Giesecke & Devrient Presentation OASIS – Identity Management Conference DC, Sept 27th 2010

Description: slides (19 pages, PowerPoint) from Giesecke & Devrient's presentation at the OASIS Identity Management Conference, DC, September 27th 2010. The company overview slide lists the business areas security solutions, government solutions, cards for payment and telecommunications, banknote processing, banknote and security paper, and banknote and security printing.

Transcript of Giesecke & Devrient Presentation OASIS – Identity Management Conference DC, Sept 27th 2010

Page 1: Giesecke & Devrient  Presentation OASIS – Identity Management Conference DC, Sept 27th 2010


Giesecke & Devrient Presentation

OASIS – Identity Management Conference

DC, Sept 27th 2010

Page 2: Giesecke & Devrient – From Printing Paper Securities to Providing High-Tech Solutions

[Figure: company timeline with the milestone years 1852, 1964, 1977 and 2007 set against the business areas Banknote and security printing, Banknote and security paper, Banknote processing, Cards for payment and telecommunications, Government solutions, and Security solutions]

Page 3: …Stepping into the shoes of an evangelist

Thorsten Roeske (Head of Products & Marketing for Giesecke & Devrient's eIDentity Business Unit)

For two decades security experts have been persuading us that moving away from passwords, in favor of multifactor authentication technologies, will bring the necessary level of security to online systems.

This paradigm may have held against the typical attacks of the past, but in recent years a close look at the attack vectors actually in use (exploited by malware such as ZeuS), together with visible trends in malware development, calls their true effectiveness into question.

This presentation highlights why hardware technology alone fails to provide identity assurance in today's threat and attack environment.

Page 4: What You Know - What You Have - What You Are: The Role of Hardware Technologies to Provide Identity Assurance

What is the best role for hardware-based authentication solutions (such as smart cards, smart phones, RFID devices and other hardware tokens) in identity management systems? How scalable are they, what deployments today have been successful, and what does the future hold for their use?

Page 5: Changing Attack Vectors

Page 6: Changing Attack Vectors

Page 7: Changing Attack Vectors

man-in-the-middle

man-in-the-PC

man-in-the-browser

Page 8: Emerging Attack Example – It's real…

Page 9: … very real….

[Figure: attack flow with steps numbered 0 to 5 running through the User's PC, the User's Browser, the user's credentials (Password, OTP Token, SmartCards), the Connection to Server, and the eBanking Server]
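The chain on this slide, as an added example that is not part of the presentation: a Python model of a man-in-the-browser against an OTP-protected e-banking session, followed by the same malware against a code that the token computes over the transaction it displays. The bank, account numbers, token seed, the transfer and the rewrite the malware performs are all constructed here; the OTP and transaction-code constructions are HMAC-based stand-ins for whatever a real token implements.

```python
"""Man-in-the-browser versus session OTP and versus a transaction-bound code.

Added example; all names and values below are constructed, not taken from
the presentation or from any product.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order and separator so token and server MAC identical bytes.
        return f"{self.src}|{self.dst}|{self.amount_cents}".encode()


# Constructed values: the seed shared by the user's token and the bank, and the
# account the malware diverts money to.
TOKEN_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
ATTACKER_ACCOUNT = "DE00 ATTACKER 0001"
INTENDED = Transfer("DE00 USER 0001", "DE00 LANDLORD 0001", 80_000)


def _six_digits(mac: bytes) -> str:
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def session_otp(seed: bytes, counter: int) -> str:
    """Event-based OTP (HOTP-like): proves the token is present, nothing more."""
    return _six_digits(hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(seed: bytes, counter: int, tx: Transfer) -> str:
    """Transaction-bound code: beneficiary and amount are part of the MAC input,
    so the code authorises exactly this transfer and no other."""
    msg = counter.to_bytes(8, "big") + tx.canonical()
    return _six_digits(hmac.new(seed, msg, hashlib.sha256).digest())


def mitb_rewrite(tx: Transfer) -> Transfer:
    """The man-in-the-browser step: the form the user sees is untouched, the form
    that leaves the browser carries a new beneficiary (DOM manipulation)."""
    return Transfer(tx.src, ATTACKER_ACCOUNT, tx.amount_cents)


class Bank:
    """eBanking server: shares the seed, tracks the token counter, keeps a ledger."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0
        self.ledger = []

    def submit_with_session_otp(self, tx: Transfer, otp: str) -> bool:
        self.counter += 1
        if not hmac.compare_digest(otp, session_otp(self.seed, self.counter)):
            return False
        self.ledger.append(tx)
        return True

    def submit_with_tx_code(self, tx: Transfer, code: str) -> bool:
        self.counter += 1
        # Recompute over the transfer actually received, not the one the user saw.
        expected = transaction_code(self.seed, self.counter, tx)
        if not hmac.compare_digest(code, expected):
            return False
        self.ledger.append(tx)
        return True


def run_session_otp_scenario() -> Transfer:
    """User approves INTENDED with a fresh OTP; the malware submits the rewritten
    form with that OTP. Returns the transfer the bank booked."""
    bank = Bank(TOKEN_SEED)
    otp = session_otp(TOKEN_SEED, 1)          # token counter 1; token knows nothing of tx
    bank.submit_with_session_otp(mitb_rewrite(INTENDED), otp)
    return bank.ledger[-1]


def run_tx_code_scenario() -> dict:
    """Same user, same malware, but the token MACs what it displayed to the user."""
    bank = Bank(TOKEN_SEED)
    honest = bank.submit_with_tx_code(INTENDED, transaction_code(TOKEN_SEED, 1, INTENDED))
    tampered = bank.submit_with_tx_code(mitb_rewrite(INTENDED),
                                        transaction_code(TOKEN_SEED, 2, INTENDED))
    return {"honest_accepted": honest, "tampered_accepted": tampered,
            "booked": list(bank.ledger)}


if __name__ == "__main__":
    print("session OTP, booked:", run_session_otp_scenario())
    print("transaction code:", run_tx_code_scenario())
```

The session OTP is a correct possession proof and the server verifies it correctly; it is still useless here because it authenticates the session and the malware lives inside that session. Binding the code to beneficiary and amount moves the decision to values the browser cannot rewrite, but only if the user reads those values on a display the malware does not control (the trusted UI of pages 17 and 18); a user who types whatever the browser asks for into the token (SOC-ENG in the page 13 list) is still lost.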

Page 10: The nature of online Fraud

Ross Anderson, Prof. Security Engineering, Computer Labs, University of Cambridge:

"Computer criminals differ from ordinary criminals in that they're more rational. The bulk of street crime is done by disadvantaged young men, often illiterate and with drug or alcohol problems. The bulk of e-crime is done by technically sophisticated people… So while preventing normal crime is about sociology, preventing online crime is about economics. Malware writers are rational, as are botnet herders…. "

[Figure: hacking ROI comparison for a standard browser (e.g. Firefox) with 2-factor authentication such as OTP, smart card or EMV card; labels: >$100k, <$2k, HIGH HACKING ROI, LOW HACKING ROI]

…preventing online crime is about economics!

Page 11: The nature of online Fraud (continued)

[Figure: the attack-flow diagram from page 9 (steps 0 to 5 through User's PC, User's Browser, Password / OTP Token / SmartCards, Connection to Server, eBanking Server), annotated "Highest ROI"]

Page 12: The nature of online Fraud

[Figure: map of the browser attack surface. Components shown: browser kernel, user data, user interface, extensions, plugins, rendering engine, network, password manager, Flash, SSL/TLS, PDF, ActiveX, Java, JavaScript, HTML/XML, layout, DOM, keyboard, display, passwords, bookmarks, session, cert store, external cert store, cookies, history, cache, mouse. Attacks overlaid on them: MEM-PATCH, REV-ENG, MEM-DUMP, CODE-INJ, MDW, SPOOF, BROW-CERT, BROW-DNS, BROW-SSL, CH-BREAK, KEY-LOG, INFACE-MAN, SCREEN-C, MOUSE-LOG, APP-STEER, SCRIPT, BUFF-OVFLW, DATA SNIFF, DOM-MANIPU, COMP-MAN (abbreviations are expanded in the legend on page 13)]

Robert G. Ferrell, Information Systems Security Specialist, U.S.A. Dept. of Defense:

"… Far more relevant to security are the browser clients a consumer is using, irrespective of the operating system or hardware platform.

Even more critical from a safety standpoint is the level of security awareness exhibited by that consumer. If you haphazardly visit every Web link … sooner or later you're going to get nailed. Period."

Page 13: Examples of MITPC and MITB Current Attacks

Attacks focusing on the OS and/or the Browser provide the greatest return on investment (for the bad guys!)

Legend:
APP-STEER = Application Steering
BROW-CERT = Browser Certificate Store Compromise
BROW-DNS = Browser DNS Library Compromise
BROW-SSL = Browser SSL Library Compromise
CERT-SPOOF = Certificate Spoofing
CH-BREAK = Channel Breaking
CODE-INJ = Code Injection
DNS-SPOOF = DNS Spoofing/Poisoning
DOM-CAPTCH = DOM Data Capturing/Patching
HFILE-MAN = Hosts File Manipulation
INFACE-MAN = Interface Manipulation
IP-RROUTE = IP Rerouting
KEY-LOG = Keystroke Logging
MOUSE-LOG = Mouse Event Logging
MEM-DUMP = Memory Dumping
MEM-PATCH = Memory Patching
OS-CERT = OS Certificate Store Compromise
OS-DNS = OS DNS Library Compromise
OS-SSL = OS SSL Library Compromise
REV-ENG = Reverse Engineering
SCREEN-C = Screen Capturing
SCRIPT = Script Injection
SOC-ENG = Social Engineering
DATA-SNIFF = User Data Sniffing
WIND-OVER = Window Overlay

Page 14: Versatile Authentication Methods – The Reality Today

[Figure: authentication methods plotted on two axes, Assurance Strength and Barrier to Entry / Complexity: Password, Advanced Password, Knowledge-Based Authentication, Adaptive Authentication, Lightweight OTP, Out-of-Band Authentication, OTP Token / EMV, Biometrics (Behavioral), Biometrics (Biological), Soft Token, Smart Card (PKI)]

Page 15: Versatile Authentication Methods – With Hardened Browser

[Figure: the same methods as on page 14 (Password, Advanced Password, Knowledge-Based Authentication, Adaptive Authentication, Lightweight OTP, Out-of-Band Authentication, OTP Token / EMV, Biometrics (Behavioral), Biometrics (Biological), Soft Token, Smart Card (PKI)) re-plotted against Assurance Strength and Barrier to Entry / Complexity when combined with a hardened browser]

Page 16: Addressing the Weakest Link: The Browser

A hardened Web browser that protects the user against the new attack vectors by:
using code obfuscation, polymorphic code and virtualization techniques;
periodic updates of the executable code, which forces attackers to renew their effort each time they develop code against the hardened application.

No installation and no special rights required of the user
Optimized for online transactions
Easy integration into application servers at the back end (such as eBanking portals)
Operates without changes to the existing IT infrastructure
Constant updates to mitigate the ever-increasing attack landscape

Obfuscation, polymorphism and frequent re-releases raise the cost of reverse engineering and memory patching of this one binary; they are not an isolation boundary, so a host already compromised at kernel level still sees the browser's memory.

Page 17: What You Know - What You Have - What You Are: The Role of Hardware Technologies to Provide Identity Assurance

Indications are that the use of traditional HW technology continues to increase

Used in combination with a Trusted UI (such as a Hardened Browser), HW Technology plays a key role in user authentication

New B2C markets are looking to embrace HW Technology for strong authentication

…but the ecosystem is evolving

Page 18: Looking Forward - Vendors are paying close attention...

[Figure label: Application Processor]

A Trusted Execution Environment (TEE) can run alongside any rich OS on the mobile device (including netbooks and tablets)

TEEs can be thought of as "virtual smart cards" deeply embedded in the mobile device

TEE applications, so-called trustlets, execute security-critical processes in an isolated processing space on the controller

TEEs can integrate with other security technologies such as SIM cards and/or secure microSD cards

Applications and credentials can be securely provisioned over the air (OTA)
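The provisioning and isolation claims on this slide, as an added example that is not from the presentation or from any Giesecke & Devrient product: a Python model in which a trustlet holds a device key, accepts a credential blob sealed for it by a provisioning server, and afterwards only ever uses the credential, never exports it. Python cannot enforce a TEE boundary, so "rich OS" here simply means whatever code calls install() and authorise(). The device key, blob layout and sequence-number replay check are assumptions made for the example; the cipher is an HMAC-SHA256 keystream in counter mode so that only the standard library is needed (a real TEE would use AES-GCM or its own crypto).

```python
"""OTA provisioning of a credential into a TEE trustlet (model).

Added example; device key, blob format and credential are constructed here.
Blob layout: seq(4) | nonce(16) | ciphertext | tag(32), encrypt-then-MAC.
"""
import hashlib
import hmac
import os
import struct


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative stand-in for AES)."""
    out = bytearray()
    for block in range(-(-len(data) // 32)):          # ceil(len / 32) blocks
        out += _prf(key, nonce + struct.pack(">I", block))
    return bytes(a ^ b for a, b in zip(data, out))


def seal_for_device(device_key: bytes, seq: int, credential: bytes) -> bytes:
    """Provisioning server side: seal one credential for one device."""
    enc_key, mac_key = _prf(device_key, b"enc"), _prf(device_key, b"mac")
    nonce = os.urandom(16)
    header = struct.pack(">I", seq) + nonce
    ct = _keystream_xor(enc_key, nonce, credential)
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


class Trustlet:
    """Runs inside the TEE. Holds the device key and the installed credential;
    the rich OS never reads either, it can only call install() and authorise()."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key       # assumed burned in at manufacture
        self._last_seq = -1                 # monotonic: rejects replayed blobs
        self._credential = None

    def install(self, blob: bytes) -> bool:
        if len(blob) < 4 + 16 + 32:
            return False
        header, ct, tag = blob[:20], blob[20:-32], blob[-32:]
        enc_key, mac_key = _prf(self._device_key, b"enc"), _prf(self._device_key, b"mac")
        expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                    # altered in transit or by the rich OS
        seq = struct.unpack(">I", header[:4])[0]
        if seq <= self._last_seq:
            return False                    # replay of an older credential
        self._credential = _keystream_xor(enc_key, header[4:], ct)
        self._last_seq = seq
        return True

    def has_credential(self) -> bool:
        return self._credential is not None

    def authorise(self, challenge: bytes) -> bytes:
        """The only operation offered to the rich OS: use the credential, never export it."""
        if self._credential is None:
            raise RuntimeError("no credential provisioned")
        return hmac.new(self._credential, challenge, hashlib.sha256).digest()


def demo() -> dict:
    device_key = bytes(range(32))            # constructed
    credential = b"bank-signing-key-v1"      # constructed
    tee = Trustlet(device_key)
    blob = seal_for_device(device_key, seq=1, credential=credential)
    tampered = blob[:30] + bytes([blob[30] ^ 0x01]) + blob[31:]   # rich OS flips a ciphertext bit
    results = {
        "tampered_rejected": not tee.install(tampered),
        "genuine_installed": tee.install(blob),
        "replay_rejected": not tee.install(blob),
    }
    server_side = hmac.new(credential, b"tx-42", hashlib.sha256).digest()
    results["authorise_matches_server"] = tee.authorise(b"tx-42") == server_side
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is where the checks live: the rich OS relays bytes it cannot read or alter without detection, and a blob recorded earlier cannot be replayed to roll the device back to an older credential. Whether the real boundary holds depends on the TEE hardware and firmware, not on anything in this code.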

Page 19: “Creating Confidence”

Thank You!!