create a-strong-two-factors-authentication-device-for-less-than-chf-100

A fully compliant strong authentication server for less than $100! Application Security Forum Western Switzerland 2014-11-04 André Liechti (@multiOTP, @andreliechti) SysCo systèmes de communication sa, Neuchâtel, Switzerland Last update : 2014-12-09

Upload: application-security-forum-western-switzerland

Post on 10-Jul-2015


DESCRIPTION

Strong AuthN - MultiOTP

TRANSCRIPT

Page 1: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

A fully compliant strong authentication

server for less than $100!

Application Security Forum Western Switzerland 2014-11-04

André Liechti (@multiOTP, @andreliechti)

SysCo systèmes de communication sa, Neuchâtel, Switzerland

Last update : 2014-12-09

Page 2: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Trainer

SysCo systèmes de communication sa

Swiss company founded 16 years ago, based in Neuchâtel

Security, consulting services, customized development

Linux and Windows (Open Source) solutions

André Liechti

CTO of SysCo systèmes de communication sa

MSc in communication systems

BSc in Electronics

2014-11-04

2

Page 3: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Schedule

Why are regular passwords never strong enough?

What are the different solutions for more security?

multiOTP, our PHP open source library solution

How to set up a device for less than CHF 100

Let's make a strong two-factor authentication device

with a Raspberry Pi

Some questions?


Page 4: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Why are regular passwords

never strong enough?

(on the Internet, but elsewhere too…)

Page 5: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Why are regular passwords never strong enough?

Same password for different applications…

Page 6: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Some nice hardware tools…


Key logger…

Camera in car key…

Page 7: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

fake USB Keyboard mounted in a memory stick…

... and some «nicer» hardware tools… ;-)


wireless Key logger…

and so on …

Page 8: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

What are the different solutions

for more security?

Page 9: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

What are the different solutions for more security?

Two-factor authentication

An everyday example of combining the knowledge

and possession factors:

The ATM

We have the physical ATM card and we know

our personal PIN.


Page 10: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Strong authentication with one-time password

No software installation is required for the user

(compatible with every OS and web browser)

Password list


Page 11: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Password list

Login = username + password + next code

[Diagram: the lists are held on the server, one list per user, e.g. "List for User A"]

Page 12: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Historical market leader

Time-based automatic generator with a secret algorithm

70% of the market in 2003

(25 million devices sold up to 2003)


Page 13: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

First open-source one-time password solution

Mobile-OTP (2003)

MD5 hash of the PIN code combined with a time-based value

open source, more than 40 different implementations

Java J2ME for mobile phones (at the beginning)

Unix shell script on the server side


Page 14: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Standardized one-time password generator

HOTP: HMAC-based One-time Password Algorithm (2005)

the code is derived from an HMAC (keyed hash) over a counter

open standard (OATH: Initiative for Open Authentication)

RFC 4226


Page 15: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

HOTP authentication mechanism

[Diagram: the user's token, at counter 0382, sends code 754812; the server, last synchronised at counter 0379, accepts codes from its look-ahead window 0380-0384]

Page 16: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

No more synchronization problem with TOTP

TOTP: Time-based One-time Password Algorithm (2008)

based on HOTP

the counter is now the current time divided into 30-second slices

RFC 6238


Page 17: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

TOTP authentication mechanism

[Diagram: user and server both derive time slice 0382 from the current time; the user sends code 754812]
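The HOTP and TOTP mechanisms of slides 14 to 17, plus the "token has already been used" check shown on slide 31, as an added example; this is not multiOTP's code and not from the presentation. It implements RFC 4226 and RFC 6238 directly on the standard library, keeps a server-side look-ahead window like the 0380-0384 window in the HOTP diagram, and, for TOTP, records the last accepted time slice so that a code cannot be replayed. The 20-byte secret is the reference test secret from the RFCs, used here only as a constructed input; window and drift sizes are assumptions.

```python
import hashlib
import hmac
import struct
import time

# Reference secret from RFC 4226 / RFC 6238; a constructed test input, never use it in production.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second slices since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


class HotpVerifier:
    """Server-side state for one HOTP user: the last accepted counter and a look-ahead window."""

    def __init__(self, secret: bytes, last_counter: int = -1, window: int = 5):
        self.secret = secret
        self.last_counter = last_counter   # -1: nothing accepted yet
        self.window = window               # assumption: 5 counters, as in the slide's 0380-0384

    def verify(self, code: str) -> bool:
        # Only counters strictly after the last accepted one are tried, so a code can never be replayed.
        for counter in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # resynchronise with the token, skipping unused counters
                return True
        return False


class TotpVerifier:
    """Server-side state for one TOTP user: tolerates small clock drift but rejects reuse of a slice."""

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps     # assumption: accept one slice before and after the current one
        self.last_used_step = -1

    def verify(self, code: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // self.step
        for slice_index in range(current - self.drift_steps, current + self.drift_steps + 1):
            if slice_index <= self.last_used_step:
                continue  # this slice already yielded an accepted code: "has already been used"
            if hmac.compare_digest(hotp(self.secret, slice_index), code):
                self.last_used_step = slice_index
                return True
        return False


if __name__ == "__main__":
    for counter in range(3):
        print(f"HOTP counter {counter}: {hotp(RFC_SECRET, counter)}")
    print("TOTP for the current 30-second slice:", totp(RFC_SECRET, int(time.time())))
    verifier = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, int(time.time()))
    print("first use accepted:", verifier.verify(code), "/ second use accepted:", verifier.verify(code))
```

The look-ahead loop always moves `last_counter` forward, which is what lets a server at 0379 accept a token that has drifted to 0382 while still rejecting 0380 or 0381 afterwards; the TOTP verifier applies the same idea to time slices.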

Page 18: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Yubico OTP


Page 19: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

YubiCloud


Page 20: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Yubico OTP code


Page 21: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Some HOTP and TOTP tokens


Page 22: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

OTP Server

SMS token

[Diagram: SMS token flow; the login is username + password + token]

Page 23: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

multiOTP

our PHP open source library

… since June 2010!


Page 24: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

History of the multiOTP package

2009 PHP PoC implementing the Mobile-OTP protocol

2010 class creation with basic TOTP/HOTP

2011 Workshop during ASFWS 2011 (Application Security Forum)

2012 Wider deployment in the community and feedback

2013 New functionalities

SMS tokens

scratch passwords list

QRcode/URL provisioning

Client/server implementation with local cache

MySQL backend support

2014 More functionalities

OATH certified

Yubico OTP support (Yubikey)

Active Directory and LDAP synchronization

Support for Active Directory / LDAP passwords (instead of PIN)


Page 25: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

multiOTP

Why did we develop the multiOTP package?

no free and easy-to-use solution for small companies

a lot of existing commercial products need Windows Server

existing products need a lot of resources

Why open source?

to receive feedback and proposals from the users

security issues are analyzed by other developers

users can be sure that there is no Trojan or other NSA-friendly

"tools" in our code


Page 26: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

multiOTP concept

open source PHP class (embedded in a single file)

OS independent

also works on any web server, including shared hosting

data is stored in flat files or in a MySQL database

all methods are exposed by a command line tool

the command line tool is compatible with the centralized open

source authentication server FreeRADIUS

(FreeRADIUS is also available for Windows)

the system administrator can write scripts to drive

the package and to create users


Page 27: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

multiOTP concept (2)

common standards are supported

Mobile-OTP, HOTP, TOTP, Yubico OTP

SMS tokens

scratch password list

HOTP and TOTP software tokens can simply be configured by scanning a QR code generated by multiOTP

hardware token definition files can be imported

Authenex definition files (proprietary .sql file)

SafeNet definition files (proprietary .dat file)

any standard PSKC file (since December 2013)

Yubico log file in Traditional format (since November 2014)

simple web GUI


Page 28: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

multiOTP – Windows installation

installed in 3 minutes!

go to http://www.multiOTP.net

download the latest version

unpack the files into the C:\multiotp\ folder

read the readme file ;-)

install the FreeRADIUS service

C:\multiotp\radius_install.cmd

that's it!


Page 29: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

multiOTP – how to create a user

create the user on the server side

C:\multiotp>multiotp -fastcreate bergen

11 INFO: User successfully created or updated

(in real life, the user must be created with an activated prefix PIN!)

save the QR code image to a file

C:\multiotp>multiotp -qrcode bergen C:\multiotp\tefo.png

16 INFO: QRcode successfully created

send the QR code to the user (using a secure channel!)

… or simply use the web interface to print a nice HTML provisioning page ;-)


Page 30: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

multiOTP – how to provision the token received


install the Google Authenticator app

Android, iOS, BlackBerry

scan the QR code received

the token is ready!
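What the QR code on slides 29 and 30 actually carries is a provisioning URI that Google Authenticator and similar apps understand; the following is an added example, not multiOTP's own generator, that builds and parses such URIs in the widely used otpauth key URI format. The issuer name "SysCo", the account "bergen" (the user from the slides) and the choice of a 20-byte seed are assumptions for the demonstration; the secret below is the RFC 4226 test secret used only as a constructed input.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit


def new_secret(length: int = 20) -> bytes:
    """Fresh random seed; 20 bytes is the minimum RFC 4226 recommends for HMAC-SHA1."""
    return secrets.token_bytes(length)


def secret_to_base32(secret: bytes) -> str:
    """Authenticator apps expect the seed as unpadded base32."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def base32_to_secret(text: str) -> bytes:
    """Accept the forms users type: spaces, lower case, missing padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def build_otpauth_uri(kind, issuer, account, secret, algorithm="SHA1", digits=6, period=30, counter=0):
    """Build otpauth://totp/... or otpauth://hotp/... for one user (this is the QR code payload)."""
    if kind not in ("totp", "hotp"):
        raise ValueError("kind must be 'totp' or 'hotp'")
    params = {"secret": secret_to_base32(secret), "issuer": issuer, "algorithm": algorithm, "digits": digits}
    if kind == "totp":
        params["period"] = period
    else:
        params["counter"] = counter
    label = quote(f"{issuer}:{account}", safe="")  # label is issuer:account, percent-encoded
    return f"otpauth://{kind}/{label}?{urlencode(params)}"


def parse_otpauth_uri(uri):
    """Parse a provisioning URI back into its fields, rejecting the malformed cases a server should refuse."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth://totp or otpauth://hotp URI")
    query = {key: values[0] for key, values in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("missing secret parameter")
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")   # no colon: issuer comes only from the query
    issuer = query.get("issuer", label_issuer)
    if label_issuer and issuer != label_issuer:
        raise ValueError("issuer parameter does not match the label")
    digits = int(query.get("digits", 6))
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    token = {
        "type": parts.netloc,
        "issuer": issuer,
        "account": account,
        "secret": base32_to_secret(query["secret"]),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": digits,
    }
    if parts.netloc == "totp":
        token["period"] = int(query.get("period", 30))
    else:
        token["counter"] = int(query.get("counter", 0))
    return token


if __name__ == "__main__":
    uri = build_otpauth_uri("totp", "SysCo", "bergen", new_secret())
    print(uri)                 # this string is what gets encoded into the QR code
    print(parse_otpauth_uri(uri))
```

Because the URI contains the seed in clear, it deserves the same handling the slide asks for the QR code itself: deliver it over a secure channel and do not log it.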

Page 31: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

multiOTP – how to authenticate a user

Authenticate the user

C:\multiotp>multiotp bergen 452549

0 OK: Token accepted

authenticate the user again with the same code

C:\multiotp>multiotp bergen 452549

26 ERROR: The time based token has already been used

create a scratch password list

C:\multiotp>multiotp -scratchlist bergen

317493, 134580, 326450, 941356, 000298,

412420, 456790, 222461, 645113, 837303
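A server-side scratch list like the one printed above, as an added example that is not multiOTP's implementation. Each code is accepted exactly once; the server keeps only salted hashes so that a copy of the user database does not hand out the codes, and the comparison is constant-time. The count of ten six-digit codes matches the slide; the salt size and the hash construction are assumptions.

```python
import hashlib
import hmac
import secrets


def _hash_code(salt: bytes, code: str) -> bytes:
    # The codes are short, so the per-list salt matters: it blocks a precomputed table over all 10^6 values.
    return hashlib.sha256(salt + code.encode("ascii")).digest()


def issue_scratch_list(count: int = 10, digits: int = 6):
    """Generate `count` distinct random codes; return the plaintext (shown once) and the server record."""
    salt = secrets.token_bytes(16)   # assumption: 16-byte salt per list
    codes = []
    while len(codes) < count:
        code = str(secrets.randbelow(10 ** digits)).zfill(digits)
        if code not in codes:
            codes.append(code)
    record = {"digits": digits, "salt": salt, "hashes": [_hash_code(salt, c) for c in codes]}
    return codes, record


def format_scratch_list(codes, per_line: int = 5) -> str:
    """Print-friendly layout like the slide: comma-separated codes, five per line."""
    lines = [", ".join(codes[i:i + per_line]) for i in range(0, len(codes), per_line)]
    return ",\n".join(lines)


def verify_scratch(record, candidate: str) -> bool:
    """Accept the candidate if it matches an unused code, and burn that code so it cannot be reused."""
    candidate = candidate.strip().replace(" ", "")
    if not (candidate.isdigit() and len(candidate) == record["digits"]):
        return False
    probe = _hash_code(record["salt"], candidate)
    for index, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(probe, stored):
            del record["hashes"][index]   # one-time: remove the hash on first successful use
            return True
    return False


if __name__ == "__main__":
    codes, record = issue_scratch_list()
    print(format_scratch_list(codes))
    print("first use:", verify_scratch(record, codes[0]), "/ second use:", verify_scratch(record, codes[0]))
```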


Page 32: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

multiOTP – how to use hardware tokens

import the token definition file

C:\multiotp>multiotp -import importAlpine.dat

(…)

Info: Token 0003000b31da successfully imported

15 INFO: Tokens definition file successfully imported

create a user linked to the token 0003000b31da

(and with the prefix PIN 1234)

C:\multiotp>multiotp -create demo -token-id 0003000b31da 1234

11 INFO: User successfully created or updated

require a prefix PIN for the user

C:\multiotp>multiotp -set demo prefix-pin=1

19 INFO: Requested operation successfully done


Page 33: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

multiOTP typical usage


Page 34: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

How to build a working server

device for less than CHF 100?

Page 35: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Hardware selection


Raspberry Pi very cheap (< CHF 40)

no OS licence (Debian Linux or others)

widely distributed

community support

microUSB powered

CPU 700 MHz (ARM)

RAM 512 MB

Page 36: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

How to make your own strong authentication server?


SD card with Debian Linux

for Raspberry Pi ($10)

Real-time clock ($15)

+ multiOTP ($0)

< CHF 100

Page 37: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Let's make a strong two-factor

authentication device with a Raspberry Pi

Page 38: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

1/17

If you want a battery-backed real-time clock, install it

in your Raspberry Pi

http://afterthoughtsoftware.com/products/rasclock

http://www.cjemicros.co.uk/micros/products/rpirtc.shtml

http://www.robotshop.com/ca/en/mini-real-time-clock-rtc-module.html

http://nicegear.co.nz/raspberry-pi/high-precision-real-time-clock-for-raspberry-pi/


Page 39: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

2/17

Download the latest Raspbian image to be flashed

http://downloads.raspberrypi.org/raspbian_latest

(currently 2014-09-09-wheezy-raspbian.zip)


Page 40: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

3/17

Format your SD Card using the SD Card Association’s formatting

tool:

https://www.sdcard.org/downloads/formatter_4/


Page 41: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

4/17

Flash the raw image using the UNIX tool dd or the

Win32DiskImager for Windows

http://sourceforge.net/projects/win32diskimager/files/latest/download

This should take about 10 minutes.


Page 42: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

5/17

Go to http://www.multiOTP.net and download the latest version

Copy all files from multiotp/raspberry/boot-part to the root of the

SD card (this may overwrite some files such as config.txt)


Page 43: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

6/17

When the copy is done, eject the SD card


Page 44: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

7/17

Connect the Raspberry Pi to the local network


Page 45: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

8/17

Put the SD card into the Raspberry Pi and boot it


Page 46: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

9/17

Login directly on your Raspberry Pi, or using SSH, with the default

username "pi" and the password "raspberry"


Page 47: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

10/17

Launch the initial configuration by typing sudo raspi-config


Page 48: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

11/17

Choose the following options

1) Expand Filesystem

2) Change User Password

4) Internationalisation Options (if needed)

8) Advanced Options

A2 Hostname (change the hostname to your favorite name,

like for example "multiotp")


Page 49: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

12/17

Select Finish and answer "<Yes>" to reboot, or type "sudo reboot"


Page 50: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

13/17

Login again directly on your Raspberry Pi, or using SSH, with the

default username "pi" and your new password


Page 51: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

14/17

Type "sudo /boot/install.sh"

Everything is done automatically (it will take about 35 minutes)

and the Raspberry Pi will reboot automatically at the end


Page 52: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

15/17

The fixed IP address is set to 192.168.1.44

with a default gateway at 192.168.1.1

To adapt the network configuration, edit the file

/etc/network/interfaces


Page 53: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Build an authentication server in some easy steps

16/17

Congratulations! You now have an open source and fully OATH

compliant strong two-factor authentication server!

Now go to http(s)://192.168.1.44 to use the basic web interface

(The default RADIUS secret is set to myfirstpass for the subnet

192.168.0.0/16. To adapt the FreeRADIUS configuration, edit the file

/etc/freeradius/clients.conf)
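Steps 15 and 16 leave two files to adapt by hand: /etc/network/interfaces for the fixed address and /etc/freeradius/clients.conf for the shared secret. The script below is an added example, not part of the multiOTP image or of install.sh, that renders both stanzas from validated input and refuses to emit the shipped default secret myfirstpass or a secret shorter than 16 characters. It assumes the wired interface is eth0, the Debian "inet static" layout for interfaces, and the FreeRADIUS 2 "client <cidr> { ... }" syntax for clients.conf; it only prints, and writes nothing under /etc.

```shell
#!/bin/sh
# Added example: render the network and RADIUS client stanzas for the multiOTP Raspberry Pi.
# Assumptions: eth0, Debian "inet static" layout, FreeRADIUS 2 "client <cidr> { ... }" syntax.

DEFAULT_RADIUS_SECRET=myfirstpass   # default shipped by the image according to the slide

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for octet; do [ "$octet" -le 255 ] || exit 1; done )
}

# Print an /etc/network/interfaces stanza for a static address: $1 address, $2 netmask, $3 gateway.
render_interfaces() {
    for ip in "$1" "$2" "$3"; do
        valid_ipv4 "$ip" || { echo "render_interfaces: invalid IPv4 address '$ip'" >&2; return 1; }
    done
    printf 'auto lo\niface lo inet loopback\n\nauto eth0\niface eth0 inet static\n'
    printf '    address %s\n    netmask %s\n    gateway %s\n' "$1" "$2" "$3"
}

# Generate a 24-character alphanumeric RADIUS shared secret from the kernel RNG.
new_radius_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
    echo
}

# Print a clients.conf block: $1 client subnet in CIDR form, $2 short name, $3 shared secret.
# Refuses the shipped default and anything shorter than 16 characters.
render_radius_client() {
    secret=$3
    [ "$secret" != "$DEFAULT_RADIUS_SECRET" ] || { echo "render_radius_client: replace the default secret" >&2; return 1; }
    [ ${#secret} -ge 16 ] || { echo "render_radius_client: secret shorter than 16 characters" >&2; return 1; }
    printf 'client %s {\n    secret    = %s\n    shortname = %s\n}\n' "$1" "$secret" "$2"
}

# Demo run with the addresses from the slides; output goes to stdout, not to /etc.
render_interfaces 192.168.1.44 255.255.255.0 192.168.1.1
echo
render_radius_client 192.168.0.0/16 lan "$(new_radius_secret)"
```

Redirect the two outputs into the files named on the slides once you have checked them; the refusal of myfirstpass is the point, since every NAS on 192.168.0.0/16 that knows the default could otherwise talk to the server.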


Page 54: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

… or build an authentication server in ONE step ;-)

If you want to download a ready-to-use multiOTP Raspberry Pi

image, follow this URL:

http://download.multiOTP.net/raspberry/

Nano-computer name: multiOTP

IP address: 192.168.1.44 (netmask: 255.255.255.0)

Username: pi

Password: raspberry

You can now flash the SD Card, put it into the Raspberry Pi

and boot it.


Page 55: Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Any questions?

SysCo® systèmes de communication sa

Crêt-Taconnet 13

2000 Neuchâtel

tel 032 730 11 10

fax 032 730 11 09

[email protected]

www.sysco.ch