Bypass 2FA, Stealing Private Keys presented at rootcon 2017

by Maxwell Koh

Summary: The "knowledge factor" (using passwords for authentication) will never be enough for security. We need a second layer of defense, a "possession factor", more commonly called Two-Factor Authentication, hence the term "2FA". In fact, many organizations now plan to adopt password-free login for their systems, completely replacing password-based authentication with key-based authentication, which they believe is more secure because only the key owner is capable of logging in. However, the truth is far from this expectation. Although 2FA creates a formidable barrier against potential security breaches, it doesn't guarantee much security at all, especially when the private key protection behind it is inefficacious and often futile. In that sense, we can say that the effectiveness of 2FA depends on how well a user protects "something only the user has". What if there are ways to steal someone's private keys without performing social engineering? In this talk, I'll introduce and demonstrate techniques to bypass Two-Factor Authentication. I'll show you, with real-life cases, how an attacker steals server/client certificates and obtains the private keys, and I'll present the impact of the aftermath. I will also introduce my tool (2FAssassin) to exploit the vulnerabilities in the affected software that were responsible for enabling private key extraction. I'll also show how the system, or possibly even the entire network, can be compromised once the private keys have been stolen. Nevertheless, I will end the talk by giving recommendations for protecting private keys from being stolen, as well as what to do in the worst-case scenario.