Transcription
2-Factor Authentication with OpenLDAP, OATH-HOTP and YubiKey
Axel Hoffmann
Biography
Axel Hoffmann, Linux System Administrator, 1&1 Mail & Media Dev. & Tech. GmbH, axel.hoffmann@1und1.de
16.11.2015, 1&1 Gruppe
Introduction – Requirements
- No (or only little) integration effort on servers
- Ensure efficient work with MFA devices
  - No manual typing of additional codes
  - Integration as a Human Interface Device
- No automatic use of the second factor
- No software tokens
- Integration of already LDAP-enabled appliances and web GUIs
- High security level for token enrollment
  - Only the owner of a token should be able to use it
  - No pre-generated shared secrets on tokens
  - Neither owners nor admins have access to the shared secrets
Introduction – Multi Factor Authentication
- Something that you know: secret, password, passphrase, PIN, transaction number
- Something that you own: token, smartcard, key
- Something that you are: eye iris, fingerprint, voice, typing speed/behaviour
Introduction – YubiKey I
- Small USB stick-like device
- The YubiKey Standard has the component YubiKey OTP
- It uses two slots for
  - generating OATH HOTPs
  - generating Yubico OTPs
  - sending a static password
  - doing challenge-response
- Works with the default OS HID drivers/modules (simulates a keyboard)
- 2 of these functions can be used at a time (1 per slot)
Introduction – YubiKey II
- OATH HOTP, Yubico OTP and the static password are typed by button press:
  - Short press: slot 1 is typed
  - Long press: slot 2 is typed
- The YubiKey NEO has Java Card applets & NFC:
  - ykneo-oath: stores the PSKs of HOTPs/TOTPs for the Android & desktop app
  - Yubico U2F: used for FIDO U2F authentication
  - ykneo-openpgp: uses CCID via USB/NFC
  - Yubico PIV: Personal Identity Verification card interface
Introduction – OATH Standards
Initiative for Open Authentication
- HOTP: HMAC-Based One-Time Password
- TOTP: Time-Based One-Time Password
- OCRA: OATH Challenge-Response Algorithm
  - HOTP is used to calculate the response from the challenge and the PSK
  - optional inputs: time steps, counter, session information
Implementation – Overview
Implementation – LDAP Structure
Implementation – Simple Bind Proxy
- Listens on a Unix domain socket on the consumer
- The back-sock overlay in the consumer slapd forwards simple bind requests to the Unix domain socket
- Checks if the user is a HOTP user by querying the consumer slapd over LDAPI
- Forwards password & OTP to the provider's slapd over LDAPS
- A hash of the bind DN decides which provider receives the bind request, so the same user always lands on the same provider
  - This prevents multi-master replication conflicts
  - But still allows load balancing across providers
Implementation – OTP Validator
- Listens on a Unix domain socket on the provider
- The back-sock overlay in the provider slapd forwards simple bind requests to the Unix domain socket
- Checks if the user is a HOTP user by querying the provider slapd over LDAPI
- Checks password & OTP by reading
  - the HOTP counter of the HOTP token entry
  - the password hash of the user's entry
  - the password & OTP policy
  - and decrypting the shared secret of the user's entry
- If the OTP is valid, a new HOTP counter must be set
  - The value is the counter which led to the valid OTP
  - Setting the new value on the provider is not trivial: the insertion must check that the new value is greater than the stored one
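The HOTP computation behind the OATH standards slide and the bind-password check with the "only if greater" counter update from the OTP Validator slide, as an added Python example that is not part of the presentation or of the 1&1 validator. It assumes an in-memory dict in place of the provider slapd, made-up attribute names (hotpCounter, hotpSecretHex), that the token types its OTP directly after the static password, and that the shared secret is stored in clear (the talk stores it encrypted and has the validator decrypt it). The sample entry uses the RFC 4226 test secret.

```python
"""HOTP from the OATH standards slide (RFC 4226) plus the password+OTP check and
monotonic counter update sketched on the OTP Validator slide. Added example, not
code from the presentation. Assumptions: LDAP round trips are replaced by an
in-memory dict with made-up attribute names (hotpCounter, hotpSecretHex), the
OTP is typed directly after the static password, and the shared secret is kept
in clear here (the talk stores it encrypted and the validator decrypts it)."""
import base64
import hashlib
import hmac
import struct

LOOKAHEAD = 10  # assumption: counter steps tolerated for a token pressed off-line

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238: TOTP is HOTP with the counter replaced by floor(T / step)."""
    return hotp(secret, unix_time // step, digits)

def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} userPassword value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored: str, password: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())

def split_bind_password(bind_pw: str, digits: int = 6):
    """Assumption: the token types the OTP right after the static password,
    so the last `digits` characters of the bind password are the OTP."""
    if len(bind_pw) <= digits or not bind_pw[-digits:].isdigit():
        return None
    return bind_pw[:-digits], bind_pw[-digits:]

class TokenStore:
    """Stand-in for the provider slapd. set_counter_if_greater is the slide's
    'insertion with check if new value is greater': a concurrent bind cannot
    move the counter backwards, so a replayed OTP is refused."""

    def __init__(self, entries: dict):
        self.entries = entries

    def get(self, dn: str) -> dict:
        return self.entries[dn]

    def set_counter_if_greater(self, dn: str, new_counter: int) -> bool:
        entry = self.entries[dn]
        if new_counter <= entry["hotpCounter"]:
            return False
        entry["hotpCounter"] = new_counter
        return True

def validate_bind(store: TokenStore, dn: str, bind_pw: str) -> bool:
    """Static password against the {SSHA} hash, then the OTP against HOTP
    counters stored+1 .. stored+LOOKAHEAD; on success the stored counter
    becomes the counter that produced the accepted OTP."""
    parts = split_bind_password(bind_pw)
    if parts is None:
        return False
    password, otp = parts
    entry = store.get(dn)
    if not ssha_verify(entry["userPassword"], password):
        return False  # never advance the counter on a wrong password
    secret = bytes.fromhex(entry["hotpSecretHex"])
    last = entry["hotpCounter"]
    for counter in range(last + 1, last + 1 + LOOKAHEAD):
        if hmac.compare_digest(hotp(secret, counter), otp):
            return store.set_counter_if_greater(dn, counter)
    return False

# Constructed sample entry with the RFC 4226 test secret; hotpCounter 5 means the
# last accepted OTP was generated with counter 5, so counter 6 is the next valid one.
RFC_SECRET = b"12345678901234567890"
SAMPLE_DN = "uid=alice,ou=people,dc=example,dc=com"  # assumed DN

def sample_store() -> TokenStore:
    return TokenStore({SAMPLE_DN: {
        "userPassword": ssha_hash("correct horse", b"\x01\x02\x03\x04"),
        "hotpSecretHex": RFC_SECRET.hex(),
        "hotpCounter": 5,
    }})

if __name__ == "__main__":
    store = sample_store()
    print(validate_bind(store, SAMPLE_DN, "correct horse" + hotp(RFC_SECRET, 6)))  # True
    print(validate_bind(store, SAMPLE_DN, "correct horse" + hotp(RFC_SECRET, 6)))  # False (replay)
```

Run stand-alone, the script accepts the first bind, then rejects the same password+OTP as a replay because the stored counter has moved past it. Against a real provider slapd the same "only if greater" semantics can be obtained by issuing one LDAP modify that deletes the specific old counter value and adds the new one: slapd applies both changes atomically, so if another validator already advanced the counter the delete fails and the whole modify is rejected instead of silently overwriting a higher value.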
Token Enrollment – Token Enrollment Procedure
Token Enrollment – YubiKey Tools and Libraries
Graphical tools
- yubikey-personalization-gui: set OTP, challenge-response, static password, NFC, options; get serial & firmware version, USB manufacturer & device ID
- neoman: set/get USB mode, (un)install/show Java Card applets, rename the YubiKey NEO, get serial & firmware
Command line tools
- ykpersonalize: CLI version of yubikey-personalization-gui, USB mode
- ykneomgr: CLI version of neoman, list smartcard readers, serial & firmware
- ykinfo: check if slots are programmed, get serial & firmware version
Libraries
- python-yubico: Python, in development, features like yubikey-personalization
- yubikey-personalization: C, very mature, features like yubikey-personalization-gui, flags
Token Enrollment – Enrollment Service I
- The python-yubico library was used
  - Not a chaotic shell script which calls CLI commands
- Runs on hardened, dedicated enrollment hardware
- Binds the YubiKey to its HOTP token entry
- Ensures the secure handling of shared secrets
- Disables all unused features to prevent attacks via unknown issues and side channels
Token Enrollment – Enrollment Service II
Script sequence:
1. Clear both slots incl. passwords
2. Read the YubiKey serial
3. Log in to LDAP with the YubiKey serial and the enrollment password
4. Set the USB mode to HID only, disable the smartcard
5. Set the mode of slot 1 to HOTP and write the secret
6. Protect both slots with a user-defined password
7. Write the shared secret to LDAP and set the counter to 0
8. Switch NFC to the unused slot 2
Future Extensions
- Smartcard function via the ykneo-openpgp applet
  - Extend the enrollment service & hardware with a pgp-agent
  - Enrollment triggers the YubiKey to generate a PGP key
  - The PGP public key will be bound to the token entry
  - The PGP key is used instead of an SSH key on the user's workstation
- TOTP hardware token with HID function
  - At the moment there isn't such a device
  - A real-time clock is needed in the token; problem: how to synchronise the clock?
  - TOTP is easier to implement on the backend side: no need to write and synchronise a counter
  - HOTP is easier on the token side
End of Presentation
Are there any questions?