Identity, Payments , and Bitcoin : Big Changes Ahead. Steve Kirsch CEO, OneID March 3, 2014. My Focus Today. Secure Payment Authorization. Authentication = Payment Authorization ( if you do them securely). “Log me into HSBC.com” - Signed, Steve
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Steve KirschCEO, OneID
March 3, 2014
“Log me into HSBC.com”
- Signed, Steve
“Pay 5 Euros to Amazon for Invoice #234343”
- Signed, Steve
Same protocol for authN and authZ; onlythe requested action is different
The IETF Edition15 MYTHS
The Problem is Shared Secrets
50% of users use the same password EVERYWHERE
Once and For All?
What was NOT said:
“We will give you an option in the future to loginwithout using any shared secrets.”
Even for a Billion Dollars!
AFAIKNot one company which has been breached has EVER offered consumers the option of logging in (or storing their credit card info) without using any shared secrets.
Pick an Excuse for Inaction from this Handy “Feel Good” List
Like signing a blank check
Re-hashed and signed here…
(never leaves user’s device)
Why would we want to eliminate that?!?
WRONG (as a shared secret)
On your device
Challenge=transaction + nonce
“Password1”+salt=ECDSA signing key
Combine password (or PIN) with local high entropy salt and use that as private ECDSA signing key. Password/PIN NEVER leaves your device. NEVER!
MYTH #7 Secrets)
Not end-to-end secure.
Proof: DigiNotar. QED.
May be broken soon
Use ECC and ECDSA
Not end-to-end secure
You do not know what you are approving
MYTH #8 Secrets)
FIDO will fix
all of This
FIDO (Fast IDentity Online) Alliance http://www.fidoalliance.org/
No device, key management
If you have 10 devices and 500 RPs, painful
If you lose a device, how register the replacement everywhere?
Lots of issues left open
MYTH #9 Secrets)
Test: New device requires an existing device?
•Security Guaranteed by Architecture,
not Operational Policy
•ECDSA Digital Signatures Replace
all Shared Secrets
•Simple protocols (complexity is the enemy of security)
•No Single Point of Compromise
Uses multiple digital signatures
2A trustable federated identity: OneID
Patents granted and pending
MYTH #10 Secrets)
MYTH #11 Secrets)
BITCOIN MYTH #1 Secrets)
New Mt. Gox logo
It may or may not be THE winner
Digitally signed end-to-end secure transactions
Open APIs, simple money transfer protocol
Send(1.32, “BTC”, “Amazon”, “Invoice 123”)
BITCOIN MYTH #3 Secrets)Bitcoin Can’t be Regulated
BITCOIN MYTH #4 Secrets)
Steve Kirsch on LinkedIn