authentication without authentication

Authentication Without Authentication

AppSec Israel@omerlh

Source: Nissan

https://www.nissanusa.com/content/dam/nissan/nissan-connect/features/features-app_3.jpg

Troy Hunt - Hack Yourself First

https://www.troyhunt.com/

https://app.pluralsight.com/courses/hack-yourself-first

Source: Troy Hunt's Blog

https://www.troyhunt.com/controlling-vehicle-features-of-nissan/

- Helping people get the most out of their technology

“...a significant amount of drop-off in app usage,

losing up to 56% of users,

but are pretty much essential for the majority of apps

out there today...”

Source: Optimizely

https://blog.optimizely.com/2015/01/13/7-tips-to-improve-mobile-app-onboarding/

Source: pinterest

https://www.pinterest.com/pin/452259987559781943/

Authenticate Request Per Second

Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/

Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html

User Id

Application Server

Device Id

Application Server

Agenda

● OpenID

● Digital Signature

● One Time Password

● Demo

● Edge Cases

OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases

● “Simple Identity Layer”

● Token-based authentication

● Widely supported

● Modularity - many authentication flows


Authorization Server

Application ServerDevice


Supported Authentication Methods

Authorization/Implicit/Hybrid

Client credentials

Resource Owner

JWT client assertion


We need a new authentication flow


Authorization ServerDevice


Requirements

❏ Strong authentication solution

❏ Unique device identification

❏ Simple

❏ Unique per request

❏ Replay Attacks

❏ Fault tolerant


Questions?

Let’s use Digital Signature


Dear BobDear BobSign Verify


Leo Bob the BuilderTM

Source: Bob the Buildertm Official Site

http://www.bobthebuilder.com/en-us/about/who

This sounds familiar...


How we can use it?



Public Key, Id

Public Key, Id


Id: 5467


Digital Signature, Id

Public Key, Id


Id: 5467

So far we have:

✓ Strong authentication solution

✓ Unique device identification

✓ Simple

❏ Unique per request

❏ Fault tolerant


Questions?

One Time Password



Digital Signature, Id

Public Key, Id


Id: 5467

Time Based

● Use current timestamp

● Allowed time range (e.g. +- 1

min)

● 2FA Solution

● Start with a random seed

● Increase by one after each

request

● Allowed value range (e.g. +- 5)


Counter Based

Synchronization Issues

Let’s build our own OTP


Client State Server State

Old 5

New 2

Old 5

New 2

Old 2

New 42Old 5

New 2

Old 2

New 42

Token


So far we have…



✓ Simple

✓ Unique per request

✓ Fault tolerant

Questions?

Demo Time


Client

Authorization

Server

Application Server

(Sensitive API)


Let’s see it in action...All the code is available on GitHub


https://github.com/Soluto/jwt-otp-demo

Network request can fail

● Reasons:

○ Timeout

○ Network failure

○ Temporary server errors

● Unknown server state

○ State did not changed

○ State changed



Old 2

New 42

Old 1

New 2

Old 2

New 42

Old 2

New 42

Old 1

New 2

Token

Error



Old 2

New 42

Old 2

New 42

Old 1

New 2

Old 2

New 42Old 2

New 42Old 2

New 42

Error



Old 2

New 42

Old 2

New 42Old 42

New 86

Old 42

New 86

Old 2

New 42

Bad Request (400)

Token


Questions?

What is the weakest link in the chain?

Detecting Compromised Devices



Old 2

New 42

Old 1

New 2

Eve

Old 2

New 42

Old 1

New 2Old 2

New 42

Old 2

New 42 Token



Old 2

New 42

Old 2

New 42

Eve

Old 42

New 56

Old 2

New 42Old 2

New 42

Bad

Request

(400)



Old 42

New 78

Old 2

New 42

Eve

Old 42

New 56

Old 2

New 42Old 42

New 78

Old 42

New 78Token



Old 78

New 4

Old 7

New 78

Eve

Old 7

New 56

Old 7

New 78Old 7

New 93

400 Bad

Request


Questions?

Conclusion

Responsible Disclosure

Requirements



✓ Simple

✓ Unique per request

✓ Fault tolerant

How can you use it?

@omerlh

authentication without authentication

Technology