The Fenrir Project: Fixing Authentication and Transport protocols

Presented at Still Hacking Anyway (SHA2017), Aug. 8, 2017, 12:20 p.m. (60 minutes)

TLS can be limiting, OAuth is a (somewhat working) mess. What would happen if we redesigned things from scratch? Fenrir is a federated protocol built with both heavy security and high flexibility in mind, with lots of new and interesting security properties. #NetworkSecurity Fenrir started as a master Thesis in network and security. It is a new formally verified, federated, token-based authentication protocol, that spans multiple OSI layers and does not require clock synchronization. The main objective of this protocol is the simplification of the application security, from the perspective of both the end user and the developer. The protocol design forces a strict decoupling of the application and its user, handshake and token management, thus simplifying the application development. The user only needs to login once, as subsequent authentications are handled with only a confirmation. The formal verification of the protocol assures the safety of the user data from attacks ranging from replays, forgery and up to a compromised authentication server, which will not be able to impersonate its users on services where the user has logged in at least once. The token based nature of the protocol lets it work without any clock synchronization. Different authorization levels can be attached to each token, so that an application can be forced by the protocol to work with a limited authorization, without relying on it self-limiting. Finally, the from-scratch approach of the protocol grants both compatibility with the existing infrastructure and support for previously complex data transport modes, with support for multiple streams, each either ordered or unordered, reliable or unreliable, with datastream or datagram delivery, unicast or multicast.

Presenters:

• Luca Fulchir
  Sysadmin, programmer, specialized in network and protocol security. Currently working on Fenrir, a new secure federated authentication and authorization protocol.

Links:

• https://program.sha2017.org/events/150.html

Similar Presentations:

• Black Hat USA 2022 / Automatic Protocol Reverse Engineering
• DEF CON 24 (2016) / Light-Weight Protocol! Serious Equipment! Critical Implications!
• ShmooCon XIII (2017) / (In-)secure messaging with SCIMP and OMEMO