Exploiting Token-Based Authentication: Attacking and Defending Identities in the 2020s.


Token-based authentication has been out there for over twenty years now. It enabled authenticating to Service Providers (SPs) without sending them usernames and passwords over the network. Token-based authentication is based on trust in an Identity Provider (IdP), which creates tokens to be consumed by SPs.

Technically, the trust is implemented using cryptography. The tokens are either signed or encrypted using symmetric or asymmetric cryptography or a combination of them.

There are at least two techniques to exploit token-based authentication: stealing tokens (aka token replay) and forging tokens. MITRE has categorised these attacks as T1134/001 and T1606, respectively. Regardless of the technical implementation of the token-based authentication (Kerberos, SAML, OAuth, etc.), the latter requires getting access to the cryptographic secrets used to sign or encrypt the tokens.
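As an added illustration of the SP-side checks that distinguish these two attacks (constructed for this page, not code from the talk), the following minimal HMAC-signed token format shows a Service Provider rejecting a token signed with a key other than the IdP's, a token issued for a different SP, an expired token, and a replay of a token it has already accepted. The key, claim names and the in-memory replay cache are assumptions for the demo; in the asymmetric case the signature check would use the IdP's public key instead of the shared secret.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key shared between the IdP and the SP (symmetric case).
SECRET = b"demo-idp-signing-key"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject, audience, key=SECRET, ttl=300, now=None, jti=None):
    """IdP side: sign a claim set for one audience with a short lifetime."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl,
              "jti": jti or secrets.token_hex(16)}   # unique id for replay detection
    body = b64(json.dumps(claims, sort_keys=True).encode())
    sig = b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

class ServiceProvider:
    """SP side: verify signature, audience, lifetime and single use."""
    def __init__(self, audience, key=SECRET):
        self.audience, self.key = audience, key
        self.seen = set()   # jti values already accepted (replay cache)

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            return "malformed"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            return "bad signature"   # forged or tampered token: signer lacked the key
        claims = json.loads(unb64(body))
        if claims.get("aud") != self.audience:
            return "wrong audience"  # valid token, but issued for another SP
        if now > claims["exp"]:
            return "expired"         # lifetime limits how long a stolen token is useful
        if claims["jti"] in self.seen:
            return "replayed"        # same token presented a second time
        self.seen.add(claims["jti"])
        return "ok"
```

Short lifetimes and a replay cache bound the damage of a stolen token, while a forged token fails at the signature check unless the attacker has obtained the IdP's signing secret.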

In this demo-packed session, I will cover both token-based authentication attack techniques. First, you will learn how adversaries conduct token-replay attacks and how to protect against them. Second, you will learn how adversaries forge tokens to impersonate users, how to detect the exploitation, and how to prevent it.

Although the attack techniques are provider-agnostic, I will use Microsoft on-prem and cloud identity platforms for live demos.

About the Speaker