Strong authentication of GUI sessions over Dedicated Links. ipmg Workshop on Connectivity 25 May 2012

Transcription

1 Strong authentication of GUI sessions over Dedicated Links ipmg Workshop on Connectivity 25 May 2012

2 Agenda Security requirements The T2S U2A 2 Factor Authentication solution Additional investigation Terminal Services OTP authentication Remote HSM Conclusions

3 Security requirements 1/2 The T2S Information Security requirements and controls require a strong authentication for remote access of users User authentication for external connections Control: Strong authentication methods (e.g. hardware token, certificates) must be used to control access by remote users. Strong authentication is performed via a two factor authentication Something the user knows (PIN) Something the user owns (a physical object such as a smart card or USB token)

4 Security requirements 2/2 Connectivity workshop on 27 February 2012: The Eurosystem proposal is based upon the strong authentication of GUI sessions via Dedicated Links, based on certificates stored on hardware devices, to be managed by physical users.

5 T2S U2A 2 Factor Authentication solution T2S U2A application is based on the implementation of strong authentication via x509 certificates and smart cards or cryptogprahic USB tokens Association between x509 certificates and T2S users are managed in Static Data; 4CB will provide USB tokens (or smart cards) in the Dedicated Links context and for the Internet channel; VA-NSP have been requested to provide smart cards to their users with certificates to be used for 2FA. The solution implies the usage of a USB port either for the USB Token or for the Smart card reader and specific drivers will have to be installed on the client

6 Additional investigation Is a Terminal Server solution based on Citrix compliant with the T2S U2A solution? Other requests for clarification refer to thin clients (not properly a traditional PC) without USB port or to avoid, in any case, the use of local USB ports on the client

7 Terminal services A Citrix-based environment is a viable solution, but According to our current experience, smart card drivers must be installed on both client and server (investigation ongoing) The USB device must still be plugged into the client

8 OTP authentication 1/2 One Time Password hardware tokens do not need a USB port ( disconnected tokens ) Pseudo random numbers synchronized with autentication server

9 OTP authentication 2/2 Not compliant with T2S U2A current solution It is not based upon x509 certificates It is not in line with the DL CR assessment The need to support different authentication methods for U2A connections through the different channels (VAN, DL, Internet) would increase the costs. U2A user authentication Reference ID T2S.UC.TC.30245: The NSP shall distribute to the end users the credential to access the interface to the T2S. The NSP shall deliver the certificates for U2A to the end users (with a smart-card). More vulnerable than smart cards or USB tokens Man in the middle attacks RSA SecureID attack on March 2011

10 Remote HSM 1/2 Hardware Security Module containing authentication certificates to be managed by IT department of CSDs no USB port required on clients.

11 Remote HSM 2/2 The solution is not compliant with the T2S U2A solution Certificates stored on HSMs are suitable for signature purposes, but not properly for authentication (the user has in any case to be identified for accessing its own certificate on the HSM) The principle something the user owns is not fulfilled

12 Conclusions T2S U2A 2 Factor Authentication solution is based on certificates stored on smart card or USB cryptograhpic token devices. The usage of Citrix is compliant with the solution; the need to install software also on the client must be further investigated. The usage of OTP tokens for 2FA is not compatible with the T2S U2A 2FA solution. The usage of a remote HSM for authentication purposes is not compatible with the T2S U2A 2FA solution.

13 Q & A