Implementation of a Biometric Solution Providing Strong Authentication To Gain Access To...

MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | [email protected] | www.maret-consulting.ch

Implementation of a biometric solution providing strong authentication to gain access to confidential data

Conseil en technologies

Sylvain Maret / Security Architect @ MARET Consulting17 march 2010

MARET Consulting 2010

Agenda

� Digital identity Security� Strong authentication?

Strong authentication technology� Applications for the Match on

Conseil en technologieswww.maret-consulting.ch

� Strong authentication technology

� Biometry and Match on Card� Digital certificate / PKI

Card technology

� Illustration with a project for the banking field

� Trends 2010

Security Summit Milano, march 2010

Who am I?

� Security Expert� 15 years of experience in ICT Security� CEO and Founder of MARET Consulting

Expert @ Engineer School of Yverdon & Geneva University


� Expert @ Engineer School of Yverdon & Geneva University� Swiss French Area delegate at OpenID Switzerland� Co-founder Geneva Application Security Forum� Author of the Blog: la Citadelle Electronique

� Chosen field� Digital Identity Security


Protection of digital identities: a topical issue…

Identification


Identification


Strong authentication: why?

� Keylogger (hard and Soft)� Malware� Man in the Middle


� Browser in the Midle� Password Sniffer� Social Engineering� Phishing / Pharming

� The number of identity thefts is increasing dramatically!


A major event in the world of strong authentication

� 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive

� « Single Factor Authentication » is not enough for the web financial applications

� Before end 2006 it is compulsory to implement a strong authentication system


authentication system� http://www.ffiec.gov/press/pr101205.htm

� And the PCI DSS norm� Compulsory strong authentication for distant accesses

� And now European regulations� Payment Services (2007/64/CE) for banks


Identification and authentication ?

� Identification� Who are you?


� Authentication� Prove it!


Definition of strong authentication


Strong Authentication on Wikipedia


«Digital identity is the corner stone of trust»


More information on the subject



Strong authentication


Strong authentication technologies

Which strong authentication technology?



OTP PKI (HW) Biometry

Strongauthentication

Encryption

*


Encryption

Digital signature

Non repudiation

Strong link withthe user

* Biometry type Fingerprinting


Strong authentication: Technologies on the move

� Corporations

� eBanking� VPN

Web Applications

� Public


� Web Applications� Mobility� Electronic Document Mgt

� Project PIV FIPS-201� SAML� Adoption of OpenID

� Authentication as a Service� AaaS

� Social networks� Facebook

� Virtual World

� Cloud Computing� Google docs� Sales Forces


Technologies accessible to everyone

� Standards

� Open Authentication

� Open Source Solution

� Mobile One Time Passwords


� Open Authentication (OATH)

� OATH authentication algorithms

� HOTP (HMAC Event Based)

� OCRA (Challenge/Response)

� TOTP (Time Based)

� OATH Token Identifier Specification

� Mobile One Time Passwords� strong, two-factor authentication

with mobile phones



Biometry and


andMatch on Card

Which biometric technology for IT?



Biometry = strong authentication?

� The answer is clearly no� Requires a second factor


� Problem of security (usurpation)

� Only a convenience for the user

� More information on usurpation� Study Yokohama University


Technology Match on Card: your NIP code is your finger



Example of Match on Card technology for IT

� A reader� Biometry� SmartCard


� SmartCard

� A card with chip� Technology MOC� Crypto processor

� PC/SC� PKCS#11� Digital certificate X509


Stocking data?

� On an external medium

� Better security� « Offline » mode� MOC = Match On card

� Through an authentication server

� Security issue� Confidentiality issue� Availability issue


Federal law of 19 June 1992 on the

Protection of data (LPD)


Example of utilisation of the Match on Card technology

� Smart Card Logon of Microsoft

� PK-INIT (Kerberos)

� Web SSO Solution � SAML

Citrix


� Very Sensitive Web Applications

� Electronic Document Mgt� eBanking

� Data Encryption� Laptop encryption� Folder (Share) Encryption

� Citrix

� Remote access� VPN SSL� VPN IPSEC

� Digital Signature Solution

� Etc.


Mobility security with MOC technology

� Biometric strongauthentication

� Reader of the «swipe» type� X509 machine certificate


� Applications� Smart Card Logon� VPN (SSL, IPSEC)� Web Application� Citrix

� X509 machine certificate� Utilisation TPM� Authentication of the

machine

� Pre Boot Authentication� Full Disk Encryption


Authentication of a user with PKINIT (Smart Card Logon)

U Cert

1


U_Cert

2

2

Schema by Philippe Logeane-Xpert Solutions SA


Feedback from the


from the Banking field

The project: electronic management of documents

� Implementation of a Electronic Document Mgt solution � Access to very sensitive information� Classification of the information: Secret� Encryption of data (From BIA)


� Encryption of data (From BIA)� Authorization Access Control

� Project for a Private bank in Switzerland� Start of the project: 2005

� Population concerned� 500 persons (Phase I)� In the long run: 3000 persons (Phase II)


Business Impact Analysis (BIA)

Soft Impact

Loss of goodwi l l

Loss of credibi l i ty

Breach of the law

BIA

Bank Acme SA

ImpactData

Availability (in time)

Services

Confidentiality Integrity

Hard Impact

Reduced income

Increased cos t of

working

Los s of operationa l IT Applications


inconvenience quite serious critical

Electronic Documents

Mgt HIGH HIGH 30 min 1 H 2 H HIGH HIGH

Confidentiality Integrity Los s of operationa l

capabi l i ty

Breach of

contract/financia l

pena l ties


(Data Classification : Secret)

Implementation of a technology allowing strong authentication

– via a mechanism of irrefutable proof –


– via a mechanism of irrefutable proof –of the users accessing the bank’s information

system

Who accesses what, when and how?!

The technical constraints of the strong authentication project

Mandatory

� Integration with existing applications

� Web

Desired

� Integration with building security� Data encryption� Non fixed workstations


� Web� Microsoft Smart Card Logon� Laptop

� Separation of roles� Four eyes

� Digital signature� Auditing, proof� Proof management

� Non fixed workstations� Future applications

� Network and systems� Strong authentication


Issuer

App A cert

Identity Management Authorization

Management

Basic concept: a unique link


User

PHASE 1PHASE 1PHASE 1PHASE 1

Strong authenticationStrong authenticationStrong authenticationStrong authentication

PHASE 2PHASE 2PHASE 2PHASE 2

AuthorizationAuthorizationAuthorizationAuthorization

Link: cn


Components of the technical architecture

� Implementation of a PKI « intra muros »� Non Microsoft (Separation of duties)

� Implementation of the Online revocation


� Implementation of the Online revocation� OCSP protocol

� Utilisation of a Hardware Security Module� Security of the PKI architecture

� Shielding and Hardening� Firewall� IDS� FIA


Concept for the GED application security


The focus of biometric authentication



ProcessusHuman Process


Processus

Humain

Human Process

The weak link? Matters more than the technique…

� Definition of roles� Tasks and responsibilities� Purpose: separation of duties


� Purpose: separation of duties� Four eyes

� Implementation of identity management processes

� Implementation of operating procedures


Implementation of processes

� Processes for the identity management team� User enrollment� Revocation

Incident mangement


� Incident mangement� Loss, theft, forgotten card

� Renewal

� Process for Help Desk� Process for the Auditors� Process for the RSSI

� And the operating procedures!


The result

� A series of documents for the bank� Operating procedures� Description of processes


� Description of processes� Terms of use� Definition of roles and responsibilities� CP /CPS for the « in house » PKI


Training


Training

A crucial element!


� A crucial element!

� Training of the identity management team � Training of users� Training of Help Desk� Training for the technologies

� PKI� Biometry


Identity Management Team Training

� Very Important work

� How to enroll fingers


� How to enroll fingers� Match on Card Technology� Problem handling

� Technical� Human

� Coaching for 3 weeks


End User Training

� About 30 min per User

� Technology explication


� Technology explication� Match on Card

� Finger position� Try (Play with Biometry)

� Document for End Users

� Signature (Legal Usage)


Problems…


Some examples

� Enrollment with some Users


� End Users convocation

� Technical Problem on Validation Authority� OCSP Servers


Feedback?


Conclusion of the project

� Pure technique is a minor element in the success of such a large scale project

� Biometry is a mature technology

� Technology PKIOffers a safety kernel for the


� Never under estimate the organisational aspect

� CP / CPS for the PKI� Management process

� Ask for management support

� Offers a safety kernel for the future

� Encryption, signature� Rights management information � Data security

� A step towards convergence� Physical and logical security


Tendency Biometry Match on Card

� The PIV Fips-201 project is a leader!

� Convergence� Physical security and logical security


� Physical security and logical security

� Biometric sensor for laptops� UPEK (Solution FIPS-201)

� New biometric technologies

� Full Disk Encryption (Laptop)� Support of the Match on Card technology� McAfee Endpoint Encryption™ (formerly SafeBoot® Encryption)� Win Magic SecureDoc Disk Encryption


A very promising technology: Vascular Pattern Recognition


By SONY


When will the convergence happen?


A difficult convergence! Physical security and logical security


A few links to deepen the subject

� MARET Consulting� http://maret-consulting.ch/

� La Citadelle Electronique (blog on digital identities)� http://www.citadelle-electronique.net/

Banking and finance article


� Banking and finance article� Steal an identity? Impossible with biometry!

� http://www.banque-finance.ch/numeros/88/59.pdf

� Biometry and Mobility� http://www.banque-finance.ch/numeros/97/62.pdf

� Publique presentations� OSSIR Paris 2009: Feedback on the deployment of biometry on a large scale

� http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf

� ISACA, Clusis: Access to information : Roles and responsibilities� http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-

de28099authentification-forte.pdf



“The counseling and the expertise for the selection and

the implementation of innovative technologies

in the field of security of information systems and digital identity"


Annexes



ProcessusAuthentifiers


ProcessusHumain

Authentifiers in 2010

OTP Software using SmartPhone


OTP for iPhone: a feedbackSoftware OTP for iPhoneMobile One Time Passwords


Biometry Match on Card


Feedback on the deployment of biometry on a large scale


The focus of biometric authentication



USB Token



Internet Passport



Matrix cryptography



PKI: Digital certificate X509

Software Certificate Hardware Certificate



OTP via SMS

OTP via SMS


Enter OTP


State of the art in 2010 of the authentifiers: Synthesis

TechnologiesTechnologiesTechnologiesTechnologies ExplanationsExplanationsExplanationsExplanations

OTP SoftwareSmartPhone

One Time Password softwareEvent, Time or mode challenge responseMode not connected

Biometry Match on Card

Biometry and chip cardDigital certificateStocking of the Biometric pattern


Stocking of the Biometric pattern

USB Token One Time Password in mode connectedEvent, Time ou mode challenge response

Internet Passport Biometry One Time PasswordMode not connectedMode challenge response

Matrix cryptography One Time PasswordMode challenge response

PKI Certificate softwareCertificaet Hardware

OTP SMS One Time Password by SMS

ProcessusIntegration with


ProcessusHumain

Integration with web applications

Web application with a basic authentication



Web application towards a strong authentication?



“Shielding” approach - (Perimetric Authentication)



Approach by Module or Agents



Approach API / SDK



SSL PKI: how does it work?

ValidationAuthority

Valide

OCSP request


Web ServerAlice

ValidePas valideInconu

SSL / TLS Mutual Authentication


Approach federation of identitya change of paradigm



Approach federation of identity



Approaches for an integration of the strong authentication

Approaches Examples

Shielding(Perimetric Auth)

Utilisation of a protective third party compnentSuch as a Reverse Proxy (Web Application Firewall)

Module (Agents)

Utilisation of a software moduleSuch as an Apache module, a SecurID agent, etc.Utilisation of a protocol such as Radius


Utilisation of a protocol such as Radius

API (SDK)

Development via an APIFor instance by using the Web Services (SOAP)

SSL PKI Utilisation of a certificate X509Utilisation of SSL/TLS functionalitiesPKI Ready

Identity Federation Utilisation of a federation protocol such as SAML, OpenID,

Others PKI application, etc.

Implementation of a Biometric Solution Providing Strong Authentication To Gain Access To...

Documents

Transcript of Implementation of a Biometric Solution Providing Strong Authentication To Gain Access To...