Understanding the Role of Smart Cards for Strong Authentication in Network Systems
Bryan Ichikawa, Deloitte Advisory


Slide 1: Understanding the Role of Smart Cards for Strong Authentication in Network Systems

Bryan Ichikawa, Deloitte Advisory

Slide 2: Overview

• This session will discuss the state of authentication today, identify some of the main vulnerabilities that exist, and introduce options to consider for strengthening authentication. This session will also look at technologies that support multi-factor authentication, talk about FIDO and how this specification brings a change to the world of online authentication, and discuss how smart card technology can be highly effective and how it is already being used in many places today.

Slide 3: Agenda

• What is authentication?
• Vulnerabilities
• Strengthening authentication
• Identifiers vs. authentication
• Multi-factor authentication
• FIDO
• Smart cards as authenticators
• Authentication futures

Slide 4: Authentication – What is it?

In information technology, logical access controls are tools and protocols used for identification, authentication, authorization, and accountability in computer information systems. Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system.

• I want to define and differentiate between plain old logical access and electronic authentication. Logical access is simply logging into a network, system, or application. E-authentication is YOU logging into a network, system, or application.
• In the physical access world, most systems allow the card to gain access, and allow whatever carbon life form is attached to that card to tag along.
• The question is, how do you establish confidence that the carbon life form attached to that access request is the one you think it is?

Slide 5: Vulnerabilities – the business drivers

• More and more transactions in our business and personal lives are being conducted online
• The connected universe is a target-rich environment for “bad actors”
• It is the collective responsibility of organizations and individuals alike to protect personal and sensitive data
• Userid/passwords as the primary authentication mechanism are not sufficient
• Many of today’s identifiers provide little or no identity assurance
• Criminal sophistication is increasing at an exponential rate (it is amazing what the devious mind can conjure)

A first line of defense is to elevate the security for how we gain access to online resources.

Slide 6: How does logical access control work?

• Initial registration / application
• (Optional) Identity proofing
• Establish an “identity” that the online system can uniquely recognize (e.g., userid)
• Establish a secret that only both parties know (e.g., password)
• Off you go…. but…
  • How do you know you are logging into the right place?
  • How do they know it is you?
  • How do you prevent someone else from hijacking your account?
  • ….. ???

Slide 7: Identifiers vs. authentication

• Identifiers by themselves simply identify an entity of sorts
  • There is no identity assurance necessarily associated here
• Authentication is measurable – assurance is the measuring stick
• A level of assurance can be established commensurate with the sensitivity of the information or transaction conducted

Slide 8: Tokens – What are they?

• In plain English, a token is a secret that comes in a variety of formats. The format of the token has a direct relationship to its strength. For example, a simple password is a very weak token, one that could be easily cracked. A cryptographically protected smart card, on the other hand, is a very strong token.
• The following slides describe the different types of tokens

From NIST Special Publication 800-63-2*: Token – Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity.

* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

Slide 9: What are tokens?

• Tokens contain secrets:
  • Shared secrets
  • Public key cryptography
• The classic paradigm for authentication identifies three factors as the fundamentals for authentication:
  • Something you know
  • Something you have
  • Something you are
• But not all factors are secrets. For example:
  • KBA (something you know)
  • Biometrics (something you are)
  • Therefore, not all factors can be considered tokens

Slide 10: Factors

• Use of a single factor is referred to as “single factor authentication”
• Combining more than one factor is referred to as “multi-factor authentication”
• But…
  • Combining multiple single factors (same factor types) is multiple single factor, NOT multi-factor

Slide 11: Something you know

• Typically these are User ID / Password combinations
• Sometimes only User IDs
• Sometimes only PIN/Password
• Finger patterns (drawing a “Z” on screen)

Slide 12: Something you have

• Hardware Token Device
• Phone (smart or not)
• PKI Certificates
• Smart Cards
• Grid Cards

Slide 13: OTP – One Time Pad (Historic)

• OTP – From “One Time Pad”, a cryptographic ciphering technique using pads of paper where the top sheet of keying material was torn off after using it one time
• Today, OTP refers to One Time Password

One Time Pad Example

Slide 15: OTP protocol as 2nd factor

• User login with User ID / Password (1st factor)
• System asks for OTP token
• User queries device* and gets token
• User enters token into system (2nd factor)
• System allows access

* OTP tokens can be delivered in many ways, including SMS text, emails, voice messages, computer-based applications, smartphone applications, and hardware devices.

OTP tokens are also called verification codes, security codes, passwords, login codes, multi-factor authentication secrets, etc.
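The five-step exchange above in working code, as an added example that is not part of the deck: an RFC 4226 HOTP device plays the user's second factor and a server checks the password first, then the one-time code. The seed is the RFC 4226 test-vector secret, the password is a constructed value, and the look-ahead window and replay handling are assumptions about how a reasonable verifier behaves.

```python
"""HOTP (RFC 4226) as the 2nd factor: the server and the device share a seed,
so only a short code crosses the wire and the seed itself is never sent."""
import hashlib
import hmac
import struct

DIGITS = 6
LOOK_AHEAD = 5  # how far the verifier resynchronizes a device that ran ahead

# Constructed sample seed: the RFC 4226 test-vector secret, not a real credential.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpDevice:
    """The user's 'something you have': holds the seed and its own counter."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._seed, self._counter)
        self._counter += 1
        return code


class Verifier:
    """Server side: checks the 1st factor, then asks for and validates the OTP."""

    def __init__(self, password: str, seed: bytes):
        self._password = password
        self._seed = seed
        self._counter = 0  # next counter value the server is willing to accept

    def first_factor(self, password: str) -> bool:
        return hmac.compare_digest(password, self._password)

    def second_factor(self, code: str) -> bool:
        # Only counters at or above the server's own are tried, so a code that
        # was already accepted (a replay) fails even though it is well formed.
        for c in range(self._counter, self._counter + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(self._seed, c), code):
                self._counter = c + 1
                return True
        return False


def login(verifier: Verifier, password: str, code: str) -> bool:
    """Steps 1-5 of the slide: password, then OTP; access only if both pass."""
    return verifier.first_factor(password) and verifier.second_factor(code)
```

A device that has generated more codes than the look-ahead window allows falls out of sync and its codes are rejected until it is re-enrolled, which is the trade-off between usability and limiting an attacker's guessing space.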

Slide 16: Something you are

• Biometrics:
  • Fingerprint
  • Face
  • Voice
  • Iris
• Other biometrics modalities are out there, but the above four are the predominant types in use today

Slide 17: Token types

• Memorized Secret Token (Password)
• Pre-registered Knowledge Token (Favorite Color)
• Look-up Secret Token (Grid Card)
• Out of Band Token (SMS OTP)
• Single Factor One-time Password Device (OTP Device)
• Single Factor Cryptographic Device (Transport Layer Security Hardware)
• Multi-factor Software Cryptographic Token (Soft Cert)
• Multi-factor One-time Password Device (Multi-factor OTP)
• Multi-factor Cryptographic Device (Smart Card)

Slide 18: Token types

• Memorized Secret Token:
  • A secret shared between the Subscriber and the CSP. Memorized Secret Tokens are typically character strings (e.g., passwords and passphrases) or numerical strings (e.g., PINs). Memorized secret tokens are something you know.
• Pre-registered Knowledge Token:
  • A series of responses to a set of prompts or challenges. These responses may be thought of as a set of shared secrets. The set of prompts and responses are established by the Subscriber and CSP during the registration process. Pre-registered Knowledge Tokens are something you know.
• Look-up Secret Token:
  • A physical or electronic token that stores a set of secrets shared between the claimant and the CSP. The claimant uses the token to look up the appropriate secret(s) needed to respond to a prompt from the verifier (the token input). For example, a specific subset of the numeric or character strings printed on a card in table format. Look-up secret tokens are something you have.

Slide 19: Token types

• Out of Band Token:
  • A physical token that is uniquely addressable and can receive a verifier-selected secret for one-time use. The device is possessed and controlled by the claimant and supports private communication over a channel that is separate from the primary channel for e-authentication. Out of Band Tokens are something you have.
• Single Factor One-time Password Device:
  • A hardware device that supports the spontaneous generation of one-time passwords. This device has an embedded secret that is used as the seed for generation of one-time passwords and does not require activation through a second factor. Single Factor OTP devices are something you have.
• Single Factor Cryptographic Device:
  • A hardware device that performs cryptographic operations on input provided to the device. This device does not require activation through a second factor of authentication. This device uses embedded symmetric or asymmetric cryptographic keys. Single Factor Cryptographic Devices are something you have.

Slide 20: Token types

• Multi-factor Software Cryptographic Token:
  • A cryptographic key is stored on disk or some other “soft” media and requires activation through a second factor of authentication. The token authenticator is highly dependent on the specific cryptographic protocol, but it is generally some type of signed message. The multi-factor software cryptographic token is something you have (plus something you know/are).
• Multi-factor One-time Password Device:
  • A hardware device that generates one-time passwords for use in authentication and which requires activation through a second factor of authentication. The second factor of authentication may be achieved through some kind of integral entry pad, biometric reader or a direct computer interface (e.g., USB port). The multi-factor OTP device is something you have (plus something you know/are).
• Multi-factor Cryptographic Device:
  • A hardware device that contains a protected cryptographic key that requires activation through a second authentication factor. The multi-factor Cryptographic device is something you have (plus something you know/are).

Slide 21: Other authentication methods

• OOBA – Out Of Band Authentication:
  • The use of two separate networks to perform authentication
  • Can be OTP, smartphone app that confirms query, biometrics, but typical OOBA apps do not cross over attributes or artifacts*
• Step-up Authentication:
  • System asks for an additional factor when a security threshold has been crossed

* OOBA – Typically, a user tries to log in on a computer and the OOBA app on the smart phone asks the user if the login attempt is authorized. The user says yes, and the login takes place on the computer. The authentication protocol on the phone does not interact with the computer login attempt.

Slide 22: Credentials and Credential Service Providers (CSP)

• Credentials are tokens that are bound to an identity
• Identity proofing becomes an integral element of credential issuance
• Credentials are issued and maintained by Credential Service Providers (CSP)
• Credentials are associated with a Level of Assurance (LOA); therefore all credentials are not created equal!

Slide 23: Relying parties

• Relying parties are those organizations that “consume” credentials.
• Some relying parties issue their own credentials, others simply trust credentials issued by other CSPs.

If a relying party wants to trust a credential issued by a CSP other than themselves, how do they know how trustworthy that credential is?

Slide 24: Registration and assurance

• Identity Proofing – proving you are who you claim to be
• In-person Proofing:
  • Present one or two forms of government issued id
  • Usually has a picture on it, plus relevant personal information (DOB, address, etc.)
  • Perform address or telephone verification
• Remote Proofing:
  • Submit valid government ID
  • Submit financial or utility account numbers

Identity proofing is the activity that binds an identity to a token to create a credential. There are 4 defined levels of assurance.

Slide 25: NIST SP 800-63-2

• NIST Special Publication 800-63-2:
  • Electronic Authentication Guideline
  • Released August 2013
  • 800-63-2 supplements OMB guidance, E-Authentication Guidance for Federal Agencies [OMB M-04-04*]: specifically, it provides guidelines for implementing step 3 of the e-authentication process (next slide)

800-63-2 provides technical guidelines to agencies to allow an individual to remotely authenticate their identity to a Federal IT system. These guidelines address traditional methods for remote authentication based on secrets.

* https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf

Slide 26: OMB M-04-04

• OMB M-04-04:
  • Defines 4 levels of assurance (Levels 1 to 4)
  • Outlines 5-step process:
    1. Conduct a risk assessment of the government system
    2. Map identified risks to the appropriate assurance level
    3. Select technology based on e-authentication technical guidance
    4. Validate that the implemented system has met the required assurance level
    5. Periodically reassess the information system to determine technology refresh requirements

Slide 27: Authentication levels

OMB M04-04 Levels of Assurance

Level 1 – Little or no confidence in the asserted identity
  • Self-assertion
  • Minimum records

Level 2 – Some confidence in asserted identity
  • Online, instant qualification
  • Out-of-band follow-up
  • Remote proofing

Level 3 – High confidence in the asserted identity
  • Online with out-of-band verification or qualification
  • Cryptographic solution

Level 4 – Very high confidence in the asserted identity
  • In-person proofing
  • Recording of a biometric
  • Cryptographic solution
  • Hardware token

Slide 28: FIDO Alliance*

• Fast IDentity Online – An alliance whose mission is to change the nature of online identification.
• UAF and U2F
  • UAF = Universal Authentication Framework (password-less experience)
  • U2F = Universal Second Factor (two factor experience)

* https://fidoalliance.org/

Slide 29: FIDO Alliance – Board level

• Alibaba Group • ARM • Bank of America • CrucialTec • Discover • Egis Technology • Google • IdentityX • ING • Intel • Lenovo • MasterCard • Microsoft
• Nok Nok Labs • NTT DOCOMO • NXP • Oberthur Technologies • PayPal • Qualcomm • RSA • Samsung • Synaptics • USAA • Visa Inc. • Yubico

Slide 30: FIDO Alliance – Sponsor level

• Aetna • Ally • Authasas • Authentify • BKM • Blackberry • CA Technologies • UK Cabinet Office • Certivox • Chase • Cherry • Costco • Crossmatch • Cypress • DDS • Dell • Duo • E-Trade • Early Warning • Entersekt • ETRI • eyeLock • FacialNetwork
• Feitian • FingerQ • Forgerock • Gemalto • G&D • Goldman Sachs • Goodix • Happlink • Hoyos Labs • IDEX • Infineon • Infoguard • Intercede • Intuit • ISR • KICA • LG Electronics • MedImpact • Safran • Netflix • NXTID • NIST
• nymi • OSD • Ping Identity • Plantronics • Rambus • Redsys • Samsung SDS • SecureKey • SecureAuth • SK Telecom • Sonavation • ST • Tendyron • Usher • Vanguard • Vasco • Visa • Watchdata • Wells Fargo • WoSign • Yahoo! Japan

Slide 31: FIDO Alliance – Associate level

• 126 Additional organizations (as of 9/17/2015)
• Specification 1.0 is final and available for UAF and U2F
• https://fidoalliance.org

Slide 32: Authentication business drivers

The business drivers among various industry sectors are very different

• Public sector and critical infrastructure are driven by policy and standards:
  • FIPS 201
• Commercial industry is driven by profitability:
  • And slowly…by security
• The general public is driven by convenience and reward:
  • And slowly…by increasing concern
• Everyone is slowly being driven by education…

Slide 33: Other industries

• Banking, Payment and Investments
  • Many financial businesses now offer multi-factor authentication as an additional security measure
• Email
  • Most leading email providers support stronger authentication
• Gaming
  • The gaming industry is becoming a leader in end-user security

Visit www.twofactorauth.org for a comprehensive list of organizations that support stronger levels of authentication

Slide 34: Smart cards playing a role for strong authentication

• Mobility:
  • Today’s smart phones contain a “smart card”
• FIDO:
  • U2F devices are smart card-based
• Financial:
  • EMV cards are smart cards
• Transit:
  • Transit cards are moving to smart card technology

Slide 35: Authentication futures

• The US federal government has defined standards and specifications for electronic authentication
• There is no consistency or standardization outside of the federal government
• Commercial and consumer requirements are much different
• Separation of token and identity assurance is a notion that is not defined by federal standards (this is where FIDO fits)
• But…passwords alone are being recognized as insufficient for the future of online authentication
• Smart card technology already exists in many places – use it!

As more and more transactions are conducted online, federal and even state governments can require the binding of identities to tokens, but many commercial and consumer enterprises, for the most part, do not require strong identity proofing

Slide 36

Bryan Ichikawa, Deloitte Advisory, [email protected]

Slide 37

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.