CertAnon
Anonymous WAN Authentication Service
Approval Presentation
Red Group, CS410
May 1, 2007
May 1, 2007 Red Group 2
Our Team
Presentation Outline
• Problem Description
• Solution Description
• Process Description
• Solution Characteristics
• Marketing Plan, ROI
• Management Plan
• Milestones, Deliverables, Budgets
• Risk Management
• Conclusion
Who is Chockalingam Ramanathan?
• Part of a group using stolen passwords to empty investors’ accounts [1]
• Hit prominent brokers such as TD Ameritrade, E*Trade, and Charles Schwab
• Resulted in more than $2 million in losses, which were absorbed by the brokers
• Fourth tech-intrusion case filed by the SEC since December 2006
1. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html
Fraud Stats
• From 2005 to 2006 [2]
– 8.9 million victims of online fraud or identity theft
– Total losses to identity theft and online fraud jumped from $54.4 billion to $56.6 billion
– Mean resolution time per incident skyrocketed from 28 to 40 hours per victim
2. http://www.verisignsecured.com/content/Default.aspx?edu_stats_body.html
Going Phishing
• Phishing sites are on the rise [3]
• Over 7 million phishing attempts per day
3. Anti-Phishing Working Group - http://www.antiphishing.org/
Consumers’ Online Activities
[Bar chart: % of Internet users and % of time spent online, by activity (bank online, make travel reservations, communication, commerce); y-axis 0–70%.] [4][5]
4. Clickz.com - http://www.clickz.com/showPage.html?page=3481976#table
5. Clickz.com - http://www.clickz.com/img/Share_of_Time.html
Password Overload
[Bar chart: % of surveyed professionals who have 6-15 passwords and who have over 15 passwords; y-axis 0–35%.] [6]
6. RSA Security Password Management Survey - http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf
The Problem
• Single-factor password authentication is easily compromised and endangers the security of online accounts.
– Username/Password paradigm is insecure [7]
– Management of multiple strong passwords is difficult for individuals
– Fraudulent online account access and associated costs are increasing
7. http://www.schneier.com/crypto-gram-0503.html#2
The Endangered Password
• More online accounts = more passwords
• Complexity of passwords is limited by the human factor [8]
• Vulnerability is enhanced by the technology factor
• Dissemination is too easy
• Once compromised, a password is no longer effective for authentication
8. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
CertAnon – A New Proposal
• Anonymous WAN authentication service
– Used for any and all online accounts
– Strong two-factor authentication
– Limited information sharing
• Partner with online businesses
• Initial customers are Internet users
Two-Factor Authentication [9]
• Something you know
– A single PIN
• Plus something you have
– Hardware token generating pseudo-random numbers
• Effectively changes your password every 60 seconds
9. RSA - http://www.rsasecurity.com/node.asp?id=1156
RSA SecurID Users
Two-Factor Acceptance
• Rolls Royce & Bentley Motor Cars
– Uses RSA SecurID authentication
– Enables them to use the Internet securely as a cost-effective and efficient extension to their corporate network
• E*Trade Financial
– Provides retail customers the option to add Digital Security ID to their Internet security solution
– Helps guard against unauthorized account access
Reaching the Goal
• Build a WAN authentication service that permits customers to securely access all of their online accounts using a single access method
– Build our website
– Write software modules for partner sites
– Develop testing portal
– Install authentication servers
– Distribute tokens
– Beta-testing, then go live!
What Would It Look Like?
[Architecture diagram. Components: Internet user with CertAnon token; Website Host (partner site); CertAnon website; RSA ACE servers on the US East Coast, US West Coast, UK and Australia, each with its own data store. Labelled flows: Login attempt, Login response, Auth request, Auth response, Account setup, Database update.]
4. Bob goes to E*Trade's website to sign in. His E*Trade username is TraderBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.
   Username: TraderBob
   Password: 1a2b3c234836
5. And now he's in his E*Trade account!
6. One minute later, he jumps to the Yahoo! mail page to check e-mail. His Yahoo! username is SpamBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.
   Username: SpamBob
   Password: 1a2b3c184675
7. And now he's in his Yahoo! account!
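The walkthrough above and the two-factor slide, as an added runnable simulation that is not part of the original presentation or the CertAnon project's code: a token whose code rolls every 60 seconds, a CertAnon-side authentication server that splits the PIN from the token code typed into the partner site's Password field, and two partner sites sharing one token. The code derivation is an HMAC over a 60-second time counter in the style of RFC 6238, assumed here for illustration; it is not RSA SecurID's algorithm. The class names, token serial and seed are constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the token display rolls over once a minute
CODE_DIGITS = 6     # length of the code shown on the token


def token_code(seed: bytes, now: int) -> str:
    """Code the token displays at unix time `now` (HMAC over the 60 s counter)."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class CertAnonAuthServer:
    """Assumed CertAnon side: stores token seeds and PIN hashes, never a full passcode."""
    def __init__(self) -> None:
        self.tokens = {}       # token serial -> (seed, sha256(PIN))
        self.accepted = set()  # (serial, code) pairs already used: one code, one login

    def enroll(self, serial: str, seed: bytes, pin: str) -> None:
        self.tokens[serial] = (seed, hashlib.sha256(pin.encode()).digest())

    def authenticate(self, serial: str, passcode: str, now: int, drift: int = 1) -> bool:
        """Auth request from a partner site: passcode is PIN + token code as typed."""
        if serial not in self.tokens or len(passcode) <= CODE_DIGITS:
            return False
        seed, pin_hash = self.tokens[serial]
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash):
            return False
        for step in range(-drift, drift + 1):  # tolerate `drift` steps of clock skew
            if hmac.compare_digest(token_code(seed, now + step * STEP_SECONDS), code):
                if (serial, code) in self.accepted:
                    return False   # a code captured and replayed is refused
                self.accepted.add((serial, code))
                return True
        return False


class PartnerSite:
    """Assumed partner site (E*Trade or Yahoo! in the walkthrough) using a plug-in module."""
    def __init__(self, auth_server: CertAnonAuthServer) -> None:
        self.auth_server = auth_server
        self.users = {}        # site username -> CertAnon token serial

    def link(self, username: str, serial: str) -> None:
        self.users[username] = serial

    def login(self, username: str, password: str, now: int) -> bool:
        serial = self.users.get(username)
        return serial is not None and self.auth_server.authenticate(serial, password, now)
```

The partner site never sees the PIN hash or seed; it only forwards what was typed and receives a yes/no, which is the "limited information sharing" the proposal describes.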
Who is Our Customer?
• Two sales channels
• Individual Internet user (211 million of them!) [10]
– Purchases CertAnon token for one-time fee of $50
– Obtaining a critical mass of customers makes CertAnon a must have for online vendors
– Could provide leverage to charge vendors on a transaction basis in the future
• Security-conscious businesses
– Purchase batches of tokens for redistribution to their customers
– Focus on those without proprietary solutions
10. Internet World Stats - http://www.internetworldstats.com/stats2.htm
Marketing Strategy
• Offer software modules for customer integration
– Freely available to encourage adoption of the service
• Approach financial companies not already using a two-factor authentication method
– Bulk token sales
– Enable them to offer the same customer security as larger competitors without the infrastructure expense
– Token reusability will encourage faster customer adoption
• Advertising strategies
– Internet advertising
– Computer shows/trade shows
– Promotional token giveaways
ROI for Consumers
• Reduce/eliminate need for multiple passwords
• Avoid password theft, unauthorized account access, and fraud
• Information isn’t stored on a card or device that can be lost
• Full passcodes not stored in a hackable database that is a single point of failure
ROI for Businesses
• Very low cost
• Avoid implementing a costly proprietary solution
• Improves security of customer base by moving more people away from passwords
• Reduces losses from fraud reimbursement
• Snaps into existing infrastructure with minimal development
• Customers who don't use CertAnon will be unaffected
Cons
• Reliance on a physical token
– Forgotten
– Broken
– Lost or stolen
• Inadequate for sight-impaired users
• Customer service coordination will need to be handled carefully
Competition Matrix
Management Plan
Team Communications
• Team meetings (via AOL AIM):
– Sunday/Tuesday 8:00 P.M.
– Additional meetings as needed
– Meetings with Professor Brunelle as needed
– Meetings with Technical Advisors as needed
• Google Group for document management and messaging
Phase 0 Gantt Chart
Phase 1 Gantt Chart
Phase 1 Major Components
[Diagram. Components: Test user on workstation with token simulation software; Simulated Partner Web Site; CertAnon website; Workstation running simulated authentication manager software; data stores. Labelled flows: Login attempt, Login response, Auth request, Auth response, Account setup, Auth Server Update.]
Phase 1 Development WBS
Phase 1 Organizational Chart
Phase 1 Staffing Budget
Position                  Type     Quantity  Hours  Rate  Total
Documentation Specialist  Student  1         30     $15   $452
Financial Director        Student  1         24     $15   $362
Hardware Manager          Student  1         92     $15   $1,377
Project Manager           Student  1         64     $15   $960
Risk Director             Student  1         52     $15   $785
Software Manager          Student  1         500    $15   $7,497
Web Developer             Student  1         486    $15   $7,292
Total Cost: $18,723
40% Overhead: $7,489
Total Phase 1 Staffing Budget: $26,212
Phase 1 Resource Budget
Description Quantity Cost
Dell Servers - Web site & DB hosting 4 $11,632
Dell Workstations - Dedicated PC’s for team use 5 $6,990
MySQL - Web site back end database -- $0
PHP - Web sites and plug-in modules -- $0
Website - Hosting by ODU 1 $0
Total Cost: $18,622
40% Overhead: $7,449
Total Phase 1 Resource Cost: $26,071
Phase 2 Gantt Chart
Phase 2 Organizational Chart
Phase 2 Staffing Budget
Position                  Type   Quantity  Hours  Rate  Total
Documentation Specialist  Staff  1         552    $18   $9,713
Financial Director        Staff  1         94     $68   $6,372
Hardware Manager          Staff  1         200    $20   $3,901
HR Manager                Staff  1         172    $29   $5,053
Project Manager           Staff  1         136    $29   $3,883
QA Engineer               Staff  1         774    $21   $16,009
Risk Director             Staff  1         8      $18   $140
Software Engineer 1       Staff  1         440    $22   $9,718
Software Manager          Staff  1         334    $42   $13,961
Technical Director        Staff  1         136    $50   $6,835
Web Developer             Staff  1         790    $28   $22,143
Total Cost: $97,728
40% Overhead: $39,091
Total Phase 2 Staffing Budget: $136,819
Phase 2 Resource Budget
Description Quantity Cost
RSA Authentication Manager Server License 4 $12,000
Dell Servers - Running RSA Authentication Mgr software 4 $11,632
Dell Workstations - PC’s for additional staff 4 $5,592
RSA Training -- $1,600
Visual Studio Professional 2005 - Used for additional plug-in development 2 $1,338
RSA Tokens 10 $500
Total Cost: $32,622
40% Overhead: $13,065
Total Phase 2 Resource Cost: $45,687
Phase 3 Gantt Chart
Phase 3 Organizational Chart
Phase 3 Staffing Budget
Position                  Type   Quantity  Hours  Salary    Total
Customer Service Reps     Staff  5         2,080  $30,400   $152,000
Documentation Specialist  Staff  1         440    $36,600   $7,742
Financial Director        Staff  1         278    $140,500  $18,778
Hardware Manager          Staff  1         200    $40,600   $3,899
HR Manager                Staff  1         528    $61,100   $15,510
Marketing Director        Staff  1         1,161  $99,900   $55,763
Project Manager           Staff  1         1,391  $59,600   $39,866
QA Engineer               Staff  1         350    $43,000   $7,233
Sales Representative      Staff  3         2,080  $40,488   $121,464
Software Engineer 1       Staff  1         320    $45,900   $7,062
Software Manager          Staff  1         345    $87,000   $14,443
Technical Director        Staff  1         1,280  $104,400  $64,268
Web Developer             Staff  1         320    $58,300   $8,969
Total Cost: $516,997
40% Overhead: $206,799
Total Phase 3 Staffing Budget: $723,796
Phase 3 Resource Budget
Description Quantity Cost
Secure Server Hosting - Hosting authentication servers remotely -- $48,000
Dell Workstations - PC’s for additional staff 9 $12,582
Dell Servers - Web site database servers with RAID arrays 2 $5,816
Total Cost: $66,398
40% Overhead: $26,560
Total Phase 3 Resource Cost: $92,958
Total Project Cost
Item                      Marginal Cost  Per # of Customers  Cost per Customer
Token                     $30            1                   $30.00
Authentication Server     $2,908         250,000             $0.01
RSA Auth Mgr License      $3,000         250,000             $0.01
Secure Hosting (3 Years)  $36,000        250,000             $0.14
Total Cost: $30.17
40% Overhead: $12.07
Total Marginal Cost Per Customer: $42.23
Marginal Revenue Per Customer: $50.00
Profit Per Customer: $7.77

Phase                Staffing  Resources  Phase Total
Phase 1              $26,212   $26,071    $52,283
Phase 2              $136,819  $45,687    $182,506
Phase 3 (One Year)   $723,796  $92,958    $816,754
Total Phases 1-3     $886,827  $164,716   $1,051,543
Out Years (Annual)   $629,776  $67,200    $696,976
Break Even Analysis
Year  Tokens Sold  Total Revenue  Total Cost   Profit
0     -            $0             $816,754     ($816,754)
1     150,000      $7,500,000     $7,848,933   ($348,933)
2     500,000      $25,000,000    $23,328,049  $1,671,951
3     1,000,000    $50,000,000    $45,142,368  $4,857,632
[Line chart: Cumulative Break Even Analysis (Year 0 = Phase 3); Total Revenue and Total Cost against Year 0–3; y-axis Revenue, $0 to $60,000,000.]
Funding Plan
• SBIR Funding Agency: National Science Foundation
– Phase 1: $100,000 max, $52k planned
– Phase 2: $750,000 or two years, $183k planned
• Phase 3
– Venture capital investment
– Small business loan
– Revenue from token sales
Risk Management Plan
• Identify project risks
• Determine the phase that the risk is in
• Categorize risks according to probability and impact
• Reduce risks before or as they happen with mitigation actions
• Continue to reevaluate risks during all phases
• Watch for new risks
Risks and Mitigation
[Probability/impact matrix, 1-Low to 5-High: risks 5, 2 and 1 plotted at impact 5; risks 6 and 3 at impact 3; risks 7 and 4 at impact 2.]
#  Risk                              Mitigation
1  Trust                             Beta-testing
2  Customer understanding            Tutorials on website
3  Reliance on token sales revenue   Encourage early partner site adoption
4  Viable alternatives               Single source two-factor
5  Token loss                        Provide temporary password access
6  Token availability                Offer online and through retail outlets
7  Government vs. Anonymity          Follow the lead of encryption products
(Scale: 1-Low to 5-High)
Evaluation Plan
• Time
– Measured against baseline project plan
• Cost
– Measured against budget plan by phase
• Scope
– Measured against requirement document
• Quality
– Measured by customer adoption rate and satisfaction
Evaluation Phases
• Phase 0
– Idea developed
– Project website developed
– Funding secured
• Phase 1
– Prototype design
– Working prototype
– Initial customer demonstration
• Phase 2
– Product design
– Software module development
– Software module testing
– Integration testing
– Finished product
• Phase 3
– First sale completed
– Product released
– Marketing plan developed
– Successful marketing
– New contracts acquired
Conclusion
• Available, affordable, and proven technology
• Targets a large and growing market
• Benefits consumers and online businesses
• Scalable service
• Manageable project scope, achievable milestones
References
• “3 Indicted in Online Brokerage Hacking Scheme.” Washington Post. 13 Mar. 2007. Carrie Johnson. 2 Apr. 2007 <http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html>.
• “Internet Penetration and Impact.” Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
• “Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.e-consultancy.com/publications/download/91130/internet-stats-compendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
• “Internet World Stats.” Internet World Stats. 10 Mar. 2007. Internet World Stats. 22 Apr. 2007 <http://www.internetworldstats.com/stats2.htm>.
• “Online Banking Increased 47% since 2002.” ClickZ Stats. 9 Feb. 2007. The ClickZ Network. 15 Feb. 2007 <http://www.clickz.com/showPage.html?page=3481976#table>.
References (cont.)
• “Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
• “Real-World Passwords.” Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
• “RSA SecurID Authentication.” RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
• “RSA Security Password Management Survey.” RSA Security. Sep. 2006. Wikipedia. 15 Feb. 2007 <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf>.
• “Share of Time Spent Online.” ClickZ Stats. 27 Feb. 2007. The ClickZ Network. 28 Feb. 2007 <http://www.clickz.com/img/Share_of_Time.html>.
Appendix
• Abstract
• SBIR Document
• Management Plan
• Evaluation Plan
• Resource Plan
• Marketing Plan
• Funding Plan
• Staffing Plan
• Risk Management Plan
• Hardware Specifications
• Work Breakdown Structure
• Additional Diagrams