This document summarizes a presentation given by Sylvain Maret on implementing a biometric solution for strong authentication to access confidential banking data. The presentation discusses the need for strong authentication, biometric technologies like fingerprint recognition, and the Match on Card technology. It also provides a case study of a project implementing this technology for a Swiss bank to enable electronic document management for 500 users. Key aspects included a biometric reader, smart cards with crypto processors, training programs, and ensuring organizational processes and policies were defined to support the new system.
Data Protection with Match On Card Biometrics (Protection des données avec la biométrie Match On Card)
MARET Consulting Presents Strong Authentication Technologies
1. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch
Implementation of a biometric solution providing strong authentication to gain access to confidential data
Sylvain Maret / Security Architect @ MARET Consulting
17 March 2010
MARET Consulting 2010
Technology consulting
2. Agenda
Digital identity security
Strong authentication?
Strong authentication technologies
Biometry and Match on Card
Digital certificate / PKI
Applications of the Match on Card technology
Illustration with a project in the banking field
Trends 2010
www.maret-consulting.ch | Technology consulting
Security Summit Milano, March 2010
3. Who am I?
Security Expert
15 years of experience in ICT Security
CEO and Founder of MARET Consulting
Expert at the Yverdon School of Engineering and at Geneva University
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
Author of the Blog: la Citadelle Electronique
Chosen field
Digital Identity Security
4. Protection of digital identities: a topical issue…
5. Strong authentication: why?
Keyloggers (hardware and software)
Malware
Man in the Middle
Browser in the Middle (man-in-the-browser)
Password sniffers
Social engineering
Phishing / pharming
The number of identity thefts is increasing dramatically!
6. A major event in the world of strong authentication
12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues guidance stating that "single-factor authentication" is not enough for web-based financial applications; institutions had to implement a strong authentication system before the end of 2006
http://www.ffiec.gov/press/pr101205.htm
And the PCI DSS standard: strong (two-factor) authentication is compulsory for remote access
And now European regulation: the Payment Services Directive (2007/64/EC) for banks
7. Identification and authentication ?
Identification
Who are you?
Authentication
Prove it!
8. Definition of strong authentication
Strong Authentication on Wikipedia
9. «Digital identity is the corner stone of trust»
More information on the subject
10. Strong authentication technologies
11. Which strong authentication technology?
12. Comparison of the technologies: OTP, PKI (hardware) and biometry
Criteria compared: strong authentication*, encryption, digital signature, non-repudiation, strong link with the user
OTP covers strong authentication only; PKI on hardware adds encryption, digital signature and non-repudiation; biometry is the one that gives a strong link with the user
* Biometry of the fingerprint type
13. Strong authentication: technologies on the move
Corporations: eBanking, VPN, web applications, mobility, electronic document management, the PIV project (FIPS-201), SAML, Authentication as a Service (AaaS)
Public: social networks (Facebook), virtual worlds, adoption of OpenID, cloud computing (Google Docs, Salesforce)
14. Technologies accessible to everyone
Standards
Open Authentication (OATH)
OATH authentication algorithms: HOTP (HMAC-based, event/counter driven), OCRA (challenge/response), TOTP (time-based)
OATH Token Identifier Specification
Open source solution
Mobile One Time Passwords: strong two-factor authentication with mobile phones
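The OATH algorithms named above are small enough to show in full. The block below is an added example written for this page (not code from the presentation, from OATH or from any token vendor): HOTP as specified in RFC 4226, TOTP as in RFC 6238, and the two server-side checks a practitioner actually needs, a look-ahead window for event-based tokens that still refuses any counter already accepted (replay), and a clock-skew window for time-based codes that returns the matched step so the same code cannot be used twice within its 30-second validity. The 20-byte secret is the test secret from the RFCs, not a production key; window sizes are assumptions. Only the Python standard library is used.

```python
"""OATH HOTP (RFC 4226) and TOTP (RFC 6238) with server-side verification.

Added example for this page; not code from the presentation or from any OATH product.
RFC_TEST_SECRET is the shared secret of the RFC test vectors, not a production key.
"""
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"   # 20-byte secret used by the RFC 4226 / RFC 6238 test vectors


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP value: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks 4 bytes
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)         # keep leading zeros, it is a string code


def totp(secret, unix_time, step=30, t0=0, digits=6, digestmod=hashlib.sha1):
    """TOTP: HOTP whose counter is the number of time steps elapsed since t0."""
    return hotp(secret, int((unix_time - t0) // step), digits, digestmod)


def verify_hotp(secret, candidate, last_counter, look_ahead=10, digits=6):
    """Server-side check for an event-based token.

    The code is accepted only for a counter strictly greater than the last accepted one (a captured
    code cannot be replayed) and within a small look-ahead window (the button may have been pressed
    a few times without the code being used). Returns the counter to store, or None on rejection.
    """
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):    # constant-time comparison
            return c
    return None


def verify_totp(secret, candidate, unix_time, step=30, skew=1, digits=6):
    """Server-side check for a time-based code, tolerating +/- skew steps of clock drift.

    Returns the matched step so the caller can refuse a second use of that step: a TOTP code is
    valid for a whole step, and without this bookkeeping it is replayable inside that window.
    """
    current = int(unix_time // step)
    for s in range(current - skew, current + skew + 1):
        if hmac.compare_digest(hotp(secret, s, digits), candidate):
            return s
    return None


if __name__ == "__main__":
    print("HOTP, counter 0 :", hotp(RFC_TEST_SECRET, 0))             # 755224 per RFC 4226
    print("TOTP, t = 59    :", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238 (SHA-1)
    print("replay rejected :", verify_hotp(RFC_TEST_SECRET, hotp(RFC_TEST_SECRET, 0), 0))  # None
```

The verifier functions return the counter or step that matched rather than a bare boolean; persisting that value per user is what turns an OTP from "something that looks right" into a one-time credential.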
15. Biometry and Match on Card
16. Which biometric technology for IT?
17. Biometry = strong authentication?
The answer is clearly no
It requires a second factor
Security problem: spoofing (identity usurpation)
On its own it is only a convenience for the user
More information on spoofing: the Yokohama National University study on artificial ("gummy") fingers
18. Match on Card technology: your PIN code is your finger
19. Example of Match on Card technology for IT
A reader: biometric sensor and smart card reader
A card with a chip: MOC technology, crypto processor
Interfaces and standards: PC/SC, PKCS#11, X.509 digital certificate
20. Where to store the biometric template?
On an external medium (the card): better security, works in "offline" mode; MOC = Match On Card
Through an authentication server: security issue, confidentiality issue, availability issue
Swiss Federal Act of 19 June 1992 on Data Protection (LPD)
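The following added example (written for this page, not code from the presentation or from any card vendor) is a toy model of the trust boundary that slides 18 to 20 describe: the enrolled template and the private key live inside a card object the host never reads; across what would be the PC/SC link the host only sends a fingerprint sample and a challenge, and gets back a verdict and a signature. It also shows why a template is not a password (matching is fuzzy, so it cannot be hashed and compared for equality) and what "your PIN is your finger" implies operationally: a try counter that blocks the card after repeated failures. The minutiae representation, the tolerance figures, the three-try lockout and the HMAC stand-in for the card's RSA/ECDSA signature are assumptions for illustration only; real minutiae matching and the crypto processor are far more involved.

```python
"""Toy model of the Match on Card trust boundary.

Added example for this page, not code from the presentation nor from any card vendor. The
minutiae format, tolerances, three-try lockout and the HMAC stand-in for the card signature
are illustrative assumptions.
"""
import hashlib
import hmac
import math
import random

# A minutia is modelled as (x, y, angle_in_degrees); a template is a list of them.


def _angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)


def minutiae_matches(template, sample, tolerance=6, angle_tolerance=15):
    """Count template minutiae that have a close enough, not yet used, sample minutia.

    This fuzziness is why a biometric template cannot be hashed like a password: two presentations
    of the same finger never produce identical data, so the raw template must be kept somewhere
    trusted, which is the whole point of keeping it on the card.
    """
    used, matched = set(), 0
    for tx, ty, ta in template:
        for i, (sx, sy, sa) in enumerate(sample):
            if i not in used and math.hypot(tx - sx, ty - sy) <= tolerance \
                    and _angle_diff(ta, sa) <= angle_tolerance:
                used.add(i)
                matched += 1
                break
    return matched


class MatchOnCard:
    """Stands for the chip with its crypto processor (slide 19)."""

    def __init__(self, template, private_key, max_tries=3, min_matches=8):
        self._template = list(template)      # never leaves the card
        self._key = private_key              # never leaves the card
        self._max_tries = max_tries
        self._tries_left = max_tries
        self._min_matches = min_matches
        self._unlocked = False

    def verify(self, sample):
        """On-card comparison. As with a PIN, the card blocks after max_tries failures."""
        if self._tries_left == 0:
            return False
        if minutiae_matches(self._template, sample) >= self._min_matches:
            self._tries_left = self._max_tries
            self._unlocked = True
            return True
        self._tries_left -= 1
        self._unlocked = False
        return False

    def is_blocked(self):
        return self._tries_left == 0

    def sign(self, challenge):
        """Private-key operation, released only after a successful match, one signature per match.
        HMAC-SHA256 stands in for the RSA/ECDSA signature a real card would compute."""
        if not self._unlocked:
            raise PermissionError("card locked: present a finger first")
        self._unlocked = False
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def host_logon(card, sample, challenge, verification_key):
    """Host side of a smart card logon (PC/SC transport, PKCS#11 C_Login then C_Sign in practice):
    present the finger, have the card sign a fresh challenge, check the signature.
    verification_key plays the public key taken from the user's X.509 certificate."""
    if not card.verify(sample):
        return False
    expected = hmac.new(verification_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(card.sign(challenge), expected)


# Constructed data (not from any sensor): a 12-minutia enrolled template and a card key.
_rng = random.Random(2010)
ENROLLED_TEMPLATE = [(_rng.randrange(20, 300), _rng.randrange(20, 300), _rng.randrange(0, 360))
                     for _ in range(12)]
CARD_KEY = b"constructed-card-private-key"


def genuine_sample(template, seed, jitter=2, missing=2):
    """A fresh presentation of the enrolled finger: small position/angle noise, some minutiae missed."""
    rng = random.Random(seed)
    pts = [(x + rng.randint(-jitter, jitter), y + rng.randint(-jitter, jitter),
            (a + rng.randint(-5, 5)) % 360) for x, y, a in template]
    rng.shuffle(pts)
    return pts[: len(pts) - missing]


def impostor_sample(seed, n=12):
    """An unrelated finger."""
    rng = random.Random(seed)
    return [(rng.randrange(20, 300), rng.randrange(20, 300), rng.randrange(0, 360)) for _ in range(n)]


if __name__ == "__main__":
    card = MatchOnCard(ENROLLED_TEMPLATE, CARD_KEY)
    print("genuine logon:", host_logon(card, genuine_sample(ENROLLED_TEMPLATE, 1), b"nonce-1", CARD_KEY))
    for i in range(3):
        print("impostor try", i + 1, ":", card.verify(impostor_sample(100 + i)))
    print("card blocked :", card.is_blocked())
```

Two design points carry over to real deployments: the host never gets a similarity score, only a verdict, so it cannot hill-climb towards the template; and a blocked card is blocked for the genuine finger too, which is why the enrollment and unblocking processes of slide 35 matter as much as the chip.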
21. Examples of use of the Match on Card technology
Smart Card Logon: Microsoft, PKINIT (Kerberos), Citrix
Web SSO solution: SAML
Very sensitive web applications: electronic document management, eBanking
Remote access: VPN SSL, VPN IPsec
Data encryption: laptop encryption, folder (share) encryption
Digital signature solution
Etc.
22. Mobility security with MOC technology
Biometric strong authentication: reader of the "swipe" type
Authentication of the machine: X.509 machine certificate, use of the TPM
Applications: pre-boot authentication, smart card logon, full disk encryption, VPN (SSL, IPsec), web applications, Citrix
23. Authentication of a user with PKINIT (Smart Card Logon)
Diagram: the user's certificate (U_Cert) is presented in the Kerberos pre-authentication exchange; schema by Philippe Logean, e-Xpert Solutions SA
24. Feedback from the banking field
25. The project: electronic document management
Implementation of an Electronic Document Management solution
Access to very sensitive information
Classification of the information: Secret
Encryption of data (requirement derived from the BIA)
Authorization and access control
Project for a private bank in Switzerland
Start of the project: 2005
Population concerned: 500 persons (Phase I); in the long run 3000 persons (Phase II)
26. Business Impact Analysis (BIA)
BIA for "Bank Acme SA" (name anonymised)
Hard impact: reduced income, increased cost of working, breach of the law, breach of contract / financial penalties
Soft impact: loss of goodwill, loss of credibility, loss of operational capability
Availability is rated in time: inconvenience / quite serious / critical

Data / IT application      | Confidentiality | Integrity | Availability (inconvenience / quite serious / critical) | Hard impact | Soft impact
Electronic Document Mgt    | HIGH            | HIGH      | 30 min / 1 h / 2 h                                       | HIGH        | HIGH
27. (Data classification: Secret)
Implementation of a technology allowing strong authentication – via a mechanism of irrefutable proof – of the users accessing the bank's information system
Who accesses what, when and how?!
28. The technical constraints of the strong authentication project
Mandatory
Integration with existing applications: web, Microsoft Smart Card Logon, future applications, network and systems
Separation of roles, four-eyes principle
Auditing, proof, proof management
Desired
Integration with building security
Data encryption
Non-fixed workstations, laptops
Strong authentication extended to digital signature
29. Basic concept: a unique link
Phase 1, strong authentication (identity management): the issuer delivers a certificate to the user
Phase 2, authorization (authorization management): application A grants access on the basis of that certificate
The link between the two phases is the certificate's cn (common name)
30. Components of the technical architecture
Implementation of an in-house ("intra muros") PKI, non-Microsoft (separation of duties)
Implementation of online revocation checking with the OCSP protocol
Use of a Hardware Security Module
Security of the PKI architecture: shielding and hardening, firewall, IDS, FIA
31. Concept for the security of the EDM (GED) application
32. The focus of biometric authentication
34. The weak link? It matters more than the technique...
Definition of roles, tasks and responsibilities
Purpose: separation of duties, four-eyes principle
Implementation of identity management processes
Implementation of operating procedures
35. Implementation of processes
Processes for the identity management team: user enrollment, revocation, incident management (loss, theft, forgotten card), renewal
Process for the Help Desk
Process for the auditors
Process for the CISO (RSSI)
And the operating procedures!
36. The result
A series of documents for the bank
Operating procedures
Description of processes
Terms of use
Definition of roles and responsibilities
CP /CPS for the « in house » PKI
38. A crucial element!
Training of the identity management team
Training of users
Training of Help Desk
Training for the technologies
PKI
Biometry
39. Identity management team training
Very important work
How to enroll fingers
Match on Card technology
Problem handling: technical and human
Coaching for 3 weeks
40. End user training
About 30 min per user
Explanation of the technology: Match on Card, finger position
Trying it out (play with the biometry)
Document for end users, signed by the user (terms of legal usage)
42. Some examples
Enrollment with some users
Convocation of end users
Technical problem on the Validation Authority (OCSP servers)
44. Conclusion of the project
Pure technique is a minor element in the success of such a large-scale project
Never underestimate the organisational aspect: CP/CPS for the PKI, management processes
Ask for management support
Biometry is a mature technology
PKI technology offers a security kernel for the future: encryption, signature, rights management information, data security
A step towards convergence of physical and logical security
45. Trends: biometry Match on Card
The PIV FIPS-201 project is a leader!
Convergence of physical security and logical security
Biometric sensor for laptops: UPEK (FIPS-201 solution)
New biometric technologies
Full disk encryption (laptop) with support for the Match on Card technology: McAfee Endpoint Encryption (formerly SafeBoot Encryption), WinMagic SecureDoc Disk Encryption
46. A very promising technology: vascular pattern recognition (by Sony)
47. When will the convergence happen?
A difficult convergence: physical security and logical security
48. A few links to deepen the subject
MARET Consulting
http://maret-consulting.ch/
La Citadelle Electronique (blog on digital identities)
http://www.citadelle-electronique.net/
Banking and finance articles
Steal an identity? Impossible with biometry!
http://www.banque-finance.ch/numeros/88/59.pdf
Biometry and mobility
http://www.banque-finance.ch/numeros/97/62.pdf
Public presentations
OSSIR Paris 2009: Feedback on the deployment of biometry on a large scale
http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf
ISACA, Clusis: Access to information: roles and responsibilities
http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-de28099authentification-forte.pdf
49. “The counseling and the expertise for the selection and
the implementation of innovative technologies
in the field of security of information systems and digital identity"
50. Annexes
51. Processes / Authenticators / Human (diagram, 2010)
52. OTP software using a smartphone
OTP for iPhone: feedback
Software OTP for iPhone: Mobile One Time Passwords
53. Biometry Match on Card
Feedback on the deployment of biometry on a large scale
54. The focus of biometric authentication
58. PKI: X.509 digital certificate
Software certificate / hardware certificate
59. OTP via SMS
The user receives the one-time password by SMS and enters it
60. State of the art of authenticators in 2010: synthesis
Technology                   | Explanation
OTP software (smartphone)    | One-time password software; event, time or challenge/response mode; disconnected mode
Biometry Match on Card       | Biometry and chip card; digital certificate; storage of the biometric template on the card
USB token                    | One-time password in connected mode; event, time or challenge/response mode
Internet Passport            | Biometry; one-time password; disconnected mode; challenge/response mode
Matrix cryptography          | One-time password; challenge/response mode
PKI                          | Software certificate; hardware certificate
OTP SMS                      | One-time password sent by SMS
61. Processes / Integration with web applications / Human (diagram)
62. Web application with basic authentication
63. Web application: towards strong authentication?
64. "Shielding" approach (perimetric authentication)
65. Approach by modules or agents
66. API / SDK approach
67. SSL PKI: how does it work?
SSL/TLS mutual authentication between Alice (client certificate) and the web server
The web server checks the status of Alice's certificate with an OCSP request to the Validation Authority, which answers: valid, not valid, or unknown
68. Identity federation approach: a change of paradigm
69. Identity federation approach: a change of paradigm (continued)
70. Identity federation approach (continued)
71. Approaches for integrating strong authentication
Approach                        | Examples
Shielding (perimetric auth)     | Use of a protective third-party component such as a reverse proxy (web application firewall)
Module (agents)                 | Use of a software module such as an Apache module, a SecurID agent, etc.; use of a protocol such as RADIUS
API (SDK)                       | Development via an API, for instance by using web services (SOAP)
SSL PKI                         | Use of an X.509 certificate; use of the SSL/TLS functionality; "PKI ready"
Identity federation             | Use of a federation protocol such as SAML, OpenID, etc.
Others                          | PKI application, etc.