Moving to Multi-factor Authentication. Kevin Unthank

Transcription

1 Moving to Multi-factor Authentication Kevin Unthank

2 What is Authentication 3 steps of Access Control Identification: The entity makes claim to a particular Identity Authentication: The entity proves that they are who they say they are Authorization: The entity is granted certain access rights based on that Authenticated Identity

3 What is Multi factor Authentication Authentication is based upon 3 Factors Something you know: Pin, Password, Picture Something you have: Token, Card, Certificate Something you are: Biometrics Fingerprint, Iris Scan, Hand Geometry, Voice Print, Facial Image

4 Why Consider Multi factor Authentication with PKI Regulatory Requirements Security Benefits Economic Benefits Usability Benefits

5 Regulatory: HSPD 12 & FIPS 201 Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors Homeland Security Presidential Directive/HSPD 12 FIPS 201 is a mandatory Federal Information Processing Standard which describes how HSPD 12 should be addressed. References several Special Publications SP 800 xx

6 Regulatory: FFEIC Guidance The agencies consider single factor authentication, as the only control mechanism, to be inadequate for high risk transactions involving access to customer information or the movement of funds to other parties. FIL October 12, 2005

7 Regulatory: Sarbanes Oxley Public companies are required to produce an internal control report, which shall: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. Sarbanes Oxley Act of 2002: SEC MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

8 Security Benefits Increased Trust Digital Identity Authenticity and Integrity Strong authentication Encrypted data Non repudiation

9 Economic Benefits Reports estimate 30% 80% of help desk calls are password related Each help desk call costs, on average, from $25 to $50 Consolidate multiple functions onto a single token Consolidate physical and logical access systems

10 Usability Benefits End User Convenience ATM transactions Portability: Easily Displayed Fits in your Wallet or key ring Foundation for Single Sign on

11 Smartcards Pros Can store photo, proximity antenna and smart chip all on a single token PKI enables encryption and assures content integrity for secure interactions Cons Card readers are not ubiquitous User acceptance issues

12 Java Card Supports multiple applications including physical and logical access Add and delete applications to adapt to future needs Only trusted server can access its own associated applet on Java Card Each applet is firewalled from each other Biometric templates can be stored on card, eliminating risk of theft from biometric database

13 Global Open Platform Defines card components, command sets, transaction sequences and interfaces. Card Manager Applet Secure Channel Key Sets Global PIN Security Domains

14 US Department of Defense Common Access Card Single credential for: Personnel identification Building or facility access Systems and network access. In addition the CAC will have the capacity to host applications in other functional areas such as medical, personnel and logistics. (Photo credit: Lana Baumgartner)

15 USB Tokens Pros All the benefits of a Smartcard in a convenient form factor USB ports readily available Cons Logical authentication only. Cannot be used for physical identification or access

16 OTP Tokens Pros No reader hardware required No local client software required Cons Logical authentication only. Cannot be used for physical identification or access Can have clumsy UI Cannot be used for PKI operations

17 Software Tokens Pros No separate hardware token required Cons Does not provide non repudiation Vulnerable to automated attacks

18 Token Management Infrastructure Client Server Subsystems User Firewall HTML ESC CA DRM TPS TKS APDU Smartcard DB

19 Client Architecture IE Outlook login ESC VPN Firefox Thunderbird NSS MS CAPI PKCS#11 PC/SC E Gate USB

20 Demonstration Enrollment Authentication Encryption/Decryption

21 Questions?