Non Person Identities After all, who cares about me? Gilles Lisimaque & Dave Auman Identification technology Partners, Inc.

Transcription

1 Identities Non Person Identities After all, who cares about me? Gilles Lisimaque & Dave Auman Identification technology Partners, Inc.

2 Device Identifiers Most devices we are using everyday have (at least) two unique identifiers: The serial product number (attached to the product) The Owner s reference (attached to the owner) Devices shared by many users have only one identifier: Bank Notes Telephone booth Sep Identification Technology Partners 2

3 Device Identification The manufacturer Serial Number (unique) Signature of the Issuer Sep Identification Technology Partners 3

4 Identifying a car Manufacturer Driver Owner VIN (fix) TAG (variable) Sep Identification Technology Partners 4

5 Identifying an account Account Ez-Pass Driver? Car Owner TAG (back up) Sep Identification Technology Partners 5

6 Identifying a user User File Driver or Passenger Car File Passport Card Car Owner TAG (back up) Sep Identification Technology Partners 6

7 Satellite TV Decoders Viewer Service Provider Subscriber Device & Subscription Authentication Manufacturer Sep Identification Technology Partners 7

8 Identifying a CCTV Direct protected cable Device authentication and physical location required IP addressing mode Sep Identification Technology Partners 8

9 Identifying a network device User Manager MAC (fix) LAN Manufacturer Router Serial Number (fix) IP Address (variable) Sep Identification Technology Partners 9

10 Identifying a computer Stable Identifiers MAC interfaces TAG Service # Internet LAN Variable Identifiers IP Address Transaction User Manufacturer Session User Serial Number (fix) Logon ID (variable) 10 Sep Identification Technology Partners 10

11 Identifying a TPM A TPM encrypts data using the TPM endorsement key, a unique RSA key burned into the chip during its production Since each TPM chip has a unique and secret RSA key burned in as it is produced, d it is capable of performing platform authentication Sep Identification Technology Partners 11

12 Identifying a GSM Cell Phone Other Identifiers Bank Account Transportation purse Door access User Authentication? User consent? User Owner Phone Number Manufacturer Active Authentication Carrier ESN (fix) IMSI (variable) Sep Identification Technology Partners 12

13 Smart Cards Most of the time, smart cards have no proof of trust from the manufacturer. The issuer is the entity which conveys trust in the card and its applications. Each application is a different link (binding) between a service provider and the user of the card We trust Smart Cards only when we trust the issuer In the German eid program, the card comes out of manufacturing with a security certificate (as a TPM) Sep Identification Technology Partners 13

14 Can anybody trust any Smart Card PIV-C is a card which looks like a PIV, quacks like a PIV as it has the technical behavior of PIV It is issued by an entity no other entity trusts, and/or by means no other entity trusts It is supposed to use a PIV card from the APL list but nothing in the card can really prove this is the case If the issuer of a smart card is not trusted, even the card it uses should not be trusted by any other application Sep Identification Technology Partners 14

15 Device, Owner or User? Some devices need to be authenticated even when there is no direct user (surveillance Cameras) Some devices are shared so much that it is the user (or his money) who really matters (telephone booth, rental cars) Some devices are so anonymous it is the owner who really matters (bank note) Sep Identification Technology Partners 15

16 The Three Authentication Factors To prove one s identity we have three independent factors which are commonly used: What is known by the subject (but if it can be verified it generally means it is shared with the verifying gparty) What is owned by the subject (a trusted device such as a smart card issued by a party trusted by the relying gp parties) What the physical subject is (biometric verification against an enrolled trusted reference) Sep Identification Technology Partners 16

17 A trusted device is only ONE factor When is one factor identification enough? It depends on the level of risk/security the application is ready to take It depends on the convenience factor the user imposes It depends on the cost of the solution It depends on the liability of the parties involved It depends on the cost/nature of redress when things go wrong Sep Identification Technology Partners 17

18 Is another factor more secure? Today most online authentications are done using only one factor (What is known). We all know the weaknesses of passwords. There are ways to improve their security but users loose convenience If we switch to the factor what h t is owned, even if it is a very secure device, have we increased really security as a whole or do we need to combine them? Two independent factors are more secure than one Sep Identification Technology Partners 18

19 Combining two factors When the secure device (what you have) is authenticated only when the user consents for it to work, there is a second factor (what the user knows). In EMV, the dynamic signature which authenticates the device is executed only after the user has presented the PIN In PIV the PIV Authentication key can be challenged only after the user has presented the correct PIN to the card In GSM SIM cards it is possible to protect the authentication with the user s PIN which has to be presented each time the phone is powered on Sep Identification Technology Partners 19

20 Password manager in a smart card? Some companies offer Password managers. Some are pure software using encryption protection and certificates, some others are in secure portable devices (USB or smart cards). If the device itself (or even the secure software) has no means to transfer the fact it can be trusted to an external party, the result is only the password and we end up with only one factor (but more secure though) Sep Identification Technology Partners 20

21 But what about transactions? When the authentication device (PIV, SIM or other) used for the login phase stays powered all the time, and it had been activated by the user, how to authenticate the user for elementary transactions? Most systems assume the user authentication is not cached by the trusted device. Do we need to separate User Consent from User Authentication? If Passwords can be compromised by a key logger, it is even easier to cache a Password and replay it Sep Identification Technology Partners 21

22 And what about Biometrics? Some computers use the integrated webcam to authenticate the user Some use an integrated fingerprint scanner Some use dynamic keystroke Using Biometrics as a user authentication factor could be very useful to separate user authentication from user consent (PIN) This brings an additional factor but the lack of standardization has slowed down their adoption Sep Identification Technology Partners 22

23 We are back to the same issue: It is all about risk what level of assurance is required? Decisions: One, two or three factors How to differentiate between user authentication and user consent (transaction ti vs. session) Balance between risk and convenience for the user We have reached a point where two factors are needed d for nearly all online transactions Sep Identification Technology Partners 23

24 No more than three factors Whatever combination we make with one or more devices, we have only one factor (what is owned). We can increase the level of assurance of this factor by multiplying the number of devices (e.g. Smart Card used in a cell-phone in a car in front of a given house) but it is still only one factor when the user s knowledge (PIN or Password) or its biometric (who the subject is physically) is not verified Sep Identification Technology Partners 24

25 Two Passwords are only one factor Similarly, asking the user to verify two passwords (e.g. Smart ID PIN as well as a PACS PIN) increases the level of assurance of the what you know factor but is still only one password. It is roughly equivalent to increasing the length (so the strength) of one Password Sep Identification Technology Partners 25

26 An OTP device is only one factor OTP devices are useful as they generate stronger Passwords than whatever a user can remember. Even if they are activated by the user consent (PIN or Biometric presented to the device for generating the password) they are only one factor as they provide a stronger password but a weak device authentication (resulting information exchanged in clear text at the interface is not a serious cryptographic proof) Sep Identification Technology Partners 26

27 Secure device and biometry As said before, many secure devices are trusted only because of their issuer (e.g. most smart cards) If a user was able to enroll its biometric information in a secure device (e.g. TPM) which could be activated only by the user s biometry (match in TPM), we would have a two factor authentication method without having the need for a device issuer role Sep Identification Technology Partners 27

28 A device without t issuer or PIN? What about having its biometric information signed by a public notary instead of the device issuer? Such a signed reference biometric data would not say anything about any claim the user would make but it would provide a reference for biometric comparisons If the user binds such biometric reference to a device everybody er trusts (e.g. TPM) issuers can then add, protect and certify information about the user s personas Sep Identification Technology Partners 28

29 What about the length of an identifier? Is a FASC-N alone less secure than a UUID? Is a UUID alone more secure than a CHUID? Is a CHUID secure when the signature is not verified? Identifiers are not stolen (or cloned) by humans means only but with quite sophisticated technical means. The length of the identifier does not make any difference anymore. They can be cloned very easily (on any type of interface) as long as they are exchanged in clear text Sep Identification Technology Partners 29

30 Zero factor = Danger Any identifier used without authentication is a ZERO factor authentication level. Two (or more) identifiers used without authentication is still a ZERO factor as they are public information The user of such ascribed identifier should never be held liable on any use of a public identifier Such practice should be forbidden and punishable by law Sep Identification Technology Partners 30

31 The danger of a Global Identifier Virginia Fishing Licensees US Citizens SSN French Citizens Health insurance RFU Maryland Driver Licensees UUID Cell Phone provider BU&U Employed by company Gag Internet Provider Off-Lyne Last Bank Account holder Each persona may have a very different security requirement. Any identifier (public information) should be used with an authenticator. Sep Identification Technology Partners 31

32 Conclusion Whatever device is used for authentication (trusted computer, smart ID card, Cell-phone) at least two factors are now required for most transactions. It means the secure device should come in addition to the usual [ID + Password] and not in replacement unless we get serious about biometrics Sep Identification Technology Partners 32

33 Combining all factors Resistance is futile, you will be assimilated Sep Identification Technology Partners 33