Vidder PrecisionAccess Transparent Multi-Factor Authentication
June 2015

910 E Hamilton Avenue, Suite 430, Campbell, CA 95008
P: 408.418.0440  F: 408.706.5590  www.vidder.com
Table of Contents

I. Overview ... 3
II. The Challenge ... 3
III. Security Artifacts ... 4
IV. Transparent MFA Defined ... 4
    Single Packet Authorization ... 4
    Transport Layer Security ... 5
    Device Fingerprinting ... 5
    Step-up Authentication Process ... 5
V. Defeated Attacks ... 6
    Credential Theft ... 6
    Denial of Service ... 6
    Server Exploitation ... 6
    Connection Hijacking ... 7

PRECISIONACCESS TRANSPARENT MFA - JUNE 2015 2
Overview

Multi-factor authentication is a mechanism used in modern work environments to step up the trust level of a user by requiring additional authentication mechanisms to be satisfied before permitting access to a network or application. The Vidder PrecisionAccess (PrecisionAccess) solution uses an authentication system referred to as Transparent Multi-factor Authentication (Transparent MFA), a key security component of the solution. PrecisionAccess, in its totality, combines various security methods and mechanisms into a single solution. This paper focuses on PrecisionAccess's key differentiator: Transparent MFA.

The Transparent MFA system was inspired by existing technologies, including port knocking, single packet authorization, and machine authentication. Transparent MFA takes the best aspects of these technologies and combines them in order to provide true and comprehensive multi-factor authentication without impacting user experience.

This document is intended to answer the following questions:

- What is Transparent MFA?
- How does Transparent MFA work?
- What are the advantages of using Transparent MFA?
- What attack vectors does Transparent MFA mitigate?

The Challenge

Multi-factor authentication (MFA) is a highly secure authentication system that requires several separate authentication stages before providing access. The most common initial authentication stage in use today is a normal username and password, which is used to prove the authenticity of the person accessing an application or network. This is combined with an additional authentication stage such as a one-time password, certificate, or biometric system in order to decrease the likelihood that the user's first authentication stage has been compromised. The main challenge with existing MFA solutions is the negative impact on user experience. Most solutions require the user to take some action such as typing in a one-time password or scanning their fingerprint.
However, PrecisionAccess's unique implementation of Transparent MFA provides a secure way to add a second-factor device authentication without impeding the user experience.

Security Artifacts

The Transparent MFA authentication process requires security artifacts to be onboarded to each authorized client. The onboarding process is highly automated and appears to the user as a normal software installation. The following security artifacts are used in the Transparent MFA process:

Device Identifier: A unique number that is used to identify a device. One user can be associated with many devices and therefore can have many associated device identifiers.

Seed: A one-time password seed that is used to generate tokens for the Single Packet Authorization process. This is stored in an encrypted format.

Counter: A counter that is used to maintain synchronization in the Single Packet Authorization process.

Private Key: A private key that is used both for signing Single Packet Authorization tokens and for establishing TLS connections. This is stored in the system's keychain or certificate store and is marked as non-exportable.

Certificate: A certificate that is used for establishing TLS connections. This is stored in the system's keychain or certificate store.

Transparent MFA Defined

Transparent MFA can be thought of as the equivalent of a one-time password that would normally have to be typed in but is instead conducted within a secure connection process. In order to achieve this level of security, a complex step-up authentication system must be used that allows for efficient validation of connections.

Single Packet Authorization

The first mechanism used in the Transparent MFA process is called Single Packet Authorization (SPA). This concept, originally derived from port knocking, has the client embed a one-time password (OTP) in the single SPA packet, which is then validated on the server. This OTP is generated and validated using a very efficient, hardware-accelerated algorithm that allows packets to be validated with very little performance impact on the server. The PrecisionAccess implementation embeds this token (i.e., the SPA packet) in an SSL ClientHello packet. Along with the OTP, the packet carries a counter for synchronization, a device identifier for identification, and a signature for integrity validation.

Transport Layer Security

Transport Layer Security (TLS) is a protocol for protecting data in transit. A secure TLS session is established immediately after the validation of the SPA packet. This connection is established with mutual trust and provides a high level of security against connection hijacking. PrecisionAccess implements the best security possible in TLS by using a single algorithm (AES-256-GCM) and trusting only one Certificate Authority for the connection (through Certificate Pinning).

Device Fingerprinting

The next step in the Transparent MFA process is to prove that the authentication artifacts were not moved to an unauthorized device. A fingerprint is created on the Controller when the device is onboarded and is then associated with its security artifacts. The fingerprint is composed of multiple factors returned by the operating system to create a signature that can later be attested to. It's important to note that the individual fingerprint factors are sent to the Controller and the Controller chooses which factors to use for the fingerprint. This means that the factors can be changed at random and the fingerprinting algorithm cannot be reverse engineered from the client.

Step-up Authentication Process

The three separate authentication stages described below are combined into a secure, step-up authentication process. As noted above, Transparent MFA is extremely secure but has a very low performance impact on Gateways and Controllers because the first stage of authentication has the least impact on the system. As the trust of the client increases, the performance impact can also increase, but only minimally.
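The SPA exchange described above, as an added example that is not Vidder's code: a client builds a token from the device identifier, counter, seed-derived OTP and a private-key signature, and a server validates it with the cheapest checks first and rejects replays through the counter. The byte layout, the HMAC-SHA256 OTP and the Ed25519 signature are assumptions, since the paper names neither its algorithms nor its wire format, and embedding the token in a ClientHello is out of scope here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// otp derives the one-time password from the seed and counter. HOTP-style HMAC-SHA256
// is an assumption: the paper does not name its algorithm.
func otp(seed []byte, counter uint64) []byte {
	m := hmac.New(sha256.New, seed)
	binary.Write(m, binary.BigEndian, counter) // hash.Hash is an io.Writer; cannot fail for a uint64
	return m.Sum(nil)
}

// BuildToken is the client side. Constructed layout (the paper lists the fields but not
// a wire format): deviceID(4) | counter(8) | otp(32) | ed25519 signature(64) over the rest.
func BuildToken(deviceID uint32, seed []byte, counter uint64, priv ed25519.PrivateKey) []byte {
	t := make([]byte, 12, 108)
	binary.BigEndian.PutUint32(t[0:4], deviceID)
	binary.BigEndian.PutUint64(t[4:12], counter)
	t = append(t, otp(seed, counter)...)
	return append(t, ed25519.Sign(priv, t)...)
}

type Device struct { // server-side onboarding record for one device identifier
	Seed    []byte
	Counter uint64 // highest counter accepted so far; a replay can never exceed it
	Pub     ed25519.PublicKey
}

// ValidateToken is the server side. The cheapest checks run first (length, lookup, counter
// window, HMAC) so junk packets are dropped before the signature check and before any TLS work.
func ValidateToken(db map[uint32]*Device, t []byte, window uint64) bool {
	if len(t) != 108 {
		return false
	}
	dev, ok := db[binary.BigEndian.Uint32(t[0:4])]
	ctr := binary.BigEndian.Uint64(t[4:12])
	if !ok || ctr <= dev.Counter || ctr > dev.Counter+window {
		return false // unknown device, replayed counter, or counter outside the resync window
	}
	if !hmac.Equal(t[12:44], otp(dev.Seed, ctr)) || !ed25519.Verify(dev.Pub, t[:44], t[44:]) {
		return false
	}
	dev.Counter = ctr // resynchronize the server to the accepted counter
	return true
}
```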
Stage 1: Single Packet Authorization

This first stage of the process is the most important. It mitigates the vast majority of attacks on the server and must be performed very efficiently. Single Packet Authorization was designed with this foundational premise and has proven to be very effective in thwarting advanced attack vectors.

Stage 2: Transport Layer Security

The second stage of the process is creating a secure connection using TLS. Since the trust of the client has been partially verified using SPA, this more intensive process can be conducted without increasing the risk of denial of service.
Stage 3: Device Fingerprinting

The last stage is to verify that the security artifacts used for the authentication process are coming from a legitimate device. PrecisionAccess transmits the fingerprint and compares it to the fingerprint that was created at onboarding time. This proves with a high degree of likelihood that the security artifacts were not copied to another device.

Defeated Attacks

PrecisionAccess Transparent MFA is a key component of the architecture and security value of the solution. It mitigates a multitude of attack vectors by using a secure, lightweight device authentication system.

Credential Theft

Credential theft is one of the most common attack vectors in today's enterprise environments. The theft can occur through a variety of channels, including key loggers, phishing, and brute-force attacks, to name a few. However, PrecisionAccess Transparent MFA is able to mitigate stolen credentials by requiring that all connections destined for a protected application come from a PrecisionAccess Gateway. In order to gain access to this Gateway, a user must undergo the Transparent MFA process, which acts as a second factor of authentication.

Denial of Service

Denial of Service is an attack that is used to compromise the availability of an application. Often performed by activists or competitors, it can ruin the reputation of an organization and cause a loss of services for customers. This attack vector has been exploited in many implementations, all of which aim to starve the resources of a network, application, or server. PrecisionAccess is able to defeat a large portion of these attack vectors by limiting connectivity to authorized users only. For example, a common denial of service attack called the SSL Renegotiation DoS continually re-establishes SSL connections to a server until it runs out of resources to service future requests. Malicious adversaries generally perform this attack against internet-accessible websites. Protecting the application with a PrecisionAccess Gateway makes the attack far more challenging: the Gateway isolates the application server by refusing any connection to the application until the client has proven its trust.

Server Exploitation

Server exploitation can come in many different varieties, including SQL Injection, Buffer Overflows, Cross-site Scripting, and many others. Attackers are able to perform these attacks remotely and without legitimate credentials. For example, one of the most common vulnerabilities is SQL Injection, often performed against login and search forms. These forms can generally be accessed and attacked without having a username and password. Attacks such as these are a very serious problem since many applications have been made internet-accessible, ultimately allowing attackers to break into systems and gain access to an internal network and corporate data. Transparent MFA is able to protect these applications by moving them behind a PrecisionAccess Gateway. An attacker would need to have valid security artifacts and a valid device in order to gain any connectivity to the application. Doing this reduces the attack surface of the application to authorized users, which greatly reduces the likelihood of an attack.

Connection Hijacking

Connection Hijacking, also known as man-in-the-middle, is an attack vector that is used to steal or modify data in flight. It's not uncommon to hear about users who used a wireless hotspot in a public coffee shop, resulting in an eventual compromise of an organization. This is caused by the insufficient in-flight encryption systems used by many organizations today. Most applications will use the system's Trusted Certificate Store or Keychain to enumerate a trusted list of Certificate Authorities. This store contains approximately 300 unique Certificate Authorities, any of which could potentially be compromised and result in a connection hijacking attack. PrecisionAccess uses a methodology referred to as Certificate Pinning, which trusts only a small subset of Certificate Authorities. This greatly reduces the likelihood that a trusted Certificate Authority is compromised. In addition, PrecisionAccess implements mutual trust in the authentication process by utilizing SPA and TLS. This requires both the client and server to present security artifacts during the connection and authentication process. An adversary will generally not have the artifacts from both parties and as a result will not be able to break into the connection. This mutual trust provides an extremely high level of confidentiality and integrity on remote connections initiated from untrusted locations.

Contact Us

Email: PrecisionAccess@vidder.com
Phone: 408.418.0440
www.vidder.com