
One Step, Two Step by Henri Watson

BSides Scotland, 38:32, published 2017-04
Transcript (en)

Cool, all right. So, as was mentioned, I'm a second-year student at Abertay. This year I was helping out with the Ethical Hacking Society as secretary, and I was also one of the organizers for this year's security conference. This summer I'll be joining the wonderful folks at Skyscanner as an intern, and I'm generally interested in the idea of user experience versus security, embedded devices, payment technologies and transportation. The reason why I think everyone might find this topic interesting is that most web apps implement some form of authentication system, because it's important for websites to know who you are, and login forms come in all sorts of flavours, shapes and sizes. So you

might have a very simple Bootstrap-type plugin form, you may have something a bit more complicated with a forgot-password field and a sign-in field, or you might have all sorts of different options for how you can log in: different kinds of usernames, login with an email, whatever. But not all login forms are equally secure. So what do I mean when I say a login form is secure? There's the obvious definition of your login form using HTTPS, and this is definitely something that should now be considered a bare minimum requirement: as of January, Chrome will show a "not secure" warning if you go to a website that has

a password field that isn't being served over HTTPS, and Firefox will even display a little banner saying "this connection is not secure" on the password field, which has led to a few people being angry, but it's still something that we're definitely not going to turn back on. HTTPS is a necessity now in 2017. But HTTPS only secures the transport layer, so it protects information while you're communicating with the server, but it does not protect data at rest. And as it turns out, we're really bad at protecting data at rest: services are breached almost every other day, and there are password dumps that are leaked all the time. And further, we're

also really bad at making sure that information that's stolen from one service can't be reused on another service. Here's an example: Mark Zuckerberg had his password for multiple social networks stolen because he used the same password on multiple services. Really, this is a problem with static information, because it can be stolen from one service, from one organization, and then reused across multiple organizations, and this is why static information on its own is absolutely terrible for authentication. So this is why a lot of web services try to implement two-factor authentication as a sort of attempt to solve this problem. Two-factor authentication combines something that you know with something

that you have. Essentially you keep the password, but you also add a physical layer to it. Now, as companies first started implementing two-factor authentication, some people missed that static information is bad. So a lot of banks, particularly in South America and some in Spain, implemented these code cards. Effectively they'd be printed, perhaps on the back of your debit card, and given to you when you signed up for online banking, and whenever you logged in or tried to do some sort of sensitive action it asked you to enter a code from the grid. This is fine, because a different code is requested each time you do something, so you can't just look

at one request and reuse the same code again, unless you can capture 20 or 30 login attempts, and then you've probably captured all the codes on the card. But still, one code doesn't reveal the remaining codes on the card. Man-in-the-middling the user is really hard, though; it usually requires some sort of malware, or that you have physical access to the user's network. It's much easier to phish a user: you can just tell the user "we need to reactivate your card, otherwise you'll lose access to online banking", and you can just ask them for all the codes on their card. This is a straight-up, very real phishing website

for a bank in Venezuela that hit several people who just went "okay, I have to reactivate the card, let me enter all of the numbers". So static data in a physical format is still static data; it's bad. It's still something that can be stolen. In this case it's not something that can be reused across multiple services, but it's still something where the user can be compromised, and they won't necessarily know, because you don't need to physically steal the card in order to steal the codes from it. So okay, how can we then quickly provide a user with a one-time-use code, something that you can generate on the fly,

something that can't be stolen from them? So okay, users have phones; we can text them one-time-use codes, and a lot of services do this. Here's an example from PayPal sending me a confirmation code because I hadn't signed into my PayPal account on that computer before. The problem with this is that authentication, either by text message or through phone calls, doesn't prove that you have possession of that phone; rather, it proves possession of that phone number, and unfortunately a lot of cell phone carriers aren't taking reasonable measures to ensure that your phone number doesn't fall into the wrong hands. Here's a news article describing an activist who had someone go to his telco

and pretend to be him and have a SIM card reissued, and at this point the person who stole his phone number was able to break into his Twitter account and impersonate him. Additionally, Signalling System 7, which is used as the sort of base for all global telecommunications, allows your phone number to be hijacked without your carrier's cooperation. Essentially you can pretend that a user is roaming, or signal to other phone networks that you'd like SMSes to be rerouted to your network, and you can take that over. Although that involves you working for a telco and is a bit more nation-state level, these sorts of attacks do

happen. The Signalling System 7 type specifically happened in Iran, where the state was trying to take over some activists' Telegram accounts. Additionally, SMS verification or call verification causes problems when the user is roaming or without service. So I had a lot of issues trying to access my PayPal account while visiting my family in the Dominican Republic, because I don't want to roam there, it's very expensive, and I can't receive the SMS, but I'd still like to prove who I am. So okay, can we provide some sort of starting point when the user signs up, from which they can generate codes independently without having to go

online, something that can't easily be cloned? So okay, we could give the user a code generator, and these things have been around for quite a while. RSA keys are really common in banks, and some people use them internally within organizations as a form of two-factor authentication. The basic idea is that both the website and the device have a shared secret key, and a lot of these work on the TOTP protocol. The way that works is that you compute the HMAC of the current time using the shared secret key, and as long as the key isn't intercepted during the initial setup, the key can't be externally determined. So if your bank has

fobs that they programmed internally, then that programming can't be externally intercepted. The fobs can be expensive, they can be really inconvenient, they're kind of bulky, and you have to change the batteries out every so often. So instead a lot of companies use apps that generate authentication codes for you. Here are a couple of popular examples: Google Authenticator, Steam Guard and the Battle.net Authenticator. It's a similar idea: when you go to sign into a service, your app gives you a code which you then enter on your computer, and a lot of these are based on the time-based one-time password algorithm. Basically the app, or the fob, and the

service agree on five parameters: you agree on the secret key, what the current time is, an interval, a hash function and the token length. Usually the interval is 30 seconds, usually your hash function will be SHA-1, and usually your token length is about six characters. So for example, let's say that this is our key, and it's currently about 24 hours ago, yesterday, and we'll use a 30-second interval, SHA-1 and six-digit tokens. So TOTP starts off by calculating how many seconds have gone by since January 1st 1970, and so you get this Unix timestamp. You divide that timestamp by your interval, and you get this other lovely number. Then

you calculate the HMAC of that number with your secret key, and you get this long hash. You take the four least significant bits from the hash, so in this case this would be E, and use it as an offset into the original hash, so you just count 14 characters up and grab everything from 14 characters on. You convert that to binary, then you take four bytes starting from the offset and discard the most significant bit, so then you get this number, and the token is the lowest six digits, and if necessary you pad that with zeros. The code generated matches on both sides, everything's great, right? So this is also pretty simple maths.
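The TOTP computation walked through above, written out as an added example (this is not code from the talk): HOTP dynamic truncation per RFC 4226, TOTP on top of it per RFC 6238, plus the server-side check a practitioner needs (a small skew window and a constant-time compare). The secret `12345678901234567890` is the published RFC test vector, so the outputs can be checked against the RFCs. One caveat the walkthrough glosses over: the offset taken from the low nibble is a byte offset into the 20-byte HMAC, so "14" means 14 bytes, i.e. 28 hex characters into the printed digest.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F                              # low nibble of the last byte picks the window
    window = mac[offset:offset + 4]                      # four bytes starting at that byte offset
    code = struct.unpack(">I", window)[0] & 0x7FFFFFFF   # drop the sign bit
    return str(code % (10 ** digits)).zfill(digits)      # lowest `digits` digits, zero-padded


def totp(secret: bytes, unix_time=None, interval: int = 30, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / interval)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // interval, digits, digest)


def totp_steps(secret: bytes, unix_time: int, interval: int = 30, digits: int = 6) -> dict:
    """The intermediate values from the talk's walkthrough, for inspection."""
    counter = unix_time // interval
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return {"counter": counter, "hmac_hex": mac.hex(), "offset": offset,
            "truncated": truncated, "token": str(truncated % 10 ** digits).zfill(digits)}


def verify_totp(secret: bytes, submitted: str, unix_time: int, interval: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check: accept the current step and `window` steps either side (clock skew),
    compare in constant time, and return the matching step so the caller can refuse to accept
    that step (or an earlier one) a second time."""
    base = unix_time // interval
    for step in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, step, digits), submitted):
            return step
    return None


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with base32 secrets (otpauth:// URIs, QR codes);
    restore the padding the URI usually drops before decoding."""
    cleaned = b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    key = b"12345678901234567890"                       # RFC 4226 / RFC 6238 test secret
    print(totp_steps(key, 59))                          # counter 1 -> token 287082
    print(totp(key, 59, digits=8))                      # 94287082 per RFC 6238
```

The `window` parameter is the usual compromise between tolerating phone clock drift and widening the set of codes an attacker can guess; tracking the last accepted step is what stops a captured code from being replayed inside that window.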

There are a bunch of libraries to do this, there are all sorts of websites that implement this, and it's pretty common for TOTP to be used for second-factor authentication. But there's a problem, right? Because as I mentioned, key fobs are really inconvenient, and it's the same thing with the software tokens. You may be using some sort of enterprise-grade system; you don't want to have to share these tokens around, you don't want to have to deal with provisioning them. So a lot of people simply take a webcam and point it at all their tokens, and they stream these on

the internet. So when you go to sign in to this secure service, you pull up the webcam feed, you look for the fob that you're being asked for, you zoom in, you read the code off it, and then you type that into your web service. That's kind of terrible; you really shouldn't be doing that, because it gets rid of this whole idea of requiring that you have physical access to the key fob. There are all sorts of webcam feeds like this if you just look around on Shodan. So okay, you can avoid this by requiring user interaction, right? So if

you have a fob or software token that requires that you press a button, or use this account, or something like that, then you avoid someone being able to just point a webcam at it, right? So there's HOTP, which is exactly the same as TOTP, it just uses a counter instead of the current time. The problem is that if you have a toddler, or someone who just sort of presses this button over and over and over again, then the state of the token will be different from the state on the server; the counters will be way out of sync. So there are some practicality issues

with having a counter-based system. So instead you have some apps that take a sort of different approach, and they ask the user to approve logins on their phone, right? So here's an example of Google's implementation of this: you try to sign into a Google account and you get a little prompt on your phone saying "hey, are you this person that's trying to sign in near Edinburgh?", and you just tap yes or no, and that's fine. The problem with this is that it's still vulnerable to phishing, right? Because if you live in a major city like London or Edinburgh, there are data centers near you, and you can very well

have a phishing website that tries to sign on to the service at the same time, using the credentials that you gave it, and when you get the notification you go "yeah, I am trying to sign on to this service", unknowingly being phished, and you happily say yes and everything's fine, probably until all your details get stolen. And YubiKeys, the sort of earlier ones, used an internal counter to generate codes in a similar fashion, but they include the actual counter value in the generated code, so you didn't have the sync issues. But at the end of the day, all of these methods are still vulnerable to phishing,

just like the code card: with the token, with the YubiKey, with login validation, all of these methods are still vulnerable to real-time phishing, because the problem is that your code generator is working independently, so it's unable to validate the website's identity. Because it's not connected to your computer, it has no way of knowing that you're actually connected to the real domain name and that this is actually the real website that you want to speak with. So as a sort of solution to this, there are challenge-response protocols that use what you're trying to do with the service as part of the authentication system. A few UK

banks, namely Barclays, NatWest and RBS, use the Chip Authentication Programme. They use it to verify transfers to new recipients, when you're doing something sensitive like changing your address, or signing up for mobile banking. Basically the idea is that you're given this handheld reader, or you have it built into your mobile app, and whenever you're doing something sensitive on the website you're asked to confirm the changes that are being made independently on this handheld reader. So for example, if I want to make a new payment to someone, I have to go and type in the account number and the payment amount into this token generator. So as a result, even if I'm being phished it doesn't matter,

because I still have to independently validate the account number and the payment amount. So unless I'm also being tricked into typing in the wrong account number and the wrong payment amount, I can't have my money stolen. [Video issue] Okay, great, we're back. All right, so because you have to confirm the account number and the payment amount that you're transferring to on an independent mechanism, even real-time phishing is sort of pointless here, because if you're being asked to enter a completely different account number from the one that you just entered, you'll probably be a bit suspicious of what's going on there. And the Chip Authentication

Programme basically piggybacks on the chip-and-PIN process to generate an eight-digit code. So you use a regular bank card, and really there is a very, very small change to the way that bank card is set up. Basically this is a look at a Barclays UK debit card: you've got three applications that are held on the debit card, and there's this additional Barclays application listed at the bottom that's used for the online banking system. Basically, after verifying the user's PIN, the authenticator just asks the card to sign a fake purchase. So the authenticator pretends that you want to buy something, and instead of buying a coffee for two pounds,

you have all this additional transaction data that includes the account that you're transferring to, or perhaps that you're changing your address: the information that you want to validate. So obviously, because your bank is able to validate transactions as coming from your card, as genuine, they're able to take this fake transaction and validate that it was signed by your real debit card, using the same mechanism. And as I mentioned, because the user has to independently confirm the amount and the account number, phishing attacks are useless. So this works really well for banks; it massively cuts down phishing attacks. This works fine even if the user's PC has malware on it, again

because of that independent verification system. But this is something that's highly specific to a financial institution. If you're using this to just generally log in on Facebook, it'd be really impractical to have an independent device into which you type "hey, do you want to go to the cinema tonight?" and then get a code that you have to enter into Messenger. It would be a terrible user experience. So let's think of a more generic version of this approach: can we make a signature where we're tying that to the domain name, right? Because phishing attacks rely on the user not noticing that

the domain name that they're on isn't the domain name that corresponds to the real website. So as long as the domain name matches, for a man-in-the-middle attack, we're okay. And so some organizations use smart cards with a client authentication certificate to sort of get around this. The US Department of Defense is probably the world's largest adopter of the system; they use it for their webmail and other web stuff, and Spain has a similar nationalized system where you can sign into online banking using your Spanish national ID card. But the problem is that there's a limited number of identities that can be stored on this smart card. So this is fine if I

have a smart card issued to me, again using the example of the Department of Defense, and I want to sign on to the Department of Defense's website. It's okay for me to have that one-to-one correlation of my identity, but I don't necessarily want every website to have this single identifier of me that follows me around, right? Like if I create an account on some random person's blog, I don't necessarily want them to know my national ID number, I don't want them to know my full legal name. So instead there's this new standard called U2F, which Google

has been a huge adopter of, that tries to be a modern version of these client authentication certificates, and a lot of websites have started picking up on this standard. As I mentioned, Google are huge adopters of it, GitHub have also taken it up, Fastmail use it, Facebook use it, Dropbox use it, Duo use it. Basically you have these little USB keys, the newer YubiKeys; they work sort of in a similar way as the older YubiKeys work, but when you go to sign on to a website you get this little prompt that says "please insert your token into your computer and push the button on it", and it waits for

the token button to be pushed, and then uses the information that it gets from the token to authenticate you. Basically, in this case the web browser acts as a middleman between the token and the web server, because the web browser is aware of which domain you're going to; it's aware of a bunch of attributes regarding the connection, so it can't be deceived like a human would be deceived. And U2F helps with the anonymity issue because a unique private key is generated on the device for each account on each service. Because the key is based on the domain name, phishing attacks are impossible: if I use my U2F key on facebook.com it

will generate one key, but if I go to fakefacebook.com it will generate an entirely different key, which is useless on the real facebook.com. And here's a sort of complicated algorithm of how that works: you've got all this information coming in from the server, which the browser passes along to the token; the token comes back with the signature, and then the server verifies that. But let's break this down into pieces. Basically, the core, fundamental part of why this is secure is that the key generation process is fully handled by the token, in hardware, and can't be extracted. There's no way for you, if I leave my

U2F token out on a table, to take that and, without physically destroying the token, using an electron microscope, spending a lot of money to look at the silicon, there's no way for you to easily or really feasibly extract the private keys from the token. So first the user registers their key with a service, right? So I go to Facebook and I say okay, I want to protect my account, I want to sign in using U2F from now on. Basically, when you do this the server generates the challenge, which is this random string, to make sure that the token that's being registered is a fresh registration, it's something that's

happening right now; we're not stealing someone else's token. So the server takes that challenge and passes it along to the browser. The browser takes information about the current session: it takes the domain name, it takes the username on your service, it takes that challenge, and it passes it along to the U2F token. The U2F token will start flashing, and it will confirm "do you want to generate a key for the service?" So you push the button and it generates the key. You send it back over AJAX, or whatever, and the server validates that it received a new public key, and it validates that the

challenge that it had previously generated, this long random string, was indeed signed with the public key that it received. If everything checks out, it can store that token identity. Now the service has a public key specific to this user on this service. So this is something that is, again, unique to the service: if I wanted to, I could use the same U2F token across two accounts on Facebook and it would get entirely different public keys, because again there's that username field as part of generating the identity. The server says "we're ready to use this token for future authentication". So in authenticating the user, we ask for

another signature, but we give the token details about the identity that it previously generated. So the server looks up the token identity, it generates another challenge, this big random string, and it calls the sign function instead. It passes that along to the token, the token generates the key and passes it back along to the server, and the server validates the challenge. If the challenge that it passed along was signed by the same public key that it recorded during registration, then we know that the user is in possession of the private key that they provided at registration, and we know that everything is fine: the maths checks out. But there's one sort

of nitpicky problem about this, right? This helps with phishing, but it doesn't help for those nation-state attack scenarios where the adversary is able to present a valid certificate for me. So if I'm Google, right, and I'm someone that nation-states would like to attack, say for example China: China has a lot of certificate authorities that they can place political pressure on to create a valid certificate for google.com that will validate in a browser. So you'll be connecting to google.com, you'll get the green bar, everything will seem fine from your perspective, and the adversary can simply proxy your connection. All they need to do is pass along the challenge; your

browser signs it, your browser comes back with the signed challenge, they pass that along, and now they have a valid session for you, right? Because as far as the browser knows, you're talking with the real server; the server has a certificate that it trusts, so it seems fine. But further, there's a proposed specification for TLS which tries to add a self-signed client certificate to the TLS handshake so that this proxy step doesn't work, and you can pin U2F identities to a channel ID. Here's a modified version of the U2F flow to include this channel ID process. Essentially what happens is your browser

creates a public/private key pair, and it sends the public key of that pair along when it starts a TLS connection. Your man-in-the-middling server is going to have to create its own key pair, right? Because it doesn't have knowledge of the private key that you created, so it's unable to sign messages with that public key; it has to make its own. So you pass this information along to the server; the server, same as before, looks up the token identity and generates a challenge, and the man in the middle proxies that information over. However, as I mentioned previously, the browser has information on the whole session context, so it's aware of this session ID, so it

includes that ID in the signature process. So in addition to the challenge you also have this unique ID, valid only for this session, included with the signature. So the token receives that and signs it, same as usual, and when the proxy passes that along, the server looks at the signature and goes "okay, this matches the challenge that I gave you earlier, but the channel ID in the signature doesn't match the channel ID for this connection". So as a result the man-in-the-middle attack is useless. So you can own the entire stack in between the user and the

server, and U2F will still protect you. At this point, the only way that you can break U2F is if you have malware on your machine that's actively compromising the signature process, so that it doesn't have to do the channel ID process, or so that it passes it along to the attacker. So the only issue is that hardware U2F tokens are really difficult to use on smartphones. I mean, you could take a newer smartphone with USB-C, or even a smartphone with micro USB, and plug a U2F key into it, but the browsers don't really support it, and it's sort of

awkward to have tokens dangling out of your smartphone. So there are software implementations of the same thing, which you could use on a smartphone, and when you generate a token it includes information about the U2F device that generated the token. So if you're a bank you could say "no, I only want hardware tokens"; if you're a blog you can say "no, I'm okay with software tokens". So it is flexible enough to support even the most paranoid of use cases, but also a more lenient use case. But additionally, at the minute U2F has very little support outside Google Chrome. There is a Firefox bug that's

open to add U2F support, and Mozilla are hoping to add U2F support to Firefox by the end of the second quarter this year. So overall, this is a pretty exciting technology; there's a lot coming into place with it, and hopefully it'll help make the web a little bit safer. Thank you very much.
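The U2F registration and authentication flow from the talk, plus the channel ID binding and the key-derivation and batch-attestation points raised in the Q&A, as an added, self-contained simulation (this is not code from the talk, from FIDO or from any real token). Every name here is made up for the example: the origins, the usernames, the channel IDs (random bytes standing in for the public key of the browser's per-origin TLS channel ID pair) and the batch attestation key. The signature scheme is a toy Schnorr construction over a 62-bit safe-prime group, used only because the standard library has no ECDSA; real U2F tokens sign with ECDSA over P-256, and this group is far too small for anything but illustration.

```python
import hashlib
import hmac
import os

# ---- toy Schnorr signatures (stand-in for the ECDSA P-256 real tokens use) ----
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)      # deterministic Miller-Rabin below 2**64

def _is_prime(n):
    if n < 2 or any(n % b == 0 for b in _BASES):
        return n in _BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

_q = (1 << 61) | 1
while not (_is_prime(_q) and _is_prime(2 * _q + 1)):
    _q += 2
P, Q, G = 2 * _q + 1, _q, 4          # toy 62-bit group; G = 2^2 is a quadratic residue, so it has order Q

def _H(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def sign(priv, msg):
    k = _H(priv.to_bytes(8, "big"), msg) % Q             # deterministic nonce, RFC 6979 style
    e = _H(pow(G, k, P).to_bytes(8, "big"), msg) % Q
    return e, (k - priv * e) % Q

def verify(pub, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pub, e, P) % P
    return _H(r.to_bytes(8, "big"), msg) % Q == e

# ---- token, browser and server roles ----
class Token:
    """No per-site storage: the per-site private key is re-derived from (master, app_id, nonce) and
    the nonce travels inside the key handle. The attestation key is shared by a manufacturing batch."""
    def __init__(self, master, attest_priv):
        self.master, self.attest_priv, self.counter = master, attest_priv, 0

    def _kdf(self, label, app_id, nonce):
        return hmac.new(self.master, label + app_id + nonce, hashlib.sha256).digest()

    def register(self, app_id, cd_hash):
        nonce = os.urandom(16)
        key_handle = nonce + self._kdf(b"mac", app_id, nonce)[:16]    # so the token recognises its own handles
        pub = pow(G, int.from_bytes(self._kdf(b"key", app_id, nonce), "big") % Q, P)
        msg = hashlib.sha256(app_id).digest() + cd_hash + key_handle + pub.to_bytes(8, "big")
        return key_handle, pub, pow(G, self.attest_priv, P), sign(self.attest_priv, msg)

    def authenticate(self, app_id, key_handle, cd_hash):
        nonce, mac = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(mac, self._kdf(b"mac", app_id, nonce)[:16]):
            return None                        # handle was minted for another app_id: refuse to sign
        self.counter += 1
        priv = int.from_bytes(self._kdf(b"key", app_id, nonce), "big") % Q
        return self.counter, sign(priv, hashlib.sha256(app_id).digest() + self.counter.to_bytes(4, "big") + cd_hash)

def client_data(kind, challenge, origin, channel_id):
    """Built by the browser from what it can see: the challenge, the origin it is really talking to,
    and the channel ID of its own TLS connection. The token signs a hash of this."""
    return b"|".join([kind, challenge, origin, channel_id])

def browser(token, kind, challenge, origin, channel_id, key_handle=None):
    cd = client_data(kind, challenge, origin, channel_id)
    h = hashlib.sha256(cd).digest()        # app_id is the origin the browser sees, never what the page claims
    return cd, (token.register(origin, h) if kind == b"register" else token.authenticate(origin, key_handle, h))

class Server:
    def __init__(self, origin, trusted_attestation_pubs):
        self.origin, self.trusted, self.users = origin, set(trusted_attestation_pubs), {}

    def register(self, user, challenge, cd, key_handle, pub, att_pub, att_sig, conn_channel_id):
        if cd != client_data(b"register", challenge, self.origin, conn_channel_id) or att_pub not in self.trusted:
            return False                       # wrong origin/channel, or a batch this service does not accept
        msg = hashlib.sha256(self.origin).digest() + hashlib.sha256(cd).digest() + key_handle + pub.to_bytes(8, "big")
        if not verify(att_pub, msg, att_sig):
            return False
        self.users[user] = [key_handle, pub, 0]
        return True

    def authenticate(self, user, challenge, cd, counter, sig, conn_channel_id):
        key_handle, pub, last = self.users[user]
        msg = hashlib.sha256(self.origin).digest() + counter.to_bytes(4, "big") + hashlib.sha256(cd).digest()
        ok = (cd == client_data(b"auth", challenge, self.origin, conn_channel_id)   # right origin, right channel
              and counter > last and verify(pub, msg, sig))                         # no replay, registered key
        if ok:
            self.users[user][2] = counter
        return ok

def run_scenarios():
    batch_priv = 0x2C0FFEE                                  # constructed batch attestation key
    token = Token(os.urandom(32), batch_priv)
    real, phish = b"https://bank.example", b"https://bank-example.login.test"
    server = Server(real, [pow(G, batch_priv, P)])
    cid, mitm_cid = os.urandom(32), os.urandom(32)          # browser's channel ID vs. the one a proxy must use
    out, chal = {}, os.urandom(32)
    cd, (kh, pub, att_pub, att_sig) = browser(token, b"register", chal, real, cid)
    out["register"] = server.register("alice", chal, cd, kh, pub, att_pub, att_sig, cid)
    chal = os.urandom(32)
    cd, (ctr, sig) = browser(token, b"auth", chal, real, cid, kh)
    out["login"] = server.authenticate("alice", chal, cd, ctr, sig, cid)
    # real-time phishing: the look-alike page relays the real challenge, but the browser gives the token
    # the phishing origin as app_id, so the key handle's MAC fails and the token refuses to sign at all
    out["phish_refused"] = browser(token, b"auth", os.urandom(32), phish, cid, kh)[1] is None
    out["phish_key_differs"] = browser(token, b"register", os.urandom(32), phish, cid)[1][1] != pub
    # MITM with a rogue-CA cert for the real origin: the token signs, but the signed client data carries the
    # browser's channel ID while the server's TLS connection terminates at the proxy with a different one
    chal = os.urandom(32)
    cd, (ctr, sig) = browser(token, b"auth", chal, real, cid, kh)
    out["mitm_rejected"] = not server.authenticate("alice", chal, cd, ctr, sig, mitm_cid)
    return out

if __name__ == "__main__":
    print(run_scenarios())
```

The three checks worth noting in `Server.authenticate` are exactly the three the talk builds up to: the origin inside the signed client data (defeats the look-alike domain), the channel ID inside it (defeats a proxy holding a mis-issued certificate), and the monotonic counter (defeats replay of a captured assertion). Whether a service trusts `att_pub` from a given batch is the "hardware only" versus "software tokens are fine" policy choice mentioned near the end of the talk.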

[Audience question, inaudible] So the question was, would a member of the public be likely to use something like this? And I think so. I mean, if you sign up for online banking and you get a token in the post from your bank, and they say "when you sign on to online banking you'll need to plug this in and push the button and it will validate your identity", I can see it catching on. It's not something that's cumbersome to use, and in fact

it's easier than the current solution of your bank sending you an authenticator device which you have to plug your debit card into to generate a code and type that in. So it could catch on, but it does have that sort of higher barrier to entry, in that you need to buy the hardware to use it; although inexpensive (these tokens are around ten dollars), you still have to buy it. [Audience question, inaudible] The organization behind the standard, FIDO, does have a certification process for the tokens to make sure that they're adequately safeguarding the private keys, but you

can make your own; there are completely open-source U2F tokens, or you can buy the pieces and solder them together. So because it's an open standard, there is that sort of flexibility of building your own or using a commercial one, but again, the service provider can tell if you're using one that you made yourself or a commercial one, and decide whether they want to trust that, or whether they want to use one from a company that they trust. [Audience question, inaudible] Most U2F tokens are USB devices, but as I mentioned you can have software ones, and there are also NFC U2F tokens as well.

[Audience question, inaudible] So yeah, the question was, is there any sort of key management involved with a U2F token? And there is: the token itself actually has no onboard storage. What it does is, when you go to create a signature, it algorithmically recreates the same private key based on a starting private key that it has burnt into its memory, so it's able to create unlimited identities, as long as the service is able to provide it with that sort of ID from which it can then recreate the private key. So there's no way to reset a token, but you

can just deregister the token and it will create a new identity the next time you register it. [Audience question, inaudible] So the question was, what happens if you lose the token? It's useless without your password, right? So that would then depend on the service in question. If you lose your token and need to get back in, they'll need some sort of recovery method, and that's where again it sort of gets sticky, because there have been a lot of social engineering cases where people contact support and say "I've lost my token, can you get me back into my account?" So then there is that need for: okay, what do

you do for recovery? In my case I have two tokens: I have one that I carry on me, and I have one I keep in a locked box at my flat. So if I lose the token that I carry with me, I can use the one in my flat to sign on to my account, deregister the lost token and then add a new one when I've got one. [Audience question, inaudible] So the question was whether it was similar to Steve Gibson's solution to create identities based on the domain name, and I wasn't aware that he was looking into that, but I'll look into it when I get the chance. I

don't know if it's related. As I mentioned, it is an open standard, something that's being done in public, something that anyone can contribute to, so he very well may be involved in the process of working on the specification, but I'm not sure if the two projects are related. [Audience question, inaudible] So the question was, is there any way to validate that the token is being faithful about its identity, and not claiming to be a commercial token when actually it's homebrew? Basically, what happens is the manufacturer embeds a private key into the memory of the token that's for a whole batch, so say every hundred thousand keys, and

when you ask the token to validate its manufacturer, the token signs the message using this private key. So you give it a challenge, and it signs the challenge with information about itself using this private key, so you can't replay that information. In theory, if you extracted the private key from the token you could do that, but again, these tokens are built to be resilient against private key extraction attacks, so it'd be really expensive and just generally counterproductive to try to do that.

Okay. [Applause]