Non Person Identities: After all, who cares about me? Gilles Lisimaque & Dave Auman, Identification Technology Partners, Inc.


Device Identifiers
Most devices we use every day have (at least) two unique identifiers:
- the serial product number (attached to the product)
- the owner's reference (attached to the owner)
Devices shared by many users have only one identifier, e.g. bank notes, telephone booths.
Sep. 2010, Identification Technology Partners

Device Identification
[Diagram: The manufacturer; Serial Number (unique); Signature of the Issuer]

Identifying a car
[Diagram: parties Manufacturer, Driver, Owner; identifiers VIN (fixed), TAG (variable)]

Identifying an account
[Diagram: Account, Ez-Pass, Driver?, Car, Owner; TAG (backup)]

Identifying a user
[Diagram: User File, Driver or Passenger, Car File, Passport Card, Car Owner; TAG (backup)]

Satellite TV Decoders
[Diagram: Viewer, Service Provider, Subscriber, Manufacturer; Device & Subscription Authentication]

Identifying a CCTV
- Direct protected cable
- Device authentication and physical location required
- IP addressing mode

Identifying a network device
[Diagram: User, Manager, LAN, Manufacturer, Router; identifiers MAC (fixed), Serial Number (fixed), IP Address (variable)]

Identifying a computer
[Diagram: parties Internet, LAN, User, Manufacturer]
- Stable identifiers: MAC interfaces, TAG, Service #, Serial Number (fixed)
- Variable identifiers: IP Address, Transaction, Session, Logon ID (variable)

Identifying a TPM
- A TPM encrypts data using the TPM endorsement key, a unique RSA key burned into the chip during its production.
- Since each TPM chip has a unique and secret RSA key burned in as it is produced, it is capable of performing platform authentication.

Identifying a GSM Cell Phone
[Diagram: User, Owner, Manufacturer, Carrier; Phone Number, ESN (fixed), IMSI (variable); Active Authentication; User Authentication? User consent?]
- Other identifiers: Bank Account, Transportation purse, Door access

Smart Cards
- Most of the time, smart cards carry no proof of trust from the manufacturer. The issuer is the entity which conveys trust in the card and its applications.
- Each application is a different link (binding) between a service provider and the user of the card.
- We trust smart cards only when we trust the issuer.
- In the German eID program, the card comes out of manufacturing with a security certificate (like a TPM).

Can anybody trust any Smart Card?
- PIV-C is a card which looks like a PIV and quacks like a PIV, as it has the technical behavior of PIV.
- It is issued by an entity no other entity trusts, and/or by means no other entity trusts.
- It is supposed to use a PIV card from the APL list, but nothing in the card can really prove this is the case.
- If the issuer of a smart card is not trusted, even the card it uses should not be trusted by any other application.

Device, Owner or User?
- Some devices need to be authenticated even when there is no direct user (surveillance cameras).
- Some devices are shared so much that it is the user (or his money) who really matters (telephone booth, rental cars).
- Some devices are so anonymous that it is the owner who really matters (bank note).

The Three Authentication Factors
To prove one's identity we have three independent factors which are commonly used:
- What is known by the subject (but if it can be verified, it generally means it is shared with the verifying party)
- What is owned by the subject (a trusted device such as a smart card issued by a party trusted by the relying parties)
- What the physical subject is (biometric verification against an enrolled trusted reference)

A trusted device is only ONE factor
When is one-factor identification enough?
- It depends on the level of risk/security the application is ready to take
- It depends on the convenience factor the user imposes
- It depends on the cost of the solution
- It depends on the liability of the parties involved
- It depends on the cost/nature of redress when things go wrong

Is another factor more secure?
- Today most online authentications are done using only one factor (what is known). We all know the weaknesses of passwords. There are ways to improve their security, but users lose convenience.
- If we switch to the factor "what is owned", even if it is a very secure device, have we really increased security as a whole, or do we need to combine them?
- Two independent factors are more secure than one.

Combining two factors
When the secure device (what you have) is authenticated only when the user consents for it to work, there is a second factor (what the user knows).
- In EMV, the dynamic signature which authenticates the device is executed only after the user has presented the PIN.
- In PIV, the PIV Authentication key can be challenged only after the user has presented the correct PIN to the card.
- In GSM SIM cards it is possible to protect the authentication with the user's PIN, which has to be presented each time the phone is powered on.

Password manager in a smart card?
- Some companies offer password managers. Some are pure software using encryption protection and certificates; others are in secure portable devices (USB or smart cards).
- If the device itself (or even the secure software) has no means to transfer the fact that it can be trusted to an external party, the result is only the password, and we end up with only one factor (though a more secure one).

But what about transactions?
- When the authentication device (PIV, SIM or other) used for the login phase stays powered all the time, and it has been activated by the user, how do we authenticate the user for elementary transactions?
- Most systems assume the user authentication is not cached by the trusted device.
- Do we need to separate User Consent from User Authentication?
- If passwords can be compromised by a key logger, it is even easier to cache a password and replay it.

And what about Biometrics?
- Some computers use the integrated webcam to authenticate the user
- Some use an integrated fingerprint scanner
- Some use dynamic keystroke
- Using biometrics as a user authentication factor could be very useful to separate user authentication from user consent (PIN)
- This brings an additional factor, but the lack of standardization has slowed down their adoption

We are back to the same issue: it is all about risk
What level of assurance is required? Decisions:
- One, two or three factors
- How to differentiate between user authentication and user consent (transaction vs. session)
- Balance between risk and convenience for the user
We have reached a point where two factors are needed for nearly all online transactions.

No more than three factors
- Whatever combination we make with one or more devices, we have only one factor (what is owned).
- We can increase the level of assurance of this factor by multiplying the number of devices (e.g. a smart card used in a cell phone in a car in front of a given house), but it is still only one factor when the user's knowledge (PIN or password) or the user's biometric (who the subject is physically) is not verified.

Two passwords are only one factor
- Similarly, asking the user to verify two passwords (e.g. a Smart ID PIN as well as a PACS PIN) increases the level of assurance of the "what you know" factor, but it is still only one password.
- It is roughly equivalent to increasing the length (so the strength) of one password.

An OTP device is only one factor
- OTP devices are useful as they generate stronger passwords than whatever a user can remember.
- Even if they are activated by the user's consent (PIN or biometric presented to the device for generating the password), they are only one factor: they provide a stronger password but a weak device authentication (the resulting information exchanged in clear text at the interface is not a serious cryptographic proof).

Secure device and biometry
- As said before, many secure devices are trusted only because of their issuer (e.g. most smart cards).
- If a user were able to enroll their biometric information in a secure device (e.g. a TPM) which could be activated only by the user's biometry (match in TPM), we would have a two-factor authentication method without needing a device issuer role.

A device without issuer or PIN?
- What about having the user's biometric information signed by a public notary instead of the device issuer?
- Such signed reference biometric data would not say anything about any claim the user would make, but it would provide a reference for biometric comparisons.
- If the user binds such a biometric reference to a device everybody trusts (e.g. a TPM), issuers can then add, protect and certify information about the user's personas.

What about the length of an identifier?
- Is a FASC-N alone less secure than a UUID? Is a UUID alone more secure than a CHUID? Is a CHUID secure when the signature is not verified?
- Identifiers are not stolen (or cloned) by human means only, but with quite sophisticated technical means. The length of the identifier does not make any difference anymore.
- They can be cloned very easily (on any type of interface) as long as they are exchanged in clear text.

Zero factor = Danger
- Any identifier used without authentication is a ZERO-factor authentication level.
- Two (or more) identifiers used without authentication is still a ZERO factor, as they are public information.
- The user of such an ascribed identifier should never be held liable for any use of a public identifier.
- Such practice should be forbidden and punishable by law.
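The two preceding points, "Combining two factors" (the device signs only after the PIN is presented) and "Zero factor" (an identifier sent in clear text is cloneable and proves nothing), as an added Python simulation that is not part of the original deck: a PIN-gated token answers a fresh random challenge with an HMAC "dynamic signature", and the relying party rejects a bare identifier, a replayed answer and an unconsented signature. The token id, PIN and key are constructed for the demo, and HMAC stands in for the card's signature.

```python
import hashlib
import hmac
import secrets

# Constructed demo (not the authors' code): a PIN-gated token answers random challenges
# with an HMAC "dynamic signature"; identifier, PIN and key below are made up.
class Token:
    # "What is owned": holds a secret key and signs only after the PIN was presented.
    def __init__(self, token_id, key, pin):
        self.token_id = token_id          # public identifier, travels in clear text
        self._key, self._pin = key, pin   # never leave the device
        self.tries_left, self._unlocked = 3, False

    def present_pin(self, pin):
        if self.tries_left == 0:
            return False                  # PIN blocked after too many failures
        ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        self.tries_left = 3 if ok else self.tries_left - 1
        self._unlocked = ok
        return ok

    def sign(self, challenge):
        if not self._unlocked:
            return None                   # no consent, no signature
        self._unlocked = False            # consent is per transaction, not cached
        return hmac.new(self._key, self.token_id.encode() + challenge, hashlib.sha256).digest()

class Verifier:
    # Relying party: knows each enrolled token's key and issues fresh challenges.
    def __init__(self, enrolled_keys):
        self.keys = enrolled_keys

    def challenge(self):
        return secrets.token_bytes(16)    # fresh nonce, so a captured answer cannot be replayed

    def check(self, token_id, challenge, response):
        key = self.keys.get(token_id)
        if key is None or response is None:
            return False                  # a bare identifier (zero factor) proves nothing
        expected = hmac.new(key, token_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def run_demo():
    key = secrets.token_bytes(32)
    token, rp = Token("TOKEN-0001", key, "4711"), Verifier({"TOKEN-0001": key})
    c1, res = rp.challenge(), {}
    res["id_alone"] = rp.check("TOKEN-0001", c1, None)            # zero factor: False
    res["no_pin"] = rp.check("TOKEN-0001", c1, token.sign(c1))    # device refuses: False
    token.present_pin("4711")
    r1 = token.sign(c1)
    res["pin_then_sign"] = rp.check("TOKEN-0001", c1, r1)         # two factors: True
    res["replay"] = rp.check("TOKEN-0001", rp.challenge(), r1)    # old answer, new nonce: False
    res["cached_consent"] = token.sign(rp.challenge()) is None    # consent not cached: True
    res["blocked"] = not any(token.present_pin("0000") for _ in range(3)) and token.tries_left == 0
    return res
```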

The danger of a Global Identifier
[Diagram labels: Virginia Fishing Licensees; US Citizens; SSN; French Citizens; Health insurance; RFU; Maryland Driver Licensees; UUID; Cell Phone provider; BU&U; Employed by company; Gag; Internet Provider; Off-Lyne; Last Bank Account holder]
- Each persona may have a very different security requirement.
- Any identifier (public information) should be used with an authenticator.

Conclusion
- Whatever device is used for authentication (trusted computer, smart ID card, cell phone), at least two factors are now required for most transactions.
- It means the secure device should come in addition to the usual [ID + Password] and not as a replacement, unless we get serious about biometrics.

Combining all factors
"Resistance is futile, you will be assimilated."