ibm strongauth
TRANSCRIPT
-
7/25/2019 IBM StrongAuth
1/35
IBM Software Group, Tivoli Software
2007 IBM Corporation
New Alternatives in Strong Authentication
February 19, 2007
Jose Bravo, Tivoli Security Sales Leader, [email protected]
Authentication today
Passwords and passwords alone remain the main channel of authentication.
We have seen PKI, hard tokens, soft tokens, and biometrics try to improve authentication; however, the reality is that passwords are still the sole moats that fortify most of our systems.
No matter what rules we follow to change passwords periodically, synchronize or reset them, the fact is that passwords can be guessed and passwords are shared.
This makes passwords inconvenient, and when a security issue causes difficult technological changes, people often reject it, either by subverting or by not using that technology.
If encryption with keys less than 128 bits is unacceptable, so is an eight-character password.
What has been the best security for many years?
Something that you have (a key) or,
Something that you know (a combination)
If you do not have the option of using a key, but still want it secured, you would need a longer combination, changed frequently for improved security.
Most people find this bothersome, and that is how passwords can be described today.
Password strength
Number of possible passwords by length and character set:
Length | Alpha | Alphanumeric | Mixed Alpha | Mixed Alphanumeric & special
1 | 26 | 36 | 52 | 94
2 | 676 | 1,296 | 2,704 | 8,836
3 | 17,576 | 46,656 | 140,608 | 830,584
4 | 456,976 | 1,679,616 | 7,311,616 | 78,074,896
5 | 11,881,376 | 60,466,176 | 380,204,032 | 7,339,040,224
6 | 308,915,776 | 2,176,782,336 | 19,770,609,664 | 689,869,781,056
7 | 8,031,810,176 | 78,364,164,096 | 1,028,071,702,528 | 64,847,759,419,264
8 | 208,827,064,576 | 2,821,109,907,456 | 53,459,728,531,456 | 6,095,689,385,410,820
9 | 5,429,503,678,976 | 101,559,956,668,416 | 2,779,905,883,635,710 | 572,994,802,228,617,000
10 | 141,167,095,653,376 | 3,656,158,440,062,980 | 144,555,105,949,057,000 | 53,861,511,409,490,000,000
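Added example, not from the deck: Python that regenerates the table above as charset_size ** length and converts each entry into the equivalent symmetric key size in bits, which is the comparison the earlier slide draws against 128-bit encryption. The deck's largest entries are rounded to 15 significant digits as a spreadsheet displays them; this code returns the exact integers.

```python
import math
from typing import Dict, List

# Character-set sizes are the row-1 values of the deck's table.
CHARSETS: Dict[str, int] = {
    "alpha": 26,                         # a-z
    "alphanumeric": 36,                  # a-z, 0-9
    "mixed alpha": 52,                   # a-z, A-Z
    "mixed alphanumeric & special": 94,  # printable ASCII minus space
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def equivalent_bits(charset_size: int, length: int) -> float:
    """Brute-force work expressed as a key size: log2(charset ** length)."""
    return length * math.log2(charset_size)


def length_for_bits(charset_size: int, target_bits: int) -> int:
    """Shortest password length whose keyspace reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def strength_table(max_length: int = 10) -> List[List[int]]:
    """Rows of [length, keyspace per charset ...], same layout as the slide."""
    return [[n] + [keyspace(size, n) for size in CHARSETS.values()]
            for n in range(1, max_length + 1)]


if __name__ == "__main__":
    print(" | ".join(["Length"] + list(CHARSETS)))
    for row in strength_table():
        print(" | ".join(f"{value:,}" for value in row))
    # The deck's point: an 8-character password versus a 128-bit key.
    for name, size in CHARSETS.items():
        print(f"{name}: 8 chars ~ {equivalent_bits(size, 8):.1f} bits; "
              f"{length_for_bits(size, 128)} chars needed for 128 bits")
```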
Security and convenience
Passwords
2 out of 3 Web users use < 5 passwords for all access to electronic information
15% use a single password
A password is best described as a toothbrush. As rightly said by Cliff Stoll: "Treat your password like a toothbrush. Don't share it with anyone else and get a new one every six months."
Why passwords aren't secure
Problems:
Trivial passwords
Easy to remember, easy to guess
Yellow sticky pads
Password cracking
Some crackers claim 30% success rate
Examples of trivial passwords shown on the slide: PASSWORD, QWERTY, A1B2C3
Keystroke loggers
The end of passwords?
"Passwords have reached the end of their useful life. Today, they only work for low-security applications."
-- Bruce Schneier*
* The Curse of the Secret Question, ComputerWorld, 9 Feb 2005
Overburdened passwords
Remember the safe box model?
What we are missing is the key. Or, are we missing something key?
If we find a way to combine what you know (password) with something that you have, we can make strong authentication a convenient and inexpensive reality!
Finding the key: PKI & Digital certificates
Very clever and strong
Very costly to deploy and maintain
Not conveniently portable (this is probably its main disadvantage)
Can be subverted if access to the workstation is obtained
Restricted (mostly) to web based applications
Has worked really well for server side authentication (first phase of the SSL handshake)
Today very few companies use PKI in large scale implementations
Finding the key: Hard tokens
Very strong security
Very costly to deploy and maintain (replace)
Need to carry one of these per each authenticating entity (sometimes they come ready for a true key chain)
No access if you forget them (this is probably its main disadvantage), since these are portable, but not wearable
Cost and convenience restrict hard token deployment
Subverting security
Man-in-the-middle: like many other technologies
Source: Arcott, protection against MITM attacks
Finding the key: coordinate or Grid Cards
Stronger than passwords but still weak authentication
Quick answer to FFIEC requirement
A large number of keys/pins; the user is asked to look for one specific key by giving him a coordinate (i.e. D3)
Not very convenient, since the card can be forgotten
Not very secure, since the card can be photocopied
One card per authenticating entity
Too costly for SMB
Can be defeated with a man-in-the-middle attack
Subverting security
Some additional alternatives (source Gartner)
Virtual Keypads
Knowledge Based Authentication (cognitive password)
Transaction Number List (one-time pad)
Typing Rhythm
And more
What is Biometrics? Something that you are
Source: Automated Biometrics, Nalini K. Ratha, IBM Corp.
Comparing Biometrics
Figure: Zephyr analysis chart comparing Finger, Iris, Voice and Face on four axes: Effortless, Non-intrusive, Inexpensive, Accurate. From: Samir Nanavati (Zephyr Analysis). Source: Automated Biometrics, Nalini K. Ratha, IBM Corp.
Biometrics: strengths and weaknesses
Strongest of them all (fingerprint reader, retina scan, palm dimensions, voice, signature, etc.)
Requires costly sensors and software to function; also requires painful, lengthy and very costly deployments (requires a centralized database with the biometric data)
But even when implemented right, people reject it, because biometrics is more a form of identification than authentication (a very fine line but an equally important differentiation)
More about Biometrics
Governmental security is a different issue, but not everyone would be comfortable handing out fingerprints or retina scans at their financial institutions; that could be likely to change in the future.
Difficult for large deployments, since the collection of the biometric data is hard to manage.
If for some reason the central database is compromised, one cannot produce an alternative fingerprint.
Best when used in combination with physical security (to avoid remote or replay attacks)
A lot of health care concerns are associated with biometrics, and a body part like a finger can be considered a transmission vehicle for viruses like HIV, tuberculosis and other easily transmitted diseases.
Gummy fingers, a funny note
http://cryptome.org/gummy.htm
Out of band mechanisms: authentication using caller id, SMS, call back?
Caller-id on a land line can be easily hacked. Restricted numbers would not work in these instances.
Land line numbers can be and are forwarded (it is a feature, not a weakness). SMS can be easily spoofed and is not very personal in nature.
SMS, while popular and free in Europe, is neither free nor popular here.
Latency: Some SMS authentication requires a request and a reply to the cell phone, making it slow, cumbersome and therefore not suitable for frequent authentication. It has been attempted in other countries like New Zealand, without much success.
The customer has already entered his userid and password and will now perform an operation that requires step-up/strong authentication
In this example, the Banking Application generates a four-digit pseudo-random, one-time token: 6036. It simultaneously sends over https a message to the customer and to an application at the cellphone provider.
The message at the customer's browser reads: Dear customer, please use your cell phone to dial *88 followed by this one-time token: 6036
The message to the cell provider reads: please reply to this message once cellphone 914-588-9992 inputs token 6036. The message has a message id number as well as an expiration time.
Diagram (step 1): Customer's Browser, Banking Application, Application at the cellular provider, User's cell phone 914-588-9992. To the customer: "Please input token using your cell phone". To the provider: "Reply once 914-588-9992 inputs 6036". Objective: prove to the Bank you are in possession of your very own cell phone.
Once the customer enters the one-time token the strong authentication is completed
As instructed, the customer dials *88 ( + send/call) and then 6036. This is an out-bound message traveling over the wireless network between the cell phone and the cell that is serving him (no cell routing/roaming required, therefore minimal delay is added to the transaction).
Immediately, the application at the cell provider detects that there is a match for one of the requests it received and sends a reply back to the bank.
The Bank knows the customer is in possession of their cell phone. The strong authentication has completed and the customer is authorized to perform the secure operation.
Diagram (steps 2-4): User's cell phone 914-588-9992 -> RAN/Wireless Core Network -> Application at the cellular provider (Web service/SOA) -> Banking Application -> Customer's Browser. This can be implemented as an EAI application to TAMeb.
This idea is not restricted to a browser. In this case the customer is required to authenticate during an ATM withdrawal above the normal daily limit
Like before, the customer reads on the ATM screen: Dear user, please use your cell phone to dial *88 ( + send/call) and then immediately input this one-time token: 6036
The message to the cell provider reads: please reply to this message once cellphone 914-588-9992 inputs token 2359.
Diagram (step 1): User at an ATM, ATM Application, Application at the cellular provider, User's cell phone 914-588-9992. To the user: "Please input token using your cell phone". To the provider: "Reply once 914-588-9992 inputs 2359".
Once the customer enters the one-time token the strong authentication is completed
As instructed, the user dials *88 ( + send/call) and then 2359.
Immediately, the application at the cell provider detects that there is a match for one of the requests it received and sends a reply back to the bank.
The Bank knows the customer is in possession of his very own cell phone. The strong authentication has completed and the user is given the large amount of cash requested. The same applies at a Point Of Sale.
Diagram (steps 2-4): User's cell phone 914-588-9992 -> Application at the cellular provider -> Banking Application. This can also be implemented as an EAI application to TAMeb.
This idea can also be used to authenticate employees when logging in to the corporate intranet
Like before, the employee reads on the PC login screen: Dear employee, please use your cell phone to dial *88 ( + send/call) and then immediately input this one-time token: 6036
The message to the cell provider reads: please reply to this message once cellphone 914-588-9992 inputs token 6036.
Diagram (step 1): User at his desktop, Windows Login application, Application at the cellular provider, User's cell phone 914-588-9992. To the user: "Please input token using your cell phone". To the provider: "Reply once 914-588-9992 inputs 6036".
Once the employee enters the one-time token the strong authentication is completed
As instructed, the user dials *88 ( + send/call) and then 6036.
Immediately, the application at the cell provider detects that there is a match for one of the requests it received and sends a reply back to the bank.
The Bank knows the employee is in possession of his very own cell phone. The strong authentication has completed and the user is allowed into the Bank's corporate network.
Diagram (steps 2-4): User's cell phone 914-588-9992 -> Application at the cellular provider -> Banking Application. This could be implemented as a TAMES Adapter.
The customer has already entered his userid and password and will now perform an operation that requires step-up/strong authentication (similar to the first scenario but using an IVR)
In this example the Banking Application generates a four-digit pseudo-random, one-time token: 6036. The application waits for the IVR to send the cell phone number and the token entered.
The message at the customer's browser reads: Dear customer, please use your cell phone to dial *myBank (*CITI) and immediately after input this one-time token: 6036. The Bank subcontracts a service with the 3 major carriers where *myBank routes a message to the Bank passing on the number that dialed the service and the one-time password input.
When the application receives from the IVR that 914-588-9992 has input token 6036, it detects a match and the strong authentication is completed.
Diagram (step 1): Customer's Browser, Banking Application, IVR programmed at the cell provider, User's cell phone 914-588-9992. To the customer: "Please input token using your cell phone". Once 914-588-9992 inputs 6036, an SSL message is sent to the Bank that has the IVR service subcontracted.
This approach could be more appealing to large banks and organizations that can afford to subcontract an IVR service with each major wireless provider.
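Added example, not the deck's code and not a TAMeb/TAMES component: the request-matching logic that the scenarios on slides 27 through 33 rely on, as run by the application at the cellular provider (slides 27-32, where the bank pushes "reply once <phone> inputs <token>") or by the bank itself (slide 33, where the IVR forwards the dialing number and token). The phone number, message ids and the 120-second expiration are assumed or constructed values; the match is keyed on phone number plus token, honours the expiration time the deck says each message carries, and is consumed on first use.

```python
import secrets
from typing import Dict, Optional, Tuple

# Added example, not the deck's or IBM's code. Matching of pending
# "reply once <phone> inputs <token>" requests against dialed tokens,
# usable at the cellular provider (slides 27-32) or at the bank fed by
# an IVR (slide 33). Phone numbers, message ids and TTL are constructed.

TOKEN_DIGITS = 4          # the deck uses a four-digit one-time token
TOKEN_TTL_SECONDS = 120   # assumed value for the expiration time each message carries


def new_token() -> str:
    """Uniformly random four-digit token from the OS CSPRNG, zero padded."""
    return f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"


class PendingTokenStore:
    """Outstanding requests, keyed on (phone number, token)."""

    def __init__(self) -> None:
        # (phone, token) -> (message id to reply with, expiry timestamp)
        self._pending: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def register(self, msg_id: str, phone: str, token: str, now: float,
                 ttl: float = TOKEN_TTL_SECONDS) -> None:
        """Record the bank's request with its message id and expiry time."""
        self._pending[(phone, token)] = (msg_id, now + ttl)

    def match(self, phone: str, token: str, now: float) -> Optional[str]:
        """Return the message id to reply to, or None.

        The dialing phone number AND the token must both match, the dial
        must arrive before the expiry, and the entry is consumed on first
        use so a second dial of the same token cannot approve a second
        operation. A wrong token leaves the pending request untouched.
        """
        entry = self._pending.pop((phone, token), None)
        if entry is None:
            return None
        msg_id, expires_at = entry
        return msg_id if now <= expires_at else None


def start_step_up(store: PendingTokenStore, phone: str, now: float) -> Tuple[str, str]:
    """Bank side of step 1: issue a token and register the pending request."""
    msg_id = "msg-" + secrets.token_hex(4)   # constructed message id format
    token = new_token()
    store.register(msg_id, phone, token, now)
    return msg_id, token
```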
Questions?