Strong Authentication for Future Web Applications



Similar documents
An Introduction to Cryptography as Applied to the Smart Grid

Executive Summary P 1. ActivIdentity

2014 IBM Corporation

How To Encrypt Data With Encryption

Savitribai Phule Pune University

I N F O R M A T I O N S E C U R I T Y

I N F O R M A T I O N S E C U R I T Y

SEC100 Secure Authentication and Data Transfer with SAP Single Sign-On. Public

SAP Single Sign-On 2.0 Overview Presentation

Where are Organizations Today? The Cloud. The Current and Future State of IT When, Where, and How To Leverage the Cloud. The Cloud and the Players

Device-Centric Authentication and WebCrypto

The Convergence of IT Security and Physical Access Control

IDENTITY & ACCESS. BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Secure remote access to your applications and data. Secure Application Access

nexus Hybrid Access Gateway

DRAFT Standard Statement Encryption

Division of Information Technology Lehman College CUNY

CoSign by ARX for PIV Cards

CRIPT - Cryptography and Network Security

The increasing popularity of mobile devices is rapidly changing how and where we

Wireless Mobile Internet Security. 2nd Edition

Symantec Mobile Management Suite

How Reflection Software Facilitates PCI DSS Compliance

FileCloud Security FAQ

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0

Course Content Summary ITN 262 Network Communication, Security and Authentication (4 Credits)

Security Policy. Security Policy.

PostFiles. The file sharing and synchronization solution dedicated to professionals.

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

Secure file sharing and collaborative working solution

Using etoken for SSL Web Authentication. SSL V3.0 Overview

HotSpot Enterprise Mobile Printing Solution. Security Whitepaper

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Compliance and Security Challenges with Remote Administration

MaaSter Microsoft Ecosystem Management with MaaS360. Chuck Brown Jimmy Tsang

NIST Cyber Security Activities

Strong Authentication for Secure VPN Access

Cisco WebEx Meetings Server

Chapter 7 Transport-Level Security

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

Cloud Managed Printing

Network Security Essentials Chapter 5

The Convergence of IT Security and Physical Access Control

Secure web transactions system

Key & Data Storage on Mobile Devices

White Paper. Enhancing Website Security with Algorithm Agility

Is Your SSL Website and Mobile App Really Secure?

WebSphere DataPower Release FIPS and NIST SP a support.

The Security Behind Sticky Password

Using BroadSAFE TM Technology 07/18/05

McAfee Firewall Enterprise 8.2.1

FileDrawer An Enterprise File Sharing and Synchronization (EFSS) solution.

ipad in Business Security

PRIME IDENTITY MANAGEMENT CORE

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

How To Secure Your Data Center From Hackers

Security Policy Revision Date: 23 April 2009

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Complying with PCI Data Security

Citrix MetaFrame XP Security Standards and Deployment Scenarios

Enable Your Applications for CAC and PIV Smart Cards

Applying Cryptography as a Service to Mobile Applications

EAC Decision on Request for Interpretation (Operating System Configuration)

Best Practices for Privileged User PIV Authentication

An Enterprise Approach to Mobile File Access and Sharing

CryptoNET: Security Management Protocols

Research Information Security Guideline

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1

Proof of Concept Guide

Securing Internet Facing. Applications. Technical White Paper. configuration drift, in which IT members open up ports or make small, supposedly

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

A viable alternative to TMG / UAG Web Application security, acceleration and authentication with DenyAll s DA-WAF

SSL Server Rating Guide

SSL VPN vs. IPSec VPN

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

The Seven Habits of State-of-the-Art Mobile App Security

Egnyte Cloud File Server. White Paper

National Security Agency Perspective on Key Management

NSA/DHS CAE in IA/CD 2014 Mandatory Knowledge Unit Checklist 4 Year + Programs

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Deriving a Trusted Mobile Identity from an Existing Credential

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

API-Security Gateway Dirk Krafzig

Meeting Today s Data Security Requirements with Cisco Next-Generation Encryption

WHITE PAPER COMBATANT COMMAND (COCOM) NEXT-GENERATION SECURITY ARCHITECTURE USING NSA SUITE B

GENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET

Improving Online Security with Strong, Personalized User Authentication

Implementing Cisco IOS Network Security

Transcription:

Strong Authentication for Future Web Applications Chris Williams Leidos, Inc. July 18, 2014 For W3C Identity in the Browser Workshop Abstract Leidos (formerly SAIC), has been using strong authentication within its enterprise for over a decade to protect Internet access to its resources and protect against advanced cyber threats. We have watched the US government attempt to adopt strong authentication, first through the HSPD 12 mandate for smart card badges for all employees and contractors, and later with the OMB 11 11 mandate for all new information systems to be enabled for HSPD 12 credentials for logical authentication. Yet, we have watched as adoption rates have remained low, implementation has been difficult, expensive, and seldom executed well, and the government has failed time and time again to realize the full business value of its investment. Now, with the advent of mobile and cloud, we have a new opportunity to do authentication on the Internet well, and with more at stake than ever before. Leidos would like to ask that the W3C consider the full and complex use cases for strong authentication, and design present and future protocols to support those use cases in a manner that is straightforward and secure by default. Strong Authentication at Leidos Leidos (formerly SAIC) was an early adopter of strong authentication technology going back to the late 1990s using one time password tokens, and evolving to include smart cards, smart card badges, and most recently, hybrid token devices that combine the capabilities of smart cards and one time password tokens into a single device. In addition to these strong authentication capabilities, we use smart card logon to our computers, strong authentication for system administration accounts, and digital signature and encryption for documents and e mail. All of this in an environment with over 23,000 employees, with over 50% of them using strong authentication, digital signature or encryption capabilities in some way or another on a daily basis. See figure below for a graphical representation of this roadmap. Page 1 of 5

Figure 1: SAIC/Leidos strong authentication over ten years Strong Authentication in the US Government Strong authentication at the US Government goes back more than 15 years, to the Department of defense Common Access Card and various token technologies before that. While one can debate the philosophical merits endlessly, the fact is that the US government has committed seriously to smart card technology, through HSPD 12, FIPS 201, SP800 73, and OMB 11 11. Of course, the challenge with smart cards is the form factor and the fact that a reader of some type is required for a computing device to be able to read the card. This introduces the challenge of the last inch which is made significantly more difficult in a mobile environment. As they say, there ain t no smart card reader on an ipad. Because of these facts, the US government has some challenges on its hands right now, and the answer to those challenges is a new idea called Derived Credentials. Derived Credentials The concept of derived credentials is very simple. Start with a high grade credential that is trusted, and use that credential to authenticate and authorize the issuance of additional credentials that are in form factors, on platforms, or use interfaces that are more useful than the original high grade credential. The policy for this is still under development, but the theory behind the concept is quite simple. Using derived credentials, the government is hoping to make strong authentication capabilities and digital signature and encryption capabilities as well available on the myriad of endpoint, mobile and BYOD devices that are out there, and enable them to interface with cloud services for the next decade. The key thing with the derived credential is the integration of the identity lifecycle so that the derived credentials and other devices can be managed according to the same lifecycle as the parent credential, and so that the entire credential issuance process has the required level of assurance. Page 2 of 5

Figure 2: Derived credentials concepts. The Great Cryptography Evolution At the same time that all of this is going on, we are in the middle of a tremendous transition with regard to cryptography on the Internet. As the Heartbleed debacle showed, even widespread cryptography implementations are subject to flaws and vulnerabilities, but what it failed to emphasize is the fact that a large percentage of Internet cryptography is inadequate to begin with. In particular, the following five transitions are all taking place right now: 1. SSL: SSL 3.0 to TLS 1.0, then 1.1, then 1.2 2. Digital Signature: MD5 to SHA 1 to SHA 256 3. Encryption: Triple DES to AES 4. RSA Key size: 1024 bits to 2048 bits and larger 5. Asymmetric Algorithms: RSA to Elliptic Curve or alternatives Mostly, what this transition shows us is that for strong authentication based on cryptography, constant change must be assumed. The secure cryptographic standard of yesterday is going to be the Achilles heel of tomorrow, and organizations and protocols need to be prepared for this change to continue and perhaps even accelerate in the future. Implications for the W3C What does all this mean for the W3C? It means that there is no one size fits all for strong authentication. It means that the concepts and processes for strong authentication are going to get more complex most likely much more complex before they get simpler. It means that authentication protocols need to flexible and modular to accommodate a variety of technology plugins, and to allow users to authenticate with whatever strong authentication method they have at their fingertips at that moment. It means that the strong authentication method that you used five minutes ago may not be the one that you want to use now, and you need your web applications to be flexible enough to accommodate that reality. Page 3 of 5

Implications for Web Authentication At SAIC/Leidos, we have found that one size does not fit all. At SAIC, we deployed a strong authentication web portal that supported up to eight different strong authentication technologies, all side by side: Figure 3: SAIC Strong Authentication logon portal We custom developed this portal technology to meet our needs, but we really would like to see capabilities like this out of the box, and fully integrated with federated authentication as well as legacy back end authentication technologies. The fact is that authentication is terribly complex, involving large numbers of technologies and protocols, and we need to make this simpler across the board if we are going to make it simpler, cheaper, more secure and more robust for everyone. Requirements for Web Authentication Leidos would like to ask the W3C to ensure that future web authentication protocols are designed from the start to accommodate the following requirements: 1. Pluggable architecture for strong authentication, with no assumptions about how the authentication protocol is to be performed. 2. Integration with legacy protocols, such as LDAP and RADIUS, as well as future protocols such as SAML. 3. Enable the user to have the same authentication experience whether they are accessing a local application, one in the enterprise network, or one in the cloud. 4. Support for step up authentication where the user can get basic capability with basic authentication, but then require additional authentication to gain greater privileges later on in the session. 5. Support for a variety of multi factor authentication methods and allowing the user to select which method they want to use. Have this user selection capability built in to the protocol, rather than having to be built by the owner of the system. Page 4 of 5

6. Have the protocol enforce good security practice and security policies by default, but give system owners control to customize those policies where required. 7. Have the protocol ensure an intuitive experience for the user, regardless of their platform or form factor (PC, Mac, Linux, ios, Android, desktop, tablet, mobile, etc.). Roll as much of the user experience into the standard as possible, so that the experience is consistent and secure. Don t trust system owners to do this right. It s hard to do well. Conclusion We would like to thank the W3C for soliciting input on these difficult challenges. Strong authentication on the Internet is extremely difficult to do well, but in the age of mobile, BYOD and cloud, it has become more important than ever before. The technologies exist to do this well, but those technologies are difficult to deploy, difficult to use, unintuitive, and constantly changing. Leidos would like to ask that the W3C do what it can to solve these problems once, solve them reasonably well, and engineer those solutions in a way that they can benefit the full Internet community. A lot is at stake, and this is a tremendous opportunity for us all to help each other and the Internet become more secure and more successful for the decade to come. Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information