Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
V3.2
INDEX 1 ABOUT THIS DOCUMENT ........................................................................................................ 3 1.1 1.2 1.3 2 VERSION.......................................................... 3 SCOPE ........................................................... 3 AUDIENCE ......................................................... 3
ONE TIME PASSWORDS (OTPS) ............................................................................................ 4 2.1 2.2 2.3 ABOUT OTPS....................................................... 4 REQUIREMENTS...................................................... 4 ACCESS SCENARIO ................................................... 4
USING ONE TIME PASSWORDS ............................................................................................. 5 3.1 3.2 MULTIPLE FAILED LOGIN ATTEMPTS....................................... 5 10 LOW OTPS WARNING............................................... 5
4 5
MANAGING OTPS ..................................................................................................................... 6 CONFIGURING "INTRANET-OTP"........................................................................................... 7 5.1 5.2 5.3 CONFIGURING "PRIVILEGED USERS" ...................................... 7 CONFIGURING "PRIVATE"
VS.
INSTALLING "INTRANET-OTP"............................................................................................... 8 6.1 6.2 6.3 "INTRANET-OTP" LICENSE ............................................. 8 OBTAINING INSTALLING
THE THE
OTP SECURITY ANALYSIS...................................................................................................... 9 7.1 7.2 7.3 7.4 7.5 SECURITY CHALLENGE................................................. 9 SUMMARY.......................................................... 9 SECURITY MEASURES TAKEN ............................................ 9 BRUTE-FORCE ATTACK ............................................... 10 OTHER ATTACKS.................................................... 10
Page 2
1.2 Scope
This manual describes how to install, administrate and use the ]project-open[ OTP (One Time Passwords) security module.
1.3 Audience
This manual is written for administrators and users of ]project-open[.
Page 3
2.2 Requirements
The creation of the "intranet-otp" package has been motivated by a recurring conflict between security and user-friendliness: User-Friendliness: The integration of external collaborators (freelancers and customers) into the project execution requires maximum user-friendliness in order to lower the access barriers for these users. Security: The right of privileged users to access financial information poses a serious risk to a company. The increasing spread of spyware, key-loggers and network sniffers converts this risk into a security thread, as soon as a privileged user accesses the application over an unsecured channel such as a home aDSL line or an Internet caf. Internet (insecure) Privileged User Unprivileged User OTP Normal Intranet (secure) Normal Normal
OTPs are only required if a privileged user tries to access the application from outside the office.
The "intranet-otp" packages provides a new type of balance between these two requirements by combining a secure access method with a logic to limit the use of OTPs to privileged users accessing the application from the insecure Internet.
Page 4
The login process starts off as normal with an email and a (static) password. Normal users are signed in after this.
Page 5
4 Managing OTPs
This chapter is written for ]project-open[ users. It explains how users and administrators can setup and change OTPs (self-service): 1. The user's administration component. There is a link (red) to the OTP management screen. 2. The OTP management screen to see the current OTP list. The action menu allows creating a new list and to print/email.
3. The printer-friendly view. This page is designed to let the user print a credit-card sized OTP list. 4. Send per Email this is particularly useful if an administrator has reset the OTP list for a user.
Page 6
5 Configuring "intranetotp"
This chapter is written for System Administrators. The configuration of "intranet-otp" mainly deals with two questions: Who is a "privileged user"? and What is a "secure network"? Privileged User Unprivileged User
The answer to these questions may depend on your company and on your network infrastructure, so "intranet-otp" has been designed with a certain degree of flexibility.
OTPs are only required if a privileged user tries to access the application from outside the office.
A special "AdminNeedsOtpP" parameter in the Admin -> Parematers section defines whether the above configuration should also apply to system administrators. Setting this parameter to "0" allows administrators to authenticate via simple password access in order to test and debug the configuration. However, this parameter should be set to "1" for production use.
Page 7
6 Installing "intranet-otp"
This chapter is written for System Administrators. It will lead you through the installation process.
Page 8
7.2 Summary
The summary of the following chapters is that the OTP algorithm is sufficiently hard so that the attacker won't be able to login into the system as user. However, the attacker may manipulate the browser of compromised computer and gain access to the content transferred between ]po[ and the user.
1 to the shared sequence, effectively implementing a PRG (pseudo random generator). The RPG iterates at least once, protecting the first OTP from exposing bits of the shared secret.
7.5.2
An attacker may try to guess part of the shared secret's information content by collecting information about the server. The following information is included during the creation of the shared secret: The login time and password "salt" of last 10 logins: ~320 bit (10 x 32 bit) Microsecond system clock ticks: ~30 bit (10 digits) Unix process ID: ~16 bit HTTP Session variables: ~30 bit
These available entropy of ~400 bit should be sufficient for the given purpose, even if some parts of the information should be more guessable.
7.5.3
The attacker could perform a kind of "denial of service" to user by giving wrong OTPs for user, effectively locking out user from the system. This attack could be particularly unpleasant in the case of the system administrator who might find himself locked out of the system. The following section deals with this case.
Page 10
8 Administrator's Lockout
A special situation can occur if an administrator fails to authenticate himself, particularly if the administrator needs to use OTPs from the private (trusted) network. In this case there is no standard option to logon to the system using the Web interface. In this case you will have to reset the "otp_failed" field in the Administrator's file in the database using an SQL statement: "update users set otp_logins_failed=0 where user_id in (select party_id from parties where email='sysadmin@tigerpond.com')".
Page 11
Sant Anton, 51 1 2a Barcelona, Spain +34 93 325 0914 +34 93 289 0729
Page 12