Initiative for Open Authentication (OATH)
Interoperability without Sacrificing Security
Donald E. Malloy, Jr., NagraID Security
XCL@B, September 7th 2010
The Open Authentication Reference Architecture (OATH) initiative is a group of companies working together to help drive the adoption of open strong authentication technology across all networks.
Why the need for OATH
- Fraud continues to grow world-wide
- 2008: 285 million consumer records were breached, resulting in almost $1 Trillion in losses
- 10 Million Americans were victims of fraud last year
- This amounts to over $300M of online fraud last year alone
- Hacking into web sites and stealing passwords continues to be a main focus of fraudsters
- Static Passwords are not secure: 80% hacked
OPERATION PHISH PHRY: Major Cyber Fraud Takedown
The defendants in Operation Phish Phry targeted U.S. banks and victimized hundreds and possibly thousands of account holders by stealing their financial information and using it to transfer about $1.5 million to bogus accounts they controlled.
More Hacks: HIGH-TECH HEIST, 2,100 ATMs Worldwide Hit at Once
With cloned or stolen debit cards in hand, and the PINs to go with them, they hit more than 2,100 money machines in at least 280 cities on three continents, in such countries as the U.S., Canada, Italy, Hong Kong, Japan, Estonia, Russia, and the Ukraine. When it was all over, incredibly within 12 hours, the thieves walked off with a total of more than $9 million in cash. And that figure would've been more, had the targeted ATMs not been drained of all their money.
ATM Spews Money
- Barnaby Jack compromised 2 ATMs he purchased from eBay and demonstrated at the recent Black Hat Security Conference
- He hacked into the firmware, not the OS
- These are the type of ATMs found in bars and convenience stores
- He found he could upgrade the firmware via the USB interface
- The key provided by one ATM opened all others of the same model
- He also demonstrated a remote hack of the ATMs over the telephone, a more dangerous hack
Types of Bank Fraud
- Phishing Scams
- Phony Fraud Alert
- Credit Card Scams
- Card Skimming
- Nigerian 419 Scams
- Check overpayment Scams
- Transferring money
- Spyware and keylogging
Recent hacks this year
As Social Networking develops into a payment model, the hacking is more than a nuisance problem: real money is being scammed.
Koobface: Has tormented users of numerous social networks for the past two years or so, including MySpace and Facebook. During that time, Koobface has evolved in a number of ways, and has been linked to rogue antivirus and malware posing as an Adobe Flash Player update.
Weekend of the Clickjack: During Memorial Day weekend, a clickjacking worm squirmed its way into the lives of hundreds of thousands of Facebook users. The scam worked this way: A message such as "The Prom Dress That Got This Girl Suspended from School" was used as a lure. Clicking on the link that came with the message led users to a third-party site, and clicking anywhere on that page published the initial message on the victim's Facebook page, marked the page as something the user liked and recommended the page to their Facebook friends. In response, Facebook blocked the malicious site associated with the attack.
Malicious Applications: From time to time, social networks are hit with malicious applications. Trend Micro recently found a number of rogue apps on Facebook (with names such as "Stream" and "Birthday Invitations") that sent users to a known phishing domain with a page claiming they needed to enter their login credentials to use the application. Victims would then be directed to the Facebook site. Facebook removed six of the apps identified by Trend by Aug. 20. Unfortunately, more popped up. Users should be wary of applications from unknown developers or that request personal information.
Malvertising Hits Farm Town: In April, users of the popular "Farm Town" game on Facebook were hit with a rogue antivirus scam tied to malicious advertising.
Command and Control: In 2009, security expert Jose Nazario found attackers were using Twitter as a means to send commands to infected computers. In July, EMC's RSA security division uncovered a scheme that used an unidentified social networking site to send commands to a Brazilian banker Trojan. The good news is once detected, removing these types of C&C points is relatively simple and quick.
Distracting Beach Babes: Just when you thought it was safe to click on a link with a racy picture, the "Distracting Beach Babes" attack struck. Messages were posted on the walls of Facebook users, and the thousands who clicked on the messages were directed to a rogue Facebook app that, if given permission to run, urges users to upgrade their FLV player and directs them to download adware to their computer.
Dislike the Disliking Scam: This survey scam spread virally throughout Facebook. Using the tried-and-true method of enticing messages about celebrities and news (for example, "Justin Bieber trying to flirt"), the scammers tried to trick users into giving them access to their profiles. If a user installed the "dislike button," the app updated their Facebook status to promote the link that tricked them. The app then prompted users to fill out an online survey and directed them to a Firefox browser add-on.
20/9/10 Issues Facing IT Managers
OATH History
Created 5 years ago to provide open source strong authentication. It is an industry-wide collaboration that:
- Leverages existing standards and creates an open reference architecture for strong authentication which users and service providers can rely upon, and leverage to interoperate.
- Reduces the cost and complexity of adopting strong authentication solutions.
OATH: Background
Networked entities face three major challenges today:
- Theft of or unauthorized access to confidential data.
- The inability to share data over a network without an increased security risk limits organizations.
- The lack of a viable single sign-on framework inhibits the growth of electronic commerce and networked operations.
OATH: Justification
- The Initiative for Open Authentication (OATH) addresses these challenges with standard, open technology that is available to all.
- OATH is taking an all-encompassing approach, delivering solutions that allow for strong authentication of all users on all devices, across all networks.
- The use of multi-factor authentication products with an OATH application will protect against the ATM hacks mentioned previously.
OATH Membership (Partial)
Standardized Authentication Algorithms
- Open and royalty free specifications
- Proven security: reviewed by industry experts
- Choice: one size does not fit all
HOTP
- Event-based OTP
- Based on HMAC, SHA-1
- IETF RFC 4226
OCRA
- Based on HOTP
- Challenge-response authentication
- Short digital signatures
T-HOTP
- Time-based HOTP
- Submitted to IETF
- Standard expected end of 2010
Token Innovation and Choice
- HOTP applets on SIM cards and smart cards
- OTP embedded in credit card
- OTP soft token on mobile phones
- OTP Token
- HOTP OTP embedded in flash devices
- Soft OTP Token
- Multi Function Token (OTP & USB Smart Card)
- 50+ products shipping
OATH Reference Architecture: Establishing common ground
Sets the technical vision for OATH. 4 guiding principles:
- Open and royalty-free specifications
- Device Innovation & embedding
- Native Platform support
- Interoperable modules
v2.0 adds:
- Risk based authentication
- Authentication and Identity Sharing
OATH Authentication Framework 2.0 (architecture diagram)
Frameworks shown: Client Framework, Validation Framework, Provisioning Framework.
Authentication Methods shown: HOTP, Certificate, Challenge/Response, Time Based.
Other components shown: Risk Interface, Risk Evaluation & Sharing, Authentication Token, Token Interface, Client Applications, Authentication Protocols, Provisioning Protocol, Applications (VPN, Web Application, Etc.), User Store, Validation Protocols, Validation Services, Token Store, Authentication and Identity Sharing Models, Provisioning Service, Bulk Provisioning Protocols, Credential Issuer(s).
Credential Provisioning
- Token manufacturer offline model: Portable Symmetric Key Container standard format (PSKC Internet-Draft)
- Dynamic real-time model: Dynamic Symmetric Key Provisioning Protocol (DSKPP Internet-Draft), OTA provisioning to mobile devices, or online to PC/USB
- IETF KeyProv WG: Current RFC submissions
OATH Roadmap
Tracks: CHOICE of AUTHENTICATION METHODS; CREDENTIAL PROVISIONING & LIFECYCLE; APPLICATION INTEGRATION & ADOPTION
- HOTP
- OCRA
- T-HOTP
- PSKC
- DSKPP
- Certification program
- WS Validation
- Auth & Identity Sharing work
Objectives
- Understand the full lifecycle support needed for strong authentication integration
- Learn different approaches to supporting strong authentication in your applications
- Take away best practices for enabling strong authentication in applications
Certification Program
The OATH Certification Program:
- Intended to provide assurance to customers that products implementing OATH standards and technologies will function as expected and interoperate with each other.
- Enable customers to deploy best of breed solutions consisting of various OATH certified authentication devices such as tokens and servers from different providers.
- Introduced 2 Draft Certification Profiles at RSA: Tokens (HOTP Standalone Client) and Servers (HOTP Validation Server)
- 10 Additional Profiles to be introduced throughout the year
One Time Password Devices: Initial Applications
- Financial: Most Governments have demanded more than static passwords
- Online Authentication
- Physical Access
One Time Password Devices: Subsequent Applications
- Contactless Payment
- Secure Network Access
- E-wallet application
Layered Approach to Security
Applications: OTP PIN Activation, Challenge/Response, Physical Access, Contactless Payment, Secure Network Access
Cards will be used for:
- EMV Payment
- Debit Cards
- Single sign on and multiple applications
Payment or Authentication
- Recent certification by MasterCard announced at their Debit Conference in Budapest this summer.
- VISA trialing a PinPad OTP card in Europe at 9 different banks
- EMV for the secure payment application, and an OATH authentication device as well
Typical Application Scenario: Transaction authentication & Signing
- Log on to Bank's web site
- Give user name and password
- Bank sends a challenge number used to create the pin
- User enters the number into the card and a new secure pass code is generated
- User then submits this new number to the Bank's web site
- Transaction is then authorized by the bank
Interoperability: Sharing between devices
Organization wants various devices:
- USB key for office personnel
- Card based token for travelers
- Mobile for other travelers
All connect to the same back end, providing numerous options for banks to secure their online access
Recommended Validation Framework
Authentication Integration Architecture
- Direct authentication integration over standard protocol
- Plugin based authentication integration
Plugin Based
- Enable two-factor authentication in your existing third party authentication server for user password
- Your application code doesn't need to change
- Out of box strong authentication support in your existing third party authentication server
- Integration Connectors available from authentication solution vendors, e.g. RSA, VeriSign (e.g. CDAS plugin for IBM Tivoli Access Manager)
- Develop your customized plugin for your existing third party authentication server
Open Source Implementation
RADIUS Client
- Java: http://wiki.freeradius.org/radiusclient.net
- C/C++
Authentication Server with OTP Support
- Radius server: http://www.freeradius.org/ (need to add OTP auth plugin)
- Triplesec: http://cwiki.apache.org/dirxtriplesec/
References and Resources
- Initiative for Open AuTHentication (OATH): http://www.openauthentication.org
- HOTP: An HMAC-Based One-Time Password Algorithm, RFC 4226: http://www.ietf.org/rfc/rfc4226.txt
- OATH Reference Architecture: http://www.openauthentication.org
- Other draft specifications: http://www.openauthentication.org
Key is being Involved
- Visit the OATH website
- Download Reference Architecture v2
- Download and review draft specifications
- Engage: contribute ideas, suggestions
- Review public draft specifications
- Get involved in developing specifications
- Become a member! 3 levels: Coordinating, Contributing, Adopting
- Become an active participant
An industry-wide problem mandates an industry-wide solution
- Strong Authentication to stop identity theft across all the networks
- A reference architecture based on open standards
- Foster innovation & lower cost
- Drive wider deployment across users and networks
- Minimal bureaucracy to get the work done!
Other Trends
The movement toward 3 factor authentication:
- What a person knows: password
- What a person has: card or token
- What a person is or how he behaves: biometric and behavioral keystroke patterns
Security in the Cloud: Who has your data? Where is your data?
Questions & Answers Thank You!
Backup Slides
OATH Timeline
A humble beginning: HOTP, Common OTP Algorithm
OATH Reference Architecture 1.0
- New HOTP devices
- Membership expansion
- Public Roadmap release
Roadmap Advances
- Portable Symmetric Key Container
- Challenge-Response Mutual Authentication
- Provisioning Protocol
OATH Reference Architecture 2.0
- Risk-based Authentication
- Authentication Sharing
- IETF KeyProv
- Interop Demo
Steady Progress
Risk Based Authentication Architecture
Risk-based authentication:
- Convenient authentication for low risk transactions
- Stronger authentication for higher risk transactions
- OATH will define standardized interfaces
Risk Evaluation: Sharing fraud information (ThraudReport)
Authentication and Identity Sharing
- Promotes use of single credential across applications: Force multiplier!
- Multiple approaches: One size does not fit all
- Models that leverage identity sharing technologies: Liberty, SAML, OpenID, etc.
- Models to enable sharing of 2nd factor authentication only: Simpler liability models
Authentication Sharing: Centralized Token Service model
- Token is validated centrally in the validation service
- Same token can be activated at multiple sites
- Easy integration for application web site(s).
- Can leverage OATH Validation Service work!
Authentication Sharing: Distributed Validation Model
- Inspired by DNS
- Rich set of deployment models
- Standalone system can join the network by publishing token discovery information
- There needs to be a central Token Lookup Service. OATH considering developing Token Lookup protocol.
Authentication Sharing: Credential Wallet
- Shared device
- Multiple credentials
- Credentials are dynamically provisioned onto the device.
- Leverage OATH Provisioning specifications.
Identity Federation & OATH
- Enables user to use the same identity across website(s)
- Traditional federation (Liberty)
- User-centric models (OpenID, CardSpace)
- Single Identity becomes more valuable: needs to be protected using strong authentication
- OATH: promote the use of strong authentication with these technologies!