2-FACTOR AUTHENTICATION WITH OPENLDAP, OATH-HOTP AND YUBIKEY. Axel Hoffmann



Similar documents
NetIQ Advanced Authentication Framework

NEO Manager Quick Start Guide

Yubico Authenticator User's Guide

Evaluation and Implementation of SQRL and U2F as 2 nd Factor Authenticators for CERN Single Sign-On

YubiKey Integration for Full Disk Encryption

Yubico PIV Management Tools

YubiKey & OATH- TOTP Verification

YubiKey PIV Deployment Guide

NetIQ Access Manager - Advanced Authentication Plugin. User's Guide. Version 5.1.0

YubiKey Authentication Module Design Guideline

September 25, Programming YubiKeys for Okta Adaptive Multi-Factor Authentication

Infra-estruturas e dispositivos para a protecção integral segura de dados na Nuvem. Manuel Eduardo Correia CRACS/INESC TEC DCC/FCUP

YubiKey OSX Login. yubico. Via Yubico-PAM Challenge-Response. Version 1.6. October 24, 2015

Internet Banking Two-Factor Authentication using Smartphones

Two Factor Authentication. Using mobile for additional IT security

Two-Factor Solutions Choosing the Right One"

YubiRADIUS Deployment Guide for corporate remote access. How to Guide

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

Rohos Logon Key for Windows Remote Desktop logon with YubiKey token

The YubiKey Manual. Usage, configuration and introduction of basic concepts

Facebook s Security Philosophy, and how Duo helps.

Replacing legacy twofactor. with YubiRADIUS for corporate remote access. How to Guide

IDENTIKEY Server Product Guide

Configuring a YubiKey for the YubiCloud

DIGIPASS Authentication for Check Point Connectra

Identikey Server Getting Started Guide 3.1

CA ArcotOTP Versatile Authentication Solution for Mobile Phones

Draft Technical Specifications for Multilevel Security Authentication Device

Virtualization and Cloud Computing

VIP YubiKey Unlock Guide

Identikey Server Product Guide

Shellshock Security Patch for X86

Moving to Multi-factor Authentication. Kevin Unthank

YubiRADIUS Virtual Appliance. Configuration and Administration Guide Software version: Document version: 1.0

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

SSH to Ubuntu Server Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

Smart Card Setup Guide

Strong Authentication in details

Intel Identity Protection Technology: the Robust, Convenient, and Cost-Effective Way to Deter Identity Theft

OVERVIEW. DIGIPASS Authentication for Office 365

DESlock+ Mobile allows you to encrypt and decrypt and attachments, text and files on your ios device.

Entrust IdentityGuard

GreenRADIUS Virtual Appliance

NetMotion + YubiRADIUS Quick Start Guide

NetIQ Advanced Authentication Framework - Smartphone Applications

MIGRATION GUIDE. Authentication Server

Secure Web Access Solution

INTEGRATION GUIDE. DIGIPASS Authentication for F5 FirePass

Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)

Administration Guide Modular Authentication Services (NMAS) April 2013

Setup Citrix Access Gateway Enterprise Edition (NetScaler) for use of multiple authentication methods.

What s New in Propalms VPN 3.5?

Product Guide Revision A. McAfee One Time Password 4.1.0

SAP Single Sign-On 2.0 Overview Presentation

Presentation Rundown. Introduction Product Overview Product Features Product Value Product Applications Question and Answer

Two-Factor Authentication Basics for Linux. Pat Barron Western PA Linux Users Group

Xerox DocuShare Security Features. Security White Paper

ZyWALL OTPv2 Support Notes

2 factor + 2. Authentication. way

SECUREAUTH IDP AND OFFICE 365

Flexible Identity. OTP software tokens guide. Multi-Factor Authentication. version 1.0

nexus Hybrid Access Gateway

External Authentication with CiscoSecure ACS. Authenticating Users Using. SecurAccess Server. by SecurEnvoy

SafeNet Authentication Client (Windows)

Enhancing Web Application Security

Two-factor authentication Free portable encryption for USB drive Hardware disk encryption Face recognition logon

Using GhostPorts Multi-Factor Authentication

Cisco Networking Academy Program Curriculum Scope & Sequence. Fundamentals of UNIX version 2.0 (July, 2002)

WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES

FreeIPA Cross Forest Trusts

Security Configuration Guide P/N Rev A05

5 Day Imprivata Certification Course Agenda

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

AuthLite Administrator's Manual for software revision 2.0

DIGIPASS Authentication for Cisco ASA 5500 Series

RSA SecurID Software Token 1.3 for iphone and ipad Administrator s Guide

Token User Guide. Version 1.0/ July 2013

Authentication in a Heterogeneous Environment

VASCO Data Security International, Inc. DIGIPASS GO-7. FIPS Non-Proprietary Cryptographic Module Security Policy

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Introducing etoken. What is etoken?

Manual pdf-recover Page 2

AuthLite Administrator's Manual for software revision 2.1

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

Strong authentication of GUI sessions over Dedicated Links. ipmg Workshop on Connectivity 25 May 2012

WifiOTP: Pervasive Two-Factor Authentication Using Wi-Fi SSID Broadcasts. HUSEYNOV, Emin, SEIGNEUR, Jean-Marc. Abstract

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Multi-Factor Authentication for first time users

DIGIPASS Authentication for SonicWALL SSL-VPN

Multi-Factor Network Authentication

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Ciphermail Frequently Asked Questions

INTEGRATION GUIDE. DIGIPASS Authentication for Juniper SSL-VPN

Free Multi-Factor Authentication. Using and SMS in Enterprise/Random Password Manager (E/RPM)

Connecting your Aiki phone to a network

Guide to Evaluating Multi-Factor Authentication Solutions

How To Login To The Mft Internet Server (Mft) On A Pc Or Macbook Or Macintosh (Macintosh) With A Password Protected (Macbook) Or Ipad (Macro) (For Macintosh) (Macros

Yale Software Library

Transcription:

2-FACTOR AUTHENTICATION WITH OPENLDAP, OATH-HOTP AND YUBIKEY Axel Hoffmann

Biography Axel Hoffmann Linux System Administrator 1&1 Mail & Media Dev. & Tech. GmbH axel.hoffmann@1und1.de 2

Introduction Requirements No (or only less) integration effort on servers Ensure efficient work with MFA-devices No manual typing of additional codes Integration as Human Interface Device No automatic use of the second factor No software tokens Integration of already LDAP-enabled Appliances and Web GUIs High security level for token enrollment Only an owner of a token should be able to use it No pre-generated shared secrets on Tokens Owners&admins haven't access to shared secrets 3

Introduction Multi Factor Authentication Something that you know: secret, password, passphrase, pin, transaction number Something that you own: token, smartcard, key Something that you are: eye iris, fingerprint, voice, type speed/behaviour 4

Introduction Yubikey I Small USB stick-like device Yubikey Standard has component YubiKey OTP It is using two slots for generating OATH HOTPs generating Yubico OTPs sending a static password doing challenge-response works with default OS HID drivers/modules (simulates keyboard) 2 of these functions can be used (1 per slot) 5

Introduction Yubikey II OATH HOTP, Yubico OTP, static password are typed by button press: Short press, slot 1 is typed Long press, slot 2 is typed Yubikey Neo has Java Card Applets & NFC: ykneo-oath: stores PSKs of HOTPs/TOTPs for Android & Desktop App Yubico U2F: is used for FIDO U2F auth ykneo-openpgp: uses CCID via USB/NFC Yubico PIV: Privilege & Identification Card Interface 6

Introduction OATH Standards Initiative for Open Authentication HOTP: HMAC-Based One-Time Password TOTP: Time-Based One-Time Password OCRA: OATH Challenge-Response Algorithm HOTP to calculate response from challenge + psk optional: timesteps, counter, session information 7

Implementation Overview 8

Implementation LDAP Structure 9

Implementation Simple Bind Proxy Listens to Unix domain socket on consumer Back-sock overlay in consumer slapd forwards simple bind requests to Unix domain socket Checks if user is HOTP user by requesting consumer slap d over LDAPI Forwards password & OTP to providers slapd by LDAPS A hash of the bind-dn is used as base to forward bind request every time to the same providers This prevents multi-master replication conflicts But allows load balancing 10

Implementation OTP Validator 11 Listens to Unix domain socket on consumer Back-sock overlay in provider slapd forwards simple bind requests to Unix domain socket Checks if user is HOTP user by requesting provider slapd over LDAPI Checks password & OTP by reading HOTP counter of HOTP token entry Password hash of users entry Password & OTP policy Decrypting shared secret of users entry If OTP is valid, new HOTP counter must be set Value is the counter which led to valid OTP Set a new value to provider is not trivial Insertion with check if new value is greater

Token Enrollment Token Enrollment Procedure 12

Token Enrollment Yubikey Tools and Libraries Graphical Tools yubikey-personalization-gui set OTP, challenge-response, static password, NFC, options neoman get serial & firmware version, usb manufacturer&device id set/get usb mode, (un)installing/show Java Card Applets rename Yubikey Neo, get serial&firmware Command Line Tools ykpersonalize cli version of yubikey-personalization-gui + usb mode ykeyneomgr cli version of neoman + list SmartCard readers, serial&firmware ykinfo check if slots programmed, get serial&firmware version Libraries python-yubico Python, in development, features like yubikey-personalization yubikey-personalization C, very mature, features like yubikey-personalization, flags 13

Token Enrollment Enrollment Service I python-yubico library was used Not a chaotic shell script which calls cli commands Runs on hardened dedicated enrollment hardware Binds Yubikey to HOTP token entry Ensures the secure handling of shared secrets Disables all non-used features to prevent attacks by unknown issues and side-channels 14

Token Enrollment Enrollment Service II Script sequence: 1. Clear both slots incl. passwords 2. Read Yubikey serial 3. Login into LDAP by Yubikey serial and enroll pw 4. Set USB mode to HID only, disable SmartCard 5. Set mode of slot 1 to HOTP and write secret 6. Protect both slots with a user defined password 7. Write shared secret to LDAP and set counter 0 8. Switch NFC to unused slot 2 15

Future Extensions SmartCard function by ykneo-openpgp applet Extend enrollment service & hw by pgp-agent Enrollment triggers Yubikey to generate PGP key PGP pubkey will be bound token entry PGP key is used instead of SSH key on users workstation TOTP hardware token with HID function At the moment there isn t such device A real time clock is needed in token Problem: How to synchronise the clock? TOTP is easier to implement on backend side No need to write and synchronise a counter HOTP is easier on token side 16

End of Presentation Are there any questions? 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information