Security Keys are Awesome and how to use them · Jen Tong

Post on 18-Aug-2020


@MimmingCodes -- mimming.com

Security Keys are Awesome and how to use them

Jen Tong, Security Advocate, Google Cloud Platform

@MimmingCodes - Slides: mimming.com/u2f

About me

How many of you ...
● … are Security Engineers?
● … use a U2F security key?

Agenda

Passwords are bad :(

FIDO Alliance -- better than passwords

How U2F works

Use it yourself

The problem with authentication

Authentication

Login: jen

Password: 123456

123456 - most common password in 2017

password - 2nd most common password in 2017

Source: SplashData

81% of breaches were due to weak or stolen passwords

28% of phishing attacks were targeted

Source: Verizon DBIR 2017

Normal login

User -> Service: login - foo, password - 1234

Service -> User: logged in

Phishing

Actors: User, Fake service, Service

User -> Fake service: login - foo, password - 1234

Fake service -> Service: login - foo, password - 1234

One Time Passwords

SMS: Enter this code: 1234

Photo credit - Von Alexander Klink

Phishing

User -> Fake service: login - foo, password - 1234, OTP - 5678

Fake service -> Service: login - foo, password - 1234, OTP - 5678

FIDO Alliance: better than passwords

FIDO is the world’s largest ecosystem for standards-based, interoperable authentication

W3C’s WebAuthn Spec

Source: WebAuthn spec

New!


FIDO’s U2F Spec

Source: FIDO specs


Public key cryptography devices

Why hardware?
● Hardware isolation
● Interoperable across devices and services
● Fast & easy to use

Transport methods

User Device

USB

NFC

Bluetooth


Certification process

How it works

Public key cryptography

Actors

Transport

Registration

Authentication


Public key cryptography

Public key

Private key

Actors

User, Device, Service

User to device transport

User <-> Device

USB

NFC

Ceremonies

Registration

Authentication

Lost key?

Registration ceremony

Previously authenticated: the user has already logged in with login & password.

Service -> User (browser): Challenge: KJ4k, AppId: https://foo.com

User (browser) -> Device: Challenge: KJ4k, AppId: https://foo.com, Origin: https://foo.com

Device: generate key handle, encrypt registration data

Device -> Service: Challenge: KJ4k, Origin: https://foo.com, Key handle: wfn3, Key cert: ...

Service: verify payload

Authentication ceremony

Basic ceremony

User -> Service: login & password

Service -> User: Challenge: chBs

User -> Device: Challenge: chBs

Device: sign payload

Device -> Service: Challenge: chBs, signed payload

Service: verify payload

Mitigate phishing

Service -> User: Challenge: chBs

User -> Device: Challenge: chBs, Origin: foo.com

Device: sign payload (Challenge: chBs, Origin: foo.com)

Service: verify payload

Prevent tracking across accounts

Service -> User: Challenge: chBs, Key handle: 6bHc

User -> Device: Challenge: chBs, Origin: foo.com, Key handle: 6bHc

Device: find key, sign payload (Challenge: chBs, Origin: foo.com)

Service: verify payload

Mitigate authenticator cloning

Service -> User: Challenge: chBs, Key handle: 6bHc

User -> Device: Challenge: chBs, Origin: foo.com, Key handle: 6bHc

Device: find key, counter++, sign payload (Challenge: chBs, Origin: foo.com, Counter: 42)

Service: counter went up, verify payload

Lost key ‘ceremony’

Demo: registering & using a key

Source: Yubico U2F Test

Use it yourself


Browser support


Lots of websites support it today

Google Cloud Platform

GSuite

Big list - https://www.dongleauth.info/

Adding it to your stuff, a.k.a. deployment

Deployment options

Run it yourself

Use 3rd party auth

How Google does it


Run it yourself

Client Server


Run it yourself - Server

Source: GitHub search for 'u2f server'

Yubico’s open source server (Source: Yubico U2F Validation Server)

Client libraries

Code it yourself

Client: JavaScript

Server: flexible

Code it yourself - Client

Browser support:

Client - Registration

u2f.register(appId, [{challenge: challenge, version: 'U2F_V2'}], [], function(resp) {
  // u2f-api reports failure with a numeric errorCode on the response
  if (resp.errorCode) {
    console.log(resp.errorCode);
    return;
  }
  // POST resp.clientData and resp.registrationData to the server
});

Client - Authentication

u2f.sign([{challenge: challenge, version: 'U2F_V2'}], [], function(devResp) {
  let jsonResp = JSON.stringify(devResp);
  u2fRespInput.value = jsonResp;
  loginForm.submit();
});

Code it yourself - Server

Client libraries for:
● Java
● Ruby
● Python
● PHP
● C#
● C
● JavaScript

Server - Registration (node.js)

function registrationChallengeHandler(req, res) {
  const regReq = u2f.request(APP_ID);
  req.session.registrationRequest = regReq;
  return res.send(regReq);
}

function registrationVerificationHandler(req, res) {
  const regRes = u2f.checkRegistration(
    req.session.registrationRequest, req.body.registrationResponse);

  if (regRes.successful) {
    // regRes.keyHandle and regRes.publicKey are what the authentication
    // handlers later read back (keyHandleFromDB / publicKeyFromDB):
    // store them against this user before answering.
    return res.sendStatus(200);
  }

  return res.send({ result: regRes });
}

Server - Authentication (node.js)

function authenticationChallengeHandler(req, res) {
  const authRequest = u2f.request(APP_ID, keyHandleFromDB());
  req.session.authRequest = authRequest;

  return res.send(authRequest);
}

function authenticationVerificationHandler(req, res) {
  const result = u2f.checkSignature(
    req.session.authRequest, req.body.authResponse, publicKeyFromDB());

  if (result.successful) {
    // result.counter is the device's signature counter: check that it went
    // up compared with the stored value and save it, per the cloning slide.
    return res.sendStatus(200);
  }

  return res.send({result});
}

Let someone else deal with it


BeyondCorp, a.k.a. Google Cloud’s Identity Aware Proxy

Source: GCP's BeyondCorp marketing page

Demo: Identity Aware Proxy on a black box web app

Conclusion

● Passwords aren’t enough
● Security keys work
● You should use them yourself
● Many options to use

Thank you!

Now go add it to your software so we can reduce pwnage

Slides: https://mimming.com/u2f


Want to learn more? Here's a reading list

These slides: https://mimming.com/u2f

Spec
● FIDO Alliance specs
● Yubico U2F docs

Keys
● A review of several commercial authenticators

Relying Party (server) libs
● Google’s reference implementation (Java)
● Node.js

Other cool talks
● Google Case Study: Strong Authentication
● U can U2F