Securing Electronic Commerce: Identification & Authentication (PowerPoint presentation)



Presentation Transcript


Securing Electronic Commerce: Identification & Authentication

Douglas Graham

UK Channel Technical Manager

Security Dynamics Technologies, Inc


Security Dynamics Technologies, Inc.

  • RSA

  • 300 million copies installed & in use worldwide

  • 110,000 BoKS users

  • Major OEM relationships

  • 3 million users of SecurID

  • 3,000 companies

  • 9,000 installations

  • 2,000 companies

  • 250+ of the Fortune 500


Key Business Trends

  • Enhanced outreach and collaboration with employees, customers, partners, distributors and suppliers

  • Emergence of the “virtual enterprise”

  • “Market of One” interactive customer relationship

eBusiness is no longer a competitive advantage; it is a necessity


Key Technology Trends

  • Rapid deployment of intranets and extranets

  • New generation of inexpensive, high-speed, IP-ready network capacity coming online

  • Broad adoption and continued evolution of mission-critical ERP applications

  • Continued outsourcing of network transport, Web hosting and application deployment

Moving rapidly to the Internet-enabled enterprise


Key Security Trends

  • Enterprises supplementing perimeter defense with protection of applications and information

  • Increasing requirements for user authentication, authorization and intrusion monitoring and detection

  • PKI emerging as a common architectural foundation for multiple security applications

  • Security decisions driven by line-of-business needs

Enterprise security is the key enabler for eBusiness


What is Electronic Commerce?

  • Electronic Commerce is the temporary extension of a computer network over a Public or Private connection to facilitate business transactions.

    • PSTN, ISDN, Internet

  • Can be used by Individual users or to connect two or more networks together.

    • Notebook dial-in for email, small office to HQ connection


Remote Access

(Diagram: a Mobile User connecting to the Head Office across a Public Network.)


Electronic Commerce Applications

  • Home Banking

  • Quick, easy access to corporate information and services

  • Sharing information between Business Partners & Customers

  • Telecommuters (home working), day extenders

  • IT Support Staff


Remote Access Benefits

  • Productivity

  • Cost Savings

  • Easy Information Access

  • High Availability of Information

  • Competitive Advantage


Remote Access Growth

(Chart: US remote access users by year, 1997 to 2000, on an axis from 0 to 60,000,000; the chart is labelled 56 million.)

Source: Giga, September 1997


W. European e*Commerce, 1996-2001: Commerce Revenue/Year, Year Ending ($Million)

(Chart: Business and Consumer revenue bars for 1996 through 2001; CAGR = 137%.)

Source: IDC, July ‘97


What are the risks?

  • Protecting the network and data from abuse by authorised users

  • Protecting the network and data from abuse by unauthorised users

  • Data Privacy

  • Data Confidentiality

  • Complexity of service operation and delivery


Attacks from Inside & Out

(Chart: share of reported security breaches, 0% to 45%, comparing unauthorized access by employees with system penetration from outside.)

Source: 1998 CSI/FBI Computer Crime and Security Survey


Cost of Security Breaches

(Chart: average loss per reported security breach in $000, $0 to $3,000, for financial fraud, theft of proprietary information and unauthorized access by employees.)

Source: 1998 CSI/FBI Computer Crime and Security Survey


“Casual Intruder - Disgruntled Employee”

  • Shoulder surfing co-workers

  • Finding written password

    • Post-It Notes

    • DayTimer

  • Guessing password

    • “password”

    • Spouse/Dog/Kid’s name

    • Username


“Serious Hacker”

  • All of the “casual” approaches

  • “Social engineering”

  • Password cracking

    • “Crack”

    • “L0phtCrack”

    • “Cracker Jack”

  • Network sniffing


Passwords Are Not Secure

  • Tools for defeating passwords abound

  • Compromise is not detectable

  • Passwords can be snooped off the Net

  • Passwords & files are diverted off desktops or servers

  • Password protected credentials are compromised off-line


“Privacy” is NOT “Security”

(Diagram: an Encrypted Tunnel Through a Public Network, with a question mark at the far end.)

Who’s at the other end of the line?


Identification & Authentication

  • Identification: Who are you? ....... “John Smith”

  • Authentication: ....... prove that you are John Smith


Identification, Authentication: “Prove It!”


Methods of User Authentication

  • Something you know

    • Password, PIN, “mother’s maiden name”

  • Something you have

    • Magnetic card, smart card, token, physical key

  • Something unique about you

    • Fingerprint, voice, retina, iris

(Slide graphics: a bank card numbered 1234 5678 9010 and a PIN “1059”.)


Two Factor “Strong” Authentication

(Slide graphic: token + PIN.)


One Time Passcode

SecurID Passcodes can only be used ONCE!

(Animation: passcode 345656 is accepted, then locked; 568787 is accepted, then locked; 879845 is accepted, then locked; 879845 presented again is reported as Already Used and access is denied.)

Shoulder Surfing and Snoop will NOT work!


Traditional Authentication Options

(Diagram: a ladder of Level of Security, from Passwords at the bottom, labelled Identification & Weakest Authentication, through Software Token, labelled Identification & Weak Authentication, up to Hardware Token, labelled Identification & Strong User Authentication.)


New Authentication Options

(Diagram: the same Level of Security ladder, from Passwords (Identification & Weakest Authentication) through Software Token (Identification & Weak Authentication) and Hardware Token (Identification & Strong User Authentication), with Biometric, Smart Card and Digital Certificate added at the strong end.)


Secure Remote Access

  • Let’s look at reducing the risks and complexity


Remote Access Complexity

(Diagram without text labels.)


The Internet Simplifies Remote Access

(Diagram: Global Access delivered by ISP over the Internet.)


Reducing The Risks?

  • The Internet is a collection of unsecured networks!

  • Strong Authentication and Encryption can provide a solution

  • New Technology

    • VPN


What is a VPN?

  • VPN - “Virtual Private Network”

  • Transport encrypted information via the Internet and public networks

  • Offer benefits of private network using “free” Internet infrastructure

  • Encryption means privacy not security

  • A VPN can be owned and run locally, or delivered as a service from a Telco or ISP


Creating a Secure VPN

(Diagram: the user reaches a Firewall or RAS server across the Internet; the Firewall or RAS server checks the passcode with the ACE/Server.)

  • Request Connection

  • Request Passcode

  • Send Passcode (PIN + token)

  • Send Session Key
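The once-only passcode rule from the One Time Passcode slide and the passcode check in the VPN flow above, as an added example that is not part of the presentation or of any Security Dynamics product: the tokencode generator, `STEP_SECONDS`, `AceServerStandIn` and `vpn_connect` are all assumptions standing in for the proprietary SecurID algorithm and the ACE/Server, and the seed, PIN and times are constructed.

```python
"""Added example (not from the presentation): a stand-in for the server-side
passcode check on the 'One Time Passcode' and 'Creating a Secure VPN' slides.
SecurID's real tokencode algorithm is proprietary, so an HMAC over (seed, time
step) stands in for it; the point shown is that an accepted passcode is locked
and a replay of it is refused."""
import hashlib
import hmac
import secrets

STEP_SECONDS = 60  # assumed tokencode lifetime for this example


def tokencode(seed: bytes, now: int) -> str:
    """Stand-in for what the token displays: 6 digits from seed and time step."""
    step = (now // STEP_SECONDS).to_bytes(8, "big")
    digest = hmac.new(seed, step, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class AceServerStandIn:
    """Holds each user's PIN and token seed, plus the time steps already used."""

    def __init__(self):
        self.users = {}  # user -> (pin, seed)
        self.used = set()  # (user, step) pairs locked after a successful login

    def enroll(self, user: str, pin: str, seed: bytes):
        self.users[user] = (pin, seed)

    def check_passcode(self, user: str, passcode: str, now: int) -> str:
        """Verify PIN+tokencode; return ACCEPTED, ALREADY USED or DENIED."""
        record = self.users.get(user)
        if record is None:
            return "DENIED"
        pin, seed = record
        expected = (pin + tokencode(seed, now)).encode()
        # Constant-time compare so a wrong PIN and a wrong code look alike.
        if not hmac.compare_digest(passcode.encode(), expected):
            return "DENIED"
        key = (user, now // STEP_SECONDS)
        if key in self.used:
            return "ALREADY USED"  # replay of a shoulder-surfed or sniffed passcode
        self.used.add(key)  # lock it: a SecurID passcode can only be used ONCE
        return "ACCEPTED"


def vpn_connect(server: AceServerStandIn, user: str, passcode: str, now: int):
    """Firewall/RAS side of the VPN slide: have ACE/Server check the passcode
    and hand out a session key only on ACCEPTED."""
    verdict = server.check_passcode(user, passcode, now)
    return verdict, (secrets.token_bytes(16) if verdict == "ACCEPTED" else None)
```

A production verifier would also tolerate a small clock drift window between token and server, which this stand-in omits.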


VPNs Reduce Cost and Complexity

  • Reduce leased line costs and dial access charges

  • Reduce user support

  • Simplify remote access architecture

  • Reduce help desk services

  • Allow tracking / billing for usage

  • Reduce equipment costs for remote access


Increased Use of Authenticators

(Chart: authenticator users by year, 1996 to 2000, on an axis from 0 to 20,000,000; series: Internet users (177% CAGR), VAN users (132% CAGR), Dial-in users (52% CAGR).)

Source: Giga est., Sept. 1997


VPNs Offer Estimated 60% Cost Savings

(Chart: Remote Access Cost Comparisons for 2000 Remote Users, in $000's on an axis from $0 to $3,500, comparing Internet Remote Access with Traditional Remote Access, broken down into User Support, Phone/ISP Charges, Routers/Servers and T1 Lines.)

Source: Forrester Research 7/97


Secure Web Applications

Using the WWW to share sensitive information

  • Home Banking

  • Business to Business Communication

  • Price Lists to Partners

  • Human Resources

  • Product Support and Updates


Secure Web Authentication & Privacy

  • Issues Similar to Remote Access

    • User Identification & Authentication

      • Passwords are not enough!

    • Data Privacy during connection

      • Prevent snooping

    • Granular Access

      • Grant access rights based upon service level


Web Applications Security

(Screenshots: SecurWorld and SecurWorld Online login pages for Customer, Reseller and SecurCare, each prompting for a Passcode.)


What about Certificates for Authentication?

  • A Digital Certificate is a unique electronic identifier (complex password) associated with a user

  • Browsers use certificates widely for establishing a level of authentication

  • More and more applications will use certificates

    • Email, SSSO, E-commerce

  • A user’s certificate can be used to check a Digital Signature - a unique electronic signature associated with the owner of the certificate

    • essential for non-repudiation of messages and transactions


How can we be sure of a Certificate?

  • A certificate is usually ‘signed for’ electronically by a Trusted Third party, e.g. Verisign

    • I.e. Two companies trust the integrity of a certificate issued by a jointly trusted external organisation

  • Today most Certificates are stored electronically on servers (e.g. LDAP)

    • So how can we be sure that the person who is using a certificate is who they say they are!

      • We Cannot unless they use Strong Authentication!



Smartcards for Security

  • Benefits

    • Two Factor ‘Strong Authentication’

    • Secure storage of Private Credentials

    • Building Access

    • Photograph

    • Other Applications

  • Downside

    • Readers

    • Infrastructure


Soft Smartcards

  • Host based secure electronic ‘wallets’ (or files) that contain a user’s security credentials

  • Downloaded to the user on successful authentication

  • Two Factor Authentication to access Soft Smartcard

  • Excellent transitional solution to help companies migrate to smartcards for network access

  • Available today


Soft Smartcards for Secure Applications Access

(Diagram of the dial-in sequence.)

  • User dials in

  • Request for Passcode

  • User sends Passcode (PIN + token)

  • Authenticates and Credentials downloaded


Summary

  • Local and Global Electronic Commerce can

    • increase productivity and communication

    • reduce costs of doing business

    • deliver competitive advantage

  • Suffers from risk of abuse and fraud if not prudently secured

  • User Authentication, Encryption of traffic and use of Certificates can deliver very secure applications including E-Commerce

