
Securing bank transactions with privacyIDEA

Making wire transfers secure is a big challenge. We are all grateful that we no longer need to go to the bank branch to wire money to another account. It is also great that we no longer need the old TAN lists, where we were asked to cross out one number after each transaction.

But what are still the challenges with electronic bank transactions?

Integrity of the transaction data

The banking user uses a web interface to tell the bank how much money he wishes to send to another account. Malware in the user’s browser can change this data. Originally the user wanted to send €100 to account 1234567890, but when he clicked the “send” button, the malware changed the transaction data to €10000 and account 666.666.XX. The bank receives the 10000 Euros for the evil account. It has no way of knowing that the user originally wanted to send 100 Euros to his friend. Nor does the user immediately notice what happened.

The money might be gone.

TAN lists and OTP tokens

The transaction data could be changed before it reaches the bank.

Several years ago TAN lists were used. Some banks use OTP tokens to identify the user during a transaction. But neither TAN lists nor OTP tokens can ensure the integrity of the transaction data. The OTP token can verify that it really is the true user, the one in possession of the token, who triggered the transaction. But a man in the middle can still intercept a valid transaction and change the amount and the account! Neither the bank nor the user knows that something happened in between.

This is because there is no cryptographic link between the transaction data and the OTP.

OCRA: Linking transaction and TAN

The OATH Challenge-Response Algorithm (OCRA) can provide this missing link. OCRA is specified in RFC 6287.

Just like HOTP and TOTP – which you might know from the Google Authenticator – the OCRA algorithm is defined by the Initiative for Open Authentication (OATH). Basically OCRA is an enhanced HOTP algorithm.

The HOTP algorithm takes only one parameter, the “counter”, which is increased with each key press. In conjunction with the secret key a 6 or 8 digit one time password is calculated. The secret key represents the possession factor. Thus the one time password depends on the secret key and the parameter “counter”. (In case you like buzzwords like HMAC and SHA, take a look at RFC 4226.)

To cut a long story short, OCRA generalizes the “counter” and allows many more input parameters for roughly the same algorithm. I.e. you can also put the account number and the amount into the OCRA algorithm. This results in a one time password which depends on the secret key and the complete transaction data. If you or an attacker put other transaction data (input parameters) into the algorithm, this results in a different OTP value.

How can this be used for online banking?

The bank initially hands over the secret key to the user. The key can be contained in a hardware device or in a smartphone app. The bank knows the secret key of each user.

The user enters his transaction data on the banking website. The user also transfers the transaction data to his device (which contains the secret key). This transfer could be done manually or automatically using QR codes, the network or Bluetooth.

On the device the user verifies the correctness of the transaction data. Only then does he continue by generating the TAN on the device. He can now enter this TAN on the banking website. The transaction data and the TAN are sent to the bank.

As mentioned earlier, the TAN cryptographically depends on the transaction data. The bank can use the user’s secret key to calculate the TAN for the received transaction data itself. If the bank gets the same TAN, it knows that the user really intended to perform this transaction and that the transaction data was not modified by an attacker. Modified transaction data would result in a different TAN.

In this scenario each and every transaction issued by a bank customer is cryptographically secured. So it is more important to protect the secret key in the device than the online banking account itself, since there can be no transaction without the secret key.
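The flow above, worked through as an added example (this is not privacyIDEA's or the post's own code): a minimal OCRA implementation per RFC 6287, limited to the question (Q) and counter (C) DataInput fields, plus the device and bank sides of a transaction TAN. The suite string, the canonical "amount:account" encoding of the transaction data, the account numbers and the 20-byte demo key (the RFC 6287 SHA-1 test seed) are assumptions of this example; the bank and device must agree on the encoding exactly.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not privacyIDEA code: OCRA (RFC 6287) restricted to the Q and C fields.
_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def _question_bytes(question: str, fmt: str) -> bytes:
    """Encode the question as RFC 6287 does: N = decimal number as big-endian hex,
    A = ASCII bytes, H = hex string; then right-pad the hex string to 256 hex
    characters, i.e. 128 bytes."""
    if fmt == "N":
        q_hex = format(int(question, 10), "X")
    elif fmt == "A":
        q_hex = question.encode("ascii").hex().upper()
    elif fmt == "H":
        q_hex = question.upper()
    else:
        raise ValueError(f"unsupported question format Q{fmt}")
    if len(q_hex) > 256:
        raise ValueError("question longer than 128 bytes")
    return bytes.fromhex(q_hex.ljust(256, "0"))


def ocra(suite: str, key: bytes, question: str, counter: Optional[int] = None) -> str:
    """Compute the OCRA response for a suite such as OCRA-1:HOTP-SHA1-6:QN08."""
    _, crypto_function, data_input = suite.split(":")
    _, algo, digits_str = crypto_function.split("-")
    digits = int(digits_str)
    # DataInput = OCRASuite || 0x00 || [C] || Q || [P] || [S] || [T]
    message = suite.encode("ascii") + b"\x00"
    for field in data_input.split("-"):
        if field == "C":
            if counter is None:
                raise ValueError("suite requires a counter")
            message += counter.to_bytes(8, "big")
        elif field.startswith("Q"):
            message += _question_bytes(question, field[1])
        else:
            raise NotImplementedError(f"DataInput field {field} not handled in this example")
    digest = hmac.new(key, message, _HASHES[algo]).digest()
    # HOTP-style dynamic truncation (RFC 4226, section 5.3)
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed demo secret (the RFC 6287 SHA-1 test seed), not a real banking key.
DEMO_KEY = b"12345678901234567890"
TAN_SUITE = "OCRA-1:HOTP-SHA1-6:QA64"  # alphanumeric challenge of up to 64 characters


def transaction_challenge(amount_cents: int, account: str) -> str:
    """Canonical encoding of the transaction data (assumed; both sides must match)."""
    return f"{amount_cents}:{account}"


def device_tan(key: bytes, amount_cents: int, account: str) -> str:
    """What the user's device computes after the user confirmed the displayed data."""
    return ocra(TAN_SUITE, key, transaction_challenge(amount_cents, account))


def bank_accepts(key: bytes, amount_cents: int, account: str, tan: str) -> bool:
    """The bank recomputes the TAN from the data it received; a mismatch means
    either a wrong key (not the user) or transaction data modified in transit."""
    expected = ocra(TAN_SUITE, key, transaction_challenge(amount_cents, account))
    return hmac.compare_digest(expected, tan)


def tamper_demo() -> dict:
    """User confirms EUR 100.00 to 1234567890; malware rewrites amount or account."""
    tan = device_tan(DEMO_KEY, 10000, "1234567890")
    return {
        "genuine": bank_accepts(DEMO_KEY, 10000, "1234567890", tan),
        "amount_changed": bank_accepts(DEMO_KEY, 1000000, "1234567890", tan),
        "account_changed": bank_accepts(DEMO_KEY, 10000, "6666660000", tan),
    }


if __name__ == "__main__":
    # RFC 6287 Appendix C vector for OCRA-1:HOTP-SHA1-6:QN08 and question 00000000: 237653
    print(ocra("OCRA-1:HOTP-SHA1-6:QN08", DEMO_KEY, "00000000"))
    print(tamper_demo())
```

The numeric (QN) path is checked against the RFC 6287 test vectors, so the same routine then computes the alphanumeric transaction TAN. Note that the bank compares with a constant-time comparison, and that the TAN only protects what went into the challenge string: any field the user should be able to verify on the device must be part of it.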

privacyIDEA, OCRA and DisplayTAN

privacyIDEA has supported OCRA (the TiQR token) for quite a while. In the upcoming version 2.20 the OCRA mechanism has been enhanced so that it can be used with many different devices, especially the DisplayTAN card.

Banks do not need to program the key management for their web application on their own to support OCRA. They can use one single REST API call to privacyIDEA to add strong transaction security.

The DisplayTAN cards are attractive for customers, since they can be integrated into the banking card itself. This way the customer can have one card for all tasks.

Just ask us!


privacyIDEA 2.19.1 on Univention Corporate Server

The Enterprise Version 2.19.1 of privacyIDEA is now available on the Univention Corporate Server. With version 2.19.1 privacyIDEA is now available on Univention Corporate Server 4.2. Customers can easily upgrade from UCS 4.1 with privacyIDEA 2.18.1 to UCS 4.2 with privacyIDEA 2.19.1.

Besides the improvements in Univention Corporate Server 4.2, privacyIDEA 2.19.1 also comes with interesting improvements. These include the generic user cache, which can reduce the authentication time dramatically. Using policies the administrator can define which U2F devices may be registered and used by the users. A Token Janitor allows the administrator to find orphaned tokens and either disable or delete them. We already blogged about the complete list of new features in privacyIDEA 2.19.

Service Level Agreement and Subscription

privacyIDEA4UCS can be installed on the Univention Corporate Server quickly and easily via the Univention App Center. You can find further details on privacyIDEA4UCS on the product page and also get a test subscription. The normal service level agreement for privacyIDEA also entitles the customer to use privacyIDEA on the Univention Corporate Server.


NetKnights at IT Security Expo and Congress it-sa

This year NetKnights will be at the IT Security Expo and Congress “it-sa” together with the partners bytemine and Rempartec. it-sa takes place once a year in Nuremberg, Germany, in autumn. This year it is October 10th-12th 2017. During the last years up to 500 exhibitors presented new services and products in the field of IT security. it-sa attracts over 10,000 visitors every year.

News about NetKnights and privacyIDEA

Use this chance to also get all news about NetKnights and privacyIDEA first hand! Learn more about privacyIDEA Enterprise Edition, the privacyIDEA Appliance or the privacyIDEA LDAP-Proxy.

Visit us in Hall 10.1, stand 208 – right across from Cisco Systems – or arrange a personal appointment!


privacyIDEA Enterprise Edition and Appliance

The privacyIDEA Enterprise Edition comes with new services and its own Enterprise-Repository. This repository will contain Enterprise-Packages. These software packages will be released shortly after the main feature release as a stable bug-fix release. E.g. after the main release 2.19 an additional enterprise version 2.19.1 will be released.

The Enterprise-Repository will only contain version 2.19.1, not version 2.19. This way all software that can be installed from the Enterprise-Repository consists of stable enterprise releases. The customer can easily upgrade from one enterprise release to the next.

In addition the Enterprise-Repository also contains the new privacyIDEA appliance. We already blogged about it.

The Enterprise-Repository is available for Ubuntu 16.04 LTS.

How to use the Enterprise Repository

You need to create a file /etc/apt/sources.list.d/privacyidea-enterprise.list with the following contents:

deb https://yourname:yourpassword@lancelot.netknights.it/apt/stable xenial main

You as a customer will get your own credentials from NetKnights. Replace yourname and yourpassword with these credentials.

The software packages are signed. To verify the signature you need the public key:

wget https://lancelot.netknights.it/NetKnights-Release.asc

Verify the fingerprint (0940 4ABB EDB3 586D EDE4 AD22 00F7 0D62 AE25 0082) of the public key before adding it:

gpg --with-fingerprint NetKnights-Release.asc

Add the key to the keyring:

apt-key add NetKnights-Release.asc

Now you can update the package list and install the privacyIDEA Appliance:

apt update
apt install pi-appliance

Using the tool pi-manage you can create the first admin for the WebUI, create RADIUS clients and set up MySQL master-master replication.

Get your enterprise edition and your appliance!


Enhanced services for privacyIDEA Enterprise Edition

The Open Source multi factor authentication system privacyIDEA is used by many users. NetKnights provides consultancy and support in different subscription levels. Customers now receive more services with the privacyIDEA Enterprise Edition. These will be available by the end of June.

Additional, stable packages

With every release the privacyIDEA project releases installation packages for Ubuntu 14.04 LTS and 16.04 LTS on the Ubuntu Launchpad repository. NetKnights’ support customers will get additional access to an enterprise repository. Those packages will be available a few weeks after the release of the project packages. The enterprise packages contain fixes for bugs that may have surfaced after the official release. The enterprise repository allows customers to easily update to newer versions. Thus support customers can automatically update to the latest stable version.

The enterprise packages will be available for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and CentOS 7.

Appliance functionalities

Within the enterprise repository customers will also find a tool that provides several appliance functionalities. This way the administrator does not need to type any commands into the command line interface and does not need to edit any configuration files.

To allow for best robustness and avoid additional attack vectors, the appliance tool does without a web interface, a database and configuration file templates. This still allows the experienced administrator to edit configuration files directly.

The appliance-tool helps the administrator with the usual configuration tasks…

The privacyIDEA appliance-tool covers the following topics:

  • Base configuration of the privacyIDEA service as used in the file pi.cfg,
  • manage administrative realms,
  • manage local token administrators,
  • configuring the RADIUS server and especially the RADIUS clients,
  • configuring the master master replication of the MySQL server,
  • automatic time based backups,
  • manual backups and restore,
  • automatic time based Audit log rotation.

…like configuring RADIUS clients

Using the privacyIDEA appliance tool the administrator can quickly and reliably fulfil daily tasks.

…or define automatic time based backups.

What customers say

It’s not often that I find an open source package which is truly as well thought and polished as privacyIDEA.

John Whitten, Senior Systems Administrator, Network Manager

Support from NetKnights is very good. I received actionable responses in reasonable turnaround times accompanied by code examples and patches when necessary.

Kurt Bendl, Senior System Analyst

Get in touch

You want to stay up to date? Subscribe to our newsletter!

You want to take a look at privacyIDEA? Register for a test instance!

You want to know more? Get in touch!


privacyIDEA 2.19 – Performance, U2F and secure Smartphone Apps

Today we released privacyIDEA 2.19. Packages are available in the Launchpad repos for Ubuntu 14.04 LTS and 16.04 LTS. You can also install privacyIDEA on any Linux distribution using the Python Package Index.

New Features in privacyIDEA

Authentication performance

privacyIDEA 2.19 is up to 72% faster!

In tests in the lab privacyIDEA 2.19 shows improved performance. Authentication requests are up to 72% faster than in the previous version. This is also due to a new generic user cache. This user cache stores the link between login name and user object in the local SQL database. Thus time consuming requests to the original user store like LDAP servers or Active Directory become obsolete.

Filter U2F devices for the users

Using policies the administrator can define which type of U2F device the user is allowed to register. In further policies the administrator can also define which U2F types the users can use to authenticate at certain applications. This way the usage of certain U2F devices can be denied in your company, or devices from specific vendors can be required for login to sensitive systems.

Secure smartphone apps with privacyIDEA

The classical smartphone app enrollment comes with several problems, which privacyIDEA 2.19 can solve.

In a previous blog post we already pointed out the limitations of the usual smartphone enrollment with the Google Authenticator. As a company or large organization you want to keep control over the enrollment processes of your users. Thus in version 2.19 of privacyIDEA a better rollout possibility was added. The smartphone and the privacyIDEA server perform a mutual key generation: both create a component, and the secret key is generated from both components. This prevents easy copying of the QR codes.

Read more details in the privacyIDEA Blog.

More functions

Version 2.19 comes with further detail improvements like using the IP address or the browser user agent in the event handler framework. The date and time format was consolidated. Now the complete ISO date with timezone is saved to the database. This greatly eases working across timezones in international setups.

You may want to take a look at the complete Changelog.

Enterprise Edition and Consultancy

NetKnights provides consulting and support with the privacyIDEA Enterprise Edition. Using Open Source you optimize your total cost of ownership, as there are no external limitations which dictate how long you may use the software. With the privacyIDEA Enterprise Edition including an SLA you get a warranty and thus operational safety.


You want to stay tuned? Please subscribe to our newsletter!

You want to test the system yourself? Register for a test instance!

You want to know more? Get in touch!


Multi Factor Authentication with privacyIDEA at ownCloud X Event

On May 23rd ownCloud introduces ownCloud X to its customers. ownCloud invites you to the release event in Cologne. NetKnights will be there, too, and present how you can easily add two factor authentication with privacyIDEA via the new ownCloud Marketplace. This is a great way to protect your data with a centrally managed multi factor authentication system.

Cornelius Kölbel will give a talk with some first impressions of the possibilities of such a central multi factor solution for your company’s employees. In the meeting area we will have a demo point with such a two factor authentication at ownCloud X against privacyIDEA. You can come, ask and try it yourself. Several different devices like Yubikeys, U2F devices, OTP tokens, smartphones or Smartdisplayer cards can be used for authentication.

We are looking forward to your visit.

Register now!


privacyIDEA 2.18.1 on RHEL7 / CentOS7

As of today privacyIDEA 2.18.1 is available for RHEL7 and CentOS7 via our package repository. Packaging privacyIDEA for CentOS 7 is a special service for our enterprise customers, to ease updates and bug fixes.

Existing customers can easily update to version 2.18.1. We introduced the changelog of privacyIDEA 2.18.1 earlier.

Update to privacyIDEA 2.18.1

You may need to clear or recreate the yum cache if yum does not find the latest version:

yum makecache

Then you can run the update:

yum update

After the update please ensure that MySQL/MariaDB and httpd are restarted:

service mariadb restart
service httpd restart

privacyIDEA 2.18 – authentication and trust

Today privacyIDEA 2.18 was released. Packages are available in the Launchpad repository for Ubuntu 14.04 LTS and 16.04 LTS. Using the Python Package Index privacyIDEA can be installed on any distribution.

privacyIDEA manages certificate authorities

The flexible Open Source multi-factor authentication system privacyIDEA comes with new features in regards to certificate authorities. In addition to OTP tokens, smartphones, email and SMS tokens, Yubikeys and Nitrokeys, privacyIDEA has improved its capabilities for managing certificate tokens. The administrator can use a setup wizard to set up a local CA more easily. If a certificate token is revoked, the CRL is created automatically. Using certificate templates it is easier for administrators and users to enroll the type of certificate that suits best.

You can get more information from the privacyIDEA blog.


Further Enhancements

privacyIDEA 2.18 comes with a lot of further enhancements which will ease the work with your privacyIDEA installation. You should definitely take a look at the complete Changelog.

If your users are located in an LDAP directory you should check the settings of your LDAP resolver. The new version of privacyIDEA relies on a new version of the Python ldap3 module, and privacyIDEA can now easily check the validity of the LDAP server certificate, thus mitigating the risk of man-in-the-middle attacks.

Enterprise Edition

NetKnights provides consulting and support with the privacyIDEA Enterprise Edition. Using Open Source you optimize your total cost of ownership, as there are no external limitations which dictate how long you may use the software. With the privacyIDEA Enterprise Edition including an SLA you get a warranty and thus operational safety.


Two factor authentication everywhere with privacyIDEA LDAP-Proxy

There are different approaches to securing the login process of an application with two factor authentication.

Two-Factor-Authentication via standard protocols and plugins

With privacyIDEA we use standard protocols like RADIUS and SAML. If the application you need to protect supports RADIUS or SAML, the validation of the second factor can be performed by the privacyIDEA RADIUS server or by privacyIDEA acting as a SAML Identity Provider. In this case you only need to change the configuration of the application, not the application itself.

Other applications provide an authentication framework where the authentication can be extended using plugins. For such scenarios many different plugins are available to connect the application to the privacyIDEA Authentication Server. As of now a long list of plugins is already available for applications like TYPO3, ownCloud, Nextcloud, WordPress, DokuWiki, Django, OTRS, Apache, NGINX, PAM/OpenVPN and also for authenticating at the Windows desktop.

But some applications do not support RADIUS or SAML and also do not provide an authentication framework to add 2FA via a plugin. Sometimes there is simply not enough time to develop a plugin in the corresponding programming language.

privacyIDEA LDAP-Proxy

To also provide strong authentication for those applications and authenticate the users with two factors against privacyIDEA, we developed the privacyIDEA LDAP-Proxy.

The privacyIDEA LDAP-Proxy can be used if the application authenticates its users against an LDAP server like OpenLDAP or Microsoft Active Directory. The privacyIDEA LDAP-Proxy is plugged in between the application and the original LDAP server. The application is reconfigured to no longer use the LDAP server for authentication, but to authenticate users against the LDAP-Proxy. Now the privacyIDEA LDAP-Proxy can authenticate the users by verifying the authentication against the privacyIDEA server, and use the original LDAP server only to fetch user data.

The two factor authentication is totally transparent for the user and for the application.

The advantage for the IT department is obvious: The original LDAP server is not touched or modified. The program code of the application is not modified or extended. The application is only reconfigured within the limits of the intended possibilities and supported scenarios. To the application the LDAP-Proxy looks like a normal LDAP server. Thus you will not lose any warranty or support from the vendor of the application.

In contrast to two factor solutions which are solely based on OpenLDAP, the privacyIDEA LDAP-Proxy has one big advantage: it will work with any kind of original LDAP server, be it OpenLDAP, Microsoft Active Directory or Samba.

Example Scenario

In our example scenario we look at the login to SuiteCRM. SuiteCRM is an Open Source Customer Relationship Management solution. There are no two factor plugins for SuiteCRM. But SuiteCRM authenticates its users against LDAP. So we will configure SuiteCRM to authenticate the users against the privacyIDEA LDAP-Proxy to add transparent two factor authentication to SuiteCRM.

We could also look at any other application which authenticates users against an LDAP server. But SuiteCRM suits us well. We install SuiteCRM on the Univention Corporate Server. The installation of the application works like a charm; SuiteCRM is nicely configured against the Univention Corporate Server domain controller – the original LDAP server. This is just to have the test scenario up and running in a few minutes.

We can install the privacyIDEA Authentication Server on any Linux distribution, or we can also install the privacyIDEA server on the Univention Corporate Server. privacyIDEA is also contained in the Univention App Center and can be installed on the UCS within a few minutes. Then privacyIDEA is set up against the users in the Univention LDAP server automatically, and the administrator only needs to enroll or assign tokens like Yubikeys, OTP tokens or smartphone apps to the users.

SuiteCRM will be configured so that it does not connect to the UCS LDAP server but to the privacyIDEA LDAP-Proxy.

If needed several of the components can be installed on one single system.

Integration

Installing and configuring the LDAP-Proxy

The privacyIDEA LDAP-Proxy is currently available via Github in a beta version. It is developed in Python on top of Twisted. Thus there are many different ways to deploy it. All necessary configuration is done once in a configuration file.

The administrator needs to specify where the original (UCS) LDAP server and the privacyIDEA instance are located. In the SuiteCRM setup an additional LDAP service account is needed, which the administrator also adds to the configuration file.

For more detailed information see the file README.md.

To start the LDAP proxy run

twistd -n ldap-proxy -c config.ini

In a production environment you would start the LDAP proxy automatically as a service via systemd. The configuration file config.ini can be stored at the location of your choice. The file example-proxy.ini contains a lot of comments which explain all possible configuration settings.

The configuration file

The administrator needs to adapt the following configuration settings:

The parameter instance in the section privacyidea determines where the LDAP proxy can contact the privacyIDEA Authentication Server.

The administrator needs to define the connection to the original LDAP server in the section ldap-backend, including IP address or FQDN and the protocol, being LDAP, LDAPS or LDAP+STARTTLS.

The parameter endpoint in the ldap-proxy section also contains the information on which port the original LDAP server is listening.

Finally the administrator needs to configure the LDAP attribute which contains the login name. This is done using the parameter attribute in the section user-mapping.

The service account allows common LDAP searches

Simple applications, which only verify the user with a user bind, do not need any additional settings. However, SuiteCRM uses an additional service account for common LDAP searches. The administrator needs to add this service account in the section ldap-proxy with the parameter passthrough-binds and in the section service-account.

Configure SuiteCRM

In SuiteCRM the administrator only needs to reconfigure the LDAP server. Go to the Admin menu, which can be reached in the upper right corner.

Choose Password Management.

Here you can configure the LDAP server. Enter the FQDN or IP address of the new LDAP proxy.

Done.

Conclusion

The SuiteCRM user is now authenticated via the LDAP proxy against privacyIDEA. The complete password entry is sent to privacyIDEA for validation. The user has to enter his static password (probably the LDAP password) followed by the OTP value. Thus you can also do smooth migrations, since this looks the same to the user.
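To make the bind routing of the configuration section and this conclusion concrete, here is an added example (not the privacyIDEA LDAP-Proxy's own code): one function that handles an LDAP simple bind the way the post describes, with a DN set standing in for passthrough-binds and a string standing in for the user-mapping attribute. The DNs, user names, passwords, the OTP value and the two "back end" functions that replace the real LDAP server and the real privacyIDEA /validate/check call are constructed for this example so that it runs offline.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Added example, not LDAP-Proxy code. Constructed settings mirroring the two
# configuration parameters named in the post.
PASSTHROUGH_BINDS: Set[str] = {"uid=suitecrm-svc,cn=users,dc=example,dc=test"}
USER_MAPPING_ATTRIBUTE = "uid"


@dataclass
class BindResult:
    route: str      # "backend" for a service account, "privacyidea" for a user
    success: bool


def login_name_from_dn(dn: str, attribute: str) -> str:
    """Pick the login name out of the bind DN: the value of the first RDN whose
    attribute type equals the configured user-mapping attribute."""
    for rdn in dn.split(","):
        name, _, value = rdn.strip().partition("=")
        if name.lower() == attribute.lower():
            return value
    raise ValueError(f"no {attribute}= RDN in {dn!r}")


def handle_bind(dn: str, password: str,
                backend_bind: Callable[[str, str], bool],
                privacyidea_check: Callable[[str, str], bool]) -> BindResult:
    """Route one LDAP simple bind: DNs listed in passthrough-binds go to the
    original LDAP server unchanged; every other bind becomes a privacyIDEA
    validation of the mapped login name and the complete password entry."""
    if dn in PASSTHROUGH_BINDS:
        return BindResult("backend", backend_bind(dn, password))
    user = login_name_from_dn(dn, USER_MAPPING_ATTRIBUTE)
    # The password field is forwarded exactly as entered: static password + OTP.
    return BindResult("privacyidea", privacyidea_check(user, password))


# Constructed stand-ins for the two real back ends (original LDAP server,
# privacyIDEA server) so the block runs offline; values are made up.
_BACKEND_PASSWORDS: Dict[str, str] = {
    "uid=suitecrm-svc,cn=users,dc=example,dc=test": "svc-secret",
}
_STATIC_PASSWORDS: Dict[str, str] = {"alice": "ldap-pw"}
_CURRENT_OTP: Dict[str, str] = {"alice": "482913"}  # a real OTP changes per use


def fake_backend_bind(dn: str, password: str) -> bool:
    stored = _BACKEND_PASSWORDS.get(dn)
    return stored is not None and hmac.compare_digest(stored, password)


def fake_privacyidea_check(user: str, password: str) -> bool:
    """Mimics a validation where the static password is followed by the OTP:
    both parts must match, and a bind without the OTP part fails."""
    static = _STATIC_PASSWORDS.get(user)
    otp = _CURRENT_OTP.get(user)
    if static is None or otp is None or len(password) != len(static) + len(otp):
        return False
    return (hmac.compare_digest(password[:len(static)], static)
            and hmac.compare_digest(password[len(static):], otp))


def demo() -> Dict[str, BindResult]:
    svc = "uid=suitecrm-svc,cn=users,dc=example,dc=test"
    alice = "uid=alice,cn=users,dc=example,dc=test"
    return {
        "service_account": handle_bind(svc, "svc-secret", fake_backend_bind, fake_privacyidea_check),
        "user_with_otp": handle_bind(alice, "ldap-pw482913", fake_backend_bind, fake_privacyidea_check),
        "user_without_otp": handle_bind(alice, "ldap-pw", fake_backend_bind, fake_privacyidea_check),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: route={result.route} success={result.success}")
```

The point to take from the demo is the third case: once the proxy is in place, a bind with only the old LDAP password no longer succeeds for a normal user, while the search-only service account keeps working because it is listed in passthrough-binds. Whatever the application sends in the password field reaches privacyIDEA unchanged, which is why the migration looks the same to the user.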

Which device (2nd factor) the user has to use for authentication is defined completely centrally by privacyIDEA. The administrator can also assign different device types to the users. Some users can authenticate with Yubikeys, others with OTP tokens or OTP cards, some with a smartphone app like the Google Authenticator, and some users may get their login code via SMS or email.

We will continue developing the LDAP-Proxy and are looking forward to any feedback. If you want to stay updated, watch the Github repository or subscribe to our newsletter.