Implementation of a Biometric Solution Providing Strong Authentication To Gain Access To...
MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | [email protected] | www.maret-consulting.ch
Implementation of a biometric solution providing strong authentication to gain access to confidential data
Conseil en technologies
Sylvain Maret / Security Architect @ MARET Consulting17 march 2010
MARET Consulting 2010
Agenda
- Digital identity security
- Strong authentication?
- Strong authentication technology
- Biometry and Match on Card
- Digital certificate / PKI
- Applications for the Match on Card technology
- Illustration with a project for the banking field
- Trends 2010
Security Summit Milano, march 2010
Who am I?
- Security Expert
- 15 years of experience in ICT Security
- CEO and Founder of MARET Consulting
- Expert @ Engineer School of Yverdon & Geneva University
- Swiss French Area delegate at OpenID Switzerland
- Co-founder of the Geneva Application Security Forum
- Author of the blog: la Citadelle Electronique
- Chosen field: Digital Identity Security
Protection of digital identities: a topical issue…
(Figure: Identification)
Strong authentication: why?
- Keylogger (hardware and software)
- Malware
- Man in the Middle
- Browser in the Middle
- Password sniffer
- Social engineering
- Phishing / Pharming
- The number of identity thefts is increasing dramatically!
A major event in the world of strong authentication
- 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
  - « Single Factor Authentication » is not enough for web financial applications
  - Before end 2006 it is compulsory to implement a strong authentication system
  - http://www.ffiec.gov/press/pr101205.htm
- And the PCI DSS standard
  - Compulsory strong authentication for remote access
- And now European regulations
  - Payment Services Directive (2007/64/CE) for banks
Identification and authentication?
- Identification: Who are you?
- Authentication: Prove it!
Definition of strong authentication
Strong Authentication on Wikipedia
«Digital identity is the corner stone of trust»
More information on the subject
Strong authentication technologies
Which strong authentication technology?
(Figure: comparison table of OTP, PKI (HW) and Biometry* against the properties strong authentication, encryption, digital signature, non repudiation and strong link with the user; the check marks did not survive extraction.)
* Biometry type: fingerprinting
Strong authentication: technologies on the move
- Corporations
  - eBanking
  - VPN
  - Web Applications
  - Mobility
  - Electronic Document Mgt
- Public
  - Project PIV FIPS-201
  - SAML
  - Adoption of OpenID
  - Authentication as a Service (AaaS)
  - Social networks (Facebook)
  - Virtual World
  - Cloud Computing (Google Docs, Salesforce)
Technologies accessible to everyone
- Standards
  - Open Authentication (OATH)
    - OATH authentication algorithms
      - HOTP (HMAC event based)
      - OCRA (challenge/response)
      - TOTP (time based)
    - OATH Token Identifier Specification
- Open Source Solution
  - Mobile One Time Passwords: strong, two-factor authentication with mobile phones
Biometry and Match on Card
Which biometric technology for IT?
Biometry = strong authentication?
- The answer is clearly no
  - Requires a second factor
  - Problem of security (usurpation, i.e. spoofing)
  - Only a convenience for the user
- More information on usurpation
  - Study by Yokohama University
Match on Card technology: your PIN code is your finger
Example of Match on Card technology for IT
- A reader
  - Biometry
  - SmartCard
- SmartCard
  - A card with chip
  - MOC technology
  - Crypto processor
  - PC/SC
  - PKCS#11
  - X509 digital certificate
Storing the data?
- On an external medium
  - Better security
  - « Offline » mode
  - MOC = Match On Card
- Through an authentication server
  - Security issue
  - Confidentiality issue
  - Availability issue
  - Federal law of 19 June 1992 on the Protection of Data (LPD)
Example of utilisation of the Match on Card technology
- Smart Card Logon of Microsoft
  - PK-INIT (Kerberos)
- Web SSO Solution
  - SAML
- Very Sensitive Web Applications
  - Electronic Document Mgt
  - eBanking
- Data Encryption
  - Laptop encryption
  - Folder (Share) Encryption
- Citrix
- Remote access
  - VPN SSL
  - VPN IPSEC
- Digital Signature Solution
- Etc.
Mobility security with MOC technology
- Biometric strong authentication
  - Reader of the «swipe» type
  - Applications
    - Smart Card Logon
    - VPN (SSL, IPSEC)
    - Web Application
    - Citrix
- X509 machine certificate
  - Utilisation of the TPM
  - Authentication of the machine
- Pre Boot Authentication
- Full Disk Encryption
Authentication of a user with PKINIT (Smart Card Logon)
(Figure: PKINIT message flow with the user certificate U_Cert, steps 1 and 2. Schema by Philippe Logean, e-Xpert Solutions SA)
Feedback from the banking field
The project: electronic management of documents
- Implementation of an Electronic Document Mgt solution
  - Access to very sensitive information
  - Classification of the information: Secret
  - Encryption of data (from the BIA)
  - Authorization / Access Control
- Project for a private bank in Switzerland
  - Start of the project: 2005
- Population concerned
  - 500 persons (Phase I)
  - In the long run: 3000 persons (Phase II)
Business Impact Analysis (BIA): Bank Acme SA
Soft impact: loss of goodwill, loss of credibility, breach of the law.
Hard impact: reduced income, increased cost of working, loss of operational IT applications, loss of operational capability, breach of contract / financial penalties.
Availability scale: inconvenience / quite serious / critical.

Impact                   | Data: Confidentiality | Data: Integrity | Availability (in time): inconvenience / quite serious / critical | Services: Confidentiality | Services: Integrity
Electronic Documents Mgt | HIGH                  | HIGH            | 30 min / 1 H / 2 H                                                | HIGH                      | HIGH
(Data classification: Secret)
Implementation of a technology allowing strong authentication, via a mechanism of irrefutable proof, of the users accessing the bank's information system.
Who accesses what, when and how?!
The technical constraints of the strong authentication project
Mandatory
- Integration with existing applications
  - Web
  - Microsoft Smart Card Logon
  - Laptop
- Separation of roles
  - Four eyes
- Digital signature
  - Auditing, proof
  - Proof management
- Network and systems
  - Strong authentication
Desired
- Integration with building security
- Data encryption
- Non fixed workstations
- Future applications
Basic concept: a unique link
(Figure: Issuer, User and App A cert; Identity Management = Phase 1: strong authentication; Authorization Management = Phase 2: authorization; link between the two phases: cn)
Components of the technical architecture
- Implementation of a PKI « intra muros »
  - Non Microsoft (separation of duties)
- Implementation of online revocation
  - OCSP protocol
- Utilisation of a Hardware Security Module
  - Security of the PKI architecture
- Shielding and hardening
  - Firewall
  - IDS
  - FIA
Concept for the GED (Electronic Document Mgt) application security
The focus of biometric authentication
Human Process
The weak link? It matters more than the technique…
- Definition of roles
  - Tasks and responsibilities
  - Purpose: separation of duties
  - Four eyes
- Implementation of identity management processes
- Implementation of operating procedures
Implementation of processes
- Processes for the identity management team
  - User enrollment
  - Revocation
  - Incident management
    - Loss, theft, forgotten card
  - Renewal
- Process for the Help Desk
- Process for the Auditors
- Process for the RSSI (CISO)
- And the operating procedures!
The result
- A series of documents for the bank
  - Operating procedures
  - Description of processes
  - Terms of use
  - Definition of roles and responsibilities
  - CP / CPS for the « in house » PKI
Training
A crucial element!
- Training of the identity management team
- Training of users
- Training of the Help Desk
- Training for the technologies
  - PKI
  - Biometry
Identity Management Team Training
- Very important work
- How to enroll fingers
- Match on Card technology
- Problem handling
  - Technical
  - Human
- Coaching for 3 weeks
End User Training
- About 30 min per user
- Technology explanation
  - Match on Card
  - Finger position
  - Try it (play with biometry)
- Document for end users
  - Signature (legal usage)
Problems… some examples
- Enrollment with some users
- End user convocation
- Technical problem on the Validation Authority
  - OCSP servers
Feedback?
Conclusion of the project
- Pure technique is a minor element in the success of such a large scale project
- Biometry is a mature technology
- Never underestimate the organisational aspect
  - CP / CPS for the PKI
  - Management process
  - Ask for management support
- PKI technology offers a safety kernel for the future
  - Encryption, signature
  - Rights management information
  - Data security
- A step towards convergence
  - Physical and logical security
Trends: Biometry Match on Card
- The PIV FIPS-201 project is a leader!
- Convergence
  - Physical security and logical security
- Biometric sensor for laptops
  - UPEK (FIPS-201 solution)
- New biometric technologies
- Full Disk Encryption (laptop)
  - Support of the Match on Card technology
  - McAfee Endpoint Encryption™ (formerly SafeBoot® Encryption)
  - WinMagic SecureDoc Disk Encryption
A very promising technology: Vascular Pattern Recognition
By SONY
When will the convergence happen?
A difficult convergence! Physical security and logical security
A few links to deepen the subject
- MARET Consulting
  - http://maret-consulting.ch/
- La Citadelle Electronique (blog on digital identities)
  - http://www.citadelle-electronique.net/
- Banking and finance articles
  - Steal an identity? Impossible with biometry!
    - http://www.banque-finance.ch/numeros/88/59.pdf
  - Biometry and Mobility
    - http://www.banque-finance.ch/numeros/97/62.pdf
- Public presentations
  - OSSIR Paris 2009: Feedback on the deployment of biometry on a large scale
    - http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf
  - ISACA, Clusis: Access to information: roles and responsibilities
    - http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-de28099authentification-forte.pdf
“The counseling and the expertise for the selection and the implementation of innovative technologies in the field of security of information systems and digital identity”
Annexes
Authentifiers in 2010
OTP software using a SmartPhone
OTP for iPhone: a feedback
Software OTP for iPhone: Mobile One Time Passwords
Biometry Match on Card
Feedback on the deployment of biometry on a large scale
The focus of biometric authentication
USB Token
Internet Passport
Matrix cryptography
PKI: Digital certificate X509
Software Certificate / Hardware Certificate
OTP via SMS
(Figure: Enter OTP)
State of the art in 2010 of the authentifiers: Synthesis

Technologies              | Explanations
OTP Software (SmartPhone) | One Time Password software; event, time or challenge/response mode; not connected mode
Biometry Match on Card    | Biometry and chip card; digital certificate; storage of the biometric pattern
USB Token                 | One Time Password in connected mode; event, time or challenge/response mode
Internet Passport         | Biometry; One Time Password; not connected mode; challenge/response mode
Matrix cryptography       | One Time Password; challenge/response mode
PKI                       | Software certificate; hardware certificate
OTP SMS                   | One Time Password by SMS
Integration with web applications
Web application with a basic authentication
Web application towards a strong authentication?
“Shielding” approach (Perimetric Authentication)
Approach by Module or Agents
Approach API / SDK
SSL PKI: how does it work?
(Figure: Alice authenticates to the Web Server with SSL / TLS mutual authentication; the Web Server sends an OCSP request to the Validation Authority, which answers Valid, Not valid or Unknown.)
Approach: federation of identity, a change of paradigm
Approach: federation of identity
Approaches for an integration of the strong authentication

Approaches                  | Examples
Shielding (Perimetric Auth) | Utilisation of a protective third party component, such as a Reverse Proxy (Web Application Firewall)
Module (Agents)             | Utilisation of a software module, such as an Apache module, a SecurID agent, etc.; utilisation of a protocol such as Radius
API (SDK)                   | Development via an API, for instance by using Web Services (SOAP)
SSL PKI                     | Utilisation of an X509 certificate; utilisation of SSL/TLS functionalities; PKI Ready
Identity Federation         | Utilisation of a federation protocol such as SAML, OpenID, …
Others                      | PKI application, etc.