The Role of PNT in Cybersecurity
Location-based Authentication
Dr. Michael O'Connor
November 14, 2013
Satelles is a Division of ikare Corporation

What do we mean by Authentication?
- Authentication is the act of confirming the truth of an attribute of a datum or entity
- The examples in this presentation focus on a user's identity
- The concepts also apply to document and data authentication

The Classic Authentication Factors
- Something you know: Username, Password / PIN, SSN, Name of first pet
- Something you have: Credit/Debit Card, Mobile phone, Hardware token, Encryption key
- Something you are: Fingerprint, Iris or retinal pattern, Voice, DNA
How many of us (until recently) thought about authentication

Passwords Don't Work for Most of Us
October, 2013, an Adobe security breach revealed these as the top 10 account passwords:
123456, 123456789, password, adobe123, 12345678, qwerty, 1234567, 111111, photoshop, 123123
2 million of 38 million users
CONVENIENCE IS THE ENEMY OF SECURITY

Two-Factor Authentication
- Something you know: Username, Password / PIN, SSN, Name of first pet
- Something you have: Credit/Debit Card, Mobile phone, Hardware token, Encryption key
- Something you are: Fingerprint, Iris or retinal pattern, Voice, DNA
- Privacy, Data Permanence, Amputation
How many of us think about authentication today

Two Factors are Not Always Enough
- Businesses like RSA and CA Technologies offer "Something You Have" authentication
- In 2011, RSA servers were compromised. Attackers captured algorithms and seeds
- Cloned SecurID tokens were later used to attack several companies.
- RSA was required to replace compromised tokens.

Adoption of Two Factor Authentication
A majority of US consumers have been affected by typical online threats
- 56% virus or malware infection on a computer
- 37% victim of a phishing attack
- 26% victim of account compromise (e.g., hacked, broken into, password theft)
- 20% victim of a social media phishing attack
- 5% had a phone lost or stolen that resulted in unwanted access to sensitive information.
Despite the recent hype, 75% of Americans have never signed into a website using two-factor authentication
CONVENIENCE IS THE ENEMY OF SECURITY
Source: http://online.wsj.com/article/pr-co-20130627-907711.html?mod=googlenews_wsj

Location: a Fourth Authentication Factor
- Something you know
- Something you have
- Something you are
- Somewhere you are
Trusted location is independent of other authentication factors
Solutions can be invisible to the user: no action required
LOCATION-BASED AUTHENTICATION HAS THE POTENTIAL TO BE MORE SECURE AND MORE CONVENIENT

Location: Used Today, but not Secure

GPS / GNSS for Trusted Location
Available in nearly every device, but susceptible to spoofing
- December, 2011
  - Stealth US RQ-170 Sentinel lost in Iranian airspace
  - Photo above appears days later on Iranian television
  - Iran claims GPS spoofing was used to capture drone
- July, 2013
  - UT Austin research team spoofs GPS
  - Causes yacht to veer from its intended course

GPS / GNSS for Trusted Location
Higher integrity solutions are being considered
- Nav message encryption and digital signatures
- P-code correlation techniques
Signal plot legend:
- P(Y) Code (magenta): Protected signal; 10 MHz chipping rate, encrypted; Unpredictable
- C/A Code (blue): Public signal; 1 MHz chipping rate, published; Predictable

Cell Towers for Trusted Location
- Several methods of location determination possible
  - Time Difference of Arrival (TDOA/UTDOA)
  - Cell ID / Enhanced Cell ID
  - RF pattern matching
- User-plane solutions are more susceptible to spoofing
- Control-plane solutions are more resistant to spoofing
  - Require infrastructure
  - Carrier specific

Local Transmitters for Trusted Location
- Local beacons can authenticate device proximity
- Work indoors
- Require local infrastructure
- Near Field Communications (NFC)
- Bluetooth Low Energy (BLE)

Applications for Trusted Location
- Government network and data access control
  - Examples include DoD, tracking of high value assets, and critical infrastructure such as power plants and water supplies
- Financial Institutions
  - Numbers are not published, but these companies lose billions to cyber attacks each year, and the losses are growing
  - Customers include financial infrastructure, banks and credit card companies: major banks, SWIFT, Fiserv, First Data, Jack Henry
- Enterprise networks and high value data
  - Examples include IP, financial, medical records, and cloud security
  - Customers already pay for, and would value, increased security
- Online Gambling
  - Location of users and servers is highly regulated in the US
  - $6B industry in US; $22B globally
- Entertainment Industry
Increasing Value to Professional Cybercriminals

Example Application: Mobile Payments
- Growth of mobile payments is staggering: 44% annual growth rate
- Expected to exceed $1B per day in 2014
- CAGR >250%
- Volume still tiny relative to card payments ~$21B per day

Mobile Made Easier than a Credit Card
- Consumer enters a market zone
- Smart phone provides location data to mobile payment provider
- Authentication server confirms location for mobile payment provider
- Informs approved retailers in the area
- Point of sale ready for transaction
- Verbal lookup and/or visual confirmation
- Transaction approved
- Consumer never reached for phone or wallet

Magic Required to Revolutionize Mobile Transactions for Consumers
- Must be trustworthy
- Must be virtually invisible to the user
- Must work where the transactions are happening
- Ideally would not require significant new infrastructure
- Cannot drain your phone battery

Unique Value Derived from Iridium
1. Worldwide Coverage: Without local infrastructure
2. Custom Signals: Provide secure time transfer and navigation capabilities
3. High Power Broadcasts: Signals penetrate buildings
4. Close to GPS Band: Hardware is based on standard GPS chipsets
5. Focused Spot Beams: Key feature for proving user location and time
Leverages unique capabilities developed and demonstrated by Boeing, Iridium, and Satelles

Demonstrated Indoor Signal Penetration
- Extensive testing performed in dense urban (Tokyo)
- Iridium signal coverage at 98% of tested sites
  - 300+ indoor measurements; average attenuation: 36 dB

Signal Penetration Inside Container
Plot legend:
- Blue points: Iridium in container
- Brown line: GPS outdoors
- Green points: Iridium outdoors

Site-specific Keys Delivered from Space
- Overlapping beams provide a distinct, location-specific pattern
- Beams for two of 66 satellites at one point in time are shown
Notional Iridium beam coverage map property of Iridium Satellite LLC.

How it Works
1. Valid user or hacker initiates secure online activity
2. User device receives location-specific satellite data
3. User login data and satellite data are sent automatically
4. Satelles determines trusted user location based on satellite data
5. Trusted location is used in decision engine to allow or deny access
Diagram labels: Satelles Authentication Server; Iridium Gateway (Co-located); TLS Socket; VPN / TLS Socket Connection; Satelles Customer

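A sketch of steps 2 to 5 above, added here as an illustration; it is not Satelles' protocol and not code from the presentation. The HMAC-derived per-beam tokens, the epoch counter, the beam ids, the site names and every function name are assumptions standing in for the "random data" and overlapping spot-beam pattern the slides describe.

```python
import hashlib
import hmac
import secrets

def beam_token(beam_secret: bytes, epoch: int) -> bytes:
    """Unpredictable data one beam broadcasts in one epoch (assumed scheme)."""
    return hmac.new(beam_secret, epoch.to_bytes(8, "big"), hashlib.sha256).digest()[:16]

class LocationVerifier:
    """Hypothetical authentication-server side of the flow."""
    def __init__(self, beam_secrets, coverage, max_skew=1):
        self.beam_secrets = beam_secrets  # beam id -> secret held only by the server
        self.coverage = coverage          # site -> set of beam ids that overlap there
        self.max_skew = max_skew          # epochs of clock skew tolerated

    def trusted_site(self, observed, epoch, server_epoch):
        """Return the site whose beam pattern matches `observed`, or None."""
        if abs(server_epoch - epoch) > self.max_skew:
            return None  # stale data: treat as a replay
        for beam_id, token in observed.items():
            secret = self.beam_secrets.get(beam_id)
            if secret is None or not hmac.compare_digest(token, beam_token(secret, epoch)):
                return None  # unknown beam or forged token
        for site, beams in self.coverage.items():
            if set(observed) == beams:
                return site
        return None

def allow_access(verifier, credentials_ok, allowed_sites, observed, epoch, server_epoch):
    """Decision engine: credentials and a trusted location must both pass."""
    site = verifier.trusted_site(observed, epoch, server_epoch)
    return bool(credentials_ok and site in allowed_sites)

# Constructed sample data: four beams, two sites with distinct overlap patterns.
BEAM_SECRETS = {b: secrets.token_bytes(32) for b in ("A7", "A8", "B3", "C1")}
COVERAGE = {"branch-office": {"A7", "B3"}, "elsewhere": {"A8", "C1"}}
VERIFIER = LocationVerifier(BEAM_SECRETS, COVERAGE)

def receive(site, epoch):
    """What a device physically at `site` would pick up during `epoch`."""
    return {b: beam_token(BEAM_SECRETS[b], epoch) for b in COVERAGE[site]}

if __name__ == "__main__":
    office = {"branch-office"}
    print(allow_access(VERIFIER, True, office, receive("branch-office", 500), 500, 500))
    print(allow_access(VERIFIER, True, office, receive("elsewhere", 500), 500, 500))
    print(allow_access(VERIFIER, True, office, receive("branch-office", 500), 500, 520))
```

The login from the enrolled site is allowed; valid credentials presented from another site, and data captured at the right site but submitted twenty epochs late, are both denied.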
Magic Required to Revolutionize Mobile Transactions for Consumers
- Must be trustworthy: Spot beams, random data make signal extremely difficult to spoof
- Must be virtually invisible to the user: Reporting trusted location does not require user interaction
- Must work where the transactions are happening: Satelles signals are 1000X stronger than GPS, penetrate buildings
- Should NOT require significant new infrastructure: Signals come from space, world-wide, no local infrastructure
- Cannot drain your phone battery: Satelles processing requires potentially half the power of GPS

Summary
- There is a compelling need for improved cyber security
- Current methods of authentication are inadequate
- Convenience is the greatest enemy to security
- Trusted location can play an important role in authentication
  - More Secure AND More Convenient
- Among a range of good solutions, Iridium-based techniques potentially offer unique and compelling features
  - Trustworthy
  - Invisible to the user
  - Work indoors
  - Require no local infrastructure
  - Possible power advantages

Questions?
Artist depiction of an Iridium LEO satellite in space