1 / 19

Authentication: the problem that will not go away

Protecting Online Identity™. Authentication: the problem that will not go away. Prof. Ravi Sandhu Chief Scientist sandhu@tricipher.com 703 283 3484. The State of Cyber Security. We are in the midst of big change Nobody knows where we are headed

jalena
Download Presentation

Authentication: the problem that will not go away

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protecting Online Identity™ Authentication: the problem that will not go away Prof. Ravi Sandhu Chief Scientist sandhu@tricipher.com 703 283 3484

  2. The State of Cyber Security • We are in the midst of big change • Nobody knows where we are headed • Conventional wisdom on where we are headed is likely wrong

  3. Security Schools of Thought • OLD THINK: We had it figured out. If the industry had only listened to us our computers and networks today would be secure. • REALITY: Today’s and tomorrow’s cyber systems and their security needs are fundamentally different from the timesharing era of the early 1970’s.

  4. Stand-alone mainframes and mini-computers Internet Mutually suspicious security with split responsibility Enterprise security Few and standard services Many and new innovative services Vandals Criminals Change Drivers

  5. Authentication Characterized Authentication • is fundamental to security • is hard Authentication can enable • single sign on (or reduced sign on) • digital signatures

  6. Authentication Sliced • Something you know • Passwords, Personal facts • Something you have • Smart card, One-Time-Password generator, PC … • Something you are • Fingerprint, Iris, DNA, Voiceprint, … • Multifactor = 2 or more of these • Leap to 2-factor from 1-factor provides biggest gain • 2 factors typically from different categories above

  7. Authentication Sliced Differently: Take 1 • Shared secrets versus public-private keys • Shared secrets do not scale, especially across administrative domains • Shared secrets do not facilitate single sign-on • The holy grail of public key infrastructure continues to offer the best hope for scalability and single sign-on • Mostly true BUT don’t forget • Kerberos, symmetric key single sign-on within an enterprise • ATM network

  8. Authentication Sliced Differently: Take 2 • One-way authentication versus mutual authentication • One-way authentication is the norm • It is particularly susceptible to phishing • One-time passwords are susceptible to MITM attacks due to lack of mutual authentication

  9. Strong Authentication • Two-factor (or multi-factor) • Mutual authentication

  10. Weak User Authentication Strong User Authentication Transaction Authentication Existing Authentication Methods & Threats

  11. Why Are These Security Measures Vulnerable? • Authentication technologies are vulnerable to MITM Phishing 2.0 attacks when: • They rely on weak, easily spoofable information • They rely on ‘shared secrets’ • They use only one-way SSL security • Vulnerable Authentication Technologies : • IP Geo, Device Fingerprint, OTP Tokens, Scratch Cards, Grid Cards, Cookies, Text, and Pictures

  12. Man-in-the-Middle Attacks Are Happening A man-in-the-middle attack (MITM): attacker is able to read, insert and modify transactions between two parties without either party knowing that the link between them has been compromised. • CitiBank Attack: • July 10th, 2006 • Defeated OTP Tokens • 35 MITM Sites in Russia • Amazon Attack: • January 3rd, 2007 • Defeated Username/Password • Bank of America: • April 10th, 2007 • Defeats Sitekey Cookie/Picture (Movie) • ABN AMRO: • April 20th, 2007 • Defeats OTP Token

  13. The Citibank Attack Decrypted  Links to fake CitiBusiness login page, hosted in Russia by Tufel-Club.ru and routed through botnet.  Phishing email  Inputs and steals users’ credentials (including Token code) in real time at the actual CitiBusiness.com site  Attacker changes transaction or executes a new transaction

  14. IP Spoofing Story • IP Spoofing predicted in Bell Labs report ≈ 1985 • 1st Generation firewalls deployed ≈ 1992 • IP Spoofing attacks proliferate in the wild ≈ 1993 • VPNs emerge ≈ late 1990’s • Vulnerability shifts to accessing end-point • Network Admission Control ≈ 2000’s

  15. Evolution of Phishing • Phishing 1.0 • Attack: Capture reusable passwords • Defense: user education, cookies, pictures • Phishing 2.0 • Attack: MITM in the 1-way SSL channel, breaks OTPs • Defense: 2-way SSL • Phishing 3.0 • Attack: Browser-based MITB client in front of 2-way SSL • Defense: Transaction authentication outside browser • Phishing 4.0 • Attack: PC-based MIPC client in front of 2-way SSL • Defense: Transaction authentication outside PC, PC hardening

  16. Sandhu’s Laws of Attackers • Attackers exist • You will be attacked • Attackers have sharply escalating incentive • Money, terrorism, warfare, espionage, sabotage, … • Attackers are lazy (follow path of least resistance) • Attacks will escalate BUT no faster than necessary • Attackers are innovative (and stealthy) • Eventually all feasible attacks will manifest • Attackers are copycats • Known attacks will proliferate widely • Attackers have asymmetrical advantage • Need one point of failure

  17. Sandhu’s Laws of Defenders • Defenses are necessary • Defenses have escalating scope • Defenses raise barriers for attackers • Defenses will require new barriers over time • Defenses with better barriers have value • Defenses will be breached

  18. Sandhu’s Laws of Users • Users exist and are necessary • Users have escalating exposure • Users are lazy and expect convenience • Users are innovative and will bypass inconvenient security • Users are the weakest link • Users expect to be protected

  19. Operational Principles • Prepare for tomorrow’s attacks, not just yesterday’s • Good defenders strive to stay ahead of the curve, bad defenders forever lag • Take care of tomorrow’s attacks before next year’s attacks • Researchers will and should pursue defense against attacks that will manifest far in the future BUT these solutions will deploy only as attacks catch up • Use future-proof barriers • Defenders need a roadmap and need to make adjustments • It’s all about trade-offs • Security, Convenience, Cost

More Related