PyCon 2014

Advanced authentication systems for Python applications

Ying Li

Presentation

Video

Transcript

Excerpt of the automatic transcript of the video generated by YouTube.

Hello everyone, and welcome to the third session in our security track. I am happy to present Ying Li, who will be talking to us about multi-factor authentication and possession factors. Big hand for Ying Li.

So hi, my name is Ying. I work at Rackspace, not on authentication, but thank you all for coming despite that. I know this talk is supposed to be about multi-factor authentication; I'm actually going to go slightly off script, and instead I'm just going to tell you a story about two people named Alice and Bob.

Bob is a gamer. He really likes playing games, so he built his own MMO called World of Bobcraft. It became incredibly popular, so much so that in-game items and gold became worth real money on the open market, so stealing accounts became a very profitable business. One day Alice, a long-time elite player with lots of high-level items and gold, reports that all her gear and items had been liquidated and her gold stolen by someone who hijacked her account. Bob has to spend all day verifying her story and restoring her accounts and possessions. Every day more and more players start reporting their accounts stolen. Bob spends all of his time restoring accounts rather than making new content, which makes Bob sad.

He reads about how companies like GitHub, Google, Facebook and Blizzard added two-factor authentication to their services to increase account security. This seems to involve asking for two things on login instead of one, so Bob adds a second password requirement to the World of Bobcraft login. Account thefts continue, and Bob continues being sad. Why? What did Bob do wrong?

Well, multi-factor authentication doesn't mean just asking for any two things on login. It requires at least two different factors, which are: something you know, such as a password or PIN; something you have, such as an ATM card, phone or RSA token; and something you are, meaning something inherent to you, such as your fingerprints or your retinal pattern. Two of the same factor, like Bob's two required passwords, don't count. The reason they don't count is that using multiple passwords is like putting a secret, let's say the account data you want to protect, inside of a box, which represents a password. And so the point of this completely legitimate and legal fair use of copyrighted material is that layers of boxes do not protect against an attacker who can open even a single box, because they can do the same to all the boxes. For instance, a keylogger will steal any number of passwords as easily as it will steal one, without any further cost to the attacker.

Multi-factor auth is like placing a security guard in front of your box. An attacker has to be able to both get around the security guard and open the box. Even if they've stolen the key to the box from you, your password in this analogy, they don't automatically get past the security guard without having to do more work. Each type of factor has a different set of vulnerabilities or weaknesses that an attacker like this can use to break in. It's important to consider what this attacker is going to do and how your defenses will prevent that, rather than just throwing up defenses willy-nilly without them actually doing anything.

For instance, some attacks against password authentication include man-in-the-middle attacks, where an attacker sits between Alice and Bob and pretends he's Bob to Alice and pretends he's Alice to Bob, and reads and perhaps modifies traffic that Alice was sending to Bob or vice versa. Password authentication is also vulnerable to phishing attacks, where an attacker tries to trick Alice into giving her password; keylogging attacks, where an attacker logs all the keystrokes on Alice's machine; and replay, where an attacker may not be able to read traffic, but he can copy traffic from Alice to Bob without being able to understand or modify it and replay the traffic back to Bob at a later point while pretending to be Alice.

Possession factors are also vulnerable to man-in-the-middle attacks, and they can be physically stolen, and then the attacker would be in possession of Alice's possession factor. Various types of possession factors also have their own weaknesses, but these are the general attacks against all possession factors, without going into specifics. Biometric factors like fingerprints can also be stolen: people leave them everywhere, so an attacker can easily obtain them. Since fingerprints don't change, the credentials can never be revoked, and they're vulnerable to replay attacks.

But this talk is just going to discuss two-factor authentication, 2FA if you ever see this acronym, using knowledge and possession factors, because this is currently the most common combination. When two factors are combined, the attacks against two-factor auth are the intersection of the attacks against one factor and the attacks against the other, so an attack that works only against one factor is insufficient

[ ... ]

Note: the other 2,443 words of the full transcript have been omitted to comply with YouTube's "fair use" rules.
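The knowledge-plus-possession login the talk describes, written as an added Python example (it is not code from the talk, from Rackspace or from any of the services mentioned): the password is the knowledge factor, a phone-generated one-time code (RFC 6238 TOTP, the scheme behind the phone-app 2FA of services like Google and GitHub) is the possession factor, and neither a keylogged password alone nor a replayed code gets an attacker in. The `Account` class, the fixed salt and the password strings are constructed sample values; the TOTP secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time-step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of STEP-second slots since the epoch."""
    return hotp(secret, unix_time // STEP, digits)


class Account:
    """Bob's server-side record for one player (constructed sample data, not the talk's code)."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-fixed-salt"  # a real deployment draws a random salt per account
        self.pw_hash = self._hash(password)     # knowledge factor, stored only as a slow hash
        self.totp_secret = totp_secret          # possession factor: shared with the phone app at enrolment
        self.last_step = -1                     # highest time-step already accepted (replay guard)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def matching_step(self, code: str, unix_time: int):
        """Return the time-step whose code matches, allowing one step of clock skew, else None."""
        now = unix_time // STEP
        for step in (now - 1, now, now + 1):
            if hmac.compare_digest(hotp(self.totp_secret, step), code):
                return step
        return None

    def login(self, password: str, code: str, unix_time: int) -> bool:
        """Both factors are always evaluated, and the answer does not say which one failed."""
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        step = self.matching_step(code, unix_time)
        # A code is single-use: a step at or below the last accepted one is a replay.
        if not pw_ok or step is None or step <= self.last_step:
            return False
        self.last_step = step
        return True
```

A keylogger that captures the password and the code still only has a code that expires with its time-step and is rejected once used, which is the "intersection of attacks" the talk describes in miniature.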