Post on 21-Jan-2018


Authentication Without Authentication

AppSec Israel, @omerlh

- Helping people get the most out of their technology

“...a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today...”

Source: Optimizely

Authenticate Request Per Second

Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/

Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html

Diagram: User Id → Application Server

Diagram: Device Id → Application Server

Agenda

● OpenID

● Digital Signature

● One Time Password

● Demo

● Edge Cases

OpenId --- Digital Signature --- One Time Password --- Demo --- Edge Cases

● “Simple Identity Layer”

● Token-based authentication

● Widely supported

● Modularity - many authentication flows


Diagram: Device, Authorization Server, Application Server

Supported Authentication Methods

Authorization/Implicit/Hybrid

Client credentials

Resource Owner

JWT client assertion


We need a new authentication flow


Diagram: Device, Authorization Server

Diagram: Device, Authorization Server, Application Server

Requirements

❏ Strong authentication solution

❏ Unique device identification

❏ Simple

❏ Unique per request

❏ Replay Attacks

❏ Fault tolerant


Questions?

Let’s use Digital Signature


Diagram: message “Dear Bob” → Sign → signed message “Dear Bob” → Verify

Image: Leo and Bob the Builder™

Source: Bob the Builder™ Official Site

This sounds familiar...


How can we use it?

Diagram (registration): Device (Id: 5467) sends Public Key, Id to the Authorization Server; the Authorization Server stores Public Key, Id.

Diagram (authentication): Device (Id: 5467) sends Digital Signature, Id to the Authorization Server; the Authorization Server looks up the stored Public Key, Id and verifies the signature.
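The registration and per-request verification drawn above, as an added example in Go using Ed25519 from the standard library. This is not code from the deck or from the speaker's GitHub demo; the registry and device types, the method names and the sample request payload are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// keyRegistry stands in for the Authorization Server's store: Id -> Public Key.
// (Assumed shape; the slides only show the two labels.)
type keyRegistry struct {
	mu   sync.Mutex
	keys map[string]ed25519.PublicKey
}

func newKeyRegistry() *keyRegistry {
	return &keyRegistry{keys: make(map[string]ed25519.PublicKey)}
}

// Register is the enrolment step: the device presents (Public Key, Id) once.
// A second registration under the same Id is refused so that a later caller
// cannot overwrite the key a device already registered.
func (r *keyRegistry) Register(id string, pub ed25519.PublicKey) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("public key has wrong size")
	}
	if _, exists := r.keys[id]; exists {
		return errors.New("id already registered")
	}
	r.keys[id] = append(ed25519.PublicKey(nil), pub...)
	return nil
}

// Verify is the per-request step: the device sends (Digital Signature, Id) and
// the server checks the signature with the key stored under that Id.
func (r *keyRegistry) Verify(id string, payload, sig []byte) bool {
	r.mu.Lock()
	pub, ok := r.keys[id]
	r.mu.Unlock()
	if !ok || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, payload, sig)
}

// device keeps the private key; only the public half is ever sent.
type device struct {
	id   string
	priv ed25519.PrivateKey
}

func newDevice(id string) (*device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &device{id: id, priv: priv}, nil
}

func (d *device) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Sign signs the request payload. Note what is NOT covered: nothing in the
// payload differs between two identical requests, so a captured (payload,
// signature) pair verifies again. That is the "unique per request" box the
// deck leaves unchecked at this point.
func (d *device) Sign(payload []byte) []byte { return ed25519.Sign(d.priv, payload) }

func main() {
	reg := newKeyRegistry()
	dev, err := newDevice("5467")
	if err != nil {
		panic(err)
	}
	if err := reg.Register(dev.id, dev.Public()); err != nil {
		panic(err)
	}
	payload := []byte(`{"device":"5467","action":"unlock"}`) // constructed sample request
	sig := dev.Sign(payload)
	fmt.Println("genuine request verifies:", reg.Verify("5467", payload, sig))
	fmt.Println("tampered payload verifies:", reg.Verify("5467", []byte(`{"device":"5467","action":"reset"}`), sig))
	fmt.Println("unknown id verifies:", reg.Verify("9999", payload, sig))
}
```

Only the public key leaves the device, and the server never needs a shared secret, which is what makes this work for a device that is not a user. The gap the deck turns to next is visible in Sign: a valid signature proves the key holder produced the payload, not that this particular request is fresh.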

So far we have:

✓ Strong authentication solution

✓ Unique device identification

✓ Simple

❏ Unique per request

❏ Fault tolerant


Questions?

One Time Password


Diagram (authentication): Device (Id: 5467) sends Digital Signature, Id to the Authorization Server; the Authorization Server looks up the stored Public Key, Id and verifies the signature.

Time Based

● Use current timestamp

● Allowed time range (e.g. +- 1 min)

● 2FA Solution

Counter Based

● Start with a random seed

● Increase by one after each request

● Allowed value range (e.g. +- 5)

Synchronization Issues
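The two OTP variants just listed, as an added example in Go (not the deck's code). The HMAC-based code derivation, the symmetric window for the time-based check and the look-ahead resynchronisation for the counter-based check are assumptions about how the stated windows are applied; the secret, the counter seed and the timestamps are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// otpCode derives a six-digit code from the shared secret and a moving factor:
// a time step for the time-based variant, a counter for the counter-based one.
// The truncation is a plain HMAC-SHA256 prefix (assumed; not exactly RFC 4226/6238).
func otpCode(secret []byte, factor uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], factor)
	mac := hmac.New(sha256.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	return binary.BigEndian.Uint32(sum[:4]) % 1_000_000
}

// timeStep maps a clock reading to the moving factor.
func timeStep(t time.Time, step time.Duration) uint64 {
	return uint64(t.Unix() / int64(step/time.Second))
}

// VerifyTimeBased accepts a code that matches any step within +-window steps of the
// verifier's clock (30s steps and window 2 give the deck's "+- 1 min").
func VerifyTimeBased(secret []byte, got uint32, now time.Time, step time.Duration, window int) bool {
	base := int64(timeStep(now, step))
	for d := -window; d <= window; d++ {
		if otpCode(secret, uint64(base+int64(d))) == got {
			return true
		}
	}
	return false
}

// counterVerifier holds the server's expected counter for one device. The device
// counter started from a random seed and goes up by one per request, so after
// lost requests the device may be a few steps ahead: that is the synchronisation
// issue the deck names, handled here with a look-ahead window.
type counterVerifier struct {
	secret  []byte
	counter uint64
	window  uint64
}

// Verify accepts a code matching counter+i for 0 <= i <= window, then moves the
// counter past the matched value so the same code cannot be accepted again.
// Values behind the counter are not accepted, although the deck writes the range
// as "+-": accepting them would re-accept codes that were already used (replay).
func (v *counterVerifier) Verify(got uint32) bool {
	for i := uint64(0); i <= v.window; i++ {
		if otpCode(v.secret, v.counter+i) == got {
			v.counter += i + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("constructed-shared-secret") // sample value only
	now := time.Date(2018, 1, 21, 10, 0, 0, 0, time.UTC)
	c := otpCode(secret, timeStep(now, 30*time.Second))
	fmt.Println("time-based, clock 45s ahead:", VerifyTimeBased(secret, c, now.Add(45*time.Second), 30*time.Second, 2))
	fmt.Println("time-based, clock 5min ahead:", VerifyTimeBased(secret, c, now.Add(5*time.Minute), 30*time.Second, 2))

	v := &counterVerifier{secret: secret, counter: 1000, window: 5} // 1000 stands in for the random seed
	fmt.Println("counter: device 3 ahead:", v.Verify(otpCode(secret, 1003)))
	fmt.Println("counter: replay of that code:", v.Verify(otpCode(secret, 1003)))
	fmt.Println("counter: device 10 ahead:", v.Verify(otpCode(secret, 1014)))
}
```

The two windows trade the same thing: a wider window tolerates more clock drift or more lost requests, and also gives a captured code a longer life. The counter variant only recovers when the device is at most `window` steps ahead; beyond that the two sides need an explicit resynchronisation step, which is the problem the custom scheme in the next slides is built to avoid.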

Let’s build our own OTP


Client State / Server State (slide animation, frames in order)

Client: Old 5, New 2      Server: Old 5, New 2
Client: Old 2, New 42     Server: Old 5, New 2
Client: Old 2, New 42     Server: Old 2, New 42
Label: Token

So far we have…

✓ Strong authentication solution

✓ Unique device identification

✓ Simple

✓ Unique per request

✓ Fault tolerant

Questions?

Demo Time


Demo architecture: Client, Authorization Server, Application Server (Sensitive API)

Let’s see it in action...

All the code is available on GitHub

Network request can fail

● Reasons:

○ Timeout

○ Network failure

○ Temporary server errors

● Unknown server state

○ State did not change

○ State changed

Client State / Server State (slide animation, frames in order)

Client: Old 2, New 42     Server: Old 1, New 2
Client: Old 2, New 42     Server: Old 2, New 42 (previously Old 1, New 2)
Labels: Token, Error

Client State / Server State (slide animation, frames in order)

Client: Old 2, New 42     Server: Old 2, New 42 (previously Old 1, New 2)
Client: Old 2, New 42     Server: Old 2, New 42
Label: Error

Client State / Server State (slide animation, frames in order)

Client: Old 2, New 42                     Server: Old 2, New 42
Client: Old 2, New 42 → Old 42, New 86    Server: Old 42, New 86
Labels: Old 2, New 42 → Bad Request (400); Token

Questions?

What is the weakest link in the chain?

Detecting Compromised Devices


Client State / Server State / Eve (slide animation, frames in order)

Client: Old 2, New 42     Server: Old 1, New 2     Eve: Old 2, New 42
Client: Old 2, New 42     Server: Old 2, New 42 (previously Old 1, New 2)
Label: Token

Client State / Server State / Eve (slide animation, frames in order)

Client: Old 2, New 42     Server: Old 2, New 42     Eve: Old 42, New 56
Client: Old 2, New 42     Server: Old 2, New 42
Label: Bad Request (400)

Client State / Server State / Eve (slide animation, frames in order)

Client: Old 42, New 78     Server: Old 2, New 42     Eve: Old 42, New 56
Client: Old 42, New 78     Server: Old 42, New 78 (previously Old 2, New 42)
Label: Token

Client State / Server State / Eve (slide animation, frames in order)

Client: Old 78, New 4     Server: Old 7, New 78     Eve: Old 7, New 56
Server: Old 7, New 78 → Old 7, New 93
Label: 400 Bad Request
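The rolling Old/New state from the fault-tolerance frames and the Eve frames above, as an added example in Go. This is not the deck's demo code: the acceptance rule (a request's Old must equal the server's current New), the client-side retry, and the clone detection by a second mismatch are assumptions chosen to be consistent with the frames, not a rule the deck spells out. The id 5467 and the starting pair Old 5, New 2 are taken from the slides; the fresh values are drawn at run time instead of being the slides' 42, 86 and so on, and the device signature that would accompany each request is left out.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
)

// pair is the (Old, New) state both sides keep, as drawn on the slides.
type pair struct{ Old, New uint64 }

// errStateMismatch is the server's "Bad Request (400)".
var errStateMismatch = errors.New("400 bad request: state mismatch")

// otpServer keeps the last accepted pair per device id (assumed store shape).
type otpServer struct {
	mu     sync.Mutex
	states map[string]pair
}

func newOTPServer() *otpServer { return &otpServer{states: make(map[string]pair)} }

// Enroll seeds the server copy; the deck starts with both sides at Old 5, New 2.
func (s *otpServer) Enroll(id string, st pair) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.states[id] = st
}

// Authenticate applies the rule assumed here: the request's Old must equal the
// server's current New. On success the server stores the request pair, so the
// same pair can never be accepted twice (replay), and a pair that does not chain
// onto the current state is a 400. Old == New is refused as well, because such a
// pair would chain onto itself and be accepted repeatedly.
func (s *otpServer) Authenticate(id string, req pair) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	cur, ok := s.states[id]
	if !ok || req.Old != cur.New || req.New == req.Old {
		return "", errStateMismatch
	}
	s.states[id] = req
	return fmt.Sprintf("token:%s:%d", id, req.New), nil
}

// otpClient is the device's copy of the pair.
type otpClient struct {
	id string
	st pair
}

func randomValue() uint64 {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return binary.LittleEndian.Uint64(b[:])
}

// Next advances the client: the current New becomes Old and a fresh random New is
// drawn. The returned pair is what goes on the wire.
func (c *otpClient) Next() pair {
	next := randomValue()
	for next == c.st.New {
		next = randomValue()
	}
	c.st = pair{Old: c.st.New, New: next}
	return c.st
}

// Recover is the client-side retry assumed here for a request whose response was
// lost: resend the current pair; if the server answers with a mismatch, the earlier
// request must already have been applied, so advance once and try again. A second
// mismatch means someone else moved the server state, which is the signal the deck
// uses to spot a compromised (cloned) device.
func Recover(c *otpClient, s *otpServer) (string, error) {
	if tok, err := s.Authenticate(c.id, c.st); err == nil {
		return tok, nil
	}
	if tok, err := s.Authenticate(c.id, c.Next()); err == nil {
		return tok, nil
	}
	return "", errors.New("state moved by another holder: possible cloned device")
}

func main() {
	s := newOTPServer()
	c := &otpClient{id: "5467", st: pair{Old: 5, New: 2}}
	s.Enroll(c.id, c.st)
	tok, err := s.Authenticate(c.id, c.Next()) // normal request
	fmt.Println("first request:", tok, err)

	req := c.Next()
	s.Authenticate(c.id, req)          // applied by the server, but the response is lost
	_, err = s.Authenticate(c.id, req) // naive resend of the same pair: 400
	fmt.Println("resend:", err)
	tok, err = Recover(c, s) // advance once: token
	fmt.Println("recover:", tok, err)

	eve := &otpClient{id: c.id, st: c.st} // Eve holds a copy of the device state
	s.Authenticate(c.id, c.Next())        // the real device moves first
	_, err = Recover(eve, s)              // Eve can no longer chain onto the state
	fmt.Println("eve:", err)
}
```

Keeping both Old and New on the client is what makes the lost-response case recoverable without a resynchronisation protocol: after a failure the server is at one of exactly two states the client knows, so at most one extra round trip settles it. The same property is what exposes a clone: two holders of one state cannot both advance it, and the one that loses the race gets the 400, which the server can log per device id as a compromise signal.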

Questions?

Conclusion

Responsible Disclosure

Requirements

✓ Strong authentication solution

✓ Unique device identification

✓ Simple

✓ Unique per request

✓ Fault tolerant

Diagram: Device, Authorization Server

Diagram: Device, Authorization Server, Application Server

How can you use it?

@omerlh
