CertAnon
The feasibility of an anonymous WAN authentication service
Red GroupCS410
March 1, 2007
Our Team
3/1/2007 Red Group 2
Threatening News
• 1/5/2007: In an Instant, Retirement Savings Vanish
• 2/15/2007: Online Identity Stolen
• 2/20/2007: Phishers Targeting MySpace
• 2/23/2007: Free Wi-Fi scam hitting airports
• 2/26/2007: Trojan Horse Designed to Steal Usernames and Passwords
How About You?
• How many online accounts do you have?
• How many passwords do you have to remember?
• How do you manage them?
The Problem
• Single-factor password authentication is easily compromised and endangers the security of online accounts.
– Username/Password paradigm is insecure [1]
– Management of multiple strong passwords is difficult for individuals
– Fraudulent online account access is increasing
1. http://www.schneier.com/crypto-gram-0503.html#2
The Endangered Password
• More online accounts = more passwords
• Complexity of passwords is limited by the human factor [2]
• Vulnerability is enhanced by the technology factor
• Dissemination is too easy
• Once compromised, a password is no longer effective for authentication
2. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
Going Phishing
• Phishing sites are on the rise [3]
• Over 7 million phishing attempts per day
3. Anti-Phishing Working Group - http://www.antiphishing.org/
CertAnon - A New Proposal
• Anonymous WAN authentication service
– Used for any and all online accounts
– Strong two-factor authentication
– Limited information sharing
• Partner with online businesses
• Initial customers are Internet users
Goal and Objectives
• Build a WAN authentication service that permits customers to securely access all of their online accounts using a single access method
– Build our website
– Write software modules for partner sites
– Develop testing portal
– Install authentication servers
– Distribute tokens
– Beta-testing, then go live!
What Would It Look Like?
[Architecture diagram; labels recovered from the slide: a CertAnon website host and four RSA ACE servers, each with its own data store, located on the US East Coast, the US West Coast, in the UK and in Australia. An Internet user with a CertAnon token sends a login attempt to the site being logged into and receives the login response; that site sends an auth request to CertAnon and receives the auth response. Account setup on the CertAnon website triggers a database update.]
Two-factor Authentication [4]
• Something you know
– A single PIN
• Plus something you have
– Hardware token generating pseudo-random numbers
• Effectively changes your password every 60 seconds
4. RSA - http://www.rsasecurity.com/node.asp?id=1156
4. Bob goes to E*Trade's website to sign in. His E*Trade username is TraderBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.
Username: TraderBob
Password: 1a2b3c234836
5. And now he's in his E*Trade account!
6. One minute later, he jumps to the Yahoo! mail page to check e-mail. His Yahoo! username is SpamBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.
Username: SpamBob
Password: 1a2b3c184675
7. And now he's in his Yahoo! account!
Token Setup Process
[Flowchart, reconstructed from its labels:]
1. Buy CertAnon token
2. Visit CertAnon website
3. Create CertAnon username and PIN
4. Enter token serial number and two consecutive token codes
5. Valid serial number and token codes?
– Yes: set up security questions/answers, then log out of CertAnon account
– No: 3rd bad attempt? If no, re-enter the serial number and token codes; if yes, CertAnon support intervention
Account Setup Process
[Flowchart, reconstructed from its labels. Color scheme: Red = 3rd party account process, Blue = CertAnon process, Green = interaction between them.]
1. Open online account and create username (or change password for existing online account)
2. Use CertAnon for authentication?
– No: create account password
– Yes: choose temporary password
3. Log into CertAnon website with CertAnon username and passcode (PIN + token code)
4. Add online account username and domain to CertAnon account
5. Does domain support CertAnon? If no, the CertAnon path ends here
6. Yes: automated login to account using temp password to verify ownership
7. Successful login?
– Yes: temporary password cancelled; return to account website; authenticate with CertAnon passcode
– No: 3rd bad attempt? If no, retry; if yes, CertAnon support intervention
Who is Our Customer?
• Individual Internet User
– Purchases CertAnon token for one-time fee of $50
• Obtaining a critical mass of customers makes CertAnon a must have for online vendors
– Could give leverage to charge vendors in the future
About the Customer
[Bar chart, y-axis in %, comparing Consumers and Professionals across: Bank Online, Travel Reservations, Commerce & Communicate, 6-15 passwords, Over 15 passwords.]
5. Internet World Stats - http://www.internetworldstats.com/stats2.htm
6. Clickz.com - http://www.clickz.com/showPage.html?page=3481976#table
7. Clickz.com - http://www.clickz.com/showPage.html?page=3587781#table2
8. RSA Security Password Management Survey - http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf
Why Will The Customer Care?
• Reduce/eliminate need for multiple passwords
• Avoid password theft and unauthorized account access
• No information stored on a card that can be lost
• No password database to be hacked
What’s in it for a business?
• It's free
• No need to implement a costly proprietary solution
• Improves security of customer base by moving more people away from passwords
• Snaps into existing infrastructure with minimal development
• Customers who don't switch will be unaffected
Competition Matrix
Cons
• Still not perfectly secure
• Token trouble
– Forgotten
– Broken
– Lost or stolen
• Inadequate for sight-impaired users
Risks & Mitigation
[Risk matrix: Impact (1-5) against Probability (1-Low to 5-High), placing risks 1-7; exact positions are not recoverable from the slide text.]
# | Risk | Mitigation
1 | Trust | Beta-testing
2 | Customer understanding | Tutorials on website
3 | Reliance on token sales revenue | Encourage early partner site adoption
4 | Viable alternatives | Single source two-factor
5 | Token loss | Provide temporary password access
6 | Token availability | Offer online and through retail outlets
7 | Government vs. anonymity | Follow the lead of encryption products
Costs & Revenue
Servers $16,000
RSA training $1,600
1.5 developers (3yr) $600,000
Server/application admin (3yr) $414,000
Co-location and access costs (3yr) $144,000
RSA Authentication Manager (3yr)* $3,600,000
Tokens* and packaging @$30 $30,000,000
Total* $34,775,600
Revenue* $50,000,000
*Based on sales of one million tokens
Conclusion
• Available, affordable, and proven technology
• Targets a large and growing market
• Benefits consumers and online businesses
• Manageable project scope, scalable product
References
• "Failure of Two-Factor Authentication." Schneier on Security. 12 Jul. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/07/failure_of_twof.html>.
• "Internet Penetration and Impact." Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
• "Internet Statistics Compendium - Sample." E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.e-consultancy.com/publications/download/91130/internet-stats-compendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
• "Internet World Stats." Internet World Stats. 11 Jan. 2007. Internet World Stats. 15 Feb. 2007 <http://www.internetworldstats.com/stats2.htm>.
• "Online Banking Increased 47% since 2002." ClickZ Stats. 9 Feb. 2007. The ClickZ Network. 15 Feb. 2007 <http://www.clickz.com/showPage.html?page=3481976#table>.
• "Phishing Activity Trends: Report for the Month of November, 2006." Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
• "Real-World Passwords." Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
• "RSA SecurID Authentication." RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
• "RSA Security Password Management Survey." RSA Security. Sep. 2006. Wikipedia. 15 Feb. 2007 <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf>.
• "Rural America Slow to Adopt Broadband." ClickZ Stats. 27 Feb. 2007. The ClickZ Network. 28 Feb. 2007 <http://www.clickz.com/showPage.html?page=3587781#table2>.