12 Authentications of Hercules - ISSA - Vancouver

The 12 Authentications of Hercules

The 2007 Guide to Strong Authentication

Don McKillican
Senior Security Architect, Bell Canada
donald.mckillican@bell.ca
Because on the Internet…

No one can tell that you’re NOT Elvis!

   April 19, 2007   ISSA: Strong Authentication
    Everybody is Down on Passwords

•    “A major problem for identity systems is the weakness of
     passwords… We aren't going to be able to rely on passwords.
     Moving to biometric and smart cards is a wave that is coming,
     and we see our leading customers doing this.” –Bill Gates, 2004
•    “Username-password-based authentication is badly outdated;
     those who continue using this weak authentication method will
     continue to reap the consequences.” –Eugene Schultz, 2005
•    “Where risk assessments indicate that the use of single-factor
     authentication is inadequate, financial institutions should
     implement multifactor authentication, layered security, or other
     controls reasonably calculated to mitigate those risks.” –US
     FFIEC, 2005

    So What’s Wrong with Passwords?

•    Authentication is supposed to provide us with a
     (reasonable) assurance that the person identifying
     themselves to us is in fact who they claim to be.
•    Passwords can be written down (especially since “good”
     passwords can be hard to remember!)
•    Passwords can be shared and/or stolen
•    Passwords are repeatable: they can be re-used
•    Passwords can be stored unencrypted, or brute-forced even
     if they are encrypted

    What Exactly Is “Strong Authentication”?

•    N-Factor Authentication
          “Something only you know”
          “Something only you have”
          “Something only you are”
•    Cryptographic Protection for the Credential Exchange
          Intended to allow “soft” certificates to be considered
           “strong authentication”
          Hard to distinguish between “soft” PKI and Kerberos
•    Basically, something stronger than passwords

    Why Exactly Is “Strong Authentication”?

•    Provide better assurance that the person identifying
     themselves to us is in fact who they claim to be.
•    Provide a means of authentication that cannot be brute-forced
     (or at least is a LOT harder to brute-force)
•    Provide a means of authentication that cannot be shared or
     stolen (e.g. by spyware)
•    Provide protection for consumers against identity theft
     and/or phishing attacks
•    Most likely:
     The regulator or the auditor says we have to…

How Can I Authenticate Thee?

Let me count the ways!

    1. Token Cards or Fobs

•    Passive cards (e.g. RSA/SecurID or Verisign/VIP) have a
     display with a six or eight digit number that changes
     “randomly” every 60 seconds
•    Challenge/response cards (CRYPTOCard): The system sends
     a number that the user enters onto a keypad on the card,
     then the card calculates the valid response to the challenge
•    “Soft” versions also available (for PCs, PDAs and cellphones)
•    Never been cracked, can’t be cloned (except “soft” version)
•    Verisign token can be used for more than one vendor (eBay
     presently using them)

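The passive token's rolling code and the challenge/response card both reduce to a keyed one-way function applied to a changing input (a clock or a server challenge). The block below is an added example, not from the slides and not the proprietary SecurID or CRYPTOCard algorithms: it uses the open HOTP/TOTP construction (RFC 4226/6238, HMAC-SHA1 with dynamic truncation) with the 60-second step the slide mentions; the seed, time values and challenge string are constructed test inputs, and the replay check (never accept a counter at or below the last accepted one) is the server-side detail a verifier needs.

```python
import hashlib
import hmac
import struct
import time


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at the offset given by the low nibble of the last byte."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(key: bytes, unix_time: float, step: int = 60, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of elapsed time steps (60 s here)."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key, submitted, unix_time, last_counter=-1, step=60, digits=6, window=1):
    """Return the accepted counter or None. Tolerates +/- window steps of clock drift, but never
    accepts a counter at or below last_counter, so an intercepted code cannot be replayed."""
    now = int(unix_time) // step
    for c in range(now - window, now + window + 1):
        if c > last_counter and hmac.compare_digest(hotp(key, c, digits), submitted):
            return c
    return None


def challenge_response(key: bytes, challenge: str, digits: int = 8) -> str:
    """Challenge/response card: the keyed function is applied to the server's challenge, not a clock."""
    return _truncate(hmac.new(key, challenge.encode("ascii"), hashlib.sha1).digest(), digits)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226/6238 test-vector key, not a real token seed
    print("60 s token code now:", totp(seed, time.time()))
    print("response to constructed challenge 48213:", challenge_response(seed, "48213"))
```

With the RFC test-vector seed, counter 0 yields 755224 and time 59 with a 30-second step yields 94287082, which makes it easy to confirm an implementation against the published vectors before trusting it with real seeds.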
    2. PKI (Public Key Infrastructure)

•     On a smart card (Aladdin, Verisign, etc.), or “soft”
•     PKI is a significantly complex infrastructure!
•     Smart cards require a reader, but soft certificates can be
      shared/stolen
•     The TPM could prevent soft certificates from being stolen –
      maybe?
•     Plus, is there a way relying parties can know for certain that
      a soft certificate is being protected by a TPM?


    Biometrics

•    Both identification and authentication
•    Need to balance false positive rate vs false negative rate
•    Potentially a very “brittle” solution: If your password is
     compromised, we can reset it. But it’s a little harder to
     “reset” your iris – and you don’t have very many of them!
•    Still, is it more expensive to compromise your iris than the
     asset being protected is worth?
•    Remember: a biometric by itself is one single factor, not
     two!

    3. Biometrics: Fingerprints

•    Mature technology
•    Convenient, non-invasive (though you may need to manage
     privacy concerns)
•    Many suppliers, broad range of features and prices
•    Built-in for many new laptops
•    However, built-in fingerprint scanners frequently have very
     high false negative rates
•    Ask your vendor about the gummi-bear attack!

    4. & 5. Biometrics: Eye scanning (Retina & Iris)

•    Retina scanning has to be done from very close range:
     extremely invasive. No longer common.
•    Iris scanning is less invasive, as it can be done from further
     away
•    Iris scanning starting to be used in places like airports and
     even ATM machines, but not likely on your PC for a few
     years (cost and size need to come down)

    6. Biometrics: Hand geometry

•    New arrival from Fujitsu and others
•    Bulkier than a fingerprint reader
•    Perhaps more suitable for building access?

    7. Biometrics: Voiceprint

•    Traditionally suffers from both high false positive rates
     (recordings) and high false negative rates (“I’ve got a cold
     today!”)
•    More commonly used as identification, with authentication
     provided by a pass phrase
•    One interesting approach matches your recorded voiceprint,
     but then prompts you to repeat a randomly chosen word,
     and then ensures that the same voice was used for each
•    Obvious market segment: IVR

    8. Biometrics: Facial Recognition

•    Frequently used with surveillance cameras, e.g. casinos,
     increasingly for public spaces
•    Has a very bad reputation: not precise, invasive, “police
     state”, etc.
•    Canadian startup Bioscrypt claims to have a device
     suitable for PCs that can distinguish between twins, but still
     allow you to grow (or shave) your beard!
•    Uses a small desktop camera and “40,000 identification
     points”

    9. Biometrics: Behaviour

•    Some financial institutions are beginning to look at
     behavioural profiling of financial transactions, and referring
     to this as “two-factor authentication”
•    “Is this transaction ‘odd’ for this user?”
•    May be stretching the definition just a bit thin ;-)
•    But this is a very useful tool, and has long been used by
     credit card companies, telcos and others


    10. Telephony

•    Cellphones are the new token fobs: Use the telephony
     channel to take part of the authentication “out of band”
•    E.g. (1) When you access a site, it sends a PIN to you with
     SSL and then calls your cellphone, and you enter the PIN
     on the keypad.
•    E.g. (2) When you access a site, it sends a password to
     your cellphone (e.g. via SMS), and you enter the password
     on your computer keyboard
•    However, if you’re using a land line, your phone may be
     shared – can you be sure this is really a cellphone?
•    And VoIP could mean that this maybe isn’t “out of band”

    11. Pattern Recognition

•    Frequently not authentication, as such
•    Simplest example: CAPTCHAs, which just ensure that you
     are human and not a program
•    SiteKey (Bank of America) provides you an image you can
     use to be sure (mostly) that you’re not being phished
•    Can be used for authentication too, e.g. if your “password”
     consists of choosing faces or other images from a randomly
     ordered list

    12. Pattern Recognition Plus

•    Authernative: the ultimate pattern recognition!

          3 1 4 1 5 9 2 6 5 3
          5 8 9 7 9 3 2 3 8 4
          6 2 6 4 3 3 8 3 2 7
          9 5 0 2 8 8 4 1 9 7
          1 6 9 3 9 9 3 5 7 1
          0 5 8 2 0 9 7 4 9 4
          4 5 9 2 3 0 7 8 1 6
          4 0 6 2 8 6 2 0 8 9
          9 8 6 2 8 0 3 4 8 2
          5 3 4 2 1 1 7 0 6 7
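An added example, not Authernative's code, of how a grid-based one-time code of this kind is verified, assuming the scheme follows the usual grid-pattern design (the user memorises an ordered set of cell positions, a fresh random grid is shown at each login, and the user types the digits currently sitting at those positions); whether Authernative's product works exactly this way is an assumption. The sample grid is the one on the slide and the diagonal pattern is a constructed secret; the last function quantifies the caveat that a fresh grid stops replay but does not stop blind guessing, so attempt limits are still needed.

```python
import hmac
import secrets

GRID_SIZE = 10

# The grid shown on the slide, used here as sample input (ten rows of ten digits).
SAMPLE_GRID = [
    "3141592653", "5897932384", "6264338327", "9502884197", "1693993751",
    "0582097494", "4592307816", "4062862089", "9862803482", "5342117067",
]

# Constructed secret: an ordered pattern of (row, column) cells the user has memorised.
SAMPLE_PATTERN = [(0, 0), (1, 1), (2, 2), (3, 3)]


def new_grid(rng=None):
    """Fresh random digit grid for one login attempt; a new grid makes each response one-time."""
    rng = rng or secrets.SystemRandom()
    return ["".join(str(rng.randrange(10)) for _ in range(GRID_SIZE)) for _ in range(GRID_SIZE)]


def expected_response(grid, pattern):
    """Digits the legitimate user reads off the grid at their pattern cells, in pattern order."""
    return "".join(grid[r][c] for r, c in pattern)


def verify(grid, pattern, submitted):
    """Server-side check of the typed digits against the grid issued for this attempt."""
    return hmac.compare_digest(expected_response(grid, pattern), submitted)


def blind_guess_probability(pattern_len):
    """Chance that one random n-digit guess passes without knowing the pattern: each shown
    digit is 0-9, so a guess only has to match n digits. Lockout or rate limiting is still needed."""
    return 1 / (10 ** pattern_len)


if __name__ == "__main__":
    print("response for the slide's grid:", expected_response(SAMPLE_GRID, SAMPLE_PATTERN))
    print("response for a freshly generated grid:", expected_response(new_grid(), SAMPLE_PATTERN))
    print("blind-guess success per attempt:", blind_guess_probability(len(SAMPLE_PATTERN)))
```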
    So which one is right for you?

•    It depends:
          What is your business case?
          Who are your users? Are they customers, who will go to your
           competitors if they dislike your strong authentication, or are they
           employees who have no choice? (Or are they contractors or vendor
           helpdesk personnel?)
          Do you have an existing PKI?
          Do you have control of your users’ PCs?
          Do all of your users have cellphones?
          Which privacy regulations apply to you?

•    Conduct a thorough evaluation and pilot, with real users!
•    Be sure you know what problem you are trying to solve!

