Question about "offline" application

Hi everybody…

First time user, evaluating PrivacyIDEA… Most things come nicely.

I have one question about the “offline” application … Maybe I don’t get it right yet.
Can I use this with HOTP tokens in order to allow pam logins even when privacyidea server is down?
What I did is this:
I assigned a specific server and offline app to one hotp token and then I successfully logged (using privacyidea_pam.py through ssh). Afterwards I stopped apache and tried to login again. But I cannot login. ‘Connection refused’ and pam fails.

I am interested to cover login availability in case of not available privacyIDEA server and thought this “offline” application is for that!

Thank you…

Welcome and thank you for your interest in privacyIDEA.

One Time Password authentication is an authentication method that is based on a symmetric secret key. The authentication device (yubikey, smartphone app, keyfob) and the server backend both have the same (symmetric) key to calculate the OTP value and to verify the OTP value.

And here starts the problem with offline authentication.
To take the short cut:

Management summary

Offline authentication in privacyIDEA is not ment to be used, for some moment when the privacyIDEA server is down. (For this you set up a redundant privacyIDEA system). But it is ment for the situation where your notebook is not connected to the network.
So if you really want to use SSH (which means systems have a network connection!) do not use offline authentication!

This is the long story - in case you want to use a desktop login with your notebook, which in certain moments have no network connection:

The bigger picture

As mentioned, the OTP algorithm (HOTP, RFC 4226) is based on a symmetric key. Usual authentication works this way, that your authentication device calculates the OTP value based on HOTP(secretKey, counter), an HMAC function based on the secret key and the counter.

The OTP value is sent to the authentication server, which knows the last counter and also calculates the OTP value in the same manner and compares, if they are matching. If not, it tries the next counter, and the next and the next (up to 10 times, configurable).

So if your authentication system is not available - or better: if the notebook is offline, someone or something has to calculate the OTP value, to check if the OTP value, that the user entered (from his authentication device or his smartphone app) is correct.
This is what the privacyIDEA PAM module can do, without contacting privacyIDEA.

Which death do you want to die?

Now there are basically two possibilities:

  1. the authentication server can distribute the secret key to the notebook into the PAM module, so that the PAM module can use this secret key, to verify the OTP values. If your notebook is stolen or lost, consider the secret key to not be secret anymore.
    2.the authentication server can precalculate a list of OTP values and pass this list to the notebook. The secret key is contained in the authentication server. If the notebook gest stolen, only a certain amount of OTP values are compromised. But if you are offline longer, than the OTP-list, then you will not be able to authenticate anymore.

In both cases there are other challenges:

  • Imagine only your notebook is offline. You are authenticating with OTP value 37. An attacker observes the OTP value 37 and uses this OTP value to login to your company VPN, which authenticates against the authentication server. I.e. with offline you need to assure, that the token or OTP values, that are used for offline authentication can not be used online - because the online authentication server can not know, if this OTP value is used or compromized.

  • Imagine you have an account, that you can use on many different company notebooks, which can go offline. Do you want to distribute the secret key to all notebooks? Or a list to all notebooks? Then you again have the same problem. The attacker can observe OTP value A on notebook A to use this valid OTP value to login to notebook B.

You see there are a lot of issues to deal with when trying to do offline authentication. (Honestly, if you really need offline authentication, because your notebook has no network connection, I recommend using smartcards, which do assymmetric cryptography an do not bear the problem of compromizing a secret key.)

How privacyIDEA does it

Anyways, privacyIDEA implemented it this way, that you need to define, which OTP token can be used by which user on which machine. If a user authenticates from this machine with this very OTP token, privacyIDEA will precalculate an OTP list and pass this list to the notebook. At the same time, privacyIDEA will “mark” the token as being offline, assuring that the OTP values, that were passed to the notebook can not be used for online authentication.

This way we have avoided:

  • online replay attacks with already offline used OTP values
  • compromizing of secret keys, which might otherwise be cumbersome with preseeded hardware tokens.

Still a user with an assigned notebook can use this very notebook with this very token to also login in the tunnel or at Mount Baker, where you absolutely have no cell coverage.

I hope this helped to understand the idea of offline authentication.
Please ask any question, if there is anything left unclear.
We might use this one day to improve our documentation (http://privacyidea.readthedocs.io/en/latest/machines/index.html?highlight=offline#offline) which honestly is shorter than my post :wink:

Kind regards
Cornelius

1 Like

Wow! @cornelinux that was such a detailed answer, thank you so much! :slight_smile:
Indeed this should go to the docs!

While I did my tests of offline application on ssh logins for the time being (as I wrote in my 1st message), this was a test and I am thinking if possible to use this to all logins (ideally even to init 1 / single-user mode without network connectivity). Exactly, as a laptop, as you wrote: useful when the laptop does not have permanent network connectivity (even with PrivacyIDEA server up).

What I did is:

  1. attach a HOTP token not only to a user, but also to a specific machine.
  2. first did one typical 2-fa login (while having network connectivity).
  3. then I “broke” connectivity for testing and tried to login again but failed.

So you suggest that the above 3 steps should work?

Indeed I was using ssh in the test, but I think (correct me if I am wrong) that since ssh also fires up the same exact pam.d rules, ssh can work too.
In that case maybe I am doing something wrong in step 1 above (when attaching token to a machine).

Thank you.

This should work. The question is, what you want to achieve…

Good to know, so I will investigate why this isn’t working yet.

On your question: I was thinking some reasonable ways to improve overall security on a workstation or server, like:

  1. add grub password (no otp of course here)
  2. add bios password (no otp of course here)
  3. have OTP requested even on single-user mode (without network connectivity)
  4. have OTP on ssh connections (done)

(no. 3 above).

Thank you very much again for your great work.