Protect Your Client Software and Identification Security
•Download as PPT, PDF•
1 like•762 views
"Software clients can't be secured" is an axiom of computer security. True, but not helpful. How do you incorporate security into a client and address the key issues of Identity. For the more information or if you need any security help, visit http://free2secure.com/.
Recommended
Recommended
More Related Content
Similar to Protect Your Client Software and Identification Security
Similar to Protect Your Client Software and Identification Security (20)
Recently uploaded
Recently uploaded (20)
Protect Your Client Software and Identification Security
- 1. Security eBooks Client Anatomy and Identification Security Inside the Client – Part 1 Steven Davis steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 2. Security eBooks Most Useless Security Axiom: You Can’t Secure the Client steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 3. Security eBooks … but you need the Client to be part of your security… so, how do you build a secure system with unsecure components? steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 4. Security eBooks • Security decisions are built on different forms of identity – Service account – Person – Platform – Payment account – Email Uniqueness and Identity steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 5. Security eBooks REMEMBER: People are not Accounts Neither are Computers steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 6. Security eBooks Identity and Uniqueness are Tenuous Online • Online Identity is simply pieces of data presented over a network • The connection between the data and the underlying entity is weak • Bits are bits steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 7. Security eBooks Client Components • Computer (tablet, cell phone) – Hardware Components • (Game) Application – Program – Persistent Data – State & Session Information • Operating System • Other Programs • Other Data steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 8. Security eBooks Device Fingerprinting ord g aw tr on os a r to g is f n tin r pri ge Fin • Collection of a large number of hardware and software identities to create a “fingerprint” • getXXXXID() is just a program that can be spoofed • Better as a “white list” than a “black list”… maybe • Questionable in a world of active adversaries steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 9. Security eBooks Basic Identity Toolkit Multiple platform identity sources Hardware Extracted Platform Serial Number Other Applications Player Identity Information Input Stored Application Data Stored Registration Keys Input Once Hashes & Splits & Passwords Tools steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 10. Security eBooks Registering a Platform 1. Collect Platform ID information License Key Local IDs Local Data 2. Server Seed or Local Seed (optional) 3. Hash (optional) Seed (optional) 4. Split (optional) 5. Build Platform ID 6. Build Platform Platform ID Authentication Data 7. Store Locally Platform Authentication Data 8. Exchange with Server Local Split steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 11. Security eBooks Essential Platform Identification & Authentication • Retrieve Platform ID • Reconstruct or Retrieve Platform Authentication Data • Verify (Locally or Remotely) Verification can be bypassed, spoofed, etc., of course, as can IDs and authentication data steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 12. Security eBooks Security Tokens • Can be effective • Identify themselves, not people • Need to be linked with platform identity • Only as strong as registration process • PART of a security solution – a Node of trust, not a trusted system steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 13. Security eBooks Platform Identity is “Polite” Identity • Useful, if you understand its limitations • Can be used for basic fraud detection and white listing • Black listing limited by virtualization and effort of foes • Challenge – Design Your System using weak identity • Do you need identity at all? – Gratuitous Strong Passwords • Use external channels for positive identification steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 14. Security eBooks What next? • Don’t give up! • More security presentations at: http://free2secure.com/ • Check out my book “Protecting Games” – Additional information at http://playnoevil.com/ • You can “win” the security game steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 15. Security eBooks About Me • Steven Davis – 25+ Years of Security Expertise – I have worked on everything from online games and satellite TV to Nuclear Command and Control and military communications • http://www.linkedin.com/in/playnoevil – Author, “Protecting Games” • Why Free2Secure? – Security is too expensive and isn’t working. There has to be a better way. I’m exploring these issues for IT security, ebooks, games, and whatever else strikes my fancy at http://free2secure.com/ – Join me there, ask questions, challenge assumptions, let’s make things better steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Editor's Notes
- http://www.mdgadvertising.com/blog/wp-content/uploads/2011/03/blog-device_fingerprinting.jpg http://docs.oracle.com/cd/E12057_01/doc.1014/e12054/img/fngrprt.gif
- http://upload.wikimedia.org/wikipedia/commons/thumb/d/db/SecurityTokens.CryptoCard.agr.jpg/800px-SecurityTokens.CryptoCard.agr.jpg