
Two-Factor authentication: Demand Bi-Directional - Joe Kirwin

BSides Vancouver | 25:07 | 102 views | Published 2017-06
About this talk
Two-Factor authentication: Demand Bi-Directional - By Joe Kirwin - Bsides Vancouver 2017

I grabbed the official, or the official cheat sheet here, although I've worked with Joe before. Joe used to work with us in the lab at Sophos, and we'd like to welcome him here to track 2 for our talk on two-factor authentication. Maybe you'll contradict some of the things I talked about during my podcast downstairs earlier on multi-factor authentication, or we'd love to have a healthy debate over that. And on that note I'll hand things back over to Joe. Thanks, Joe.

Hi everyone. Mic's OK? Yes? Yeah. So, oh, I was told that I should ask questions at conferences, so who here has used two-factor authentication? Who's recommended it to their grandparents? I just want to sue for measles. Yeah, so

what I wanted to cover today is some sort distortion thing. Basically there's two sets of users I'd like to target, if you can take away, you know, maybe one thing from here. So if you're a user, you know, ask your providers what the options are for bi-directional authentication. I'll go through some of the attacks and I'll go through some of the defenses that I'm proposing, and hopefully that might persuade you that at least the question has to be asked. I'm not suggesting that the technology I'm showing as a defense would be something you'd want, but just ask the question if they have something to provide bi-directional for you. And for developers and security experts, just hardening the server is not really good

enough these days. You have to think about protecting the users, giving them tools to know that they're talking with the legitimate source. Hand-waving that TLS is enough, that's also not good enough. And yes, so, giving them the tools for that. So the type of two-factor auth that I planned to talk about today is the offline type, so I'm not going to cover anything to do with the SMS stuff or push-based. I'm specifically talking about event-based one-time pads, so that would be like Google Authenticator or fee or something like that. So I'm just going to dive into a quick overview of how that works. I'm sure, like, most of you already know how these work

but I'd like to just get everyone to the kind of baseline before I talk about some of the attacks and defenses. Is that okay for everyone to see? Can you see that okay? Well, at the back you could come further down. All right, cool. Right, so in 2005-ish there's an RFC that came out to describe counter-based two-factor, and these schemes mostly depend on hash-based message authentication code, if you want to look that up. There's just some key properties of that that differ from the basic hash, in terms of it doesn't get collisions, and the truncation, which is one of the key things that we're looking for here, which

allows you to have just, like, a six-digit code instead of having to up the full twenty characters. So that's one of the strengths of the HMAC and why they use it in this case. So they take the HMAC, which is just a keyed hashing algorithm, and they hash that with a counter. And the thing that's transferred at the beginning might be through, like, a QR code or something like that, and that would give you the counter and it would give you the secret, and that's just a symmetric secret that's shared between you and the server. And that's the other thing that's in your Google Authenticator, is the thing that it stores. Then in 2011 they made a variant

of this called time-based one-time pads. It uses pretty much the same cell, except for the counter it uses the current time from epoch in Unix time, minus the time that you first registered or first set up your two-factor authentication token with the server, divided by a period, which could be like sixty thousand milliseconds, something like that, just, you know, that's baggage either the rotation of the code. And then this symbol is just a mathematical symbol for floor, to make sure that the algorithm's taking an integer value. So those are the kind of two types there. So what I wanted to discuss is the problem. So the original problem that these things were designed to address was to make sure that when

credential dumps happened, that someone couldn't use those to brute-force the server, because you had a static value but then you also had this ephemeral thing that was always changing. While that is good, these things do not stop direct phishing, and they also, the way they're implemented, have a couple of flaws, in terms of, you know, static information is passed first and then the varying information is passed second, and that to me strikes me as a flaw. So if I just zoom in on this. Today didn't do as well as I'd hoped. I blame you for that, Jake.

So say we've got a legitimate site, live.com, which would be like Outlook, Hotmail, LabVIEW, and then we take a homoglyph of this, which will be iive.com, like, you know, lowercase i, but when you uppercase that it looks exactly like live. So that would be a, you know, a homoglyph attack. And what we can construct here is, even though, if you see, the two arrows between the sites are under a padlock representing TLS, the username, password, OTP are passed across, and this site just acts as a site in the middle and forwards that on to the legitimate site, and they can then take your session. So while it does provide protection from a password dump, it doesn't provide protection from a phishing attack like this, and I'll show you that in a second.

This type of attack, this replay attack, was actually detailed, funnily enough, when the original HMAC RFC came out in 2005. It was detailed that CRAM-MD5, which some of you might know about, a challenge-response authentication mechanism, which was kind of a similar kind of password hashing scheme, they identified that this was vulnerable to replay attacks. And it came out, you know, kind of a similar time to the RFC, I think it might have come out just after, so these things were not captured in the original RFC. Maybe they might have refined how they designed this. It could have been that it was meant for a different purpose and times have progressed since then. Right, let me jump

to a demo. So does anyone know what this site is? No developers? Any developers here? One developer at the back. What is it? Right, nailed it. I got, I can read from all the way back there. Right, so Heroku is a platform as a service. If you want to, like, be a developer and you do Node.js or Python or something, and you want to say, okay, got my Arbor, got my day where, I'm going to put it in here and just let them handle virtualization, containerization, scalability, everything. I'm not picking on Heroku because they suck or anything, I'm just picking on Heroku because this is the state of the industry. There was lots of other sites that did this, and this is

not actually Heroku, this is just, this is a fake Heroku. The real Heroku is felony. This is just one I mocked up just by doing, like, save page. So let me just type in my password. You guys have to do that, right? Okay, yeah, you can see my password. So anyway, we go to the two-factor thing, and, oh, my phone's in the audience, and this is not part of the thing, I actually didn't mean to leave my phone, man. So if I grab my phone, put in my Heroku thing, over those, greatest demo ever, six six zero two one five. Hopefully this will log me into the next phase. I specifically put these timeouts in just

an attack, and if you notice, we've redirected to the actual Heroku here, I think. Oh, let me run my again, we didn't actually get, oh no, we did. Okay, so my screen showing capabilities a second one. So we can see here, like, this actually logged into the real Heroku here, and I had this app that Craig called hello BSides Van 2017. If you don't trust that that was actually there, like, these things, you might have seen them populate here, but afterwards I could do, like, a cryptographic proof for you to show that I definitely submitted that at that time, if you guys don't believe it. That's jokes. But anyway, yeah, so what I'm saying is this was just using PhantomJS, just

like a simple Node.js app, and I was just snapping credentials from ID Heroku dot com, which was actually available as a domain to purchase. And so I told Heroku about it and said, you should probably just buy this, lets you 99. And it's so easy, like, if you look at the difference between, you know, this site and this site, like, there's not much difference in terms of the font there, and it's very hard to distinguish that. So possibly back to the main thing. I want to talk about some of the issues with this. So the desired features of a solution to this would be that we can prevent an attacker from stealing users' credentials, that's

the main thing, and that would be by DNS hijack attacks. That's not something that I've covered in that particular attack, but is definitely possible. It becomes a little more challenging with TLS to do a DNS hijacking attack, but it's not outside the bounds of an actual attacker to do that. We'd like it that the authentication system was resistant to those too. And the more common one is the homoglyph hostname attack. I actually did a little site that I thought that you guys might have seen on Hacker News at some point, that was called elfin, and all it did is it just takes your domain name and it generates all the different homoglyphs. So say it was like

a W, it'd give you two V's; if it was an M, it'd give you a lowercase R next to an N, and it kind of looks exactly like Gmail or something like that. And those are so easy to kind of do against a user, and the user, as they progress through using the service, their tolerance to minutiae and changes in their experience of login becomes less. And so, you know, if they've been using Gmail for 10 years, it's probably indistinguishable for them to see an RN for an M. And so the other features are, we want to submit our static input second, variable inputs first, so that, like, someone can't do a

partial attack against your credentials. I'd rather they stole my two-factor code than stole my password. Technology independent: this is another one that some of the people that do offer bi-directional authentication suffer from. They can offer it for your enterprise, and they can offer it, you know, only when you use enterprise stuff, because you have to have certain things set up. It doesn't work for all browsers, it doesn't work for all devices, things like that. Maybe technology agnostic would have been a better word for this, but just something that can be, you know, an open standard that can easily be applied to any technology stack. And then the final one is, adds

no more friction to the current user experience. I've noticed myself that I have so many different two-factor codes stored in my authenticator app, and it becomes kind of a slowdown and impedance in my workflow, and so we wouldn't want to add any more things to that if possible. So, a proposed solution. If we actually look slightly up screen, right, the original RFC that came out for event-based one-time pad had this section that no one really, well, maybe someone did, I'm sure someone's read this and there's the software huh, but, like, it didn't seem to get much attention by any other vendors. And this is, like, section 9, is bi-directional authentication. It says, interestingly enough, you can use HOTP

and what they mean by this is the counter mode that I talked about earlier. So you can, you know, you can do work first direction towards the server, and then the server sends you back the challenge that they generated, and you verify that, and then you continue with the login. A TOTP in this form that they're talking about, the counter-based one, is not used as much these days, and the reason for that, while it is more secure than the time-based one, because the time-based one would be vulnerable to NTP-type attacks, it's not used as much because it doesn't work with multiple devices, because you have to share the counter state amongst tablets, phones,

other logins, everything, whereas the time is a way to easily share this state. But we could do something similar with the time-based one-time pad, and that's the thing that I'd like to cover here. So let me, okay, right. So I've created this scheme called Baylor's. I don't know why I came up with that name, it just was a name that no one else is using, so this is what it's called. So when you visit the site, so say we've got this spoof site in the middle, exactly the same setup that we saw in the previous attack, you go there, it says X fearless in there, that's just a header that comes along, and that tells

your client to start watching for a vilas response, which would be from the server. So you put in your username. The server then would look up, using the username, would look up the secret it uses to represent itself, and it would generate a two-factor code, and it would pass that back to the client in a valus response. And the way I've constructed the villus response, I'll go into this last concatenation bit in a second, but essentially this will be TOTP but in the server direction. The client direction would follow after this. And the reason I put in the IP block is, if we look at this setup that we have here,

you could see that this could easily be replayed to, for example, say the server in the middle. I could connect to the legitimate server, get the replay code, and then send that back. So we have to have some out-of-channel way of identifying that the thing we're talking to did actually give it this code. That's why I've embedded the DNS resolution of that, and it could be an IP block. So for example it could be a range, it could be an autonomous system number, it could be an IPv6 block, it could be just something that makes it more hard for the attacker to site-in-the-middle your authentication. And so the client would actually have to have

DNS resolution in this case, which I'll go on to in a sec. So I'll give you a demo of that. So I set up this site called Billis Pro, because pro is a really cheap domain, it because we like to dollars for VLS and BER I eat of less, so I can show you, like, a homoglyph attack on this. So it's type in user 1, I shouldn't block me I bet, type in user 1, and it gives me my client code, which is 6 for FB 1 6 I think, fubar password, super secure, and then it logs me in. Right, so then say I go to the other one, which would be various ProSource login, so they gave me this

Jake, what's happening to your internet? Oh, okay, it's back. Go to user 1, and it should block me. Right, so what happened here is that this site gave me the wrong VLS response here, and so the only thing that I've actually disclosed is my username. The rest of the stuff has been kept from me disclosing it. Let me just go back to this. So there's some design compromises that I went for in the solution. I did it as a browser plugin, and it uses some of Chrome's declarative web extensions there, so we can actually monitor for certain headers coming across and take actions based on that. There's some restrictions with that, because you have to ahead of time

compute it, so you can't listen for a code and say what the code was, you can just say, I need it to match this code. The reason I chose plug-ins, for example, instead of the Google Authenticator approach: as you can imagine, the friction will be quite high in this case, because if you want to use Google Authenticator, I'd go to the site, the site would then, my device would then, or my laptop would then have to give me the DNS resolution of that via an IP block, I'd have to then put that into my device, I'd have to put in the code from the server into my device, then the client Google Authenticator could tell me, okay, here's your

two-factor code, everything checks out, now I manually put that in. So there's, like, a lot of, you know, manual input between those. And so the browser plug-in approach is not ideal either, because, you know, I'm on the laptop and I'm using the same mechanism to log in, and there's a risk of compromise there in general, and it's nice to have, like, an air-gap solution like Google Authenticator. And so ideally what I'd like to do is some sort of hybrid implementation, where the plug-in is actually just doing a DNS resolution and then, and again obtaining the code for you, and just sending that round to an Android app via something like Firebase communication,

we've got a cloud messaging, or used to be called Google Cloud Messaging, so something like that, a way just to send: here's the data that I observed on the laptop, and you can now tell me whether my two-factor code, when it's going on. There's also some other options that you could do with CLS. There is a company called MIRACL that I think I have somewhere in here, yeah, M-Pin Full, is something else you can read about. That one is again an example of something that's technology coupled. It would only work for you if you're a customer of MIRACL. You're not going to get that as an open standard to implement in all browsers, all clients, but it is a very

good solution and allows you to do, you know, two-factor codes tunneled through itself, until you get this kind of granular pipeline. That would be ideal if that was a standard also. So some of the benefits of this is, credential phishing kind of goes away, near enough, because you can't, if we're protecting you from authenticating to a homoglyph or DNS-hijacked site, you can't actually authenticate there, because we won't give you the second factor from the login. The other thing is, it corrects the user trust model. And so the most vulnerable part of this design is at registration time, and that's when the user, first of all, has the least value to their portfolio, because they have no data

stored in that, but also they're at the maximum scrutiny. For example, if you had never been to Facebook before, you're very curious, you don't know what everything is, you look in all the fields, you're inspecting things, you're looking at the TLS lock, everything like that. The scrutiny's at the max. With the current model, your scrutiny has to be at the highest level all the time. With this one, the max scrutiny has to be at registration time, and after that you are more protected than you would be normally. Challenges: the client needs DNS resolution capabilities. This is a beta API in Chrome. Firefox doesn't have it. Not sure about the other browsers, I didn't try.

There's compromises between usability and a secure solution. So like I said, with the Google Authenticator approach, that would be the most secure, but it's also the most friction to users, because they've got to put in two values and then wait for a value to return from the Google Authenticator and put that back in. So there's a balance there. And then the next one is user adoption. If the site has an option not to use 2FA, then this might not work as well to defend those passwords, because there's no ephemeral code to protect you there. I mean, potentially they could deploy the plug-in and just have the server-side code working and not the client-side stuff. That would be an option, but it

would still be a struggle to get them to adopt that if they didn't already want to adopt TOTP. Yeah, the other directions is M-Pin Full, which I already covered, and then this other one was quite cool, which is the YubiKey U2F. And I just zoomed in on this because, as we can see, this is one of the things that we wanted in the solution: we wanted the username, password, the static variables, to be given later. And so this one's still falling foul of, if you can impersonate the server, you can steal the username and password, and then you might be able to find another attack to be able to forge a challenge later, kind of, you know,

just a piecemeal attack against the user, and we'd rather give away the ephemeral code to us. And that's it. Oh, there was a mean, there is a me Matt, then I lied. Yeah, any questions? That wasn't Mike. There is a mic over there if you have any questions. I was going to close it.

So that would be the app that takes push notifications? Yes. So Microsoft's one, the Authenticator, at least I'd say that's not as easy to forge, at least in terms of, like, the homoglyph and DNS-based attacks. This improvement's mostly around Google Authenticator and more open standards. But yeah, like, the push-based ones are pretty solid. The only thing I'd say about the push-based ones, if you look at octopus, for example, octopus, if I use that for my Android for Work, is supposed to be behind a separate password from the device password. Octopus can actually bypass that. So octopus will come down and say, do you want to approve access to this, and

your user could, say, have a really weak password of, like, fubar, but then the device might have a very strong policy from the enterprise, saying that the security vise profile might have a really strong password. Papal bypassing that, then, you know, there's different attack vectors with that. But I would say that the Microsoft one is quite strong competitive. All right, I'm going to give you five seconds and then the bar's open. Five, four, oh, come on.

All right, yeah, that would have been good stock, but I should have come speak to you before this. So yeah, the actual bailiffs scheme is up on GitHub, and that's at Joker on GitHub, is, my first name is Joe, my last names ker, but then you become buying it sounds like Joker, right, cool hacker name. Anyway, so if you go on GitHub, it's up there, and I plan to also release the slides, and I plan to also hopefully release that Heroku snapping thing, as long as it's, like, not something that can be used for evil stuff. Yeah, so what I would like is just more of an open discussion about this. I think my

goal today was, if I can get to the point where people can see that there's an issue here, and say someone comes to me and says, oh, I thought your solution was crummy, but here's how I'd do it, then my talk has been successful, because what I wanted people to realize is that it's not as secure as it could be, and I would like us to improve. So if people want to, you know, contact me via the GitHub link, review the code, want to make improvements, have ways to simplify it for users, that would be great. I'd like to see it implemented somewhere, I just don't know where a minute. All right, I'll do this count again, if someone just

jumped. How do you want me to move that I have there the gnomes gun? Right, oh yeah, I guess it's just, currently the bar to attack is so low. I mean, that would be the next level of that, and then how do you integrity-protect the plug-in? I mean, you could make it so that the policy on the actual site was so strict that it didn't actually take a password on this over these bi-directional ephemeral codes. I haven't really thought about that level of attack, because that would come after you've actually deployed this thing, but very good point. What if the sewer phase on the city? Sorry?

Right, so the question, the question was, what if you're using two-factor authentication that's on the same device that you're using for the primary factor? That would definitely not be recommendable, and that's one of the problems with, like, SMS, for example, if you're using HSBC, as that gentleman said about that. And yeah, that would be a problem, and that's why I talked about, in terms of secure right elation, like, I'd prefer it if it was an air-gap solution like Google Authenticator. It doesn't actually have any Android permissions. The only thing it needs access to is the time source from Android itself, which should hopefully be running through NTP, so the angle for attack on that is only

NTP, but with stuff where it's actually SMS-based there would be an avenue for Tonya. Okay, five, four, three, two, one, go. All right, let's see, done.
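
Added example, not part of the talk or of the speaker's GitHub project: a Python sketch of the HOTP/TOTP computation the talk walks through (HMAC, truncation to six digits, floor of elapsed time over a period) and of a server-to-client code bound to the IP block the client resolved, so that a code relayed by a site in the middle fails the client's check. The message layout in `server_code`, the /24 block size, the 30-second period, the secret and the documentation-range addresses are assumptions; the talk does not give the exact concatenation.

```python
import hashlib
import hmac
import ipaddress
import struct


def hotp(secret: bytes, message: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1(secret, message)."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_step(now: int, t0: int = 0, period: int = 30) -> int:
    """floor((now - t0) / period): the counter replacement used by TOTP."""
    return (now - t0) // period


def totp(secret: bytes, now: int, t0: int = 0, period: int = 30) -> str:
    """RFC 6238: HOTP over the 8-byte big-endian time step."""
    return hotp(secret, struct.pack(">Q", time_step(now, t0, period)))


def server_code(server_secret: bytes, now: int, ip_block: str) -> str:
    """Server-direction code. ASSUMED layout: time step || IP block text."""
    block = ipaddress.ip_network(ip_block).with_prefixlen.encode()
    return hotp(server_secret, struct.pack(">Q", time_step(now)) + block)


def client_accepts(server_secret: bytes, now: int, resolved_ip: str,
                   offered_code: str, prefix: int = 24) -> bool:
    """Client check, run before any password or client OTP is released.

    The expected code is rebuilt from the address the client itself resolved
    for the hostname it is talking to, not from anything the site sends.
    """
    block = ipaddress.ip_network(f"{resolved_ip}/{prefix}", strict=False)
    expected = server_code(server_secret, now, str(block))
    return hmac.compare_digest(expected, offered_code)


def demo():
    """Constructed scenario: genuine site vs. a relaying lookalike host."""
    secret = b"constructed-server-secret"   # shared at registration (assumed)
    now = 1_496_000_000                      # constructed timestamp
    # The genuine server binds its code to its own block, 203.0.113.0/24.
    code = server_code(secret, now, "203.0.113.0/24")
    # Direct visit: the client resolved the real host inside that block.
    direct = client_accepts(secret, now, "203.0.113.10", code)
    # Relay: the lookalike name resolved to 198.51.100.7, which forwarded the
    # genuine code unchanged; the client's expected value differs.
    relayed = client_accepts(secret, now, "198.51.100.7", code)
    return direct, relayed


if __name__ == "__main__":
    print(totp(b"12345678901234567890", 59))
    print(demo())
```

In the relayed case only the username has been sent by the time the check fails, which matches the behaviour shown in the talk's second demo.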