Implementation of a Biometric Solution Providing Strong Authentication To Gain Access To Confidential Da
First-hand feedback on the implementation of identity management within a bank.
Technological choices? Issues? Concept and design, implementation, training and human aspects. A hands-on experience.

  1. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch
     Implementation of a biometric solution providing strong authentication to gain access to confidential data
     Sylvain Maret / Security Architect @ MARET Consulting, 17 March 2010
     MARET Consulting 2010, Conseil en technologies
  2. Agenda
     - Digital identity security
     - Strong authentication?
     - Strong authentication technology
     - Biometry and Match on Card
     - Digital certificate / PKI
     - Applications for the Match on Card technology
     - Illustration with a project for the banking field
     - Trends 2010
     (Footer on this and the following slides: www.maret-consulting.ch, Conseil en technologies, Security Summit Milano, March 2010)
  3. Who am I?
     - Security expert, 15 years of experience in ICT security
     - CEO and founder of MARET Consulting
     - Expert @ Engineer School of Yverdon & Geneva University
     - Swiss French area delegate at OpenID Switzerland
     - Co-founder of the Geneva Application Security Forum
     - Author of the blog La Citadelle Electronique
     - Chosen field: digital identity security
  4. Protection of digital identities: a topical issue… (slide image; only the label "Identification" survives in the transcript)
  5. Strong authentication: why?
     - Keylogger (hardware and software)
     - Malware
     - Man in the Middle
     - Browser in the Middle
     - Password sniffer
     - Social engineering
     - Phishing / pharming
     The number of identity thefts is increasing dramatically!
  6. A major event in the world of strong authentication
     - 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive: « Single Factor Authentication » is not enough for web financial applications; before the end of 2006 it is compulsory to implement a strong authentication system (http://www.ffiec.gov/press/pr101205.htm)
     - And the PCI DSS standard: compulsory strong authentication for remote access
     - And now European regulations: Payment Services (2007/64/CE) for banks
  7. Identification and authentication?
     - Identification: who are you?
     - Authentication: prove it!
  8. Definition of strong authentication: Strong Authentication on Wikipedia
  9. «Digital identity is the corner stone of trust»: more information on the subject
  10. Strong authentication technologies (section divider)
  11. Which strong authentication technology? (slide image)
  12. Comparison grid (the check marks are not recoverable from the transcript)
     Columns: OTP, PKI (HW), Biometry
     Rows: Strong authentication*, Encryption, Digital signature, Non repudiation, Strong link with the user
     * Biometry type: fingerprinting
  13. Strong authentication: technologies on the move
     Corporations and public: eBanking, VPN, web applications, mobility, electronic document management, social networks (Facebook), Project PIV FIPS-201, SAML, virtual worlds, adoption of OpenID, Authentication as a Service (AaaS), cloud computing (Google Docs, Salesforce)
  14. Technologies accessible to everyone
     - Standards: Open Authentication (OATH)
     - Open source solution: Mobile One Time Passwords, strong two-factor authentication with mobile phones
     - OATH authentication algorithms: HOTP (HMAC, event based), OCRA (challenge/response), TOTP (time based)
     - OATH Token Identifier Specification
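Worked example of the OATH algorithms named on slide 14 (added here; not code from the deck or from the Mobile One Time Passwords project): HOTP per RFC 4226, TOTP per RFC 6238, and a server-side HOTP check with a look-ahead window. The secret and expected codes are the RFC test vectors; the `HotpVerifier` class and its window size of 5 are assumptions of this example.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as used by OATH tokens.

Added example, not part of the original slide deck. The secret and the
expected values come from the test vectors in the two RFCs.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret from RFC 4226 Appendix D ("12345678901234567890" as ASCII).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """Event-based OTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation (RFC 4226 section 5.3) and reduction mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """Time-based OTP: HOTP where the counter is floor(unix_time / step)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, digestmod)


class HotpVerifier:
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.4).

    The server remembers the next counter it expects for the token. A code is
    accepted only if it matches one of the next `window` counters; the stored
    counter then moves past the match, so an accepted code can never be
    replayed and a code from an earlier counter is rejected. (Class and window
    size are assumptions of this example, not the deck's design.)
    """

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, c, self.digits)
            # compare_digest: constant-time compare, no timing leak on a match
            if hmac.compare_digest(expected, code):
                self.counter = c + 1
                return True
        return False
```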
  15. Biometry and Match on Card (section divider)
  16. Which biometric technology for IT? (slide image)
  17. Biometry = strong authentication?
     - The answer is clearly no
     - Requires a second factor
     - Security problem (usurpation, i.e. impersonation of the user)
     - Only a convenience for the user
     - More information on usurpation: study by Yokohama University
  18. Match on Card technology: your PIN code is your finger
  19. Example of Match on Card technology for IT
     - A reader: biometry, smart card
     - A card with chip: MOC technology, crypto processor, PC/SC, PKCS#11, X509 digital certificate
  20. Storing the data?
     - On an external medium (MOC = Match On Card): better security; « offline » mode
     - Through an authentication server: security issue; confidentiality issue; availability issue
     - Federal law of 19 June 1992 on the Protection of Data (LPD)
  21. Example of use of the Match on Card technology
     - Smart Card Logon of Microsoft: PK-INIT (Kerberos)
     - Web SSO solution: SAML, Citrix
     - Very sensitive web applications: electronic document management, eBanking
     - Remote access: VPN SSL, VPN IPSEC
     - Data encryption / digital signature solution: laptop encryption, folder (share) encryption, etc.
  22. Mobility security with MOC technology
     - Biometric strong authentication: reader of the «swipe» type
     - X509 machine certificate: use of the TPM, authentication of the machine
     - Applications: pre-boot authentication, Smart Card Logon, full disk encryption, VPN (SSL, IPSEC), web application, Citrix
  23. Authentication of a user with PKINIT (Smart Card Logon): schema by Philippe Logean, e-Xpert Solutions SA (diagram; only the step numbers 1, 2 and the label U_Cert survive in the transcript)
  24. Feedback from the banking field (section divider)
  25. The project: electronic management of documents
     - Implementation of an electronic document management solution
     - Access to very sensitive information; classification of the information: Secret
     - Encryption of data (from the BIA), authorization, access control
     - Project for a private bank in Switzerland; start of the project: 2005
     - Population concerned: 500 persons (Phase I); in the long run: 3000 persons (Phase II)
  26. Business Impact Analysis (BIA) for "Bank Acme SA" (table rebuilt from the flattened transcript)
     Data services / IT applications | Hard impact (reduced income, increased cost of working, breach of the law, breach of contract / financial penalties) | Soft impact (loss of goodwill, loss of credibility, loss of operational capability) | Availability (in time): inconvenience / quite serious / critical | Confidentiality | Integrity
     Electronic Documents Mgt | HIGH | HIGH | 30 min / 1 h / 2 h | HIGH | HIGH
  27. (Data classification: Secret) Implementation of a technology allowing strong authentication – via a mechanism of irrefutable proof – of the users accessing the bank’s information system. Who accesses what, when and how?!
  28. The technical constraints of the strong authentication project (two columns, reconstructed)
     - Mandatory: integration with existing applications (web, Microsoft Smart Card Logon, future applications, network and systems); strong authentication; digital signature; proof management
     - Desired: integration with building security; data encryption (non-fixed workstations, laptops); separation of roles (four eyes); auditing, proof
  29. Basic concept: a unique link
     - Identity management: the issuer delivers a certificate to the user; the link is the certificate cn (PHASE 1: strong authentication)
     - Authorization management: application A is bound to that same cn (PHASE 2: authorization)
  30. Components of the technical architecture
     - Implementation of a PKI « intra muros », non-Microsoft (separation of duties)
     - Implementation of the online revocation protocol OCSP
     - Use of a Hardware Security Module
     - Security of the PKI architecture: shielding and hardening, firewall, IDS, FIA
  31. Concept for the GED (electronic document management) application security (slide image)
  32. The focus of biometric authentication (slide image)
  33. Process / Human (section divider; bilingual "Processus / Humain" on the slide)
  34. The weak link? Matters more than the technique…
     - Definition of roles, tasks and responsibilities; purpose: separation of duties, four eyes
     - Implementation of identity management processes
     - Implementation of operating procedures
  35. Implementation of processes
     - Processes for the identity management team: user enrollment, revocation, incident management (loss, theft, forgotten card), renewal
     - Process for the Help Desk
     - Process for the auditors
     - Process for the RSSI (CISO)
     - And the operating procedures!
  36. The result: a series of documents for the bank
     - Operating procedures
     - Description of processes
     - Terms of use
     - Definition of roles and responsibilities
     - CP/CPS for the « in house » PKI
  37. Training (section divider)
  38. A crucial element!
     - Training of the identity management team
     - Training of users
     - Training of the Help Desk
     - Training for the technologies: PKI, biometry
  39. Identity management team training: very important work
     - How to enroll fingers
     - Match on Card technology
     - Problem handling: technical, human
     - Coaching for 3 weeks
  40. End user training: about 30 min per user
     - Technology explanation: Match on Card, finger position
     - Try (play with biometry)
     - Document for end users: signature (legal usage)
  41. Problems… (section divider)
  42. Some examples
     - Enrollment with some users
     - End users convocation
     - Technical problem on the Validation Authority (OCSP servers)
  43. Feedback? (section divider)
  44. Conclusion of the project
     - Pure technique is a minor element in the success of such a large-scale project
     - Never underestimate the organisational aspect
     - CP/CPS for the PKI
     - Management process
     - Ask for management support
     - Biometry is a mature technology
     - PKI technology offers a safety kernel for the future: encryption, signature, rights management information, data security
     - A step towards convergence: physical and logical security
  45. Tendency: biometry Match on Card
     - The PIV FIPS-201 project is a leader! Convergence of physical security and logical security
     - Biometric sensor for laptops: UPEK (FIPS-201 solution)
     - New biometric technologies
     - Full disk encryption (laptop) with support of the Match on Card technology: McAfee Endpoint Encryption™ (formerly SafeBoot® Encryption), WinMagic SecureDoc Disk Encryption
  46. A very promising technology: Vascular Pattern Recognition, by SONY
  47. When will the convergence happen? A difficult convergence! Physical security and logical security
  48. A few links to deepen the subject
     - MARET Consulting: http://maret-consulting.ch/
     - La Citadelle Electronique (blog on digital identities): http://www.citadelle-electronique.net/
     - Banking and finance articles: "Steal an identity? Impossible with biometry!" http://www.banque-finance.ch/numeros/88/59.pdf; "Biometry and Mobility" http://www.banque-finance.ch/numeros/97/62.pdf
     - Public presentations: OSSIR Paris 2009, "Feedback on the deployment of biometry on a large scale" http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf; ISACA, Clusis: "Access to information: roles and responsibilities" http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-de28099authentification-forte.pdf
  49. “The counseling and the expertise for the selection and the implementation of innovative technologies in the field of security of information systems and digital identity”
  50. Annexes (section divider)
  51. Authentifiers 2010 (section divider)
  52. OTP software using a smartphone: OTP for iPhone, a feedback; software OTP for iPhone; Mobile One Time Passwords
  53. Biometry Match on Card: feedback on the deployment of biometry on a large scale
  54. The focus of biometric authentication (slide image)
  55. USB token (slide image)
  56. Internet Passport (slide image)
  57. Matrix cryptography (slide image)
  58. PKI: X509 digital certificate. Software certificate / hardware certificate
  59. OTP via SMS: "Enter OTP" (slide image)
  60. State of the art in 2010 of the authentifiers: synthesis (table rebuilt from the flattened transcript)
     Technology | Explanations
     OTP software (smartphone) | One Time Password software; event, time or challenge-response mode; not-connected mode
     Biometry Match on Card | Biometry and chip card; digital certificate; storage of the biometric pattern on the card
     USB token | One Time Password in connected mode; event, time or challenge-response mode
     Internet Passport | Biometry; One Time Password; not-connected mode; challenge-response mode
     Matrix cryptography | One Time Password; challenge-response mode
     PKI | Software certificate; hardware certificate
     OTP SMS | One Time Password by SMS
  61. Integration with web applications (section divider)
  62. Web application with a basic authentication (slide image)
  63. Web application towards a strong authentication? (slide image)
  64. “Shielding” approach (perimetric authentication) (slide image)
  65. Approach by module or agents (slide image)
  66. Approach API / SDK (slide image)
  67. SSL PKI: how does it work?
     - SSL/TLS mutual authentication between Alice and the web server
     - The server sends an OCSP request to the Validation Authority; the answer is Valid, Not valid or Unknown
  68. Approach: federation of identity, a change of paradigm (slide image)
  69. Approach: federation of identity, a change of paradigm (slide image)
  70. Approach: federation of identity (slide image)
  71. Approaches for an integration of the strong authentication (table rebuilt from the flattened transcript)
     Approach | Examples
     Shielding (perimetric auth) | Use of a protective third-party component, such as a reverse proxy (Web Application Firewall)
     Module (agents) | Use of a software module, such as an Apache module, a SecurID agent, etc.; use of a protocol such as RADIUS
     API | Development via an API (SDK), for instance by using Web Services (SOAP)
     SSL PKI | Use of an X509 certificate; use of the SSL/TLS functionalities; PKI Ready
     Identity federation | Use of a federation protocol such as SAML, OpenID, PKI application, etc.