside with LDAP Studio
![Page 30: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/30.jpg)
Single Sign On & SAML
• Use Kerberos for OS authentication– Windows (default)– Linux (pam_krb5)– MacOSX (optional)
• Can be integrated w/ CAS• Can be integrate w/ Shibboleth• HOTP transparent to all clients
![Page 31: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/31.jpg)
Future Plans
• Improve various features• Experiment with Bluetooth for MIDlet• Make into JACC provider• Add more polish• Administrator plug-in for LDAP Studio
![Page 32: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/32.jpg)
Agenda: Summary & Conclusions
• Uncovered Material• Benefits• Drawbacks• Conclusions• Questions
![Page 33: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/33.jpg)
Things we did not have time to present to you
• MIDLet OTP Generator– SMS & Email Provisioning– Pin Cracking Protection
• OS SSO & Configuration• Auditing & Compliance• JAAS LoginModule• Configuration UI• Integration• Delegation of Administration• Authentication Delegation to external services
![Page 34: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/34.jpg)
Benefits
• Single device for all OTP generators (accounts)• Easy to use & simple design• Dynamic notification of policy changes• Uses standards: HOTP, Kerberos, LDAP, JAAS,
MIDP 1.0• FOSS – ASL 2.0
![Page 35: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/35.jpg)
Drawbacks
• Waiting on ApacheDS MMR• Heavy re-factoring needed: prototype• Schema redesign needed for JACC• Better management interfaces
![Page 36: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/36.jpg)
Conclusions
•Simple solution for:– Simple identity management needs– 2-factor mobile authentication
•Low complexity: minimize integration•No need for extra hardware•Easy provisioning•Increased security•Reduced cost
![Page 37: Alex Karasulu](https://reader030.vdocuments.net/reader030/viewer/2022033101/56814716550346895db44f09/html5/thumbnails/37.jpg)
Questions?