The Role of PNT in Cybersecurity Location-based Authentication

Transcription

1 The Role of PNT in Cybersecurity Location-based Authentication Dr. Michael O Connor November 14, 2013 Satelles is a Division of ikare Corporation

2 What do we mean by Authentication? Authentication is the act of confirming the truth of an attribute of a datum or entity The examples in this presentation focus on a user s identity The concepts also apply to document and data authentication Image Source: secureauth.com 2

3 The Classic Authentication Factors Something you know Something you have Something you are Username Password / PIN SSN Name of first pet Credit/Debit Card Mobile phone Hardware token Encryption key Fingerprint Iris or retinal pattern Voice DNA How many of us (until recently) thought about authentication 3

4 Passwords Don t Work for Most of Us password adobe qwerty photoshop million of 38 million users October, 2013, an Adobe security breach revealed these as the top 10 account passwords CONVENIENCE IS THE ENEMY OF SECURITY 4

5 Two-Factor Authentication Something you know Something you have Something you are Username Password / PIN SSN Name of first pet Credit/Debit Card Mobile phone Hardware token Encryption key Fingerprint Iris or retinal pattern Voice DNA Privacy Data Permanence Amputation How many of us think about authentication today 5

6 Two Factors are Not Always Enough Businesses like RSA and CA Technologies offer Something You Have authentication In 2011, RSA servers were compromised. Attackers captured algorithms and seeds Cloned SecurID tokens were later used to attack several companies. RSA was required to replace compromised tokens. 6

7 Adoption of Two Factor Authentication A majority of US consumers have been affected by typical online threats - 56% virus or malware infection on a computer - 37% victim of a phishing attack - 26% victim of account compromise (e.g., hacked, broken into, password theft) - 20% victim of a social media phishing attack - 5% had a phone lost or stolen that resulted in unwanted access to sensitive information. Despite the recent hype, 75% of Americans have never signed into a website using two-factor authentication CONVENIENCE IS THE ENEMY OF SECURITY Source: 7

8 Location a Fourth Authentication Factor Something you know Something you have Something you are Somewhere you are Trusted location is independent of other authentication factors Solutions can be invisible to the user no action required LOCATION-BASED AUTHENTICATION HAS THE POTENTIAL TO BE MORE SECURE AND MORE CONVENIENT 8

9 Location: Used Today, but not Secure Image Source: lifehacker.com 9

10 GPS / GNSS for Trusted Location Available in nearly every device, but susceptible to spoofing December, 2011 Stealth US RQ-170 Sentinel lost in Iranian airspace Photo above appears days later on Iranian television Iran claims GPS spoofing was used to capture drone July, 2013 UT Austin research team spoofs GPS Cause yacht to veer from its intended course 10

11 GPS / GNSS for Trusted Location Higher integrity solutions are being considered Nav message encryption and digital signatures P-code correlation techniques P(Y) Code (magenta) Protected signal 10 MHz chipping rate, encrypted Unpredictable C/A Code (blue) Public signal 1 MHz chipping rate, published Predictable 11

12 Cell Towers for Trusted Location Several methods of location determination possible - Time Difference of Arrival (TDOA/UTDOA) - Cell ID / Enhanced Cell ID - RF pattern matching User-plane solutions are more susceptible to spoofing Control-plane solutions are more resistant to spoofing - Require infrastructure - Carrier specific 12

13 Local Transmitters for Trusted Location Local beacons can authenticate device proximity Work indoors Require local infrastructure Near Field Communications (NFC) Bluetooth Low Energy (BLE) 13

14 Applications for Trusted Location Government network and data access control - Examples include DoD, tracking of high value assets, and critical infrastructure such as power plants and water supplies Financial Institutions - Numbers are not published, but these companies lose billions to cyber attacks each year, and the losses are growing - Customers include financial infrastructure, banks and credit card companies Major banks, SWIFT, Fiserv, First Data, Jack Henry Enterprise networks and high value data - Examples include IP, financial, medical records, and cloud security - Customers already paying for, and would value increased security Online Gambling - Locations of users and servers is highly regulated in the US - $6B industry in US; $22B globally Entertainment Industry Increasing Value to Professional Cybercriminals 14

15 Example Application: Mobile Payments Growth of mobile payments is staggering: 44% annual growth rate Expected to exceed $1B per day in 2014 CAGR >250% Volume still tiny relative to card payments ~$21B per day 15

16 Mobile Made Easier than a Credit Card Consumer enters a market zone Smart phone provides location data to mobile payment provider Authentication server confirms location for mobile payment provider Informs approved retailers in the area Point of sale ready for transaction Verbal lookup and/or visual confirmation Transaction approved Consumer never reached for phone or wallet 16

17 Magic Required to Revolutionize Mobile Transactions for Consumers Must be trustworthy Must be virtually invisible to the user Must work where the transactions are happening Ideally would not require significant new infrastructure Cannot drain your phone battery 17

18 Unique Value Derived from Iridium 1. Worldwide Coverage Without local infrastructure 3. High Power Broadcasts Signals penetrate buildings 5. Focused Spot Beams Key feature for proving user location and time 2. Custom Signals Provide secure time transfer and navigation capabilities 4. Close to GPS Band Hardware is based on standard GPS chipsets Leverages unique capabilities developed and demonstrated by Boeing, Iridium, and Satelles 18

19 Demonstrated Indoor Signal Penetration Extensive testing performed in dense urban (Tokyo) Iridium signal coverage at 98% of tested sites indoor measurements; average attenuation: 36dB 19

20 Signal Penetration Inside Container Blue points: Brown line: Green points: Iridium in container GPS outdoors Iridium outdoors 20

21 Site-specific Keys Delivered from Space Overlapping beams provide a distinct, locationspecific pattern Beams for two of 66 satellites at one point in time is shown Notional Iridium beam coverage map property of Iridium Satellite LLC. 21

22 How it Works 2 User device receives location-specific satellite data User login data and satellite data are sent automatically Satelles determines trusted user location based on satellite data 4 Satelles 3 Authentication Server TLS Socket Iridium Gateway (Co-located) VPN / TLS Socket Connection 1 Valid user or hacker initiates secure online activity Satelles Customer 5 Trusted location is used in decision engine to allow or deny access 22

23 Magic Required to Revolutionize Mobile Transactions for Consumers Must be trustworthy Spot beams, random data make signal extremely difficult to spoof Must be virtually invisible to the user Reporting trusted location does not require user interaction Must work where the transactions are happening Satelles signals are 1000X stronger than GPS, penetrate buildings Should NOT require significant new infrastructure Signals come from space, world-wide, no local infrastructure Cannot drain your phone battery Satelles processing requires - potentially half the power of GPS 23

24 Summary There is a compelling need for improved cyber security Current methods of authentication are inadequate Convenience is the greatest enemy to security Trusted location can play an important role in authentication - More Secure AND More Convenient Among a range of good solutions, Iridium-based techniques potentially offer unique and compelling features - Trustworthy - Invisible to the user - Work indoors - Require no local infrastructure - Possible power advantages 24

25 Questions? Artist depiction of an Iridium LEO satellite in space 25