WHITE PAPER AUGUST 2014. Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords




WHITE PAPER: PREVENTING SECURITY BREACHES

Table of Contents

Don't Become the Next Headline
Make the Breachable Unbreachable
Why Passwords Are Susceptible to Attacks
Preventing Security Breaches by Eliminating the Need to Store Passwords
Additional Resources
Conclusion

Don't Become the Next Headline

It seems like every day we see in the news that another breach has occurred. In fact, the New York Times recently reported on a security breach that involved over a billion online account passwords. Why does this keep happening? One reason is that many websites continue to use simple passwords for authentication and choose to store them as hashes. Another reason is that identity theft and fraud is a big business. According to a Ponemon study [1], U.S. organizations experienced the highest total average cost for a data breach, at more than $5.4 million. Part of the reason for this is that, according to the study, United States companies had data breaches that resulted in the greatest number of exposed and compromised records. This is a real money cost, but the cost to your brand and customer confidence can have an even bigger impact on your business.

Make the Breachable Unbreachable

What would happen if hackers got hold of the database of credentials, but discovered that it didn't contain any passwords, hashed or encrypted? Implementing CA Advanced Authentication can help solve the problem of compromised passwords. Its strong authentication credentials help prevent security breaches by eliminating the password hash file, thus making the breachable unbreachable.

Why Passwords Are Susceptible to Attacks

One attack point for a security breach is the stored repository of passwords, for example the password hash file. Common practice is to protect passwords using hash algorithms, but the databases where the hashes are stored are still the subject of many successful hacks, which use brute force to reveal the passwords. Many brute-force attacks exist today that can recover the passwords in these files in realistic times. The continued use of simple passwords for authentication, stored as hashes (often with a salt added for extra protection), is what makes these attacks possible.

Hashing turns a piece of data, like your password, into another piece of data that looks random or unrecognizable. For example, the password MiloPug, when hashed, might become xh^21hdgxeoud76@%@d. Hashing is one-way: it is easy to create the hash from the original text but impossible to start with the hash and get back to the original text. While there is no algorithm to reverse a good hash function, hashes can still be attacked using brute-force techniques, and given current advanced hacking techniques this is not so hard to accomplish.
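The point the paragraph above makes, that a stored hash cannot be reversed but can still be guessed against, comes down to one property: the stored record is a self-contained verifier. The following Python is an added example, not code from the white paper or from CA. It assumes a constructed per-user salt and the paper's example password MiloPug, and it shows the site's own login check alongside the fact that the same check runs just as well on a leaked record, with no server, no lockout and no failed-login trail. It also contrasts a single SHA-256 with an iterated PBKDF2, which raises the cost of each guess without removing the ability to guess offline.

```python
"""Added example (not from the white paper): a stored password hash is an
offline oracle. Whoever holds the record can test guesses locally, with no
server, no lockout and no failed-login trail. A slow KDF raises the cost of
each guess; it does not take the oracle away."""
import hashlib
import hmac

SALT = bytes.fromhex("2f8a1c44d9e0b7a3")  # constructed per-user salt
ITERATIONS = 50_000

def hash_sha256(password: str, salt: bytes) -> str:
    """Single salted SHA-256: cheap, so guesses can be tested at hardware speed."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def hash_pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256: each guess costs `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()

def make_record(password: str, scheme: str) -> dict:
    """The row a site stores for the user; this is what a breached database leaks."""
    fn = hash_sha256 if scheme == "sha256" else hash_pbkdf2
    return {"scheme": scheme, "salt": SALT.hex(), "hash": fn(password, SALT)}

def verify(record: dict, candidate: str) -> bool:
    """The site's own login check. It needs nothing but the record, which is
    exactly why a stolen record can be checked anywhere, by anyone."""
    salt = bytes.fromhex(record["salt"])
    fn = hash_sha256 if record["scheme"] == "sha256" else hash_pbkdf2
    return hmac.compare_digest(record["hash"], fn(candidate, salt))

def offline_checks_until_match(record: dict, candidates: list) -> int:
    """How many candidates were checked before the record matched (-1 if none).
    Every check runs locally against the leaked row; the server never sees it."""
    for i, guess in enumerate(candidates, start=1):
        if verify(record, guess):
            return i
    return -1

if __name__ == "__main__":
    # Constructed sample: the paper's example password and a tiny candidate list.
    rec = make_record("MiloPug", "pbkdf2")
    print(offline_checks_until_match(rec, ["password", "letmein", "MiloPug"]))
```

Note that `verify` is identical whether it is called by the login page or by someone holding a copy of the table; nothing in the record ties the check to the server. That is the asymmetry the rest of the paper sets out to remove.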

Preventing Security Breaches by Eliminating the Need to Store Passwords

The concept is simple. Many systems today authenticate by comparing the hash of the password the user enters to the hash value stored on the server. CA Technologies takes a different approach and does not store the password anywhere, not even as a hash. Using patented cryptographic camouflage (U.S. Patent 6,170,058), CA Advanced Authentication uses the password to protect, or lock, a secret key. The protected key is sent from the server to the browser or application, where it is unlocked using the password. The unlocked key is then used to sign a random challenge, and the resulting signature is sent back to the server. The password and the unlocked key appear only briefly in memory at the browser. Camouflage technology ensures that the protected key, if obtained by an attacker, cannot be unlocked. Because the password is stored permanently only in the user's mind, there is no password file for the attacker to steal. The password is used during credential creation and during the authentication process, but is never stored anywhere: not in a repository, not on the client, and not anywhere else that hackers could target.

How CA Advanced Authentication Works

As part of the enrollment process, the end user is asked to select a PIN or password when they set up the CA Auth ID. Each end user is assigned a key pair, consisting of a private key and a public key. Using patented cryptographic camouflage technology from CA, the private key is camouflaged based on the user's PIN or password. Camouflage is a way of protecting data, based on standard encryption algorithms, that prevents brute-force attacks. The effect of this process is that decryption, even with an incorrect password, always produces a result that looks correct to the attacker but will not produce a valid signature. This is detected by the server when the signature is returned.

In the case of a simple six-character password (using letters, numbers and ten special characters), a brute-force attack on a camouflaged key will produce 72^6 = 139,314,069,504 plausible keys. Only one of these will generate a valid signature, and the attacker has nothing to indicate which one it is; they all look equally valid. The attacker has no recourse but to try the keys individually by sending signatures to the server, that is, by trying to authenticate. After a few failures the server will detect the attack.
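The two sections above describe a protocol (server hands out a password-locked private key, client unlocks it and signs a random challenge, server verifies and counts failures) and a property of the locking (every password unlocks to a plausible key). The Python below is an added example written to illustrate that structure; it is not CA's code and not the patented camouflage algorithm. It assumes a toy Schnorr group that is far too small for real use, a PBKDF2-derived pad as the locking step, a three-failure lockout, and that the server keeps the public key to itself (if the public key were published, candidate keys could be tested against it offline; the paper does not spell this out). For contrast it also includes a naive locking that ships a check tag, which is exactly the kind of redundancy the camouflage approach avoids.

```python
"""Added example (not CA's code or its patented scheme): a toy model of a
password-camouflaged private key. The locked key carries no redundancy, so any
password "unlocks" it to a plausible in-range key; only the server, which holds
the public key and counts failures, can tell a good signature from a bad one."""
import hashlib
import secrets

# Toy Schnorr group: p = 2q + 1 with p and q prime, G of prime order q.
# Far too small for real use; sized only so the structure is easy to follow.
P, Q, G = 2039, 1019, 4
MAX_FAILURES = 3  # "after a few failures the server will detect the attack"

def pad_from_password(password: str, salt: bytes) -> int:
    """Password-derived pad in [0, Q). PBKDF2 here; prefer a memory-hard KDF."""
    d = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)
    return int.from_bytes(d, "big") % Q

def lock_key(private_key: int, password: str, salt: bytes) -> int:
    """Camouflage: add the pad mod Q. No checksum or padding can betray a wrong password."""
    return (private_key + pad_from_password(password, salt)) % Q

def unlock_key(locked: int, password: str, salt: bytes) -> int:
    """Never fails: a wrong password just yields a different in-range key."""
    return (locked - pad_from_password(password, salt)) % Q

def naive_lock(private_key: int, password: str, salt: bytes) -> tuple:
    """Contrast (what not to do): ship a check tag so the client can reject bad
    passwords locally. That tag is an offline oracle for anyone holding the blob."""
    tag = hashlib.sha256(private_key.to_bytes(2, "big")).digest()[:4]
    return lock_key(private_key, password, salt), tag

def naive_unlock(blob: tuple, password: str, salt: bytes):
    locked, tag = blob
    x = unlock_key(locked, password, salt)
    return x if hashlib.sha256(x.to_bytes(2, "big")).digest()[:4] == tag else None

def _hash_to_scalar(r: int, challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + challenge).digest(), "big") % Q

def sign(private_key: int, challenge: bytes) -> tuple:
    """Schnorr signature (r, s) on the server's challenge; e == 0 is retried."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        e = _hash_to_scalar(r, challenge)
        if e:
            return r, (k + e * private_key) % Q

def verify_signature(public_key: int, challenge: bytes, sig: tuple) -> bool:
    r, s = sig
    e = _hash_to_scalar(r, challenge)
    if not (1 <= r < P and 0 <= s < Q) or e == 0:
        return False
    return pow(G, s, P) == (r * pow(public_key, e, P)) % P

class Server:
    """Stores locked key, salt and public key per user; never the password. The
    public key stays server-side: if published, candidate keys could be tested
    offline against it (an assumption added here, not stated by the paper)."""
    def __init__(self):
        self.users, self.pending = {}, {}

    def enroll(self, username: str, password: str) -> None:
        x, salt = secrets.randbelow(Q), secrets.token_bytes(8)
        self.users[username] = {"locked": lock_key(x, password, salt), "salt": salt,
                                "public": pow(G, x, P), "failures": 0}

    def begin_login(self, username: str) -> tuple:
        """Hands the locked key to anyone who asks, plus a fresh random challenge."""
        challenge = secrets.token_bytes(16)
        self.pending[username] = challenge
        u = self.users[username]
        return u["locked"], u["salt"], challenge

    def finish_login(self, username: str, sig: tuple) -> bool:
        u, challenge = self.users[username], self.pending.pop(username, None)
        if challenge is None or u["failures"] >= MAX_FAILURES:
            return False
        ok = verify_signature(u["public"], challenge, sig)
        u["failures"] = 0 if ok else u["failures"] + 1
        return ok

    def is_locked_out(self, username: str) -> bool:
        return self.users[username]["failures"] >= MAX_FAILURES

def client_login(server: Server, username: str, password: str) -> bool:
    """Browser side: unlock with the password, sign the challenge, send the signature."""
    locked, salt, challenge = server.begin_login(username)
    return server.finish_login(username, sign(unlock_key(locked, password, salt), challenge))
```

The design choice that matters is in `lock_key` and `unlock_key`: because the locked value is just another element of [0, Q), there is nothing in it for a client-side check to reject, so the only place a wrong password shows up is at `finish_login`, which the server rate-limits. `naive_lock` shows the alternative: a four-byte tag lets the client say "wrong password" immediately, which is convenient for users and equally convenient for anyone who has copied the blob.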

This diagram shows how CA Advanced Authentication uses a password but does not pass it to the server or need to validate it against a password repository.

The Technology that Enables the Solution

The CA Auth ID credential is available to anyone who asks for it by username, even bad guys. The bad guys can't use it, because they can't brute-force the key, so it does them no good. The ID is provided by the server at login time, so it can work from any device, anywhere. It works on any device with a browser that has JavaScript, and can work with any mobile app developed using our software development kit (SDK). The user sees no changes to the existing enrollment process, forgot-your-password (FYP) steps or other password flows. Any existing risk and secondary authentication processes are preserved. Login flows and the familiar login sequence (single page or double page) remain unchanged. Users can be migrated behind the scenes from their current credentials to these look-alike, yet protected, credentials. While the CA Auth ID can also be used to meet two-factor authentication compliance requirements, this implementation uses the proven credential to eliminate the organization's need to create, manage and secure a password database. In doing so, it removes the most attractive attack vector for hackers: large credential repositories that are vulnerable to brute force.

Benefits of CA Advanced Authentication include:

- Immunizes against server-side hash file attacks
- Protects from man-in-the-middle attacks that occur when passwords are transmitted
- Keeps the familiar username/password login process
- Reduces the need for password complexity and storage
- Works with a variety of risk-based solutions
- Works on any browser or device; no client footprint required
- Simple SDK for mobile apps

Conclusion

The CA Advanced Authentication suite of products can help keep an organization's name out of the headlines for a security breach. This solution, which can be easily integrated into existing applications, helps eliminate the weak point that many systems possess: the password hash file. CA Advanced Authentication provides a password-like credential that does not store passwords on the server, so there are no passwords for an attacker to steal.

Additional Resources

Be Smarter Than a Hacker webcast (http://bit.ly/1s38ygj)
The educate Channel for CA Advanced Authentication (http://bit.ly/1xerzqh)

Connect with CA Technologies at

CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate across mobile, private and public cloud, distributed and mainframe environments. Learn more at.

[1] Cost of a Data Breach Study: Global Analysis, Ponemon Institute, May 2013

CA 2014. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only, and does not form any type of warranty. CS200-200-86850_0814