Implementation of a Biometric Solution Providing Strong Authentication To Gain Access To Confidential Data
First-hand feedback on the implementation of identity management within a bank.
Technological choices? Issues? Concept and design, implementation, training and human aspects. A hands-on experience.

Transcript

  • 1. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tel +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch. Implementation of a biometric solution providing strong authentication to gain access to confidential data. Sylvain Maret, Security Architect @ MARET Consulting, 17 March 2010. MARET Consulting 2010, Technology consulting.
  • 2. Agenda: Digital identity security; Strong authentication?; Strong authentication technologies; Biometry and Match on Card; Applications for the Match on Card technology; Digital certificate / PKI; Illustration with a project for the banking field; Trends 2010. (Slide footer: www.maret-consulting.ch, Technology consulting, Security Summit Milano, March 2010.)
  • 3. Who am I? Security expert, 15 years of experience in ICT security; CEO and founder of MARET Consulting; Expert at the Engineering School of Yverdon and Geneva University; Swiss French area delegate at OpenID Switzerland; Co-founder of the Geneva Application Security Forum; Author of the blog La Citadelle Electronique. Chosen field: digital identity security.
  • 4. Protection of digital identities: a topical issue... Identification.
  • 5. Strong authentication: why? Keyloggers (hardware and software), malware, man in the middle, browser in the middle, password sniffers, social engineering, phishing / pharming. The number of identity thefts is increasing dramatically!
  • 6. A major event in the world of strong authentication. 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive: "single factor authentication" is not enough for web financial applications; before the end of 2006 it is compulsory to implement a strong authentication system (http://www.ffiec.gov/press/pr101205.htm). And the PCI DSS standard: compulsory strong authentication for remote access. And now European regulation: the Payment Services Directive (2007/64/CE) for banks.
  • 7. Identification and authentication? Identification: who are you? Authentication: prove it!
  • 8. Definition of strong authentication: Strong Authentication on Wikipedia.
  • 9. "Digital identity is the cornerstone of trust." More information on the subject.
  • 10. Strong authentication technologies.
  • 11. Which strong authentication technology?
  • 12. Comparison of OTP, PKI (hardware) and biometry on: strong authentication*, encryption, digital signature, non-repudiation, strong link with the user. (* Biometry type: fingerprinting.)
  • 13. Strong authentication: technologies on the move. Corporations: eBanking, VPN, web applications, mobility, electronic document management. Public: social networks, Facebook, the PIV FIPS-201 project, SAML, virtual worlds, adoption of OpenID. Authentication as a Service (AaaS), cloud computing, Google Docs, Salesforce.
  • 14. Technologies accessible to everyone: standards, open source solutions. Open Authentication (OATH); Mobile One Time Passwords: strong two-factor authentication with mobile phones. OATH authentication algorithms: HOTP (HMAC, event based), OCRA (challenge/response), TOTP (time based); OATH Token Identifier Specification.
  • 15. Biometry and Match on Card.
  • 16. Which biometric technology for IT?
  • 17. Biometry = strong authentication? The answer is clearly no: it requires a second factor; there is a security problem (usurpation, i.e. spoofing); on its own it is only a convenience for the user. More information on usurpation: study by Yokohama University.
  • 18. Match on Card technology: your PIN code is your finger.
  • 19. Example of Match on Card technology for IT: a reader (biometry, smart card); a card with a chip (MOC technology, crypto processor); PC/SC; PKCS#11; X.509 digital certificate.
  • 20. Storing the biometric data? (MOC = Match On Card.)
      - On an external medium: better security; "offline" mode.
      - Through an authentication server: security issue; confidentiality issue; availability issue.
      Federal law of 19 June 1992 on the Protection of Data (LPD).
  • 21. Examples of use of the Match on Card technology: Smart Card Logon (Microsoft, PK-INIT (Kerberos), Citrix); Web SSO solution (SAML); very sensitive web applications; remote access (VPN SSL, VPN IPSEC); electronic document management; eBanking; data encryption / digital signature solution (laptop encryption, folder (share) encryption, etc.).
  • 22. Mobility security with MOC technology: biometric strong authentication with a reader of the "swipe" type; X.509 machine certificate using the TPM for authentication of the machine. Applications: pre-boot authentication, Smart Card Logon, full disk encryption, VPN (SSL, IPSEC), web applications, Citrix.
  • 23. Authentication of a user with PKINIT (Smart Card Logon). (Diagram: step 1 U_Cert, step 2; schema by Philippe Logean, e-Xpert Solutions SA.)
  • 24. Feedback from the banking field.
  • 25. The project: electronic document management. Implementation of an Electronic Document Mgt solution; access to very sensitive information; classification of the information: Secret; encryption of data (from the BIA); authorization, access control. Project for a private bank in Switzerland; start of the project: 2005; population concerned: 500 persons (Phase I), in the long run 3000 persons (Phase II).
  • 26. Business Impact Analysis (BIA), Bank Acme SA, data services:
      - Hard impact: reduced income; increased cost of working; breach of the law; loss of operational capability; breach of contract / financial penalties.
      - Soft impact: loss of goodwill; loss of credibility.
      - Availability (in time), scale: inconvenience (30 min), quite serious (1H), critical (2H).
      - IT application "Electronic Documents Mgt": hard impact HIGH, soft impact HIGH, availability 30 min / 1H / 2H, confidentiality HIGH, integrity HIGH.
  • 27. (Data classification: Secret.) Implementation of a technology allowing strong authentication, via a mechanism of irrefutable proof, of the users accessing the bank's information system. Who accesses what, when and how?!
  • 28. The technical constraints of the strong authentication project (listed on the slide under Mandatory and Desired): integration with existing applications; integration with building security; data encryption; Web; non-fixed workstations; Microsoft Smart Card Logon; future applications; laptops; network and systems; separation of roles; strong authentication; four eyes; digital signature; auditing, proof; proof management.
  • 29. Basic concept: a unique link. Identity management (issuer, cert) and authorization management (App A); link: the user's cn. Phase 1: strong authentication. Phase 2: authorization.
  • 30. Components of the technical architecture: implementation of a PKI "intra muros", non-Microsoft (separation of duties); implementation of online revocation with the OCSP protocol; use of a Hardware Security Module; security of the PKI architecture: shielding and hardening, firewall, IDS, FIA.
  • 31. Concept for the security of the GED (electronic document management) application.
  • 32. The focus of biometric authentication.
  • 33. Human process.
  • 34. The weak link? It matters more than the technique... Definition of roles, tasks and responsibilities; purpose: separation of duties, four eyes. Implementation of identity management processes; implementation of operating procedures.
  • 35. Implementation of processes. Processes for the identity management team: user enrollment, revocation, incident management (loss, theft, forgotten card), renewal. Process for the Help Desk; process for the auditors; process for the RSSI (CISO). And the operating procedures!
  • 36. The result: a series of documents for the bank: operating procedures, description of processes, terms of use, definition of roles and responsibilities, CP/CPS for the "in house" PKI.
  • 37. Training.
  • 38. A crucial element! Training of the identity management team; training of users; training of the Help Desk; training for the technologies (PKI, biometry).
  • 39. Identity management team training: very important work. How to enroll fingers; Match on Card technology; problem handling (technical, human); coaching for 3 weeks.
  • 40. End user training: about 30 min per user. Technology explanation: Match on Card, finger position; try it (play with biometry); document for end users; signature (legal usage).
  • 41. Problems...
  • 42. Some examples: enrollment with some users; convocation of end users; technical problem on the Validation Authority (OCSP servers).
  • 43. Feedback?
  • 44. Conclusion of the project:
      - Pure technique is a minor element in the success of such a large-scale project; never underestimate the organisational aspect; management process; ask for management support.
      - Biometry is a mature technology. The PKI technology offers a safety kernel for the future: encryption, signature, rights management information, CP/CPS for the PKI, data security. A step towards convergence of physical and logical security.
  • 45. Trends. Biometry Match on Card: the PIV FIPS-201 project is a leader! Convergence of physical security and logical security. Biometric sensor for laptops: UPEK (FIPS-201 solution). New biometric technologies. Full disk encryption (laptop) with support of the Match on Card technology: McAfee Endpoint Encryption (formerly SafeBoot Encryption), WinMagic SecureDoc Disk Encryption.
  • 46. A very promising technology: vascular pattern recognition, by SONY.
  • 47. When will the convergence happen? A difficult convergence! Physical security and logical security.
  • 48. A few links to deepen the subject: MARET Consulting, http://maret-consulting.ch/; La Citadelle Electronique (blog on digital identities), http://www.citadelle-electronique.net/; Banking and finance articles: "Steal an identity? Impossible with biometry!", http://www.banque-finance.ch/numeros/88/59.pdf, and "Biometry and Mobility", http://www.banque-finance.ch/numeros/97/62.pdf; public presentations: OSSIR Paris 2009, "Feedback on the deployment of biometry on a large scale", http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf; ISACA, Clusis, "Access to information: roles and responsibilities", http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-de28099authentification-forte.pdf
  • 49. "The counseling and the expertise for the selection and the implementation of innovative technologies in the field of security of information systems and digital identity."
  • 50. Annexes.
  • 51. Authenticators in 2010.
  • 52. OTP software using a smartphone: OTP for iPhone, a feedback; software OTP for iPhone; Mobile One Time Passwords.
  • 53. Biometry Match on Card: feedback on the deployment of biometry on a large scale.
  • 54. The focus of biometric authentication.
  • 55. USB token.
  • 56. Internet Passport.
  • 57. Matrix cryptography.
  • 58. PKI: X.509 digital certificate; software certificate; hardware certificate.
  • 59. OTP via SMS: enter the OTP.
  • 60. State of the art of authenticators in 2010: synthesis (technology, explanation).
      - OTP software on a smartphone: One Time Password software; event, time or challenge/response mode; not-connected mode.
      - Biometry Match on Card: biometry and chip card; digital certificate; storage of the biometric pattern.
      - USB token: One Time Password in connected mode; event, time or challenge/response mode.
      - Internet Passport: biometry; One Time Password; not-connected mode; challenge/response mode.
      - Matrix cryptography: One Time Password; challenge/response mode.
      - PKI: software certificate; hardware certificate.
      - OTP SMS: One Time Password by SMS.
  • 61. Integration with web applications.
  • 62. Web application with a basic authentication.
  • 63. Web application towards a strong authentication?
  • 64. "Shielding" approach (perimetric authentication).
  • 65. Approach by modules or agents.
  • 66. API / SDK approach.
  • 67. SSL PKI: how does it work? The web server sends an OCSP request to the Validation Authority, which answers valid, not valid or unknown; SSL/TLS mutual authentication between Alice and the web server.
  • 68. Identity federation approach: a change of paradigm.
  • 69. Identity federation approach: a change of paradigm.
  • 70. Identity federation approach.
  • 71. Approaches for an integration of strong authentication (approach, examples):
      - Shielding (perimetric authentication): use of a protective third-party component such as a reverse proxy (Web Application Firewall).
      - Module (agents): use of a software module such as an Apache module, a SecurID agent, etc.; use of a protocol such as RADIUS.
      - API: development via an API (SDK), for instance using Web Services (SOAP).
      - SSL PKI: use of an X.509 certificate; use of SSL/TLS functionalities; "PKI Ready".
      - Identity federation: use of a federation protocol such as SAML, OpenID, PKI application, others, etc.