Identities: Non-Person Identities
After all, who cares about me?
Gilles Lisimaque & Dave Auman, Identification Technology Partners, Inc.
Device Identifiers
Most devices we use every day have (at least) two unique identifiers:
- the serial product number (attached to the product)
- the owner's reference (attached to the owner)
Devices shared by many users have only one identifier:
- bank notes
- telephone booths
Sep. 2010, Identification Technology Partners

Device Identification
- the manufacturer's serial number (unique)
- the signature of the issuer

Identifying a car
- parties: manufacturer, driver, owner
- identifiers: VIN (fixed), TAG (variable)

Identifying an account
- the Ez-Pass account is bound to the car and the owner; the driver is not identified
- the car's TAG serves as a back-up identifier

Identifying a user
- user file: driver or passenger, identified by a passport card
- car file: car owner, identified by the TAG (back-up)

Satellite TV Decoders
- parties: viewer, subscriber, service provider, manufacturer
- the service provider authenticates both the device and the subscription

Identifying a CCTV
- direct protected cable
- device authentication and physical location are required
- IP addressing mode

Identifying a network device
- parties: user, manager, manufacturer
- identifiers: MAC address (fixed), serial number (fixed), IP address on the LAN / router (variable)

Identifying a computer
- stable identifiers: MAC addresses of the interfaces, TAG, service number, serial number (fixed) (from the manufacturer)
- variable identifiers: IP address (Internet / LAN), logon ID (variable), session, transaction (from the user)
Identifying a TPM
- A TPM encrypts data using the TPM endorsement key, a unique RSA key burned into the chip during its production.
- Since each TPM chip has a unique and secret RSA key burned in as it is produced, it is capable of performing platform authentication.
Identifying a GSM Cell Phone
- parties: user, owner, manufacturer, carrier
- identifiers: phone number, ESN (fixed), IMSI (variable); the carrier performs active authentication of the SIM
- other identifiers carried by the phone: bank account, transportation purse, door access
- open questions: user authentication? user consent?

Smart Cards
- Most of the time, smart cards have no proof of trust from the manufacturer.
- The issuer is the entity which conveys trust in the card and its applications.
- Each application is a different link (binding) between a service provider and the user of the card.
- We trust smart cards only when we trust the issuer.
- In the German eID program, the card comes out of manufacturing with a security certificate (as a TPM does).

Can anybody trust any Smart Card?
- PIV-C is a card which looks like a PIV and quacks like a PIV, as it has the technical behaviour of PIV.
- It is issued by an entity no other entity trusts, and/or by means no other entity trusts.
- It is supposed to use a PIV card from the APL list, but nothing in the card can really prove this is the case.
- If the issuer of a smart card is not trusted, even the card it uses should not be trusted by any other application.

Device, Owner or User?
- Some devices need to be authenticated even when there is no direct user (surveillance cameras).
- Some devices are shared so much that it is the user (or his money) who really matters (telephone booth, rental cars).
- Some devices are so anonymous that it is the owner who really matters (bank note).

The Three Authentication Factors
To prove one's identity we have three independent factors which are commonly used:
- What is known by the subject (but if it can be verified, it generally means it is shared with the verifying party).
- What is owned by the subject (a trusted device such as a smart card issued by a party trusted by the relying parties).
- What the physical subject is (biometric verification against an enrolled trusted reference).

A trusted device is only ONE factor
When is one-factor identification enough?
- It depends on the level of risk/security the application is ready to take.
- It depends on the convenience the user demands.
- It depends on the cost of the solution.
- It depends on the liability of the parties involved.
- It depends on the cost/nature of redress when things go wrong.

Is another factor more secure?
- Today most online authentications are done using only one factor (what is known). We all know the weaknesses of passwords. There are ways to improve their security, but users lose convenience.
- If we switch to the factor "what is owned", even if it is a very secure device, have we really increased security as a whole, or do we need to combine them?
- Two independent factors are more secure than one.

Combining two factors
When the secure device (what you have) is authenticated only when the user consents for it to work, there is a second factor (what the user knows).
- In EMV, the dynamic signature which authenticates the device is executed only after the user has presented the PIN.
- In PIV, the PIV Authentication key can be challenged only after the user has presented the correct PIN to the card.
- In GSM SIM cards, it is possible to protect the authentication with the user's PIN, which has to be presented each time the phone is powered on.

Password manager in a smart card?
- Some companies offer password managers. Some are pure software using encryption protection and certificates; others are in secure portable devices (USB or smart cards).
- If the device itself (or even the secure software) has no means to transfer the fact that it can be trusted to an external party, the result is only the password, and we end up with only one factor (though a more secure one).

But what about transactions?
- When the authentication device (PIV, SIM or other) used for the login phase stays powered all the time, and it has been activated by the user, how do we authenticate the user for elementary transactions?
- Most systems assume the user authentication is not cached by the trusted device.
- Do we need to separate user consent from user authentication?
- If passwords can be compromised by a key logger, it is even easier to cache a password and replay it.
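The PIN-gated device authentication of the "Combining two factors" slide, and the cached-consent question raised on the transactions slide, as an added example that is not part of the original deck. It uses a hypothetical Token and Issuer sharing a symmetric secret (the SIM model; EMV and PIV use asymmetric keys instead), constructed IMSI-like identifiers, and a consent_mode switch that is an assumption of this example, not a feature of any real card. The "what is owned" factor is proven only by a fresh challenge-response, and the device refuses to answer until "what is known" (the PIN) has been presented:

```python
import hashlib
import hmac
import os

# Hypothetical PIN-gated token, constructed for this example (not a real
# SIM, EMV or PIV implementation). The device shares a secret with its
# issuer and answers a challenge only after the correct PIN was presented.

MAX_PIN_TRIES = 3


class Token:
    def __init__(self, device_id, secret, pin, consent_mode="per_transaction"):
        self.device_id = device_id          # public identifier (like an IMSI)
        self._secret = secret               # never leaves the device
        self._pin = pin
        self.consent_mode = consent_mode    # "per_transaction" or "session" (assumed policy switch)
        self._unlocked = False
        self._tries_left = MAX_PIN_TRIES

    def verify_pin(self, pin):
        """Unlock the device; MAX_PIN_TRIES wrong PINs block it."""
        if self._tries_left == 0:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left = MAX_PIN_TRIES
            self._unlocked = True
            return True
        self._tries_left -= 1
        self._unlocked = False
        return False

    def respond(self, challenge):
        """Authenticate the device to the issuer; refuses without consent."""
        if not self._unlocked:
            raise PermissionError("PIN required before the device authenticates")
        if self.consent_mode == "per_transaction":
            self._unlocked = False          # consent is not cached
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Issuer:
    """Relying party that knows each enrolled device's secret."""

    def __init__(self):
        self._secrets = {}

    def enroll(self, token):
        self._secrets[token.device_id] = token._secret   # done at personalisation

    def challenge(self):
        return os.urandom(16)               # fresh nonce defeats replay

    def verify(self, device_id, challenge, response):
        secret = self._secrets.get(device_id)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticate(issuer, token, pin=None):
    """One login or transaction.

    Returns (device_authenticated, user_consented_now); the second value is
    True only when a correct PIN was presented in this very call.
    """
    consented = pin is not None and token.verify_pin(pin)
    nonce = issuer.challenge()
    try:
        response = token.respond(nonce)
    except PermissionError:
        return False, consented
    return issuer.verify(token.device_id, nonce, response), consented


def demo():
    issuer = Issuer()
    per_tx = Token("IMSI-0001", os.urandom(32), "1234")                    # constructed
    session = Token("IMSI-0002", os.urandom(32), "1234", consent_mode="session")
    issuer.enroll(per_tx)
    issuer.enroll(session)
    results = {
        "no_pin": authenticate(issuer, per_tx),                  # device refuses
        "wrong_pin": authenticate(issuer, per_tx, "0000"),
        "good_pin": authenticate(issuer, per_tx, "1234"),        # two factors
        "second_tx_no_pin": authenticate(issuer, per_tx),        # consent not cached
        "session_first": authenticate(issuer, session, "1234"),
        "session_second_no_pin": authenticate(issuer, session),  # device ok, no fresh consent
    }
    # A captured (nonce, response) pair is useless against a fresh challenge.
    session.verify_pin("1234")
    old_response = session.respond(issuer.challenge())
    results["replay_old_response"] = issuer.verify(
        session.device_id, issuer.challenge(), old_response)
    return results
```

The per-transaction token proves both factors on every operation and nothing in between; the session token keeps authenticating the device after the first PIN, which is exactly the cached-consent situation the slide warns about: the relying party sees a valid device but has no proof the user is still there.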
And what about Biometrics?
- Some computers use the integrated webcam to authenticate the user.
- Some use an integrated fingerprint scanner.
- Some use dynamic keystroke.
- Using biometrics as a user authentication factor could be very useful to separate user authentication from user consent (PIN).
- This brings an additional factor, but the lack of standardization has slowed down their adoption.

We are back to the same issue
It is all about risk: what level of assurance is required?
Decisions:
- one, two or three factors
- how to differentiate between user authentication and user consent (transaction vs. session)
- balance between risk and convenience for the user
We have reached a point where two factors are needed for nearly all online transactions.

No more than three factors
- Whatever combination we make with one or more devices, we have only one factor (what is owned).
- We can increase the level of assurance of this factor by multiplying the number of devices (e.g. a smart card used in a cell phone in a car in front of a given house), but it is still only one factor when the user's knowledge (PIN or password) or biometric (who the subject is physically) is not verified.

Two passwords are only one factor
- Similarly, asking the user to verify two passwords (e.g. a smart ID PIN as well as a PACS PIN) increases the level of assurance of the "what you know" factor but is still only one password.
- It is roughly equivalent to increasing the length (so the strength) of one password.

An OTP device is only one factor
- OTP devices are useful as they generate stronger passwords than whatever a user can remember.
- Even if they are activated by the user's consent (PIN or biometric presented to the device for generating the password), they are only one factor, as they provide a stronger password but a weak device authentication (the resulting information exchanged in clear text at the interface is not a serious cryptographic proof).

Secure device and biometry
- As said before, many secure devices are trusted only because of their issuer (e.g. most smart cards).
- If a user were able to enroll his biometric information in a secure device (e.g. a TPM) which could be activated only by the user's biometry (match in TPM), we would have a two-factor authentication method without the need for a device issuer role.

A device without issuer or PIN?
- What about having the biometric information signed by a public notary instead of the device issuer?
- Such signed reference biometric data would not say anything about any claim the user makes, but it would provide a reference for biometric comparisons.
- If the user binds such a biometric reference to a device everybody trusts (e.g. a TPM), issuers can then add, protect and certify information about the user's personas.

What about the length of an identifier?
- Is a FASC-N alone less secure than a UUID? Is a UUID alone more secure than a CHUID? Is a CHUID secure when the signature is not verified?
- Identifiers are not stolen (or cloned) by human means only, but with quite sophisticated technical means.
- The length of the identifier does not make any difference anymore.
- They can be cloned very easily (on any type of interface) as long as they are exchanged in clear text.

Zero factor = Danger
- Any identifier used without authentication is a ZERO-factor authentication level.
- Two (or more) identifiers used without authentication are still a ZERO factor, as they are public information.
- The user of such an ascribed identifier should never be held liable for any use of a public identifier.
- Such practice should be forbidden and punishable by law.
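The identifier-length and zero-factor slides above, as an added example that is not part of the original deck. It builds an issuer-signed identifier object in the spirit of a CHUID (identifier fields plus an issuer signature) and shows what a relying party learns from verifying that signature: forgery of the fields is detected, but a verbatim copy read off an unprotected interface verifies just as well, whatever the identifier's length, so the presentation counts as zero factors either way. HMAC with a constructed placeholder key stands in for the issuer's asymmetric signature so the block runs with the standard library only; the field names and the sample identifiers are constructed:

```python
import hashlib
import hmac
import json
import uuid

# Placeholder issuer key, constructed for this example. A real issuer would
# sign with a private key and the verifier would hold only the public key.
ISSUER_KEY = b"placeholder-issuer-signing-key"


def _canonical(fields):
    # Stable byte encoding of the identifier fields so the signature is reproducible
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue(fields):
    """Issuer builds the signed identifier object (CHUID-like, constructed)."""
    sig = hmac.new(ISSUER_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "signature": sig}


def verify_issuer_signature(record):
    """True when the object really came from the issuer and was not altered."""
    expected = hmac.new(ISSUER_KEY, _canonical(record["fields"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["signature"])


def read_in_clear(record):
    """Everything an observer of a clear-text interface obtains: a perfect copy."""
    return json.loads(json.dumps(record))


def relying_party(record, check_signature):
    """Returns (accepted, factors_proven).

    The signature check rejects altered or made-up identifiers, but a valid
    identifier says nothing about who is presenting it, so factors stay at 0.
    """
    if check_signature and not verify_issuer_signature(record):
        return False, 0
    return True, 0


def demo():
    short_id = issue({"persona": "employee", "id": "0123456789"})       # FASC-N-like length
    long_id = issue({"persona": "employee", "id": str(uuid.uuid4())})   # UUID length
    results = {}
    for name, record in (("short", short_id), ("long", long_id)):
        copy = read_in_clear(record)
        results[name + "_copy_unchecked"] = relying_party(copy, check_signature=False)
        results[name + "_copy_checked"] = relying_party(copy, check_signature=True)
    altered = read_in_clear(short_id)
    altered["fields"]["id"] = "9999999999"   # fields changed after issuance
    results["altered_unchecked"] = relying_party(altered, check_signature=False)
    results["altered_checked"] = relying_party(altered, check_signature=True)
    return results
```

Checking the signature is worth doing (it is the only thing that stops an altered identifier), but it answers "did the issuer write this?" and not "is the issued card here?"; the latter needs a fresh challenge answered with a key that never leaves the device.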
The danger of a Global Identifier
One person's personas, each with its own identifier (diagram labels):
- Virginia fishing licensee
- US citizen (SSN)
- French citizen, health insurance (RFU)
- Maryland driver licensee (UUID)
- cell phone provider (BU&U)
- employed by company (Gag)
- Internet provider (Off-Lyne)
- bank account holder (Last Bank)
Each persona may have a very different security requirement. Any identifier (public information) should be used with an authenticator.

Conclusion
- Whatever device is used for authentication (trusted computer, smart ID card, cell phone), at least two factors are now required for most transactions.
- It means the secure device should come in addition to the usual [ID + Password] and not as a replacement, unless we get serious about biometrics.

Combining all factors
"Resistance is futile, you will be assimilated."