MARET Consulting Presents Strong Authentication Technologies

MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch

Implementation of a biometric solution providing strong
authentication to gain access to confidential data

Sylvain Maret / Security Architect @ MARET Consulting
17 march 2010

MARET Consulting 2010
Conseil en technologies

Agenda

Digital identity Security
Strong authentication?

Applications for the Match on
Strong authentication technology Card technology

Biometry and Match on Card
Digital certificate / PKI
Illustration with a project for
the banking field

Trends 2010

www.maret-consulting.ch Conseil en technologies

Security Summit Milano, march 2010

Who am I?

Security Expert
15 years of experience in ICT Security
CEO and Founder of MARET Consulting
Expert @ Engineer School of Yverdon & Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
Author of the Blog: la Citadelle Electronique

Chosen field
Digital Identity Security



Protection of digital identities: a topical issue…

Identification



Strong authentication: why?

Keylogger (hard and Soft)
Malware
Man in the Middle
Browser in the Midle
Password Sniffer
Social Engineering
Phishing / Pharming

The number of identity thefts is increasing dramatically!



A major event in the world of strong authentication

12 October 2005: the Federal Financial Institutions Examination
Council (FFIEC) issues a directive

« Single Factor Authentication » is not enough for the web financial
applications
Before end 2006 it is compulsory to implement a strong
authentication system
http://www.ffiec.gov/press/pr101205.htm

And the PCI DSS norm
Compulsory strong authentication for distant accesses

And now European regulations
Payment Services (2007/64/CE) for banks



Identification and authentication ?

Identification
Who are you?

Authentication
Prove it!



Definition of strong authentication

Strong Authentication on Wikipedia



«Digital identity is the corner stone of trust»

More information on the subject




Strong authentication
technologies


Which strong authentication technology?



OTP PKI (HW) Biometry
Strong *
authentication
Encryption

Digital signature

Non repudiation

Strong link with
the user

* Biometry type Fingerprinting


Strong authentication:
Technologies on the move

Corporations Public
eBanking
VPN
Web Applications
Mobility
Electronic Document Mgt Social networks
Facebook
Project PIV FIPS-201
SAML Virtual World
Adoption of OpenID

Authentication as a Service Cloud Computing
AaaS Google docs
Sales Forces


Technologies accessible to everyone

Standards Open Source Solution

Open Authentication Mobile One Time Passwords
(OATH) strong, two-factor authentication
with mobile phones
OATH authentication
algorithms
HOTP (HMAC Event
Based)
OCRA
(Challenge/Response)
TOTP (Time Based)
OATH Token Identifier
Specification



Biometry
and
Match on Card


Which biometric technology for IT?



Biometry = strong authentication?

The answer is clearly no
Requires a second factor

Problem of security (usurpation)

Only a convenience for the user

More information on usurpation
Study Yokohama University



Technology Match on Card: your NIP code is your finger



Example of Match on Card technology for IT

A reader
Biometry
SmartCard

A card with chip
Technology MOC
Crypto processor
PC/SC
PKCS#11
Digital certificate X509



Stocking data?

On an external Through an
medium authentication server
Better security Security issue
« Offline » mode Confidentiality issue
MOC = Match On card Availability issue

Federal law of 19 June 1992
on the
Protection of data (LPD)



Example of utilisation of the Match on Card technology

Smart Card Logon of Web SSO Solution
Microsoft SAML
PK-INIT (Kerberos)
Citrix
Very Sensitive Web
Applications Remote access
Electronic Document Mgt
VPN SSL
eBanking VPN IPSEC

Data Encryption Digital Signature Solution
Laptop encryption
Folder (Share) Encryption Etc.


Mobility security with MOC technology

Biometric strong
authentication
Reader of the «swipe» type
X509 machine certificate
Utilisation TPM
Authentication of the
machine

Applications
Pre Boot Authentication
Smart Card Logon
Full Disk Encryption
VPN (SSL, IPSEC)
Web Application
Citrix


Authentication of a user with PKINIT (Smart Card Logon)

1

U_Cert
U Cert

2

2

Schema by Philippe Logean
e-Xpert Solutions SA



Feedback
from the
Banking field

The project: electronic management of documents

Implementation of a Electronic Document Mgt solution
Access to very sensitive information
Classification of the information: Secret
Encryption of data (From BIA)
Authorization Access Control

Project for a Private bank in Switzerland
Start of the project: 2005

Population concerned
500 persons (Phase I)
In the long run: 3000 persons (Phase II)


Business Impact Analysis (BIA)

BIA
Bank Acme SA

Data Services Impact
Hard Impact Soft Impact
Availability (in time)
Reduced i ncome Los s of goodwi l l
Increa s ed cos t of Los s of credi bi l i ty
IT Applications worki ng Breach of the l aw
Confidentiality Integrity Los s of opera ti ona l
ca pabi l i ty
inconvenience quite serious critical
Brea ch of
contra ct/fi na nci a l
pena l ti es

Electronic Documents
Mgt HIGH HIGH 30 min 1H 2H HIGH HIGH



(Data Classification : Secret)

Implementation of a technology allowing
strong authentication
– via a mechanism of irrefutable proof –
of the users accessing the bank’s information
system

Who accesses what, when and how?!


The technical constraints of the strong authentication project

Mandatory Desired

Integration with existing Integration with building security
applications Data encryption
Web Non fixed workstations
Microsoft Smart Card Logon
Future applications
Laptop
Network and systems
Separation of roles Strong authentication
Four eyes
Digital signature
Auditing, proof
Proof management



Basic concept: a unique link

Identity Management Authorization
Management

Issuer
App A cert

Link: cn
User

PHASE 1 PHASE 2
Strong authentication Authorization



Components of the technical architecture

Implementation of a PKI « intra muros »
Non Microsoft (Separation of duties)
Implementation of the Online revocation
OCSP protocol
Utilisation of a Hardware Security Module
Security of the PKI architecture
Shielding and Hardening
Firewall
IDS
FIA


Concept for the GED application security


The focus of biometric authentication



Processus
Human Process
Humain

The weak link? Matters more than the technique…

Definition of roles
Tasks and responsibilities
Purpose: separation of duties
Four eyes

Implementation of identity management processes

Implementation of operating procedures



Implementation of processes

Processes for the identity management team
User enrollment
Revocation
Incident mangement
Loss, theft, forgotten card
Renewal
Process for Help Desk
Process for the Auditors
Process for the RSSI

And the operating procedures!


The result

A series of documents for the bank
Operating procedures
Description of processes
Terms of use
Definition of roles and responsibilities
CP /CPS for the « in house » PKI



Training


A crucial element!

Training of the identity management team
Training of users
Training of Help Desk
Training for the technologies
PKI
Biometry


Identity Management Team Training

Very Important work

How to enroll fingers
Match on Card Technology
Problem handling
Technical
Human

Coaching for 3 weeks



End User Training

About 30 min per User

Technology explication
Match on Card

Finger position
Try (Play with Biometry)

Document for End Users

Signature (Legal Usage)



Problems…


Some examples

Enrollment with some Users

End Users convocation

Technical Problem on Validation Authority
OCSP Servers



Feedback?


Conclusion of the project

Pure technique is a minor Biometry is a mature technology
element in the success of
such a large scale project Technology PKI
Offers a safety kernel for the
future
Never under estimate the
Encryption, signature
organisational aspect Rights management information
CP / CPS for the PKI Data security
Management process
A step towards convergence
Ask for management support Physical and logical security



Tendency Biometry Match on Card

The PIV Fips-201 project is a leader!

Convergence
Physical security and logical security

Biometric sensor for laptops
UPEK (Solution FIPS-201)

New biometric technologies

Full Disk Encryption (Laptop)
Support of the Match on Card technology
McAfee Endpoint Encryption™ (formerly SafeBoot® Encryption)
Win Magic SecureDoc Disk Encryption



A very promising technology: Vascular Pattern Recognition

By SONY



When will the convergence happen?

A difficult convergence! Physical security and logical security


A few links to deepen the subject

MARET Consulting
http://maret-consulting.ch/
La Citadelle Electronique (blog on digital identities)
http://www.citadelle-electronique.net/
Banking and finance article
Steal an identity? Impossible with biometry!
http://www.banque-finance.ch/numeros/88/59.pdf
Biometry and Mobility
http://www.banque-finance.ch/numeros/97/62.pdf
Publique presentations
OSSIR Paris 2009: Feedback on the deployment of biometry on a large scale
http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf
ISACA, Clusis: Access to information : Roles and responsibilities
http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-
de28099authentification-forte.pdf



“The counseling and the expertise for the selection and

the implementation of innovative technologies

in the field of security of information systems and digital identity"



Annexes



Processus
Authentifiers
inHumain
2010

OTP Software using SmartPhone

OTP for iPhone: a feedback
Software OTP for iPhone
Mobile One Time Passwords


Biometry Match on Card

Feedback on the deployment of biometry on a large scale


USB Token



Internet Passport



Matrix cryptography



PKI: Digital certificate X509

Software Certificate Hardware Certificate



OTP via SMS

OTP via SMS

Enter OTP



State of the art in 2010 of the authentifiers: Synthesis

Technologies Explanations

OTP Software One Time Password software
SmartPhone Event, Time or mode challenge response
Mode not connected
Biometry Match on Biometry and chip card
Card Digital certificate
Stocking of the Biometric pattern
USB Token One Time Password in mode connected
Event, Time ou mode challenge response
Internet Passport Biometry One Time Password
Mode not connected
Mode challenge response
Matrix cryptography One Time Password
Mode challenge response
PKI Certificate software
Certificaet Hardware
OTP SMS One Time Password by SMS

Processus
Integration with
web applications
Humain

Web application with a basic authentication



Web application towards a strong authentication?



“Shielding” approach - (Perimetric Authentication)



Approach by Module or Agents



Approach API / SDK



SSL PKI: how does it work?

Validation
Authority

OCSP request

Valide
Pas valide
Inconu

SSL / TLS Mutual Authentication
Alice
Web Server


Approach federation of identity
a change of paradigm



Approach federation of identity



Approaches for an integration of the strong authentication

Approaches Examples

Shielding Utilisation of a protective third party compnent
(Perimetric Auth) Such as a Reverse Proxy (Web Application Firewall)

Module Utilisation of a software module
(Agents) Such as an Apache module, a SecurID agent, etc.
Utilisation of a protocol such as Radius

API Development via an API
(SDK) For instance by using the Web Services (SOAP)

SSL PKI Utilisation of a certificate X509
Utilisation of SSL/TLS functionalities
PKI Ready
Identity Federation Utilisation of a federation protocol such as SAML, OpenID,

Others PKI application, etc.

MARET Consulting Presents Strong Authentication Technologies

Recommended

Recommended

More Related Content

What's hot

What's hot (14)

Similar to MARET Consulting Presents Strong Authentication Technologies

Similar to MARET Consulting Presents Strong Authentication Technologies (20)

More from Sylvain Maret

More from Sylvain Maret (20)

MARET Consulting Presents Strong Authentication Technologies