DOCSLIB.ORG

Rumble Network Discovery User Guide V2.6.4

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Rumble Network Discovery User Guide V2.6.4 RumblE NEtwork DiscovEry UsEr GuiDE v2.6.4 UpDatED on 2021°09°22 Copyright © RumblE, Inc. 2019°2021 RumblE UsEr GuiDE ContEnts UsEr GuiDE ContEnts CrEating an account Activating your account Changing your passworD UpDating your profilE picturE Organizations anD sitEs Organizations CrEating organizations SitEs Installing an ExplorEr Installation SystEm rEquirEmEnts WEb scrEEnshots Configuration NEtwork communication REmoving an ExplorEr Log managEmEnt REstart an ExplorEr CErtificatE AuthoritiEs (CAs) Manual moDE StoragE locations ContainEr installations AutomatED installations Managing ExplorErs ViEwing all ExplorErs ScrEEnshot capabilitiEs SEarching for ExplorErs ExplorEr actions Bulk managEmEnt opErations ViEwing ExplorEr DEtails UpgraDing npcap Installing on a RaspbErry Pi What you’ll nEED ConnEcting to your RaspbErry Pi via SSH NExt stEps AutomatED MSI DEploymEnts Binary DownloaDs Installing sElf-hostED RumblE REquirEmEnts OfflinE moDE 1 RumblE UsEr GuiDE Installation stEps OfflinE installation RumblE upDatEs Managing usErs CLI sErvicE managEmEnt CLI upDatE managEmEnt CLI upDatE with offlinE moDE CLI usEr managEmEnt CLI organization managEmEnt ADvancED configuration PErmissions RumblE binary vErification Binary DownloaDs Managing your tEam SinglE sign-on SSO Multi-factor authEntication (MFA) Global rolEs SEtting up AzurE AD SSO REquirEmEnts StEp 1Ã ADD anD configurE RumblE as an AzurE app StEp 2Ã DownloaD thE SSO configuration mEtaData StEp 3Ã SEt up AzurE AD SSO in RumblE StEp 4Ã ADD usErs to thE RumblE app in AzurE SEtting up Okta SSO REquirEmEnts StEp 1Ã ADD anD configurE RumblE as an Okta app StEp 2Ã SEt up SSO in RumblE StEp 3Ã ADD usErs to thE RumblE App in Okta DiscovEring assEts TargEt sitE DiscovEry ExplorEr DiscovEry scopE Scan namE SchEDulE Scan spEED SchEDulE gracE pErioD ADvancED scan options TCP ports SEt prEscan moDEs for largE IP spacEs Managing tasks Using thE invEntory UnDErstanDing assEts AssEt fiElDs Exporting assEt Data Data rEtEntion 2 RumblE UsEr GuiDE StalE assEt Expiration OfflinE assEt Expiration Scan Data Expiration Exporting HP iLO Data How to Export HP iLO CSV Data in RumblE EntErprisE HP iLO CSV Export Data Enriching scans with EC2 FinD ExplorErs with EC2 EnrichmEnt capabilitiEs ADD pErmissions to DEscribE instancEs AttributEs RumblE gEts from thE EC2 API ViEwing covEragE rEports RFC1918 covEragE rEport SEarch quEry syntax BoolEan opErators WilDcarD anD fuzzy sEarchEs Empty valuEs AssEt anD sErvicE invEntory sEarchEs SEarch quEriEs AssEt sEarch kEyworDs SErvicE sEarch kEyworDs WirElEss sEarch kEyworDs Organization sEarch kEyworDs SitE sEarch kEyworDs QuEry library sEarch kEyworDs CrEDEntial sEarch kEyworDs Automating quEriEs Turn on automatic sEarch quEriEs Managing alErts Using thE rulEs EnginE KEy concEpts CrEatE a rulE CrEating alErt tEmplatEs TEmplatE builDing basics ObjEcts anD fiElDs rEfErEncE ExamplE: AlErt whEn scan complEtEs Data typE accEptED by Each channEl Managing tEmplatEs Managing licEnsEs How Do I viEw my licEnsE? WhEn DoEs my ProfEssional or EntErprisE subscription ExpirE? How Do I rEnEw my ProfEssional subscription? How Do I rEnEw my EntErprisE plan? How Do I convErt to thE StartEr EDition? How Do I finD my invoicEs? How Do I changE or cancEl my subscription? 3 RumblE UsEr GuiDE Using thE scannEr StartEr EDition limits PErformancE & scopE Automatic wEb scrEEnshots RumblE scannEr commanDs anD options Scan outputs Raw Scan Data SErvicENow CMDB BEforE you bEgin SEt up an ETL import Things to know about RumblE Export Data UsEful links Splunk SEarch GEt thE RumblE aDD-on for Splunk AssEt sync moDEs CrowDStrikE Falcon GEtting StartED REquirEmEnts StEp 1Ã ConfigurE CrowDStrikE to allow API accEss to RumblE StEp 2Ã ADD thE CrowDStrikE crEDEntials to RumblE StEp 3Ã SEt up anD activatE thE CrowDStrikE connEction to sync Data StEp 4Ã ViEw CrowDStrikE assEts AzurE Virtual MachinEs GEtting StartED REquirEmEnts StEp 1Ã ConfigurE AzurE to allow API accEss through RumblE. StEp 2Ã ADD thE AzurE crEDEntial to RumblE. StEp 3Ã SEt up anD activatE thE AzurE VM connEction to sync Data StEp 4Ã ViEw AzurE assEts Amazon EC2 GEtting StartED REquirEmEnts StEp 1Ã ConfigurE AWS to allow API accEss through RumblE StEp 2Ã ADD thE AWS crEDEntial to RumblE StEp 3Ã SEt up anD activatE thE AWS EC2 connEction to sync Data StEp 4Ã ViEw AWS assEts MiraDorE MDM GEtting StartED REquirEmEnts StEp 1Ã CrEatE a MiraDorE API kEy. StEp 2Ã ADD thE MiraDorE API kEy to RumblE. StEp 3Ã SEt up anD activatE thE MiraDorE MDM connEction to sync Data StEp 4Ã ViEw MiraDorE assEts LEvEraging thE API Data formats 4 RumblE UsEr GuiDE Formats Scan Data AssEt Data ChangE rEports FrEquEntly AskED QuEstions Why arE thErE so many iDEntical assEts in my invEntory? How Do I run RumblE without crashing my routEr? How Do I scan VMwarE virtual machinEs without crashing thE host? Why DiDn’t thE RumblE ExplorEr capturE scrEEnshots? What protocols DoEs RumblE scan for? What ports DoEs RumblE scan? RumblE rElEasE notEs LatEst rElEasE notEs OlDEr platform rElEasE notEs Platform rElEasE notEs OlDEr ExplorEr rElEasE notEs ExplorEr rElEasE notEs (agEnts) OlDEr scannEr rElEasE notEs ScannEr rElEasE notEs 5 RumblE UsEr GuiDE CrEating an account To gEt startED, you’ll nEED to sign up for a RumblE account. RumblE offErs thrEE EDitions: startEr, profEssional, anD EntErprisE. ChoosE thE EDition that works for you. ProfEssional account: This is grEat for miD-sizE anD largEr companiEs, as wEll as consultants, who nEED to scan morE than 256 assEts. You’ll nEED a businEss Email to sign up. Sign up for a profEssional account StartEr account: This is grEat for pErsonal or small businEss usE, if you havE lEss than 256 assEts. You can usE a businEss or pErsonal Email to sign up. Sign up for a startEr account Activating your account AftEr you sign up for an account, wE’ll Email you a link to activatE your account. If you Don’t sEE an Email from us, chEck your spam folDEr. OpEn thE link in thE Email to go to thE Activation pagE. Follow thE instructions on thE pagE to activatE your account. You’ll nEED to proviDE your namE, sEt up a passworD, spEcify your location, anD accEpt our privacy policy anD tErms of sErvicE. AftEr activating your account, you’ll bE takEn DirEctly to thE RumblE ConsolE. Your nEw account has aDministrativE accEss, so you will bE ablE to managE sitEs, organizations, usErs, anD ExplorErs. If you havE any troublE crEating your account, plEasE contact support. Changing your passworD To changE your passworD, go to your account sEttings. You’ll nEED to proviDE your currEnt passworD bEforE you can EntEr a nEw onE. All passworDs must contain: At lEast 8 charactErs At lEast 1 uppErcasE charactEr At lEast 1 lowErcasE charactEr At lEast 1 numbEr 6 RumblE UsEr GuiDE UpDating your profilE picturE UsEr profilE imagEs arE managED through Gravatar anD associatED with your Email aDDrEss. If you Don’t havE an account, sign up for onE. 7 RumblE UsEr GuiDE Organizations anD sitEs RumblE usEs thE concEpt of organizations anD sitEs to managE information within your account. Organizations An organization rEprEsEnts a Distinct Entity; this can bE your businEss, a spEcific DEpartmEnt within your businEss, or onE of your customErs. All actions, tasks, ExplorErs, scans, anD othEr objEcts managED by RumblE arE tiED to spEcific organizations anD isolatED from Each othEr. Your activE organization can bE switchED by using thE DropDown sElEct fiElD on thE top right of thE RumblE ConsolE. CrEating organizations Organizations can bE crEatED, moDifiED, anD DEactivatED by going to thE organizations sEction within thE consolE. Click thE Organizations button unDEr Global SEttings on thE lEft-hanD siDEbar. SitEs EvEry organization has at lEast onE sitE, but may also havE multiplE sitEs. A sitE rEprEsEnts a Distinct nEtwork sEgmEnt, usually DEfinED by aDDrEssing, or accEssibility. All analysis actions within RumblE occur at thE sitE lEvEl. This allows for multiplE sitEs to usE thE samE RFC1918 spacE, somEthing common in rEtail, whilE still bEing possiblE to DiffErEntiatE thEir assEts within thE InvEntory. For flat nEtworks, a singlE sitE is usually Enough, but complicatED, sprawling, anD highly-sEgmEntED EnvironmEnts bEnEfit from thE usE of SitEs. SitEs can also bE tiED to spEcific ExplorErs, which can hElp limit traffic bEtwEEn low- banDwiDth sEgmEnts. ThE sitE configuration allows a DEfault scan scopE to bE DEfinED, along with an optional list of ExcluDED scan scopEs. ThEsE fiElDs sEt thE DEfaults for futurE scans of this SitE. By DEfault, your account incluDEs a singlE organization, which itsElf contains a singlE sitE, namED Primary. ThE DEfault sitE cannot bE rEmovED, but it can bE rEnamED anD havE its assEts pErmanEntly DElEtED as nEcEssary. 8 RumblE UsEr GuiDE 9 RumblE UsEr GuiDE Installing an ExplorEr RumblE rEquirEs thE usE of at lEast onE ExplorEr within your EnvironmEnt to EnablE nEtwork DiscovEry. ThE ExplorEr shoulD bE installED on a systEm with rEliablE connEctivity to thE nEtwork you want to DiscovEr. For intErnal nEtworks, RumblE works bEst whEn installED on a systEm with a wirED (vs wirElEss) connEction. For ExtErnal nEtwork DiscovEry, nEarly any clouD proviDEr with a rEliablE connEction shoulD Do. If thE RumblE ExplorEr is installED in a containEr or virtualizED systEm, EnsurE that it has DirEct accEss to thE nEtwork (host nEtworking in DockEr, briDgED nEtworking in VMwarE, Etc). Installation To install thE RumblE ExplorEr, log in to thE RumblE ConsolE anD switch to thE Organization that shoulD bE associatED with thE ExplorEr. ThE ExplorEr DownloaD link is spEcific to your activE Organization anD using thE wrong link can rEsult a nEw ExplorEr bEing associatED with thE wrong organization. DownloaD thE corrEct binary for your systEm from thE ExplorEr DownloaD pagE. For most systEms, sElEct thE 64-bit (x86_64 architEcturE. For EmbEDDED DEvicEs, such as thE RaspbErry Pi 3Ú, choosE thE ARM7 architEcturE. WinDows binariEs arE signED with a valiD AuthEnticoDE signaturE, which shoulD bE valiDatED bEforE thE ExEcutablE is launchED. ThE ExplorEr installation procEss rEquirEs aDministrativE privilEgEs.
Load more

Recommended publications
  • Move Beyond Passwords Index
    Move Beyond Passwords Index The quest to move beyond passwords 4 Evaluation of current authentication method 6 Getting started with passwordless authentication 8 Early results to going passwordless 9 Common approaches to going passwordless 11 Email magic links 11 Factor sequencing 12 Webauthn 14 Planning for a passwordless future 16 Move Beyond Passwords 2 Introduction Traditional authentication using a username and password has been the foundation of digital identity and security for over 50 years. But with the ever-growing number of user accounts, there are a number of new issues: the burden on end users to remember multiple passwords, support costs, and most importantly, the security risks posed by compromised credentials. These new challenges are now outweighing the usefulness of passwords. The case for eliminating passwords from the authentication experience is getting more compelling every day. Emerging passwordless security standards, elevated consumer and consumer-like experience expectations, and ballooning costs have moved eliminating passwords from a theoretical concept to a real possibility. In this whitepaper, we will explore the case for going passwordless for both customer and employee authentication, and map out steps that organizations can take on their journey to true passwordless authentication. Move Beyond Passwords 3 The quest to move beyond passwords Understanding the need for passwordless authentication starts with understanding the challenges presented by passwords. The core challenges with passwords can be broken down into the following areas: Poor Account Security Passwords have spawned a whole category of security/identity-driven attacks — compromised passwords due to credential breaches, phishing, password spraying attacks, or poor password hygiene can result in account takeover attacks (ATO).
    [Show full text]
  • Cybersecurity in a Digital Era.Pdf
    Digital McKinsey and Global Risk Practice Cybersecurity in a Digital Era June 2020 Introduction Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environ- ment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments. CISOs and their partners in business and IT functions have had to think through how to protect increasingly valuable digital assets, how to assess threats related to an increasingly fraught geopolitical environment, how to meet increasingly stringent customer and regulatory expectations and how to navigate disruptions to existing cybersecurity models as companies adopt agile development and cloud computing. We believe there are five areas for CIOs, CISOs, CROs and other business leaders to address in particular: 1. Get a strategy in place that will activate the organization. Even more than in the past cybersecurity is a business issue – and cybersecurity effectiveness means action not only from the CISO organiza- tion, but also from application development, infrastructure, product development, customer care, finance, human resources, procurement and risk. A successful cybersecurity strategy supports the business, highlights the actions required from across the enterprise – and perhaps most importantly captures the imagination of the executive in how it can manage risk and also enable business innovation. 2. Create granular, analytic risk management capabilities. There will always be more vulnerabilities to address and more protections you can consider than you will have capacity to implement. Even companies with large and increasing cybersecurity budgets face constraints in how much change the organization can absorb.
    [Show full text]
  • Implementing a Web Application for W3C Webauthn Protocol Testing †
    proceedings Proceedings Implementing a Web Application for W3C WebAuthn Protocol Testing † Martiño Rivera Dourado 1,* , Marcos Gestal 1,2 and José M. Vázquez-Naya 1,2 1 Grupo RNASA-IMEDIR, Departamento de Computación, Facultade de Informática, Universidade da Coruña, Elviña, 15071 A Coruña, Spain; [email protected] (M.G.); [email protected] (J.M.V.-N.) 2 Centro de Investigación CITIC, Universidade da Coruña, Elviña, 15071 A Coruña, Spain * Correspondence: [email protected] † Presented at the 3rd XoveTIC Conference, A Coruña, Spain, 8–9 October 2020. Published: 18 August 2020 Abstract: During the last few years, the FIDO Alliance and the W3C have been working on a new standard called WebAuthn that aims to substitute the obsolete password as an authentication method by using physical security keys instead. Due to its recent design, the standard is still changing and so are the needs for protocol testing. This research has driven the development of a web application that supports the standard and gives extensive information to the user. This tool can be used by WebAuthn developers and researchers, helping them to debug concrete use cases with no need for an ad hoc implementation. Keywords: WebAuthn; authentication; testing 1. Introduction Authentication is one of the most critical parts of an application. It is a security service that aims to guarantee the authenticity of an identity. This can be done by using several security mechanisms but currently, without a doubt, the most common is the username and password method. Although this method is easy for a user to conceptually understand, it constitutes many security problems.
    [Show full text]
  • 8 Steps for Effectively Deploying
    8 Steps for Effectively Deploying MFA Table of Contents The value of MFA 3 1. Educate your users 4 2. Consider your MFA policies 5 3. Plan and provide for a variety of access needs 7 4. Think twice about using SMS for OTP 10 5. Check compliance requirements carefully 11 6. Plan for lost devices 12 7. Plan to deploy MFA to remote workers 14 8. Phase your deployment: Be prepared to review and revise 16 8 Steps for Effectively Deploying MFA 2 The value of MFA Multi-factor authentication (MFA) has never been more important. With the growing number of data breaches and cybersecurity threats—and the steep financial and reputational costs that come with them—organizations need to prioritize MFA deployment for their workforce and customers alike. Not doing so could spell disaster; an invitation for bad actors to compromise accounts and breach your systems. Adopting modern MFA means implementing a secure, simple, and context-aware solution that ensures that only the right people have access to the right resources. It adds a layer of security, giving your security team, your employees, and your customers peace of mind. Unfortunately, while the benefits are clear, implementing MFA can be a complex project. In our Multi-factor Authentication Deployment Guide, we’ve outlined eight steps that you can take to better enable your MFA deployment: Educate your users Consider your MFA policies Plan and provide for a variety of access needs Think twice about using SMS for OTP Check compliance requirements carefully Plan for lost devices Plan to deploy MFA to remote workers Phase your deployment: be prepared to review and revise In this eBook, we’ll take a deeper dive into each of these elements, giving you tactical advice and best practices for how to implement each step as you get ready to roll out Okta MFA.
    [Show full text]
  • Mfaproxy: a Reverse Proxy for Multi-Factor Authentication
    Iowa State University Capstones, Theses and Creative Components Dissertations Fall 2019 MFAProxy: A reverse proxy for multi-factor authentication Alan Schmitz Follow this and additional works at: https://lib.dr.iastate.edu/creativecomponents Part of the Digital Communications and Networking Commons Recommended Citation Schmitz, Alan, "MFAProxy: A reverse proxy for multi-factor authentication" (2019). Creative Components. 425. https://lib.dr.iastate.edu/creativecomponents/425 This Creative Component is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Creative Components by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. MFAProxy: A reverse proxy for multi-factor authentication by Alan Schmitz A Creative Component submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Information Assurance Program of Study Committee: Doug Jacobson, Major Professor The student author, whose presentation of the scholarship herein was approved by the program of study committee, is solely responsible for the content of this Creative Component. The Graduate College will ensure this Creative Component is globally accessible and will not permit alterations after a degree is conferred. Iowa State University Ames, Iowa 2019 Copyright c Alan Schmitz, 2019. All rights reserved. ii TABLE OF CONTENTS Page LIST OF FIGURES . iii ABSTRACT . iv CHAPTER 1. INTRODUCTION . .1 CHAPTER 2. BACKGROUND . .3 2.1 Passwords and PINs . .3 2.2 Short Message Service . .4 2.3 One-Time Passwords . .5 2.4 U2F and WebAuthn .
    [Show full text]
  • Strong Authentication Based on Mobile Application
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Helsingin yliopiston digitaalinen arkisto STRONG AUTHENTICATION BASED ON MOBILE APPLICATION Helsingin yliopisto Faculty of Science Department of Computer Science Master's thesis Spring 2020 Harri Salminen Supervisor: Valtteri Niemi Tiedekunta - Fakultet - Faculty Osasto - Avdelning - Department Faculty of Science The Department of Computer Science Tekijä - Författare - Author Harri Salminen Työn nimi - Arbetets titel Title STRONG AUTHENTICATION BASED ON MOBILE APPLICATION Oppiaine - Läroämne – Subject Computer Science Työn laji/ Ohjaaja - Arbetets art/Handledare - Aika - Datum - Month and Sivumäärä - Sidoantal - Number of Level/Instructor year pages Master's thesis / Valtteri Niemi June, 2020 58 Tiivistelmä - Referat - Abstract The user authentication in online services has evolved over time from the old username and password-based approaches to current strong authentication methodologies. Especially, the smartphone app has become one of the most important forms to perform the authentication. This thesis describes various authentication methods used previously and discusses about possible factors that generated the demand for the current strong authentication approach. We present the concepts and architectures of mobile application based authentication systems. Furthermore, we take closer look into the security of the mobile application based authentication approach. Mobile apps have various attack vectors that need to be taken under consideration when designing an authentication system. Fortunately, various generic software protection mechanisms have been developed during the last decades. We discuss how these mechanisms can be utilized in mobile app environment and in the authentication context. The main idea of this thesis is to gather relevant information about the authentication history and to be able to build a view of strong authentication evolution.
    [Show full text]
  • HTML5 Cheatsheet 2019
    CHEAT SHEET HTML5 WEB DEVELOPMENT Created by @Manz ( https://twitter.com/Manz ) https://lenguajehtml.com/ S HTML Syntax Tag structure C Comment Syntax Dev annotations S Social metadata For social networks HTML TAG/ATTRIBUTE SYNTAX HTML COMMENT SYNTAX FACEBOOK OPEN GRAPH <tag attribute="value"> content </tag> <!-- text without effects on webpage --> <meta> metadata tag for open graph property metadata type open graph D Document tags HTML main structure H Head tags Header & document metadata content metadata value open graph MAIN TAGS RELATIONS REQUIRED METADATA PROPERTIES <!DOCTYPE html> HTML5 document <link> document relation og:title title of your object <html> document content root tag href link to related document og:type type of your object <head> metadata header related docs hreflang code doc language en, es... music video article book <body> page content visible content type mime hint type for browser profile website title set title to stylesheet set og:image image url for preview G Global Attributes for all elements sizes hint size for favicon 64x64, 96x96 og:url canonical & absolute url DOM / STYLE ATTRIBUTES rel relation type with other document OPTIONAL METADATA PROPERTIES id element identifier unique per page BASIC RELATION og:audio complementary audio url class element class multiple per page alternate link to alternate version og:description 1-2 sentence descr. slot element slot reference to <slot> author link to author URL og:determiner word auto, the, a, an, ... style inline CSS styles css properties help link to help URL
    [Show full text]
  • EL PASSO: Efficient and Lightweight Privacy-Preserving Single Sign On
    Proceedings on Privacy Enhancing Technologies ; 2021 (2):70–87 Zhiyi Zhang, Michał Król, Alberto Sonnino, Lixia Zhang, and Etienne Rivière EL PASSO: Efficient and Lightweight Privacy-preserving Single Sign On Abstract: Anonymous credentials are a solid founda- 1 Introduction tion for privacy-preserving Single Sign-On (SSO). They enable unlinkable authentication across domains and al- Single Sign-On (SSO) is an answer to the complexity low users to prove their identity without revealing more and fragility of using individual passwords on the web, than necessary. Unfortunately, anonymous credentials i.e., leading to reuse and leaks [1]. SSO enables the use schemes remain difficult to use and complex to deploy. of a unique identity provided by an Identity Provider They require installation and use of complex software at (IdP). Users authenticate themselves to services (called the user side, suffer from poor performance, and do not Relying Parties–RP) with tokens provided by their IdP. support security features that are now common, such SSO improves overall web security [2] and enables the as two-factor authentication, secret recovery, or sup- generalization of good security practices such as the use port for multiple devices. In contrast, Open ID Con- of 2-factor authentication (2FA) [3]. nect (OIDC), the de facto standard for SSO is widely deployed and used despite its lack of concern for users’ Limitations of OpenID Connect. OpenID Connect privacy. We present EL PASSO, a privacy-preserving (OIDC) is a dominant SSO solution used by over a mil- SSO system based on anonymous credentials that does lion websites in 2020 [4].
    [Show full text]
  • Zero-Knowledge User Authentication: an Old Idea Whose Time Has Come
    Zero-Knowledge User Authentication: An Old Idea Whose Time Has Come Laurent Chuat, Sarah Plocher, and Adrian Perrig ETH Zurich Abstract User authentication can rely on various factors (e.g., a pass- word, a cryptographic key, and/or biometric data) but should not re- veal any secret information held by the user. This seemingly paradoxical feat can be achieved through zero-knowledge proofs. Unfortunately, naive password-based approaches still prevail on the web. Multi-factor authen- tication schemes address some of the weaknesses of the traditional login process, but generally have deployability issues or degrade usability even further as they assume users do not possess adequate hardware. This as- sumption no longer holds: smartphones with biometric sensors, cameras, short-range communication capabilities, and unlimited data plans have become ubiquitous. In this paper, we show that, assuming the user has such a device, both security and usability can be drastically improved using an augmented password-authenticated key agreement (PAKE) pro- tocol and message authentication codes. 1 Introduction User authentication still typically involves transmitting a plaintext password to the web server, which is problematic for many reasons. First, an attacker could obtain the user’s password using malware, a keystroke logger, phishing, or a man-in-the-middle attack. Second, the user might be using the same password on different websites, allowing a malicious server operator to impersonate the user. Third, if the website’s database is breached, although passwords may be protected by a hash function, a brute-force attack could reveal low-entropy pass- words. Fourth, as password-reuse and low-entropy passwords are problematic, users are constantly advised to pick new, long, complicated passwords.
    [Show full text]
  • Privacy-Preserving Messaging Formal Verification
    NEXt generation Techno-social Legal Encryption Access and Privacy nextleap.eu Grant No. 688722. Project started 2016-01-01. Duration 36 months. DELIVERABLE D4.3 PRIVACY PRESERVING MESSAGING FORMAL MODELLING Karthikeyan Bhargavan, Bruno Blanchet, Iness Ben Guirat, Harry Halpin, Benjamin Lipp, Nadim Kobeissi (INRIA) Beneficiaries: INRIA (lead) Workpackage:4 Description: Models of messaging protocols from WP2 with respect to a number of possible primitives for properties related to decentralization,privacy, security, and anonymity. Version: 1.0 Nature: Report (R) Dissemination level: Public (PU) Pages: 107 Date: 2018-12-31 Project co-funded by the European Commission within the Horizon 2020 Programme. D4.2 NEXTLEAP Grant No. 688722 Contents Executive Summary 3 1 Introduction 4 2 W3C Web Authentication (Authentication) 5 3 Signal Protocol (Synchronous Messaging) 22 4 Noise (Network-level Encryption) 58 5 Wireguard (VPN) 83 2 D4.2 NEXTLEAP Grant No. 688722 Executive Summary In this deliverable, we present the results of formally verifying various protocols relevant to privacy-preserving messaging. In general, we verify their security properties, although consideration is taken if possible on privacy and anonymity although these two latter properties are hard to verify with the current toolset. We focus on ProVerif, veriying under the Dolev-Yao symbolic model in order to discover if a protocol is secure, and we also present some new work using CryptoVerif, which creates computational proofs. We detail the verificaton of the W3C Web Authentication
    [Show full text]
  • The Webauthn Standard: Why It Should Matter to the Public Sector and How It Works Executive Summary
    WEBAUTHN WHITE PAPER SERIES: MAY 2020 The WebAuthn Standard: Why It Should Matter to the Public Sector and How It Works Executive Summary This paper is the second in a series of WebAuthn whitepapers published by Yubico. For an introduction to WebAuthn and why it is both more secure and easier to use, see the first paper, Introducing WebAuthn: Enabling a Streamlined and More Secure User Authentication Experience. Most websites, services, and applications have difficulty providing secure, convenient authentication for users. Passwords are the problem. They tend to be either so simple they are easily guessed by hackers or so complex they are hard for users to remember. And all passwords, regardless of their complexity, are vulnerable to phishing and data breaches. Fortunately, WebAuthn, a new web authentication standard approved in March 2019 by the World Wide Web Consortium (W3C), makes it easy for websites, services, and applications to offer strong authenti- cation without relying on passwords. By replacing passwords with strong authentication based on public key cryptography, in which the private key never leaves the user’s device, WebAuthn makes authentication both easier to use and more secure, benefitting users and service providers alike. The WebAuthn standard is already supported by all major browsers and most platforms including: ● Windows 10 ● Android ● Google Chrome ● Mozilla Firefox ● Microsoft Edge ● Apple Safari ● Apple iOS WebAuthn supports various models for account authentication, leveraging both external roaming authenticators, such as hardware security keys, and authenticators built into computing and mobile devices, such as fingerprint readers and facial recognition technology. Applications and web services can choose to implement WebAuthn for passwordless authentication, two-factor authentication (2FA), and multi-factor authentication (MFA).
    [Show full text]
  • UCAN — Coding Earth Berlin:Remote April 2020
    AUTHORIZING USERS WITHOUT A BACKEND …AND UCAN TOO � AUTHORIZING USERS WITHOUT A BACKEND BROOKLYN ZELENKA, @expede AUTHORIZING USERS WITHOUT A BACKEND BROOKLYN ZELENKA, @expede • Cofounder/CTO at Fission • https://fission.codes • PLT & VMs • Previously an Ethereum Core Dev • EIPs 615, 902, 1066, 1444 • ECIP 1050 • VanFP, Code & Cofee YVR • Witchcraft, Algae, Exceptional, & others WE HAVE STICKERS! WE HAVE STICKERS! PING ME AND WE’LL MAIL SOME SOME BACKGROUND CONTEXT SOME BACKGROUND CONTEXT WHAT SET OF PROBLEMS IS FISSION SOLVING? SOME BACKGROUND CONTEXT SHIPPING A WEB APP IN 2020 IS TOO HARD! Backends DevOps • Multi-tenant • Expensive & complex • Increasingly sharded • Very much its specialty • Highly concurrent • We’re close to peak Kubernetes • Data leaks everywhere � • ACL complexity & GDPR SOME BACKGROUND CONTEXT SHIPPING A WEB APP IN 2020 IS TOO HARD! Backends DevOps • Multi-tenant • Expensive & complex • Increasingly sharded • Very much its specialty • Highly concurrent • We’re close to peak Kubernetes • Data leaks everywhere � • ACL complexity & GDPR SOME BACKGROUND CONTEXT FRONTEND IS EATING THE BACKEND � � • Frontend is never going away • Browsers keep getting more powerful (e.g. WebAssembly, WebAuthN) • Trend to more granular edge — Cloudflare Workers / Fastly Edge Cloud • Empower front end devs / full stack web apps for the 20’s and beyond � LAMP CONTAINERS SERVERLESS WEB NATIVE ☁λ � SOME BACKGROUND CONTEXT CONSTRAINTS SOME BACKGROUND CONTEXT CONSTRAINTS • Everything for a modern web app directly in the browser • Vanilla browsers
    [Show full text]