Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

Transcription

1 1 Stop sweating the password and learn to love public key cryptography Chris Streeks Solutions Engineer, Yubico

2 Stop Sweating the Password! 2 Agenda Introduction The modern state of Phishing How to become unphishable Walking through FIDO U2F Wrap-up 2

3 What is my password? Encryption Computer Login Developer? Tools Online Services Privileged Access Password Mgmt Remote Access & VPN Identity Access Mgmt 3

4 What s worse than one password? Two passwords. 4

5 But it s not just passwords... Smart Cards SMS Mobile Push One Time Password 5

6 ...resulting in cognitive overload... making your users vulnerable to phishing. 6

7 NIST on Password Complexity Key Takeaways from B Please stop forcing users to create passwords they cannot remember Password length is the primary factor in characterizing strength Many attacks associated with the use of passwords are not affected by password complexity or length 7

8 NIST on Phishing Risk Policy Recommendations: Decouple Identity assurance from Authenticator assurance Deprecate the use of SMS as Out-of-Band verifier FIDO U2F approved for use at highest Authenticator assurance level (AAL3) 8

9 Modern Phishing in 2017 Increasing Volume & Sophistication 2017 Yubico 9

10 Anatomy of a Phishing Attack 1 Initial Reconnaissance Phish User Use Stolen Credentials to Access System Impersonate user to gain access to higher privileged account Extract data or install backdoor for future access 10

11 Phishing with Fake Mobile Login 11 11

12 Phishing with Fake Login load stuff from this URL bar instead of from the web This plausiblelooking URL is treated as HTML to display, and just gets overwritten later Loads of blank spaces: if I didn t have a high-dpi monitor this d push the rest of screen Load some JavaScript that pulls in the actual phishing page in an iframe 12

13 Phishing with Attachment Not an attachment, but an embedded image that links out to a fake sign in with Google page 13 13

14 Phishing with Mobile Push Attacker s IP User s Push Attacker s Push 14

15 Emoji Phishing 15

16 Homograph Phishing Attacker exploits characters that look alike 16 16

17 Social Engineering SMS 1 Hello, I had an issue with my phone can you port my phone # to ? 2 SMS Text Message Online Service 3 Password Reset Victim s gotvish@vishyou.com Security Passcode: Victim s Phone Attacker s Phone Cellphone Provider Your Online Service security passcode is

18 Phishing is effective! 1,220,523 total number of phishing attacks (+65% YOY) 1 81% of breaches due to compromised passwords (+63% YOY) million phishing URLs identified in Q Sources: 1 Anti-Phishing Working Group Report Verizon Data Breach Report 3 Cyren CyberThreat Report 18

19 How to Become Unphishable With Strong Authentication 2017 Yubico 19

20 Current State of Authentication Smart Card Security Trusted Platform Module Mobile Push One Time Password Biometric Username/Password Simplicity 20

21 Stop Phishing with Strong Auth Username/ Password One Time Password Mobile Push Smart Card FIDO U2F Computer Login Web Applications Remote Access (VPN/RDP/VDI) Weak Moderate Moderate Strong? Weak Moderate Moderate Strong Strong Weak Moderate Moderate Strong - Privileged Access Weak Moderate Moderate Strong - 21

22 Exploring FIDO U2F Usability meets Security 2017 Yubico 22

23 What is FIDO U2F Open authentication standard Retains the benefits of PKI Co-authored by Yubico & Google 23

24 Core FIDO Benefits Usability Ease of Registration Ease of Authentication Security Phishing protections Man-in-the-Middle attack protections Unique secrets for every service 24

25 U2F User Experience 25

26 and FIDO How FIDO Authentication Works 1 Login request User 4 Require test of user presence before private key can be used Authenticator (e.g. YubiKey) 3 Challenge, origin, channel ID Client (e.g. web browser) 2 Challenge Relying Party (e.g. web service/site) Private key (per service/site) 5 Signed response 6 Signed response 7 Public key Check signature using public key to verify origin and channel ID 8 Successful login 26

27 Credential Phishing Attack Attacker site acm3.com acme.com Impersonate phished credentials Phishing Pwd, OTP, SMS, Push Attacker 27

28 and FIDO U2F Credential Phishing Protection 1 Login request Authenticator (e.g. YubiKey) 3 Challenge, origin, channel ID Client (e.g. web browser) 2 Challenge Relying Party (e.g. web service/site) 4 Require test of user presence before private key can be used Private key (per service/site) 5 Signed response 6 Signed response 7 Public key Check signature using public key to verify origin and channel ID 8 Successful login 28

29 U2F Credential Phishing Protection Attacker site acm3.com acme.com Unable to use signed response Require proof of user presence Phishing password Attacker 29

30 U2F Credential Phishing Protection Attacker site acm3.com acme.com Require proof of user presence Unable to invoke Trusted Path to Authenticator Attacker 30

31 Hijack User Login Session 1 Use fake/stolen cert - Heartbleed, BEAST MitM acme.com 4 2 Successful authentication 3 Steal authentication assertion Attacker use cookie 31

32 MitM Protection Token Binding (Channel ID) TLS Bind Token with Token Binding ID acme.com Token Binding using client Private Key Token Binding ID: Hash<Public Key> + algorithm Token Binding (Public Key) 32

33 and FIDO U2F MitM Protection 1 Login request Authenticator (e.g. YubiKey) 3 Challenge, origin, channel ID Client (e.g. web browser) 2 Challenge Relying Party (e.g. web service/site) 4 Require test of user presence before private key can be used Private key (per service/site) 5 Signed response includes channel ID 6 Signed response Public key includes channel ID 7 Check signature using public key to verify origin and channel ID 8 Successful login 33

34 U2F MitM Protection MitM Assertion Token Bound acme.com 2 1 Cannot use authentication Steal authentication assertion - assertion attacker client channel ID mismatch Attacker 34

35 FIDO Current Status Supported browsers Google Chrome, Opera Mozilla Firefox (Native support in current Firefox Nightly build) Supported platforms Android, Chrome OS FIDO 2 (U2F merged into FIDO 2) Client-To-Authenticator Protocol (CTAP) for external authenticators W3C standardizing web authentication specification Microsoft and Yubico working on delivering products that enable FIDO 2 35

36 Wrap-up A quick case study with Google 2017 Yubico 36

37 Google Login with FIDO Secure Eliminates Phishing & Prevents MitM Simple Insert and Touch Gold Contact Scalable Use the Same Key for Unlimited Services Private No Shared Secrets Between Services No Shared Secrets with Yubico 37

38 Google Internal Research Study U2F vs Google Authenticator 4x faster to login Significant fraud reduction Support reduced by 40% Read more: yubico.com/google-study 38

39 Google Used Internally Mandated for Google employees Corporate SSO (Web) SSH Custom authentication Available to End-Customers Available to all Enterprise and Consumer customers for free Adopted by other relying parties: Facebook, Salesforce, Dropbox, GitHub, and more 39

40 Yubico Enterprise Authentication Employee Users Computer Login Web Applications Remote Access Employee Admins Privileged Access Vendor & Supplier Remote Access Web Applications IDENTITY ACCESS CONTROL SYSTEMS On-premises Services Cloud Services Customer Web Applications 40

41 41 Stop Sweating the Password! Questions -&- Answers 41