
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - Rajiv Dholakia

In an ever more interconnected and inter-reliant world, the state of security has been a cause for deep pessimism. In the midst of all the gloom, there is good cause for optimism.
With some fits and starts, the building blocks for transforming mobile security are taking shape at every level, from the processor to the chipset to special-purpose hardware to operating systems and protocols, addressing use cases from device integrity to user authentication to payments.
How do we think about security, privacy, identity and authentication in this world? This talk provides a rapid overview of selected building blocks and some practical examples now deployed at scale, to illustrate the coming wave and how you, as a practitioner or customer, can participate and position yourself for maximum benefit.

Published in: Technology

  1. MOBILE SECURITY, IDENTITY & AUTHENTICATION: REASONS FOR OPTIMISM. Rajiv Dholakia, VP Products, RAJIV@NOKNOK.COM
     (title slide background: a word cloud of authenticator terms such as fingerprint, face, voice, PIN, token, TPM, secure element, NFC, USB, RBA, active/passive/silent)
  2. SECURITY IN PERSPECTIVE: It's like drinking water from the tap in the 1800s. Pills, Potions & Spells vs. Chlorination. (NOK NOK LABS)
  3. PURPOSE OF SECURITY: Device Integrity; Network Integrity; OS & App Integrity; User Integrity; Data & Transaction Integrity (and Privacy where appropriate)
  4. SECURITY NEEDS TO SPAN LINKS: Integrity across User, Hardware, OS/App, Network and Service
  5. USER INTEGRITY: THE GLOBAL AUTHENTICATION PROBLEM. Fear, Frustration and Friction.
     • 40 million credit cards; 56 million credit cards; cost: $148M USD
     • The problem continues to get BIGGER and more EXPENSIVE
     • Fraud: stolen/hacked passwords are the leading cause of identity theft
     • Passwords DO NOT WORK, especially on mobile devices
     • Too many accounts and passwords to remember
     • Significant commerce abandonment by users
     • Personal and corporate damage
  6. IDENTITY SERVICES: AUTHENTICATION IN CONTEXT. Physical-to-digital identity; User Management; Authentication; Federation; Single Sign-On; E-Gov; Payments; Security; Passwords; Risk-Based; Strong; Personalization. MODERN AUTHENTICATION.
  7. Mobile Security Stacks
  8. LAYERED SECURITY MODELS
     • Device Integrity: Device Keys & Certificates; Crypto Engines; Trusted Execution Environments (trustlets); Secure Elements
     • Rich Operating System (e.g. Android): OS Partition; User Partition; App Sandboxes
     • Overlay Services: App Stores; OS Integrity Services (e.g. Android SafetyNet); Site and App Reputation/Integrity; Device and Cloud Data Managers
     • Harden the device... Isolate the apps... Filter what gets on the device...
  9. INTEGRITY MECHANISMS – I (Hardware, OS: TPM, SE, TEE)
     • TPMs – backwards compatibility requirements
     • SEs – limited due to operator controls
     • TEEs (Trusted Execution Environments) – third time is a charm?
     • Secure boot – verification of image
     • Virtualization – hardware-assisted isolation
     • Anti-virus
     • Device theft response – standard on mobile devices
  10. INTEGRITY MECHANISMS – II (App, User)
     • App verification – rise of the app store
     • App isolation – app containers; restricted IPC
     • Protecting data & content – on-device data encryption; DRM
     • Identity proofing – know your customer
     • Strong authentication – explicit & implicit; first mile & second mile
  11. ISOLATION ARCHITECTURE: ARM TRUSTZONE. Secure OS; Boot; FP Sensor; Touchscreen; Storage. 1.7 B ARM Cortex SoCs shipped; 18-month phone refresh rate.
  12. SECURITY NEEDS TO SPAN LINKS: Integrity across Hardware, OS, App, Network and User
  13. So how are we doing?
  14. SOME EXAMPLES FROM 2014: Infrastructure/Relying Party (Payments or other); Operating System; Hardware
  15. HOW FIDO WORKS TO SIMPLIFY AND SCALE AUTHENTICATION: user authenticates to device, device authenticates to network
     • Standardized protocols
     • Local authentication unlocks an app-specific key
     • Key used to authenticate to server (unique key per site)
     • Decoupled user verification from authentication protocol (client & server)
  16. ATTACKS MITIGATED
     • (1) Remotely attacking central servers: steal data for impersonation
     • (2) Remotely attacking lots of user devices: steal data for impersonation
     • (3) Remotely attacking lots of user devices: misuse them for impersonation
     • (4) Remotely attacking lots of user devices: misuse authenticated sessions
     • (5) Physically attacking user devices: steal data for impersonation
     • (6) Physically attacking user devices: misuse them for impersonation
     • Scalable attacks (1–4): with hardening of FIDO authenticator implementations, mitigate remote/scalable attacks
     • Physical attacks (5–6): possible on lost or stolen devices (≈3% in the US in 2013); user coercion; not scalable
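The flow on slides 15 and 16, as an added Go example (not code from the talk or from Nok Nok Labs): the device keeps one key pair per relying party and signs only after local user verification, while the server holds public keys only, so a server breach or a cross-site reuse of an assertion yields nothing usable for impersonation. Names such as bank.example and alice are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the device: one key pair per relying party (RP), used only after local user verification.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// RelyingParty models the server: it stores public keys only (keyed by username), never a secret.
type RelyingParty struct{ ID string; pubs map[string]*ecdsa.PublicKey }

// Register mints a fresh P-256 key pair bound to this RP and hands only the public half to the server.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return err }
	if a.keys == nil { a.keys = map[string]*ecdsa.PrivateKey{} }
	if rp.pubs == nil { rp.pubs = map[string]*ecdsa.PublicKey{} }
	a.keys[rp.ID], rp.pubs[user] = priv, &priv.PublicKey // unique key per site
	return nil
}

// Sign uses the RP-specific key only if the local check (PIN, fingerprint, ...) passed; the RP id is bound into the digest.
func (a *Authenticator) Sign(rpID string, verified bool, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok || !verified { return nil, fmt.Errorf("no key for %q or local user verification failed", rpID) }
	d := sha256.Sum256(append([]byte(rpID), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// Verify checks the signed challenge against the stored public key; a replay against a new challenge fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	if !ok { return false }
	d := sha256.Sum256(append([]byte(rp.ID), challenge...))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	a, bank := &Authenticator{}, &RelyingParty{ID: "bank.example"} // constructed RP id
	if err := a.Register(bank, "alice"); err != nil { panic(err) }
	c := make([]byte, 32)                  // server-issued random challenge
	if _, err := rand.Read(c); err != nil { panic(err) }
	sig, _ := a.Sign(bank.ID, true, c)     // true = local verification passed
	fmt.Println("login accepted:", bank.Verify("alice", c, sig))
}
```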
  17. SECURITY PROFILES FOR AUTHENTICATION (hardware integration spectrum)
     • Software Only ID – Strong: protects keys
     • TPM/SE ID – Stronger: protects keys; protects crypto
     • TEE + SE ID – Strongest: protects keys; protects crypto; protects code; protects display
  18. BUILDING AUTHENTICATORS: THREE PROFILES
     • Rich OS – software only; no extra cost; Strong
     • Trusted Execution Environment – software & hardware; cost to acquire and manage mobile device; Stronger
     • Secure Element – software and tamper-resistant hardware; cost to acquire and manage tokens; Stronger
  19. A UNIQUE OPPORTUNITY: Hardware Integrity; OS Integrity; App Integrity; Network Integrity; User Integrity. Re-architect computing using hardware-based trust: a chain of trust, a trusted platform for authentication.
  20. SUPPORT IN THE FABRIC
     • Qualcomm shipping FIDO support in Snapdragon chipsets starting Dec 2014
     • Microsoft declares in Feb 2015 FIDO support coming to Windows 10 and affiliated services
     • Google intends to bring biometric APIs & system keychain to Android M – June 2015
     • Apple continuing to support Touch ID & system keychain in iOS – 2014-2015
  21. FIDO-CAPABLE MOBILE, TABLET + PC FORECAST: 35 million (Aug. 2014) to 2.5 billion (Dec. 2019); user growth of 70.43% over 5 years
     Year  Total devices  FIDO-capable  FIDO share  Non-FIDO  FIDO iOS  FIDO Android  FIDO Windows
     2016  2.08B          1.8B          86.73%      13.27%    281M      793M          724M
     2017  2.19B          2.05B         93.43%      6.57%     298M      945M          805M
     2018  2.36B          2.29B         96.98%      3.02%     315M      942M          1.04B
     2019  2.6B           2.5B          98.61%      1.39%     331M      1.1B          1.16B
  22. PULLING IT ALL TOGETHER: NTT DOCOMO LIVE WITH FIDO AUTHENTICATION, May 2015. Many FIDO ecosystem firsts: first carrier; multiple OEM launch at the same time; first federated identity solution; first carrier billing system; first iris sensor; first chipset support.
  23. ONLINE AUTHENTICATION FOR DOCOMO SERVICES: Biometric Authentication from DOCOMO, May 26, 2015. Online authentication using biometric information: authentication for docomo ID and carrier billing payments. Password-less biometric authentication (iris, fingerprint) for login, unlocking devices and payments.
  24. HOPE FOR SCALING A HIGHLY CONNECTED WORLD: Everything authenticates. 50 billion connected devices by 2020: Internet of Things. People + Devices + Ecosystems. Consumer and enterprise use cases: corporate networks, mobile commerce, mobile payments, social networks, eHealth.
  25. Any Device. Any Application. Any Authenticator.
     (closing slide background: the same authenticator word cloud as the title slide)
  26. Appendix
  27. BENEFITS OF THE FIDO APPROACH. Requirements for next generation authentication (User, Device, Service): Security, Privacy, User Experience, Cost, Scalability.
     • Security: public/private keys instead of passwords; fraud reduction
     • Privacy: user information stays on the device; not stored on servers that can be compromised
     • User Experience: natural and faster authentication; use the authentication method of choice
     • Cost and Scalability: unified auth infrastructure; standards-based; adaptable infrastructure; future-proofed and flexible