2-factor Authentication With OpenLDAP, OATH-HOTP And Yubikey

Transcription

2-Factor Authentication with OpenLDAP, OATH-HOTP and Yubikey, by Axel Hoffmann

Biography: Axel Hoffmann, Linux System Administrator, 1&1 Mail & Media Dev. & Tech. GmbH, axel.hoffmann@1und1.de. 16.11.2015, 1&1 Gruppe

Introduction – Requirements
- No (or only little) integration effort on servers
- Ensure efficient work with MFA devices: no manual typing of additional codes; integration as a Human Interface Device (HID)
- No automatic use of the second factor
- No software tokens
- Integration of already LDAP-enabled appliances and web GUIs
- High security level for token enrollment: only the owner of a token should be able to use it; no pre-generated shared secrets on tokens; owners and admins have no access to the shared secrets

Introduction – Multi Factor Authentication
- Something that you know: secret, password, passphrase, PIN, transaction number
- Something that you own: token, smartcard, key
- Something that you are: eye iris, fingerprint, voice, typing speed/behaviour

Introduction – Yubikey I
- Small USB-stick-like device
- The Yubikey Standard has the component YubiKey OTP
- It uses two slots for: generating OATH HOTPs; generating Yubico OTPs; sending a static password; doing challenge-response
- Works with the default OS HID drivers/modules (simulates a keyboard)
- 2 of these functions can be used (1 per slot)

Introduction – Yubikey II
- OATH HOTP, Yubico OTP and the static password are typed by button press: short press, slot 1 is typed; long press, slot 2 is typed
- The Yubikey Neo has Java Card applets & NFC:
  - ykneo-oath: stores PSKs of HOTPs/TOTPs for the Android & desktop app
  - Yubico U2F: used for FIDO U2F authentication
  - ykneo-openpgp: uses CCID via USB/NFC
  - Yubico PIV: Privilege & Identification Card Interface

Introduction – OATH Standards (Initiative for Open Authentication)
- HOTP: HMAC-Based One-Time Password
- TOTP: Time-Based One-Time Password
- OCRA: OATH Challenge-Response Algorithm; uses HOTP to calculate the response from the challenge and PSK, optionally with timeSteps, counter and session information

Implementation – Overview (diagram slide)

Implementation – LDAP Structure (diagram slide)

Implementation – Simple Bind Proxy
- Listens on a Unix domain socket on the consumer
- The back-sock overlay in the consumer slapd forwards simple bind requests to the Unix domain socket
- Checks whether the user is a HOTP user by querying the consumer slapd over LDAPI
- Forwards password & OTP to the providers' slapd over LDAPS
- A hash of the bind DN is used as the basis for forwarding the bind request every time to the same provider: this prevents multi-master replication conflicts but still allows load balancing

Implementation – OTP Validator
- Listens on a Unix domain socket on the consumer
- The back-sock overlay in the provider slapd forwards simple bind requests to the Unix domain socket
- Checks whether the user is a HOTP user by querying the provider slapd over LDAPI
- Checks password & OTP by: reading the HOTP counter of the HOTP token entry; the password hash of the user's entry; the password & OTP policy; decrypting the shared secret of the user's entry
- If the OTP is valid, a new HOTP counter must be set: the value is the counter which led to the valid OTP. Setting a new value on the provider is not trivial: insertion with a check that the new value is greater
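The HOTP computation from the OATH slide and the validator's counter handling described above, as an added example that is not part of the talk or the 1&1 implementation. It assumes a 6-digit HOTP, a look-ahead window of 10 counters, and uses the RFC 4226 test-vector secret as constructed sample data; the `TokenEntry` class is a hypothetical stand-in for the HOTP token LDAP entry.

```python
import hashlib
import hmac
import struct

# Constructed sample data: the RFC 4226 test-vector secret, not a real token secret.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class TokenEntry:
    """Hypothetical stand-in for the HOTP token entry: the decrypted shared secret and
    the last counter that produced a valid OTP (-1 = no OTP accepted yet; the first
    OTP of a freshly enrolled token uses counter 0, an assumption of this example)."""

    def __init__(self, secret: bytes, counter: int = -1):
        self.secret = secret
        self.counter = counter


def commit_counter(entry: TokenEntry, new_counter: int) -> bool:
    """Only ever move the counter forward; a value that is not greater than the stored
    one is rejected, mirroring the 'insert only if greater' check on the provider."""
    if new_counter <= entry.counter:
        return False
    entry.counter = new_counter
    return True


def validate_otp(entry: TokenEntry, otp: str, window: int = 10) -> bool:
    """Accept otp only if it matches a counter strictly above the last accepted one
    (within the look-ahead window), so a replayed or stale OTP fails."""
    for candidate in range(entry.counter + 1, entry.counter + 1 + window):
        if hmac.compare_digest(hotp(entry.secret, candidate), otp):
            return commit_counter(entry, candidate)
    return False
```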

Token Enrollment – Token Enrollment Procedure (diagram slide)

Token Enrollment – Yubikey Tools and Libraries
Graphical tools:
- yubikey-personalization-gui: set OTP, challenge-response, static password, NFC, options; get serial & firmware version, USB manufacturer & device ID
- neoman: set/get USB mode, (un)install/show Java Card applets, rename the Yubikey Neo, get serial & firmware
Command line tools:
- ykpersonalize: CLI version of yubikey-personalization-gui, USB mode
- ykneomgr: CLI version of neoman, list SmartCard readers, serial & firmware
- ykinfo: check if slots are programmed, get serial & firmware version
Libraries:
- python-yubico: Python, in development, features like yubikey-personalization
- yubikey-personalization: C, very mature, features like yubikey-personalization, flags

Token Enrollment – Enrollment Service I
- The python-yubico library was used, not a chaotic shell script that calls CLI commands
- Runs on hardened, dedicated enrollment hardware
- Binds the Yubikey to the HOTP token entry
- Ensures the secure handling of shared secrets
- Disables all unused features to prevent attacks via unknown issues and side channels

Token Enrollment – Enrollment Service II
Script sequence:
1. Clear both slots incl. passwords
2. Read the Yubikey serial
3. Log in to LDAP with the Yubikey serial and the enrollment password
4. Set USB mode to HID only, disable SmartCard
5. Set the mode of slot 1 to HOTP and write the secret
6. Protect both slots with a user-defined password
7. Write the shared secret to LDAP and set the counter to 0
8. Switch NFC to the unused slot 2

Future Extensions
- SmartCard function via the ykneo-openpgp applet: extend the enrollment service & hardware with pgp-agent; enrollment triggers the Yubikey to generate a PGP key; the PGP public key is bound to the token entry; the PGP key is used instead of an SSH key on the user's workstation
- TOTP hardware token with HID function: at the moment there is no such device; a real-time clock is needed in the token; problem: how to synchronise the clock? TOTP is easier to implement on the backend side (no need to write and synchronise a counter); HOTP is easier on the token side

End of Presentation. Are there any questions?
