Creating One Time Password (OTP) infrastructures using Open Source sofware

Giuseppe Gippa Patern Visiting Researcher Trinity College Dublin

Who am I

Visiting Researcher at Trinity College Dublin ( reland) Solution !rchitect and "#"! Security "$pert in Red %at Pre&iously Security Solution !rchitect in Sun and also in '# Red %at Certified Security Specialist (R%CSS)( Red %at Certified !rchitect (R%C!) and Cisco Certified )etwor* Professinal (CC)P) Part of the italian security community sikurezza.org Published boo*s and whitepapers +orensic analisys for local go&s #ore on,

http,--www.scss.tcd.ie-/iuseppe.Paternohttp,--www.gpaterno.comhttp,--www.lin*edin.com-in-gpaterno

Disclaimer
do not spea* on behalf of my employer( nor am authori0ed to represent it publicly. !ll and any opinion and results e$pressed in this presentation are solely mine and do not represent my employer point1of1&iew. !ll the tests and any pro2ect contribution are done as a TCD researcher out of business hours.

Global IT scenario

"&en more in this recession phase( the T budget is getting lower and lower The pro2ects (demand) are increasing with significantly less money a&ailable

Lowering TCO
"The economic crisis is going to be a catalyst for open source, much like the technology crash of !!" catapulte# Linu$ front an# center"
Laurie Wurster, a Gartner analyst%

The adoption of Open Source software can lower the TCO 3 and increase your security4

%ow Open Source can increase Security5

Open Source 6 Open Standards 6 Choice

The O&T' &lliance

The nitiati&e for Open !uthentication (O!T%) Open alliance of &endors

!cti&e dentity( Vasco( /emalto( !laddin( ...

http,--www.openauthentication.orgCreated a common algorithm for one time password to*ens (%OTP)

! common 7protocol8 for the interoperability of the se&eral impementations a&ailable

What is 'OT(

!n %#!C1'ased One1Time Password !lgorithm (%OTP) ! common shared algorithm that is meant to facilitate the adoption of two1factor authentication !logorithm published as R+C 9::; The complete standard on,

http,--www.rfc1editor.org-

'OT() Internals
The algorithm is, %OTP(<(C) 6 Truncate(%#!C1S%!1=(<(C))
* C +hare# key between client an# ser,er -.byte counter ,alue syncroni/e# between client an# ser,er (erform a #ynamic truncation an# re#uction of the string to e$tract a 2.byte #ynamic binary co#e% The result must e$tract minimum a 3.#igit co#e, but also 4 an# -.#igit co#e

Truncate01

&nathomy of 'OT(

The shared *ey between the OTP peers (to*en and authenticator) is an he$adecimal string

The lenght is a S%!1= digest

"$ample of generating a new %#!C ;1digit shared *ey,

dd if6-de&-random bs69>?; count6= :@-de&-null A sha=sum A aw* BCprint D=EB

'OT( implementations

'oth commercial and open source implementations a&ailable #ost of the hardware to*ens adhere to the %OTP algorithm +ew software implementations( most of which proprietary-closed source Some software client a&ailable,

F:#"( iPhone and Gindows #obile Publically a&ailable algorithm ma*es it simple to implement a client

%ow does it fit all together5

The software

!n open source OTP ser&er,

Only one ser&er implementation a&ailable (OTPD)( formelly from TR 1D Systems )ow made it a&ailable on http://otpd.googlecode.com

+reeR!D HS( the popular radius ser&er for Iinu$ Two tested freely a&ailable client,

oathdsss.2ar (DSSS) for Fa&a # DP ()o*ia) iTo*en (Juest Software) for iPhone

!lso tried some hardware to*ens

OT(D ser,er

t handle the &alidation of the One Time Passwords

Hses files and ID!P as repository

<eeps the state of the OTP to*en (counter) Supported to*ens,

%OTP CRKPTOCard Plain old $?.? (based on D"S( unsecure4)

t listen to autentication reLuests

5ree6&DI7+

Gell *nown high1performance open source R!D HS ser&er

%andle authentication and accounting Plug1in based De&eloped by TR 1D Systems Communicate &ia Hni$ soc*ets with the OTPD ser&er to &erify an OTP to*en

One of the plug1in is rlm_otpd

The soft.token

!n OTP to*en in software Iess 7secure8 than an hardware

Ghat if my laptop is stolen5

! compromise is using a soft1 to*en on a mobile platform

"asy to manage Iower costs 'etter security o&er a 7fat8 client on laptops-des*tops !&ailable for most mobile phones

What can I authenticate8

!ny R!D HS compliant system( e$,

VP) systems Gireless I!)s Routers-networ* eLuipments Core H) M systems (through pamNradius) Capti&e portals common !P s a&ailable in C( P%P( Python( Ruby( Fa&a (F:"")

!ny application can use the R!D HS protocol,

9nteprise scenario

Demo scenario

!uthentication ser&er,

OTP Ser&er +reeR!D HS Ser&er

Client H) M Geb application (P%P) Centrali0ed Geb Single Sign1On (C!S)

Demo 0the clients1

Client Hni$

nteracti&e log1in Ie&erage the pamNradius module 'ased on Kale C!S Customi0ed to login through R!D HS Dummy application to demonstrate C!SB capabilities with OTP integration Virtually e&ery application can le&erage C!S architecture

Geb Single Sign1On

P%P web application

Demo scenario 0big picture1

Interacti,e log.in
OT(:6a#ius +er,er &uthentication 6e;uest 06&DI7+1

Log.on re;uest

Web &pplication
OT(:6a#ius +er,er 6e#irect to C&+< +ingle +ign.on (ortal &uthentication 6e;uest 06&DI7+1

Web &ccess

Demo now4

Than* you44
/iuseppe 7/ippa8 PaternO Visiting Researcher Trinity College Dublin paternogPcs.tcd.ie http,--www.scss.tcd.ie-/iuseppe.Paternohttp,--www.gpaterno.com-