
Understanding the Role of Smart Cards for Strong Authentication in Network Systems
Bryan Ichikawa
Deloitte Advisory

Overview

This session will discuss the state of authentication today, identify some of the main vulnerabilities that exist, and introduce options to consider for strengthening authentication. This session will also look at technologies that support multi-factor authentication, talk about FIDO and how this specification brings a change to the world of online authentication, and discuss how smart card technology can be highly effective and how it is already being used in many places today.

Agenda
- What is authentication?
- Vulnerabilities
- Strengthening authentication
- Identifiers vs. authentication
- Multi-factor authentication
- FIDO
- Smart cards as authenticators
- Authentication futures

Authentication – What is it?

In information technology, logical access controls are tools and protocols used for identification, authentication, authorization, and accountability in computer information systems.

Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system.

I want to define and differentiate between plain old logical access and electronic authentication. Logical access is simply logging into a network, system, or application. E-authentication is YOU logging into a network, system, or application.

In the physical access world, most systems allow the card to gain access, and allow whatever carbon life form attached to that card to tag along. The question is, how do you establish confidence that the carbon life form attached to that access request is the one you think it is?

Vulnerabilities – the business drivers
- More and more transactions in our business and personal lives are being conducted online
- The connected universe is a target-rich environment for “bad actors”
- It is the collective responsibility of organizations and individuals alike to protect personal and sensitive data
- Userid/passwords as the primary authentication mechanism are not sufficient
- Many of today’s identifiers provide little or no identity assurance
- Criminal sophistication is increasing at an exponential rate (it is amazing what the devious mind can conjure)

A first line of defense is to elevate the security for how we gain access to online resources.

How does logical access control work?
- Initial registration / application
- (Optional) Identity proofing
- Establish an “identity” that the online system can uniquely recognize (e.g., userid)
- Establish a secret that only both parties know (e.g., password)
- Off you go ... but
  - How do you know you are logging into the right place?
  - How do they know it is you?
  - How do you prevent someone else from hijacking your account?
  - ... ?

Identifiers vs. authentication
- Identifiers by themselves simply identify an entity of sorts
- There is no identity assurance necessarily associated here
- Authentication is measurable – assurance is the measuring stick
- A level of assurance can be established commensurate with the sensitivity of the information or transaction conducted

Tokens – What are they?

In plain English, a token is a secret that comes in a variety of formats. The format of the token has a direct relationship to its strength. For example, a simple password is a very weak token, one that could be easily cracked. A cryptographically protected smart card, on the other hand, is a very strong token. The following slides describe the different types of tokens.

From NIST Special Publication 800-63-2*: Token – Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity.

* ns/NIST.SP.800-63-2.pdf

What are tokens?
- Tokens contain secrets:
  - Shared secrets
  - Public key cryptography
- The classic paradigm for authentication identifies three factors as the fundamentals for authentication:
  - Something you know
  - Something you have
  - Something you are
- But not all factors are secrets. For example:
  - KBA (something you know)
  - Biometrics (something you are)
- Therefore, not all factors can be considered tokens

Factors
- Use of a single factor is referred to as “single factor authentication”
- Combining more than one factor is referred to as “multi-factor authentication”
- But: combining multiple single factors (same factor types) is multiple single factor, NOT multi-factor

Something you know
- Typically these are User ID / Password combinations
- Sometimes only User IDs
- Sometimes only PIN/Password
- Finger patterns (drawing a “Z” on screen)

Something you have
- Hardware Token Device
- Phone (smart or not)
- PKI Certificates
- Smart Cards
- Grid Cards

OTP – One Time Pad (Historic)
- OTP – From “One Time Pad”, a cryptographic ciphering technique using pads of paper where the top sheet of keying material was torn off after using it one time
- Today, OTP refers to One Time Password

[Figure: One Time Pad Example]

OTP – One Time Password (today)
- Typically hardware (e.g., RSA SecurID or cards)
- Token (number) generated on smart phones
- Token can be delivered via SMS, email, phone message (IVR)

OTP protocol as 2nd factor
1. User logs in with User ID / Password (1st factor)
2. System asks for OTP token
3. User queries device* and gets token
4. User enters token into system (2nd factor)
5. System allows access

* OTP tokens can be delivered in many ways, including SMS text, emails, voice messages, computer-based applications, smartphone applications, and hardware devices. OTP tokens are also called verification codes, security codes, passwords, login codes, multi-factor authentication secrets, etc.
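The five-step exchange above, as an added example that is not part of the original slides: the device side generates an HOTP code per RFC 4226 (the "embedded secret used as a seed" described on a later slide), and the server side checks the submitted code within a small look-ahead window and refuses to accept any counter value twice. The shared secret is the RFC 4226 test-vector seed, used here as a constructed sample, and the function and class names are assumptions.

```python
import hmac
import hashlib
import struct

# Shared secret provisioned into the OTP device/app at registration.
# Constructed sample value (the RFC 4226 test-vector seed), not a real key.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(now // step), digits)


class OtpVerifier:
    """Server side of steps 2 to 5: checks the submitted code against a
    small look-ahead window (the device may have been pressed without a
    login) and never accepts a counter twice, so a captured code cannot
    be replayed."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window
        self.next_counter = 0  # lowest counter value not yet consumed

    def verify(self, submitted: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            # constant-time comparison; a plain == would leak timing
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.next_counter = c + 1  # resync and burn this counter
                return True
        return False


def second_factor_login(password_ok: bool, submitted_otp: str,
                        verifier: OtpVerifier) -> bool:
    """Step 1 is the password; access is granted only when both factors pass."""
    return password_ok and verifier.verify(submitted_otp)
```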

Something you are
- Biometrics:
  - Fingerprint
  - Face
  - Voice
  - Iris
- Other biometric modalities are out there, but the above four are the predominant types in use today

Token types
- Memorized Secret Token (Password)
- Pre-registered Knowledge Token (Favorite Color)
- Look-up Secret Token (Grid Card)
- Out of Band Token (SMS OTP)
- Single Factor One-time Password Device (OTP Device)
- Single Factor Cryptographic Device (Transport Layer Security Hardware)
- Multi-factor Software Cryptographic Token (Soft Cert)
- Multi-factor One-time Password Device (Multi-factor OTP)
- Multi-factor Cryptographic Device (Smart Card)

Token types

Memorized Secret Token: A secret shared between the Subscriber and the CSP. Memorized Secret Tokens are typically character strings (e.g., passwords and passphrases) or numerical strings (e.g., PINs). Memorized secret tokens are something you know.

Pre-registered Knowledge Token: A series of responses to a set of prompts or challenges. These responses may be thought of as a set of shared secrets. The set of prompts and responses are established by the Subscriber and CSP during the registration process. Pre-registered Knowledge Tokens are something you know.

Look-up Secret Token: A physical or electronic token that stores a set of secrets shared between the claimant and the CSP. The claimant uses the token to look up the appropriate secret(s) needed to respond to a prompt from the verifier (the token input). For example, a specific subset of the numeric or character strings printed on a card in table format. Look-up secret tokens are something you have.

Token types

Out of Band Token: A physical token that is uniquely addressable and can receive a verifier-selected secret for one-time use. The device is possessed and controlled by the claimant and supports private communication over a channel that is separate from the primary channel for e-authentication. Out of Band Tokens are something you have.

Single Factor One-time Password Device: A hardware device that supports the spontaneous generation of one-time passwords. This device has an embedded secret that is used as the seed for generation of one-time passwords and does not require activation through a second factor. Single Factor OTP devices are something you have.

Single Factor Cryptographic Device: A hardware device that performs cryptographic operations on input provided to the device. This device does not require activation through a second factor of authentication. This device uses embedded symmetric or asymmetric cryptographic keys. Single Factor Cryptographic Devices are something you have.

Token types

Multi-factor Software Cryptographic Token: A cryptographic key is stored on disk or some other “soft” media and requires activation through a second factor of authentication. The token authenticator is highly dependent on the specific cryptographic protocol, but it is generally some type of signed message. The multi-factor software cryptographic token is something you have (plus something you know/are).

Multi-factor One-time Password Device: A hardware device that generates one-time passwords for use in authentication and which requires activation through a second factor of authentication. The second factor of authentication may be achieved through some kind of integral entry pad, biometric reader or a direct computer interface (e.g., USB port). The multi-factor OTP device is something you have (plus something you know/are).

Multi-factor Cryptographic Device: A hardware device that contains a protected cryptographic key that requires activation through a second authentication factor. The multi-factor Cryptographic device is something you have (plus something you know/are).
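An added example, not from the slides or from NIST, modelling the Multi-factor Cryptographic Device definition above: the embedded key only operates after PIN activation (something you have plus something you know), wrong PINs count down a retry counter that locks the device as a smart card's PIN try counter does, and the relying party issues a fresh random challenge per login and accepts each response once. The device operation uses a symmetric HMAC key (the Single Factor Cryptographic Device definition allows symmetric or asymmetric keys); the class names, PIN, key and retry limit are assumptions.

```python
import hmac
import hashlib
import os

class MultiFactorCryptoDevice:
    """PIN-activated hardware token (assumed model): the embedded key
    (something you have) works only after the correct PIN (something you
    know); wrong PINs count down a retry counter that locks the device."""
    MAX_PIN_TRIES = 3

    def __init__(self, key: bytes, pin: str):
        self._key = key  # never exported; used only inside sign()
        self._pin = pin
        self._tries_left = self.MAX_PIN_TRIES
        self._unlocked = False

    def activate(self, pin: str) -> bool:
        if self._tries_left == 0:
            return False  # locked; only an out-of-band unblock helps
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left = self.MAX_PIN_TRIES
            self._unlocked = True
            return True
        self._tries_left -= 1
        return False

    def sign(self, challenge: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("device not activated by PIN")
        self._unlocked = False  # this model's policy: one operation per PIN entry
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class RelyingPartyVerifier:
    """Issues a fresh random challenge per login and accepts each response
    once, so a recorded response cannot be replayed."""
    def __init__(self, key: bytes):
        self._key = key  # the key registered for this device
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-used challenge
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
```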

Other authentication methods
- OOBA – Out Of Band Authentication:
  - The use of two separate networks to perform authentication
  - Can be OTP, smartphone app that confirms query, biometrics, but typical OOBA apps do not cross over attributes or artifacts*
- Step-up Authentication:
  - System asks for an additional factor when a security threshold has been crossed

* OOBA – Typically, a user tries to log in on a computer and the OOBA app on the smart phone asks the user if the login attempt is authorized. The user says yes, and the login takes place on the computer. The authentication protocol on the phone does not interact with the computer login attempt.

Credentials and Credential Service Providers (CSP)
- Credentials are tokens that are bound to an identity
- Identity proofing becomes an integral element of credential issuance
- Credentials are issued and maintained by Credential Service Providers (CSP)
- Credentials are associated with a Level of Assurance (LOA); therefore all credentials are not created equal!

Relying parties
- Relying parties are those organizations that “consume” credentials.
- Some relying parties issue their own credentials, others simply trust credentials issued by other CSPs.

If a relying party wants to trust a credential issued by a CSP other than themselves, how do they know how trustworthy that credential is?

Registration and assurance
- Identity Proofing – proving you are who you claim to be
- In-person Proofing:
  - Present one or two forms of government issued ID
  - Usually has a picture on it, plus relevant personal information (DOB, address, etc.)
  - Perform address or telephone verification
- Remote Proofing:
  - Submit valid government ID
  - Submit financial or utility account numbers

Identity proofing is the activity that binds an identity to a token to create a credential. There are 4 defined levels of assurance.

NIST SP 800-63-2
- NIST Special Publication 800-63-2: Electronic Authentication Guideline
- Released August 2013
- 800-63-2 supplements OMB guidance, E-Authentication Guidance for Federal Agencies [OMB M-04-04*]:
  - Specifically, provides guidelines for implementing step 3 of the e-authentication process (next slide)

800-63-2 provides technical guidelines to agencies to allow an individual to remotely authenticate their identity to a Federal IT system. These guidelines address traditional methods for remote authentication based on secrets.

* /memoranda/fy04/m04-04.pdf

OMB M-04-04
- Defines 4 levels of assurance (Levels 1 to 4)
- Outlines a 5-step process:
  1. Conduct a risk assessment of the government system
  2. Map identified risks to the appropriate assurance level
  3. Select technology based on e-authentication technical guidance
  4. Validate that the implemented system has met the required assurance level
  5. Periodically reassess the information system to determine technology refresh requirements

Authentication levels (OMB M-04-04 Levels of Assurance)
- Level 1 – Little or no confidence in the asserted identity: self-assertion; minimum records
- Level 2 – Some confidence in asserted identity: online, instant qualification; online with out-of-band follow-up
- Level 3 – High confidence in the asserted identity: remote proofing; out-of-band verification or qualification; cryptographic solution
- Level 4 – Very high confidence in the asserted identity: in-person proofing; recording of a biometric; cryptographic solution; hardware token

FIDO Alliance*
- Fast IDentity Online – An alliance whose mission is to change the nature of online identification.
- UAF and U2F
  - UAF: Universal Authentication Framework (password-less experience)
  - U2F: Universal Second Factor (two factor experience)

* https://fidoalliance.org/

FIDO Alliance – Board level
Alibaba Group, ARM, Bank of America, CrucialTec, Discover, Egis, [...], Microsoft, Nok Nok Labs, NTT DOCOMO, NXP, Oberthur, [...], Visa Inc., Yubico

FIDO Alliance – Sponsor level
Aetna, Ally, Authasas, Authentify, BKM, Blackberry, CA Technologies, UK Cabinet S[...], Dell, Duo, E-Trade, Early Warning, Entersekt, ETRI, eyeLock, FacialNetwork, Feitian, FingerQ, Forgerock, Gemalto, G&D, Goldman Sachs, Goodix, Happlink, Hoyos Labs, IDEX, Infineon, Infoguard, Intercede, Intuit, ISR, KICA, LG Electronics, MedImpact, Safran, Netflix, NXTID, NIST, nymi, OSD, Ping Identity, Plantronics, Rambus, Redsys, Samsung SDS, SecureKey, SecureAuth, SK[...], Watchdata, Wells Fargo, WoSign, Yahoo! Japan

FIDO Alliance – Associate level
- 126 additional organizations (as of 9/17/2015)
- Specification 1.0 is final and available for UAF and U2F
- https://fidoalliance.org

Authentication business drivers

The business drivers among various industry sectors are very different:
- Public sector and critical infrastructure are driven by policy and standards: FIPS 201
- Commercial industry is driven by profitability: and slowly by security
- The general public is driven by convenience and reward: and slowly by increasing concern
- Everyone is slowly being driven by education

Other industries
- Banking, Payment and Investments: many financial businesses now offer multi-factor authentication as an additional security measure
- Email: most leading email providers support stronger authentication
- Gaming: the gaming industry is becoming a leader in end-user security

Visit www.twofactorauth.org for a comprehensive list of organizations that support stronger levels of authentication.

Smart cards playing a role for strong authentication
- Mobility: Today’s smart phones contain a “smart card”
- FIDO: U2F devices are smart card-based
- Financial: EMV cards are smart cards
- Transit: Transit cards are moving to smart card technology

Authentication futures
- The US federal government has defined standards and specifications for electronic authentication
- There is no consistency or standardization outside of the federal government
- Commercial and consumer requirements are much different
- Separation of token and identity assurance is a notion that is not defined by federal standards (this is where FIDO fits)
- But passwords alone are being recognized as insufficient for the future of online authentication
- Smart card technology already exists in many places – use it!

As more and more transactions are conducted online, federal and even state governments can require the binding of identities to tokens, but many commercial and consumer enterprises, for the most part, do not require strong identity proofing.

Bryan Ichikawa
Deloitte Advisory
bichikawa@deloitte.com

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
