WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server

FIDO Universal Second Factor (U2F) for WSO2 Identity Server. Presenters: Ishara Karunarathna, Senior Software Engineer, WSO2; Jerrod Chong, Solutions Team Leader, Yubico; Rob Blaauboer, Integration Consultant, Yenlo. December 8th 2015. 38 slides.

Upload: yenlo

Post on 22-Feb-2017


TRANSCRIPT

Page 1: WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server

FIDO Universal Second Factor (U2F) for WSO2 Identity Server

Ishara Karunarathna, Senior Software Engineer, WSO2

Jerrod Chong, Solutions Team Leader, Yubico

Rob Blaauboer, Integration Consultant, Yenlo

December 8th 2015

Page 2: About the presenters

Ishara Karunarathna, Senior Software Engineer, WSO2. Ishara is a Senior Software Engineer at WSO2 and a key member of the WSO2 Identity Server team, contributing to the Identity Server and to WSO2's platform security. He has participated in several customer engagements, helping them realize enterprise use cases and build solutions on top of the WSO2 platform.

Jerrod Chong, Solutions Team Leader, Yubico. Jerrod leads the Solutions team at Yubico, with over fifteen years of experience specializing in enterprise security solutions. He works with small, medium and enterprise customers to consult on and build open, scalable security solutions. Jerrod is also an active contributor to the FIDO Alliance U2F technical working group and its security certification development committee.

Rob Blaauboer, Senior Consultant, Yenlo. Rob is a Senior Business Consultant and Solution Architect with more than twenty years' experience. In addition to his work he is an active blogger, writing a number of articles on the 'Internet of Things' and a WSO2 'Getting Started with ...' series in which he explains WSO2 components and their purpose, aimed especially at non-technical readers.

Page 3: About Yenlo

• Global enterprise, founded in 2007, with an international focus on delivering integration solutions based on Java open source

• #1 in the field of Integration Solutions

• #1 in Managed Services for middleware environments

• #1 Global Strategic Alliance partner of WSO2

• WSO2 Product Support

• WSO2 Development

• WSO2 QuickStarts

• WSO2 Training & Certifications

• WSO2 24/7 Managed Services

• WSO2 Events

Page 4: What Yenlo delivers

Enterprise Architecture, Software Development, Managed Services

WSO2 Product Support, WSO2 Development Support, WSO2 QuickStart

WSO2 Training & Certifications, WSO2 Managed Services, WSO2 Events

Page 5: Agenda

Making WSO2 Identity Server more secure with FIDO UAF & U2F

• Our security is at risk

• Introduction to FIDO and why FIDO U2F

• Introduction to WSO2 IS

• Demo

• Benefits of the solution

• Q&A

Page 6: Our security is at risk

Page 7: Making it more secure

o Start with the basics!

o Access to a mail service enables a hacker to access many more systems

o Gmail supports FIDO and other 2nd factors

o Sensitive information should be secured

Page 8: What is a factor?

o Something you know: for instance a password, or even a username

o Something you have: a smartcard, token or smartphone

o Something you are: your face, voice or fingerprint (and many more, even the way you type)

o The more factors, the better

Page 9: Depending on the use case, the level of security needs to be higher

o Logging in to a news website: user ID and password

o Logging in to an eCommerce website like Amazon: user ID and password, with the option to increase the level of security

o Logging in to your internet banking or government services: user ID and password plus a challenge/response

Page 10: FIDO Universal 2nd Factor

Simple, secure, open and scalable 2FA

Page 11: Benefits of U2F over other 2FA

• One device, many sites, with no shared secrets

• Open standard, platform/browser support (no client, no driver)

• Protection against phishing and MitM

Page 12: Stats from Google deployment, U2F vs Google Authenticator

• 4x faster to login

• Support reduced by 40%

• Significant fraud reduction

Page 13: FIDO U2F Ecosystem (250+ members)

• Online services

• Chip providers

• Device providers

• Biometrics technology

• Enterprise servers

• Open source software/servers

• Mobile apps & clients

• Browsers

Page 14: Registration and Authentication (individual with U2F device, and relying party)

Registration

1. Server sends challenge

2. Device generates key pair

3. Device creates key handle

4. Device signs challenge + client info

5. Server receives and verifies device signature using attestation cert

6. Key handle and public key are stored in database

Authentication

1. Server sends challenge + key handle

2. Device unwraps/derives private key from key handle

3. Device signs challenge + client info

4. Server receives and verifies using stored public key

Page 15: U2F Entities

User side:

• U2F Authenticator: Secure U2F Element (optional), U2F code, user action; transport over USB (HID), NFC or Bluetooth

• FIDO Client (browser): U2F JS API; USB (HID) API, NFC API, Bluetooth API

Relying party:

• Web Application

• U2F Library

• Public keys + key handles + certificates

Page 16: Protocol Design Step-by-Step

Page 17: Authentication (U2F device, client, relying party)

1. Relying party sends a challenge to the client; the client forwards the challenge to the device

2. Device signs the challenge with kpriv: s = signature(challenge)

3. Client returns s to the relying party

4. Relying party looks up kpub and checks signature s using kpub

Page 18: Phishing/MitM Protection (U2F device, client, relying party)

1. Relying party sends a challenge to the client; the client passes challenge, origin and channel id (together: c) to the device

2. Device signs with kpriv: s = signature(c)

3. Client returns c and s to the relying party

4. Relying party looks up kpub, checks s using kpub, and verifies origin & channel id

Page 19: Application-Specific Keys (U2F device, client, relying party)

1. Relying party sends handle h, app id a and a challenge to the client; the client passes h and a, plus challenge, origin, channel id, etc. (together: c) to the device

2. Device checks app id a, looks up the kpriv associated with h, and signs: s = signature(a, c)

3. Client returns c and s to the relying party

4. Relying party looks up the kpub associated with h, checks s using kpub, and verifies origin & channel id

Page 20: Registration + Device Attestation (U2F device, client, relying party)

1. Relying party sends app id a and a challenge to the client; the client passes a, plus challenge, origin, channel id, etc. (together: c) to the device

2. Device checks app id a, generates kpub, kpri and handle h, and returns kpub, h, attestation cert and s = signature(a, c, kpub, h)

3. Client returns c, kpub, h, attestation cert and s to the relying party

4. Relying party verifies and associates kpub with handle h for the user

Page 21: Adding U2F Support

Original database:

user_id | Password#
JohnDoe | 4^hfd;;`gpo

U2F database (relying party), related to the original database by user_id:

user_id | Meta | U2F Data
JohnDoe | Yubico, Security Key, USB | Key handle, public key, certificate
JohnDoe | Yubico, YubiKey NEO, USB + NFC | Key handle, public key, certificate
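The exchanges of slides 14 and 17 to 21, carried through in code as an added example; it is not part of the webinar, of WSO2 Identity Server, or of Yubico's libraries. It models both sides: an authenticator whose key handle is nonce || HMAC(app id, nonce) and whose per-site P-256 key is re-derived from the same inputs (so the device stores nothing per site and a handle made for another app id is refused), and a relying party that keeps the user -> (public key, key handle) table of slide 21 and checks issued challenge and origin before the signature. The relying party https://idp.example, the look-alike origin https://idp-example.test, the user JohnDoe and the way client data is hashed (origin and challenge concatenated rather than the real JSON client data) are all constructed assumptions; the attestation certificate check of slide 20 and the channel id are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// ClientData is what the FIDO client (browser) binds into every signature: challenge + real origin.
// (Constructed simplification: real U2F client data is a JSON document.)
type ClientData struct{ Challenge []byte; Origin string }
func (c ClientData) Hash() []byte { return h32(c.Origin + "|" + string(c.Challenge)) }
func h32(s string) []byte          { h := sha256.Sum256([]byte(s)); return h[:] }

// Device is the authenticator: one master secret, no per-site storage; per-site private keys
// are re-derived from app id + key handle on every use (slide 19, "Lookup the kpriv").
type Device struct{ master []byte }
func NewDevice() *Device { m := make([]byte, 32); rand.Read(m); return &Device{m} }

func (d *Device) mac(label string, appHash, nonce []byte) []byte {
	h := hmac.New(sha256.New, d.master)
	h.Write([]byte(label + string(appHash) + string(nonce)))
	return h.Sum(nil)
}

// Key handle = nonce || MAC(app id, nonce): the device recognises its own handles and checks
// the app id statelessly ("Check app id", slides 19-20); a handle for another app id fails the MAC.
func (d *Device) handleFor(appHash, nonce []byte) []byte {
	return append(append([]byte{}, nonce...), d.mac("handle", appHash, nonce)...)
}

// deriveKey maps (app id, nonce) deterministically to a P-256 private key.
func (d *Device) deriveKey(appHash, nonce []byte) *ecdsa.PrivateKey {
	n1 := new(big.Int).Sub(elliptic.P256().Params().N, big.NewInt(1))
	s := new(big.Int).SetBytes(d.mac("key", appHash, nonce))
	s.Mod(s, n1).Add(s, big.NewInt(1)) // scalar in [1, n-1]
	priv := &ecdsa.PrivateKey{D: s}
	priv.Curve = elliptic.P256()
	priv.X, priv.Y = priv.Curve.ScalarBaseMult(s.Bytes())
	return priv
}

// Register (slide 14, steps 2-3): a new key pair and handle, specific to this app id.
func (d *Device) Register(appID string) (*ecdsa.PublicKey, []byte) {
	appHash, nonce := h32(appID), make([]byte, 16)
	rand.Read(nonce)
	priv := d.deriveKey(appHash, nonce)
	return &priv.PublicKey, d.handleFor(appHash, nonce)
}

// Authenticate (slide 19): check the app id, re-derive kpriv, sign app id + client data.
func (d *Device) Authenticate(appID string, handle, cdHash []byte) ([]byte, error) {
	appHash := h32(appID)
	if len(handle) != 48 || !hmac.Equal(handle, d.handleFor(appHash, handle[:16])) {
		return nil, errors.New("device: key handle was not made for this app id")
	}
	return ecdsa.SignASN1(rand.Reader, d.deriveKey(appHash, handle[:16]), authMsg(appHash, cdHash))
}

// authMsg is what gets signed: appIdHash || user-presence flag || clientDataHash.
func authMsg(appHash, cdHash []byte) []byte { return h32(string(appHash) + "\x01" + string(cdHash)) }

// RelyingParty holds the U2F table of slide 21: user -> (public key, key handle).
type reg struct{ pub *ecdsa.PublicKey; handle []byte }
type RelyingParty struct{ AppID, Origin string; users map[string]reg }
func (rp *RelyingParty) Challenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// Verify (slide 18): issued challenge and our origin first, only then s against the stored kpub.
func (rp *RelyingParty) Verify(user string, issued []byte, cd ClientData, sig []byte) error {
	r, ok := rp.users[user]
	if !ok || !bytes.Equal(cd.Challenge, issued) {
		return errors.New("rp: unknown user, or challenge is not the one issued")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("rp: signed origin %q is not %q", cd.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(r.pub, authMsg(h32(rp.AppID), cd.Hash()), sig) {
		return errors.New("rp: signature invalid")
	}
	return nil
}

// Demo: register, log in, then replay the flow through a look-alike origin (constructed names).
func Demo() (genuineOK, relayRejected bool) {
	dev := NewDevice()
	rp := &RelyingParty{AppID: "https://idp.example", Origin: "https://idp.example", users: map[string]reg{}}
	pub, handle := dev.Register(rp.AppID)
	rp.users["JohnDoe"] = reg{pub, handle} // slide 14, step 6
	c := rp.Challenge()
	cd := ClientData{Challenge: c, Origin: rp.Origin}
	sig, _ := dev.Authenticate(rp.AppID, handle, cd.Hash())
	genuineOK = rp.Verify("JohnDoe", c, cd, sig) == nil
	// Relay: the real challenge reaches the device, but the client bound the look-alike origin
	// it was really on, so the RP rejects whatever the signature says.
	c = rp.Challenge()
	cd = ClientData{Challenge: c, Origin: "https://idp-example.test"}
	sig, _ = dev.Authenticate(rp.AppID, handle, cd.Hash())
	relayRejected = rp.Verify("JohnDoe", c, cd, sig) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run .`; it prints `true true`. The order of checks in Verify is the point of slides 18 and 19: the relying party never reaches signature verification unless the challenge is the one it issued and the origin the browser signed is its own, and the device never produces a signature for a handle that was not made for the app id it is asked to sign for.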

Page 22: Yubico, inventors of the YubiKey. Find out more at yubi.co

Page 23: Introduction to WSO2 Identity Server

Page 24: What is WSO2 Identity Server?

An open source Identity & Entitlement management server

o 100% free and open source, with commercial support

o Lightweight and high performance

o Highly modular and extensible

o User friendly with a minimal learning curve

o Based on open standards

Page 25: Authentication framework

o No more federation silos or spaghetti-identity anti-patterns

o Multi-option and multi-step authentication

o Authentication Bridge

o Provisioning Bridge

Page 26: Authentication framework

Page 27: Local and federated authentication

Page 28: FIDO U2F implementation in Identity Server

o Implements U2F authentication via a local authenticator

Page 29: FIDO U2F implementation in Identity Server

o Implements U2F registration via the user dashboard

Page 30: Adding FIDO to a login sequence

Page 31: Demo scenario

o Prerequisites for the demo

o Start WSO2 Identity Server 5.1.0

o Log in on the User Dashboard

o Add a U2F device (Yubico)

Page 32: Secure Single Sign-On solution

Page 33: Demo

Page 34: FIDO and WSO2 Identity Server: what are the benefits?

Page 35: Making it more secure

FIDO is an open standard; one key can be used for multiple applications.

+ WSO2 is an open platform; integration is easy.

= The level of security increases, while the cost is relatively low.

Page 36: Questions & Answers

Page 37: Download the webinar presentation on slideshare: http://www.slideshare.net/YenloBV

Page 38: Contact us!