Understanding the Role of Smart Cards for Strong Authentication in Network Systems Bryan Ichikawa Deloitte Advisory
Overview This session will discuss the state of authentication today, identify some of the main vulnerabilities that exist, and introduce options to consider for strengthening authentication. This session will also look at technologies that support multi-factor authentication, talk about FIDO and how this specification brings a change to the world of online authentication, and discuss how smart card technology can be highly effective and how it is already being used in many places today. 2
Agenda What is authentication? Vulnerabilities Strengthening authentication Identifiers vs. authentication Multi-factor authentication FIDO Smart cards as authenticators Authentication futures 3
Authentication What is it? In information technology, logical access controls are tools and protocols used for identification, authentication, authorization, and accountability in computer information systems. Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system. I want to define and differentiate between plain old logical access and electronic authentication. Logical access is simply logging into a network, system, or application. E-authentication is YOU logging into a network, system, or application. In the physical access world, most systems allow the card to gain access, and allows whatever carbon life form attached to that card to tag along. The question is, how do you establish confidence that the carbon life form attached to that access request is the one you think it is? 4
Vulnerabilities the business drivers More and more transactions in our business and personal lives are being conducted online The connected universe is a target rich environment for bad actors It is the collective responsibility of organizations and individuals alike to protect personal and sensitive data Userid/passwords as the primary authentication mechanism is not sufficient Many of today s identifiers provide little or no identity assurance Criminal sophistication is increasing at an exponential rate (it is amazing what the devious mind can conjure) A first line of defense is to elevate the security for how we gain access to online resources 5
How does logical access control work? Initial registration / application (Optional) Identity proofing Establish an identity that the online system can uniquely recognize (e.g., userid) Establish a secret that only both parties know (e.g., password) Off you go. but How do you know you are logging into the right place? How do they know it is you? How do you prevent someone else from hijacking your account?..??? 6
Identifiers vs. authentication Identifiers by themselves simply identify an entity of sorts There is no identity assurance necessarily associated here Authentication is measurable assurance is the measuring stick A level of assurance can be established commensurate with the sensitivity of the information or transaction conducted 7
Tokens What are they? In plain English, a token is a secret that comes in a variety of formats. The format of the token has a direct relationship to its strength. For example, a simple password is a very weak token, one that could be easily cracked. A cryptographically protected smart card, on the other hand, is a very strong token. The following slides describe the different types of tokens From NIST Special Publication 800-63-2* Token - Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant s identity. 8 * http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63-2.pdf
What are tokens? Tokens contain secrets: Shared secrets Public key cryptography The classic paradigm for authentication identifies three factors as the fundamentals for authentication: Something you know Something you have Something you are But not all factors are secrets. For example: KBA (something you know) Biometrics (something you are) Therefore, not all factors can be considered tokens 9
Factors Use of a single factor is referred to as single factor authentication Combining more than one factor is referred to as multifactor authentication But Combining multiple single factors (same factor types) is multiple single factor, NOT multi-factor 10
Something you know Typically these are User ID / Password combinations Sometimes only User IDs Sometimes only PIN/Password Finger patterns (drawing a Z on screen) 11
Something you have Hardware Token Device Phone (smart or not) PKI Certificates Smart Cards Grid Cards 12
OTP One Time Pad (Historic) OTP From One Time Pad, a cryptographic ciphering technique using pads of paper where the top sheet of keying material was torn off after using it one time Today, OTP refers to One Time Password One Time Pad Example 13
OTP One Time Password (today) Typically hardware (e.g., RSA SecurID or cards) Token (number) generated on smart phones Token can be delivered via SMS, email, phone message (IVR) 14
OTP protocol as 2nd factor User login with User ID / Password (1st factor) System asks for OTP token User queries device* and gets token User enters token into system (2nd factor) System allows access * OTP tokens can be delivered in many ways, including SMS text, emails, voice messages, computer-based applications, smartphone applications, and hardware devices. OTP tokens are also called verification codes, security codes, passwords, login codes, multi-factor authentication secrets, etc. 15
Something you are Biometrics: Fingerprint Face Voice Iris Other biometrics modalities are out there, but the above four are the predominant types in use today 16
Token types Memorized Secret Token (Password) Pre-registered Knowledge Token (Favorite Color) Look-up Secret Token (Grid Card) Out of Band Token (SMS OTP) Single Factor One-time Password Device (OTP Device) Single Factor Cryptographic Device (Transport Layer Security Hardware) Multi-factor Software Cryptographic Token (Soft Cert) Multi-factor One-time Password Device (Multi-factor OTP) Multi-factor Cryptographic Device (Smart Card) 17
Token types Memorized Secret Token: A secret shared between the Subscriber and the CSP. Memorized Secret Tokens are typically character strings (e.g., passwords and passphrases) or numerical strings (e.g., PINs.) Memorized secret tokens are something you know. Pre-registered Knowledge Token: A series of responses to a set of prompts or challenges. These responses may be thought of as a set of shared secrets. The set of prompts and responses are established by the Subscriber and CSP during the registration process. Pre-registered Knowledge Tokens are something you know. Look-up Secret Token: A physical or electronic token that stores a set of secrets shared between the claimant and the CSP. The claimant uses the token to look up the appropriate secret(s) needed to respond to a prompt from the verifier (the token input). For example, a specific subset of the numeric or character strings printed on a card in table format. Look-up secret tokens are something you have. 18
Token types Out of Band Token: A physical token that is uniquely addressable and can receive a verifierselected secret for one-time use. The device is possessed and controlled by the claimant and supports private communication over a channel that is separate from the primary channel for e-authentication. Out of Band Tokens are something you have. Single Factor One-time Password Device: A hardware device that supports the spontaneous generation of onetime passwords. This device has an embedded secret that is used as the seed for generation of one-time passwords and does not require activation through a second factor. Single Factor OTP devices are something you have. Single Factor Cryptographic Device: A hardware device that performs cryptographic operations on input provided to the device. This device does not require activation through a second factor of authentication. This device uses embedded symmetric or asymmetric cryptographic keys. Single Factor Cryptographic Devices are something you have. 19
20 Token types Multi-factor Software Cryptographic Token: A cryptographic key is stored on disk or some other soft media and requires activation through a second factor of authentication. The token authenticator is highly dependent on the specific cryptographic protocol, but it is generally some type of signed message. The multifactor software cryptographic token is something you have (plus something you know/are). Multi-factor One-time Password Device: A hardware device that generates one-time passwords for use in authentication and which requires activation through a second factor of authentication. The second factor of authentication may be achieved through some kind of integral entry pad, biometric reader or a direct computer interface (e.g., USB port). The multi-factor OTP device is something you have (plus something you know/are). Multi-factor Cryptographic Device: A hardware device that contains a protected cryptographic key that requires activation through a second authentication factor. The multifactor Cryptographic device is something you have (plus something you know/are).
Other authentication methods OOBA Out Of Band Authentication: The use of two separate networks to perform authentication Can be OTP, smartphone app that confirms query, biometrics, but typical OOBA apps do not cross over attributes or artifacts* Step-up Authentication: System asks for an additional factor when a security threshold has been crossed * OOBA Typically, a user tries to login on a computer and the OOBA app on the smart phone asks the user if the login attempt is authorized. The user says yes, and the login takes place on the computer. The authentication protocol on the phone does not interact with the computer login attempt. 21
Credentials and Credential Service Providers (CSP) Credentials are tokens that are bound to an identity Identity proofing becomes an integral element of credential issuance Credentials are issued and maintained by Credential Service Providers (CSP) Credentials are associated with a Level of Assurance (LOA); therefore all credentials are not created equal! 22
Relying parties Relying parties are those organizations that consume credentials. Some relying parties issue their own credentials, others simply trust credentials issue by other CSPs. If a relying party wants to trust a credential issued by a CSP other than themselves, how do they know how trustworthy that credential is? 23
Registration and assurance Identity Proofing proving you are who you claim to be In-person Proofing: Present one or two forms of government issued id Usually has a picture on it, plus relevant personal information (DOB, address, etc.) Perform address or telephone verification Remote Proofing: Submit valid government ID Submit financial or utility account numbers Identity proofing is the activity that binds an identity to a token to create a credential. There are 4 defined levels of assurance. 24
NIST SP 800-63-2 NIST Special Publication 800-63-2: Electronic Authentication Guideline Released August 2013 800-63-2 supplements OMB guidance, E-Authentication Guidance for Federal Agencies [OMB M-04-04*]: Specifically, provides guidelines for implementing step 3 of e- authentication process (next slide) 800-63-2 provides technical guidelines to agencies to allow an individual to remotely authenticate their identity to a Federal IT system. These guidelines address traditional methods for remote authentication based on secrets. 25 * https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf
OMB M-04-04 OMB M-04-04: Defines 4 levels of assurance (Levels 1 to 4) Outlines 5-step process: Conduct a risk assessment of the government system Map identified risks to the appropriate assurance level Select technology based on e-authentication technical guidance Validate that the implemented system has met the required assurance level Periodically reassess the information system to determine technology refresh requirements 26
Authentication levels Level 1 Level 2 Level 3 Level 4 Little or no confidence in the asserted identity Some confidence in asserted identity High confidence in the asserted identity Very high confidence in the asserted identity Self-assertion Minimum records Online, instant qualification Out-of-band follow-up Remote proofing Online with outof-band verification or qualification Cryptographic solution In-person proofing Recording of a biometric Cryptographic solution Hardware token OMB M04-04 Levels of Assurance 27
FIDO Alliance* Fast IDentity Online An alliance whose mission is to change the nature of online identification. UAF and U2F UAF = Universal Authentication Framework (password-less experience) U2F = Universal Second Factor (two factor experience) 28 * https://fidoalliance.org/
FIDO Alliance Board level Alibaba Group ARM Bank of America CrucialTec Discover Egis Technology Google IdentityX ING Intel Lenovo MasterCard Microsoft Nok Nok Labs NTT DOCOMO NXP Oberthur Technologies PayPal Qualcomm RSA Samsung Synaptics USAA Visa Inc. Yubico 29
30 FIDO Alliance Sponsor level Aetna Ally Authasas Authentify BKM Blackberry CA Technologies UK Cabinet Office Certivox Chase Cherry Costco Crossmatch Cypress DDS Dell Duo E-Trade Early Warning Entersekt ETRI eyelock FacialNetwork Feitian FingerQ Forgerock Gemalto G&D Goldman Sachs Goodix Happlink Hoyos Labs IDEX Infineon Infoguard Intercede Intuit ISR KICA LG Electronics MedImpact Safran Netflix NXTID Netflix NIST NXTID nymi OSD Ping Identity Plantronics Rambus Redsys Samsung SDS SecureKey SecureAuth SK Telecom Sonavation ST Tendyron Usher Vanguard Vasco Visa Watchdata Wells Fargo WoSign Yahoo! Japan
FIDO Alliance Associate level 126 Additional organizations (as of 9/17/2015) Specification 1.0 is final and available for UAF and U2F https://fidoalliance.org 31
Authentication business drivers The business drivers among various industry sectors are very different Public sector and critical infrastructure are driven by policy and standards: FIPS 201 Commercial industry is driven by profitability: And slowly by security The general public is driven by convenience and reward: And slowly by increasing concern Everyone is slowly being driven by education 32
Other industries Banking, Payment and Investments Many financial businesses now offer multi-factor authentication as an additional security measure Email Most leading email providers support stronger authentication Gaming The gaming industry is becoming a leader in end-user security Visit www.twofactorauth.org for a comprehensive list of organizations that support stronger levels of authentication 33
Smart cards playing a role for strong authentication Mobility: Today s smart phones contain a smart card FIDO: U2F devices are smart card-based Financial: EMV cards are smart cards Transit: Transit cards are moving to smart card technology
Authentication futures The US federal government has defined standards and specifications for electronic authentication There is no consistency or standardization outside of the federal government Commercial and consumer requirements are much different Separation of token and identity assurance is a notion that is not defined by federal standards (this is where FIDO fits) But passwords alone are being recognized as insufficient for the future of online authentication Smart card technology already exists in many places use it! As more and more transactions are conducted online, federal and even state governments can require the binding of identities to tokens, but many commercial and consumer enterprises, for the most part, do not require strong identity proofing 35
Bryan Ichikawa Deloitte Advisory bichikawa@deloitte.com
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. As used in this document, Deloitte Advisory means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.