Multi-factor authentication in Shibboleth identity providers
Abstract
The federated identity management model offered a solution to the proliferation of access credentials, such as passwords. However, an attacker only needs to discover a user's password to impersonate that user at every service provider in the federation. Multi-factor authentication emerges as a way to strengthen the authentication process. This work presents a complete, open-source solution that provides multi-factor authentication to users of Shibboleth identity providers.
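The federation-level point of the abstract is that adding a second factor at the identity provider only removes the "one password, every service provider" problem if each service provider refuses assertions issued after a password-only login. In SAML 2.0 the IdP reports how the user authenticated in the AuthnContextClassRef element of the AuthnStatement, and the REFEDS MFA profile defines the value https://refeds.org/profile/mfa for that purpose. The following Python check is an added example written for this page, not code from the paper or from Shibboleth; the three assertions are constructed inline (made-up entity IDs and subject), and the check assumes the assertion's signature, audience and validity window have already been verified by the SP's SAML library.

```python
"""Service-provider-side check that a SAML 2.0 assertion records a
multi-factor login, using the REFEDS MFA authentication context class.

Added example for this page; not code from the paper or from Shibboleth.
Assumes the assertion's XML signature, audience and validity window were
already checked by the SP's SAML library before this function is called.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Authentication context class URIs. The first is defined by the REFEDS MFA
# profile; the second is the standard SAML 2.0 class for a password sent
# over TLS, i.e. a single-factor login.
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def _assertion(class_ref: Optional[str]) -> str:
    """Build a constructed (sample) assertion skeleton for the examples below.
    The issuer entity ID and the subject are made up. A real assertion also
    carries a Signature and Conditions element; they are omitted here because
    the SAML library validates them before this check runs."""
    authn_statement = ""
    if class_ref is not None:
        authn_statement = f"""
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>"""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.edu</saml:NameID></saml:Subject>{authn_statement}
</saml:Assertion>"""


# Constructed sample assertions: MFA login, password-only login, and an
# assertion that carries no AuthnStatement at all.
MFA_ASSERTION = _assertion(REFEDS_MFA)
PASSWORD_ONLY_ASSERTION = _assertion(PASSWORD_PPT)
NO_AUTHN_STATEMENT = _assertion(None)


def authn_context_classes(assertion_xml: str) -> List[str]:
    """Return every AuthnContextClassRef value found in the assertion's
    AuthnStatements (an assertion may carry more than one statement)."""
    root = ET.fromstring(assertion_xml)
    path = "./saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [el.text.strip() for el in root.findall(path, SAML_NS) if el.text]


def mfa_satisfied(assertion_xml: str, required: str = REFEDS_MFA) -> bool:
    """True only if the IdP asserted the required MFA context class.
    An assertion with no AuthnStatement, or with only a password class, is
    rejected: it proves nothing beyond the password an attacker may already
    hold, which is exactly the single point of failure the abstract describes."""
    return required in authn_context_classes(assertion_xml)


if __name__ == "__main__":
    for name, xml in [("mfa", MFA_ASSERTION),
                      ("password-only", PASSWORD_ONLY_ASSERTION),
                      ("no-authn-statement", NO_AUTHN_STATEMENT)]:
        print(f"{name:20s} classes={authn_context_classes(xml)} "
              f"accept={mfa_satisfied(xml)}")
```

Two caveats belong with this check. First, the class reference is only meaningful on an assertion whose signature chains to the IdP's metadata key; an unsigned or unverified assertion can claim any context class. Second, the SP should also ask for the class up front, by sending a RequestedAuthnContext with Comparison="exact" in its AuthnRequest, so that an IdP that cannot perform MFA for the user returns an error instead of a password-only assertion that this check then has to reject after the fact.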