Category: security

It’s Back to the Future day

Thirty years into the future seemed far off. But here we are on Oct 21, 2015, the day Marty arrives back to the future.

What were some security features in the movie?

  1. Thumbpads or fixed fingerprint scanners are used as door locks. They are well integrated into people's daily lives.
  2. Vehicles had barcode license plates that were remotely scannable. This could allow scanning by other vehicles or by building infrastructure.
  3. Police carry mobile fingerprint scanners to identify a person – they press the person's thumb on it and obtain the name, address and date of birth.
  4. An autonomous drone walks the dog and is apparently safe enough on the roads.

How does Marty identify the characters in a different age? It is interesting to think about identification schemes that can last for decades. He first recognizes their mannerisms and relationships. Identification mechanisms are now being built to leverage such behavioral signatures.

In Minority Report, there is a personal advertising scene of the future which uses face/eye recognition to flash ads at Tom Cruise. https://www.youtube.com/watch?v=7bXJ_obaiYQ

In Mission: Impossible – Rogue Nation there are several futuristic authentication schemes (gait, hand, eye) and security schemes (automatic wipe, isolation). https://www.youtube.com/watch?v=0iZ-nQ4yFn4

SSO, SAML, OAuth, JWT, OpenID

Web authentication and SSO typically imply that state is maintained on the server to indicate whether the user is logged in or not. The identity provider maintains this state and the identity consumers check it with the identity provider. The protocol and message format differ between implementations – SAML, OAuth, OpenID and several others.

SAML is the richest and most flexible auth protocol, but also the most complex to implement. It covers the largest number of use cases. The security assertions about an identity are captured in an XML format which can be exchanged between providers and consumers over the web.

OAuth is simpler and requires less from the implementer. OAuth 2 has become a vehicle for enterprise use cases, much like SAML. SDKs for OAuth are widely available.

OAuth 2 and OpenID both use JSON Web Token (JWT), a JSON format specification for interoperability.

OpenID Connect is the most open and the newest of the three. It reduces reliance on checking auth state with the identity provider by embedding more information in the JWT and by standardizing things like scope to increase interoperability. It officially supports authentication use cases, unlike OAuth 2, which is designed for authorization but is often used for pseudo-authentication.

A key consideration when deciding on an implementation is the scalability requirement. Ideally the system is structured to keep the least possible amount of state (zero) on the server. This is not true of most SSO implementations.

Like a stateless NFS server, which relies on leases for lock state that can be refreshed (classic NFS has no open, only lookup), a stateless implementation of SSO is possible. The tradeoff is that revocation is not as easy, and reporting may need to be handled differently than with a stateful implementation. Here’s a discussion – http://stackoverflow.com/questions/26739167/jwt-json-web-token-automatic-prolongation-of-expiration

Update. Here’s another discussion which points out some tradeoffs – https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens – basically that this approach is more useful for SSO and API implementations than for simple websites.
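To make the lease analogy concrete, here is a small stateless session check written for this post (it is not code from either linked discussion). The HS256 secret, timestamps and claim values are constructed; the `exp` claim is the lease, `refresh` renews it, and the optional `revoked` set of `jti` values is the state you must reintroduce if you want to cancel a token before its lease ends.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key: in a real deployment only the identity provider holds it.
SECRET = b"demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(subject: str, ttl: int, now: int) -> str:
    """Mint an HS256 JWT; 'exp' is the lease, so no login state is kept on the server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "jti": secrets.token_hex(8), "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, now: int, revoked=frozenset()) -> Optional[dict]:
    """Stateless check: signature and lease only. Passing a 'revoked' set of jti
    values is the one piece of state needed to cancel a token before it expires."""
    try:
        header, payload, sig = token.split(".")
        # The 'alg' header is deliberately ignored: this verifier only ever uses HS256.
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    if claims.get("jti") in revoked:
        return None
    return claims


def refresh(token: str, ttl: int, now: int) -> Optional[str]:
    """Renew the lease: only a token that is still valid can be extended."""
    claims = verify(token, now)
    return issue(claims["sub"], ttl, now) if claims else None
```

Without the `revoked` set, a token minted for a user stays valid until `exp` no matter what the identity provider does in between, which is exactly the revocation tradeoff described above.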

iOS TouchID Enterprise Use Cases

When implementing TouchID in an enterprise authentication solution there are some interesting attack vectors to consider that are not obvious.

There are differences in requirements between COPE and BYOD deployments, for instance.

Depending on the type of deployment and the type of data accessed, the security required may call for (a) a simple TouchID based “user presence check”, without a password being stored or retrieved, (b) a password stored in the secure enclave and retrieved after the check, or (c) TouchID combined with another factor for a multi-factor authentication solution.

Some drawbacks of the initial TouchID implementation for enterprise use cases were discussed here. There is now a developer API available which allows more flexibility in implementing a solution for the enterprise.