8/6/2019 Aladdin Beyond Passwords
http://slidepdf.com/reader/full/aladdin-beyond-passwords 1/30
a l a d d I n . c o m
Beyond Passwords
Ori Ammar, CISSP, ISSAP, Pre-sales Manager
Legal Notice
© Copyright 2008 Aladdin Knowledge Systems Ltd. All rights reserved.
Aladdin, Aladdin Knowledge Systems, HASP®, eToken™ and eSafe® are only a few of Aladdin Knowledge Systems Ltd.'s ("Aladdin") proprietary trademarks. The Aladdin Knowledge Systems logo is also proprietary to Aladdin.
The information contained in this presentation is protected by international copyright laws. The copyrights are owned by Aladdin or the original creator of the material. The information contained herein is provided to you for informational purposes only, and except and to the extent specifically permitted, no portion of this presentation may be copied, reproduced (or the like), distributed or used in any way whatsoever whether directly or indirectly.
In addition to Aladdin's trademarks, logos, content and information, this presentation may contain references to trademarks and/or logos owned by other entities. Aladdin expressly disclaims any proprietary interest in trademarks and/or logos owned by other entities and makes no representation of any association, sponsorship, affiliation, or endorsement with or by the owners of such trademarks and/or logos.
This presentation may contain references and use of third party web sites for purposes of providing examples relevant to this course. Aladdin assumes no responsibility and/or liability for any content and/or information contained in such third party web sites. Aladdin further does not endorse the companies or contents of any referenced sites.
Aladdin does not assume any responsibility or liability for the accuracy of the information contained in this presentation. The information contained in this presentation is provided "as is" and does not constitute a warranty of any kind, either express or implied. Aladdin disclaims all warranties, expressed or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Beyond Passwords: Strong Authentication
• Authentication for Online Services
– Current risk landscape
– Key forces
• Multi-factor authentication
– What is two-factor authentication
– Authentication methods
– What methods are being used in online services?
• Emerging Directions
Data is everywhere
Servers
Workstations (LAN)
Laptops
Mobile
Attacks Come From All Directions
• Internal
– July 2007 - Subsidiary employee stole 2.3 million consumer records from Fidelity National Information Services containing credit card, bank account and other personal information
– July 2007 - Former Boeing employee accused of stealing 320,000 data files
• Partners
– April 2005 – a total of $350,000 was stolen from Citibank customers by 12 employees of an outsourced call center firm in India, who defrauded the customers of their credentials
• Outsiders
– January 2007 – intruders infiltrate TJX and steal consumer credit and debit card data affecting millions of consumers and costing $118 M
– July 2006 - researchers spotted a phishing website targeting Citibank's Citibusiness service that attempted to steal user names and passwords as well as OTP values for user accounts
Identity Theft
The TOTAL number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005: 236,529,278
www.privacyrights.org
Phishing – Citibank Scam
http:// 68.255.44.238:87/%63%69%74/%69%6E%64%65%78%2E%68%74%6D (a bare IP address on a non-standard port, with a percent-encoded path that decodes to /cit/index.htm so that nothing in the link reads "Citibank" to the eye)
The Problem with Passwords
Memorized passwords are:
• Easy to crack, easy to guess
• Easy to steal: keystroke loggers, phishing attacks
• Difficult to remember and use: high help-desk costs
Passwords
Online Services: Forces In Action
Multi-Factor Authentication
Strong authentication means using two or more authentication factors.
Authentication – the three "what"s:
• What you know (e.g. user name and password)
• What you have
• What you are
How do we Strongly Authenticate?
A wide set of technologies to choose from…
USB tokens
OTP tokens
Hybrid tokens
Smart Cards
Biometrics
And more…
One Time Passwords
• An OTP (one-time password) system generates a series of passwords that are used to authenticate
• Once one of the passwords is used, it cannot be used again
• The logon system will always expect a new one-time password at the next logon
One Time Password - Tokens
• Password is generated on the device (token)
• Zero footprint, Platform independent
• Battery Operated (limited lifetime)
• Strong Authentication when combined with PIN code
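As an added example that is not part of the deck, here is the server side of the event-based token login the two OTP slides above describe, in Go: token and server share a secret and a counter, each code is derived from the next counter value, and a code is accepted once and then never again, with the PIN as the "what you know" factor. The HMAC-based HOTP construction (RFC 4226), the 5-step look-ahead and the PIN handling are my assumptions about how such a token works; the deck names no algorithm, and the secret below is the RFC's published test key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

var testSecret = []byte("12345678901234567890") // RFC 4226's published example key, not a real credential

// hotp returns a 6-digit RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, 8-byte big-endian counter).
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil) // 20 bytes; the low nibble of the last byte picks the 4-byte window
	code := binary.BigEndian.Uint32(sum[sum[19]&0x0f:]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Verifier is the server side of a PIN + event-based token login.
type Verifier struct {
	secret  []byte
	pinHash [32]byte // illustrative digest; a real deployment uses a slow, salted KDF
	next    uint64   // the next counter value the server expects
}

func NewVerifier(secret []byte, pin string) *Verifier {
	return &Verifier{secret: secret, pinHash: sha256.Sum256([]byte(pin))}
}

// Verify checks the PIN (what you know) and the token code (what you have). A code is accepted only for
// a counter at or beyond the expected one, and acceptance moves the counter past it, so a keylogged or phished code cannot be replayed later.
func (v *Verifier) Verify(pin, code string) bool {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], v.pinHash[:]) != 1 {
		return false
	}
	for c := v.next; c < v.next+5; c++ { // look-ahead of 5 tolerates token presses that were never submitted
		if subtle.ConstantTimeCompare([]byte(hotp(v.secret, c)), []byte(code)) == 1 {
			v.next = c + 1 // this and every earlier code are now dead
			return true
		}
	}
	return false
}
```

Single use only kills later reuse of a captured code: a code phished and relayed to the real site within its window still passes, which is exactly what the Citibusiness phishing example earlier in the deck was after.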
One Time Password – Soft OTP
• Software generated
• Variety of devices (Cell. Phone, PDA, Laptop, PC)
• Low cost solution (compared to token)
• Limited control
• Distribution Overhead (of the OTP program)
One Time Password over SMS
• Challenge-Response system
• Generate the challenge on the Web, via SMS, etc.
• Main problem is reliability (usability concern)
• SMS costs are also a concern (in large volumes)
High TCO / Limited ROI
Public-Private Key Pairs (Dig. Certificates)
• Digital Certificates contain the Public Key
• After trust is established, a mathematical operation authenticates
• Allows mutual authentication (protocol dependent)
• Private key must be protected
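An added example, not code from the deck: the slide's "mathematical operation" carried out as a mutual challenge-response in Go. Each side signs the other's fresh nonce with its private key and checks the answer with the public key it trusts from the peer's certificate; the certificate chain validation is assumed to have already happened, and ECDSA over P-256 with a role label in the signed data is my choice, not something the deck specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Party is one side of the exchange: its own key pair plus the peer public key it trusts (from the peer's validated certificate).
type Party struct {
	priv *ecdsa.PrivateKey // must never leave the holder; on a smart card it physically cannot
	peer *ecdsa.PublicKey
}

func newParty() *Party {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{priv: k}
}

// answer signs the challenge bound to the answering role, so an answer given as "server" can never pass as a "client" answer.
func (p *Party) answer(role string, n []byte) []byte {
	h := sha256.Sum256(append([]byte(role+":"), n...))
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func (p *Party) check(role string, n, sig []byte) bool {
	h := sha256.Sum256(append([]byte(role+":"), n...))
	return ecdsa.VerifyASN1(p.peer, h[:], sig) // only the trusted public key is needed on this side
}

// mutualAuth: the server answers the client's challenge and the client answers the server's.
// Challenges are fresh random nonces: signing one proves possession of the private key without
// revealing it, and because a nonce is never reused a captured answer cannot be replayed.
func mutualAuth(client, server *Party) (clientTrustsServer, serverTrustsClient bool) {
	buf := make([]byte, 64)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	cn, sn := buf[:32], buf[32:]
	return client.check("server", cn, server.answer("server", cn)),
		server.check("client", sn, client.answer("client", sn))
}
```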
Digital Certificates on Smart Cards
• Dedicated Hardware
• Secure – on-board key generation and storage
• Allows personalization
• Costly and less convenient – requires a reader
Digital Certificates on USB based Smart Cards
• Dedicated Hardware
• Secure – on-board key generation and storage
• Reader-less
• Portable
Biometrics
• Can provide both functions: Identification and Authentication
• Physiological / Behavioral
• Costly
• Complex to install (FAR/FRR)
• Privacy Issues
OTP or PKI?
Beyond Strong Authentication
• OTP Provides Strong Authentication
• Smart Tokens with PKI will take you beyond:
– Strong Authentication
– Signing
– Encryption
Roaming vs. Authentication Strength
(chart: Ease of Roaming plotted against Authentication Strength)
The Tradeoff
(diagram: Security, Cost, Usability)
Emerging Directions: "Clientless" USB Tokens
• Key proposition
– Use proven secure technology that is highly accepted from user and regulatory perspective
• Early adopters
– Software based
• Software smartcard on a storage device – HD or USB removable device
– Hardware based
• TPM in the PC
• Smartcard based token
• No software client required – Roaming PKC
Clientless USB Smart Card
Easy to deploy and simple to use
• "Plug and Play"
• No screen display or battery
• Application rich - use for secure network access, remote email access, password management and more
Security
• Certificate based authentication
• Highly secure - minimizes vulnerability to man-in-the-middle attacks
• Smartcard based hardware device provides high level of security
Cost savings
• No battery
• Reduced TCO by eliminating the cost of maintaining software clients
Summary
• Risk levels will continue to rise
• Ease of use and roaming capability are key factors for user acceptance and adoption
• Zero footprint technologies & architectures have a growing appeal
• A drift to PKI based technologies from the traditional OTP
Is this only applicable to ‘online’ services?
• What is an online service?
• Is this different from the enterprise?
Reliable Authentication Enables Business