NERC September 2, 2014 Presentation A discussion of emerging authentication paradigms and their application in advanced policy definition and enforcement systems.


Page 1: Title Slide

NERC September 2, 2014 Presentation

A discussion of emerging authentication paradigms and their application in advanced policy definition and enforcement systems.

Page 2: Presentation Objectives

Presentation Goals:

1. Provide an overview of next-generation authentication models and understand their benefits and drawbacks relative to the current common methods of authentication.

2. Discuss a framework for considering these next-generation authentication models in the broader context of our cyber-security frameworks.

3. Present ideas on adopting these new tools and their impact on security policies within your organization.

During this presentation, we’ll:

● Present a baseline overview of the common methods of authentication, policy definition and policy enforcement.

● Discuss the pros and cons of current approaches to authentication as well as new forms of authentication leveraging different branches of mathematics and science.

● Make it clear that we’re not moving to an “either this or that” approach to authentication and cyber-security, but instead trying to enable an adaptable and fluid approach to dealing with evolving threat profiles and new technologies/approaches to mitigating these risks.

● Understand the differences, and the associated benefits/drawbacks, between modular and statistical approaches to validating authentication statements.

Page 3: Terms and Definitions

Authentication - The process of making a statement and then providing proof that the statement is true. For example, when I log in to a computer, I’m making the statement “I am David Hanna and, to prove it, my password is XYZ”.

Authentication Confidence Factors - The level of confidence that the authentication statement actually relates to the thing being authenticated. For example, identifying a user through a username and password may have a lower authentication confidence than authenticating a user through 3-D facial recognition and DNA testing.

Authorization - The process of allowing or denying an action based on established authentication characteristics. For example, a system may say “You have proved you are David Hanna, so I will allow you access to ABC.” Authorization is about policy. An important point throughout this presentation is that the flexibility we have in defining policy (and subsequently in mitigating risk) is directly proportional to the types of authentication mechanisms we have at our disposal and their associated confidence factors.

Page 4: Additional Terms and Definitions

Static Policy Definition - Defining, in business terms, when something is either allowed or denied access to something. E.g. “Members of the group ‘Human Resources’ are allowed to view files in the Salaries folder; all other people should be denied any access to this folder.”

Dynamic Policy Definition - The ability to use real-time information to create or update policy definitions within an enterprise. E.g. “An increased number of failed authentication attempts has been observed in the last 30 minutes. Accounts will now be locked out after 2 failed attempts and all users must establish new passwords upon their next successful login.”

Policy Enforcement - The hardware and software which understands policy definitions and is able to enforce those definitions. E.g. “Authenticated User Jones has made a request to read the file BossesSalary.doc, but Authenticated User Jones is not a member of the group ‘Human Resources’, so I will not allow that file to be read.”
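The three definitions above, worked through as an added Python example (not code from the presentation): a static group-to-folder rule, a dynamic rule that tightens the lockout threshold when failures spike in the slide's 30-minute window, and an enforcement point that explains each decision the way the BossesSalary.doc example does. The baseline lockout of 5, the spike threshold of 10 and the log entries are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Static policy (the slide's HR example): which groups may read a folder.
STATIC_POLICY = {"Salaries": {"Human Resources"}}

# Dynamic policy parameters. Constructed thresholds; the slide gives only the
# 30-minute window and the tightened "2 failed attempts" lockout.
BASELINE_LOCKOUT = 5
TIGHTENED_LOCKOUT = 2
SPIKE_WINDOW = timedelta(minutes=30)
SPIKE_THRESHOLD = 10  # enterprise-wide failures in the window that trigger tightening

# Constructed authentication log: (timestamp, user, succeeded), oldest first.
NOW = datetime(2014, 9, 2, 10, 0)
EVENTS = [(NOW - timedelta(minutes=25 - i), f"probe{i}", False) for i in range(11)]
EVENTS += [(NOW - timedelta(minutes=3), "jones", False),
           (NOW - timedelta(minutes=2), "jones", False),
           (NOW - timedelta(minutes=1), "smith", True)]

@dataclass
class PolicyState:
    lockout_after: int = BASELINE_LOCKOUT
    force_password_reset: bool = False

def update_dynamic_policy(events, now, state):
    """Dynamic policy definition: tighten lockout when recent failures spike."""
    recent_failures = sum(1 for t, _u, ok in events if not ok and now - t <= SPIKE_WINDOW)
    if recent_failures > SPIKE_THRESHOLD:
        state.lockout_after = TIGHTENED_LOCKOUT
        state.force_password_reset = True
    return state

def is_locked_out(events, user, state):
    """Consecutive failures since the user's last success, against the current lockout."""
    streak = 0
    for _t, u, ok in events:
        if u == user:
            streak = 0 if ok else streak + 1
    return streak >= state.lockout_after

def enforce_read(user, user_groups, folder, events, state):
    """Policy enforcement point: returns the decision and the reason, as in the slide."""
    if is_locked_out(events, user, state):
        return ("deny", f"{user} is locked out after {state.lockout_after} failed attempts")
    allowed = STATIC_POLICY.get(folder, set()) & set(user_groups)
    if allowed:
        return ("allow", f"{user} is a member of {sorted(allowed)[0]}")
    return ("deny", f"{user} is not a member of an allowed group for {folder}")
```

Under the baseline policy Jones's two failures do not lock the account, so the static rule alone decides; once the spike tightens the lockout to 2, the same log locks Jones out even with the right group membership.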

Page 5: Current State - Modular Arithmetic Based Authentication

Algorithms based on modular arithmetic have been around for 40+ years and have the benefit of being “easy” to understand: the math involved is straightforward and easy to reproduce, which makes it an excellent choice as a security tool for computers.

● Most authentication and key exchange statements are validated using some form of modular arithmetic. Examples include:
  o Username / Password
  o RSA Tokens
  o DSA - 2048
  o ECDSA - 256
  o IKE (Internet Key Exchange)
  o PKI

● Benefits of Modular Arithmetic
  o Fast
  o Answers are always absolute, i.e., the answer is either correct or not correct
  o Strength is based on the strength of one-way functions. These are functions which are easy to solve in one direction, but computationally infeasible to solve in reverse.

● Drawbacks of Modular Arithmetic
  o Continued advances in areas such as Number Theory, Quantum Computing and Advanced Algorithm Research are shrinking the window in which one-way functions will retain any value.
  o Easy to spoof authentication statements when algorithm keys are discovered.

Page 6: Future State - Inclusive of Contextual Based Authentication

Context is about observing an environment and how the things in that environment impact each other. Contextual based authentication uses these context-based observations to establish a confidence factor that the thing(s) being observed is/are appropriate at that point in time.

● Examples of Contextual Authentication:
  o RF-Spectrum Analysis for Location Fingerprinting
  o Triangulation
  o 3-D Imaging
  o Biometric

● Benefits of Contextual Authentication
  o Can be time dependent. Authentication challenges given at different times may have different challenge responses which are only relevant for that time. In this way, they have a strength closer to one-time passwords when compared to modular-based authentication approaches.
  o Almost anything has the potential to become a contextual authentication source if that source has the potential to mitigate security risks.

● Drawbacks of Contextual Authentication
  o Generally slower than modular-based authentication approaches. Currently, it’s better used for session establishment and out-of-band heartbeat authentication models.
  o Statistics based, which means we deal in confidence factors and not absolute comparisons. Generally best if we combine contextual authentication approaches in order to establish a higher confidence threshold.

Page 7: Comparing Authentication Models

Modular-Based Authentication Formulas

            Positive    Negative
  True        100%        100%
  False        0%          0%

Contextual-Based Authentication Formulas

            Positive    Negative
  True      maximize    maximize
  False     minimize    minimize

Comparison criteria, Modular Based vs Contextual Based:
  Speed
  Spoof Resistant
  Guaranteed Correctness
  Varied and Adaptable

Page 8: So Why Is This Important?

Current authentication models not only lack variety, but the current policy definition and enforcement systems are largely static in the controls available to administrators within organizations.

With limited variety and static policy controls, the challenge of implementing a strong, deny-first policy increases because business “exceptions” often outweigh operational risks.

Page 9: Alternative Model, with Dynamic Policy and Contextual Authentication Options

When we introduce new methods of authentication and the ability to calculate risk dynamically, we have the means to modify policy in real time. This allows us to deal with current realities, not just those defined when a particular tool was implemented.

It’s important to understand that not all authentication types need to be used all the time. There’s a simple rule to be enabled:

  If current_risk_of_action > current_auth
    then [establish additional auth]
    else [proceed with action]
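The step-up rule above, with Page 6's point that contextual factors are combined to reach a confidence threshold, as an added Python example (not code from the presentation). The per-factor confidences, the per-action risk scale with a dynamic threat level, and the noisy-OR combination (sources assumed to fail independently) are constructed assumptions, not figures from the slides.

```python
from math import prod

# Confidence factor (0..1) each authentication source contributes. Constructed values;
# the slides say contextual factors are statistical but give no numbers.
FACTOR_CONFIDENCE = {
    "password": 0.60,                 # modular: absolute answer, but spoofable if the secret leaks
    "rsa_token": 0.80,
    "rf_location_fingerprint": 0.70,  # contextual
    "biometric": 0.85,                # contextual
}

# Static risk per action (constructed scale 0..1), raised dynamically by the threat level.
ACTION_RISK = {"read_public_doc": 0.20, "read_salaries": 0.80, "change_relay_setting": 0.95}

def combined_confidence(factors_used):
    """Noisy-OR combination of independent sources (an assumption, not the slides' formula)."""
    return 1 - prod(1 - FACTOR_CONFIDENCE[f] for f in factors_used)

def current_risk(action, threat_level):
    """Dynamic risk: the static per-action risk moves towards 1 as the threat level rises."""
    base = ACTION_RISK[action]
    return base + (1 - base) * threat_level

def decide(action, factors_used, threat_level):
    """The slide's rule: if current_risk_of_action > current_auth, establish additional auth."""
    auth = combined_confidence(factors_used)
    risk = current_risk(action, threat_level)
    if risk <= auth:
        return ("proceed", [])
    # Request the strongest factors not yet presented until confidence covers the risk.
    candidates = sorted((f for f in FACTOR_CONFIDENCE if f not in factors_used),
                        key=lambda f: FACTOR_CONFIDENCE[f], reverse=True)
    needed, used = [], list(factors_used)
    for f in candidates:
        needed.append(f)
        used.append(f)
        if combined_confidence(used) >= risk:
            return ("step_up", needed)
    return ("deny", needed)  # even every available factor would not cover the risk
```

A password alone is enough to read a public document, a salaries read steps up to one extra factor, and a high-risk action under an elevated threat level needs two; when the threat level drives the risk to 1.0 no combination of the constructed factors covers it and the action is denied.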

Page 10: Sample Work Leveraging Contextual Authentication

The following represent a sampling of projects where contextual authentication has been engaged to complement classical authentication and security measures.

● OSI Layer 2 and Layer 4 network traffic decoration
  o Special network appliances would provide a contextual authentication envelope around specific network traffic which had been associated with additional security policy definitions.

● PAM modules for services such as VPN channel establishment
  o Allows contextual authentication modules to be used in existing software environments.

● Integration with proximity services to share contextual authentication credentials
  o Allows contextual authentication to happen out-of-band. New sessions established based on the contextual authentication can be shared with users or machines in a fixed proximity to the thing being authenticated.

Page 11: Summary and Call To Action

Things to take away from this presentation:

1. Anything can become an authentication factor if there’s value in that factor relative to risk management.

2. Cyber-security programs are more than just authentication. We also need to include policy definition, policy enforcement, and static and dynamic risk modeling in a cohesive formula to be able to deal with criminal efforts to counter our own.

3. 100% prevention of cyber-security events may not be possible, but we can be fluid and adaptable in our defense through coordinated frameworks and a continual eye towards all types of emerging technologies which can benefit our cyber-security solution stacks.

4. Don’t wait for the future to get here before you begin to adapt the policies and tools which will become part of tomorrow’s security solutions.

Things we can do:

5. Partner with technology vendors and government agencies engaged in developing these next-generation tools, hardware and software. There are opportunities to use pooled resources from for-profit sectors as well as government resources from organizations like IARPA, DARPA and NIST to establish pilot programs and path-to-market opportunities which can help all parties refine the technologies and policies to deal with dynamic risk calculations and contextual authentication paradigms.

6. Provide guidance to technology vendors with next-generation solutions so that they are better educated on the use cases, threat concerns and operational constraints which exist within your organizations.