Securing Electronic Commerce: Identification & Authentication

Presentation by Douglas Graham, UK Channel Technical Manager, Security Dynamics Technologies, Inc. (PowerPoint transcript).

Transcript of Securing Electronic Commerce: Identification & Authentication

Page 1: Securing Electronic Commerce: Identification & Authentication
Page 2: Securing Electronic Commerce: Identification & Authentication

Securing Electronic Commerce: Identification & Authentication

Douglas Graham, UK Channel Technical Manager

Security Dynamics Technologies, Inc.

Page 3: Securing Electronic Commerce: Identification & Authentication

Security Dynamics Technologies Inc. (Security Dynamics / RSA)

• 3 million users of SecurID

• 3,000 companies

• 9,000 installations

• 300 million copies installed & in use worldwide

• 110,000 BoKS users

• Major OEM relationships

• 2,000 companies

• 250+ of the Fortune 500

Page 4: Securing Electronic Commerce: Identification & Authentication

Key Business Trends

• Enhanced outreach and collaboration with employees, customers, partners, distributors and suppliers

• Emergence of the “virtual enterprise”

• “Market of One” interactive customer relationship

eBusiness is no longer a competitive advantage, it is a necessity

Page 5: Securing Electronic Commerce: Identification & Authentication

Moving rapidly to the Internet-enabled enterprise

Key Technology Trends

• Rapid deployment of intranets and extranets

• New generation of inexpensive, high-speed, IP-ready network capacity coming online

• Broad adoption and continued evolution of mission-critical ERP applications

• Continued outsourcing of network transport, Web hosting and application deployment

Page 6: Securing Electronic Commerce: Identification & Authentication

Enterprise security is the key enabler for eBusiness

Key Security Trends

• Enterprises supplementing perimeter defense with protection of applications and information

• Increasing requirements for user authentication, authorization and intrusion monitoring and detection

• PKI emerging as a common architectural foundation for multiple security applications

• Security decisions driven by line-of-business needs

Page 7: Securing Electronic Commerce: Identification & Authentication

What is Electronic Commerce?

• Electronic Commerce is the temporary extension of a computer network over a Public or Private connection to facilitate business transactions.
  – PSTN, ISDN, Internet

• Can be used by individual users or to connect two or more networks together.
  – Notebook dial-in for email, small office to HQ connection

Page 8: Securing Electronic Commerce: Identification & Authentication

Remote Access (diagram: Mobile User connecting to Head Office across a Public Network)

Page 9: Securing Electronic Commerce: Identification & Authentication

Electronic Commerce Applications

• Home Banking

• Quick, easy access to corporate information and services

• Sharing information between Business Partners & Customers

• Telecommuters (home working), Day Extenders

• IT Support Staff

Page 10: Securing Electronic Commerce: Identification & Authentication

Remote Access Benefits

• Productivity

• Cost Savings

• Easy Information Access

• High Availability of Information

• Competitive Advantage

Page 11: Securing Electronic Commerce: Identification & Authentication

Remote Access Growth (chart: US remote access users, 1997 to 2000, y-axis 0 to 60,000,000; US figure labelled 56 million). Source: Giga, September 1997

Page 12: Securing Electronic Commerce: Identification & Authentication

W. European e*Commerce, 1996-2001: Commerce Revenue/Year, Year Ending, $ Million (chart: Business and Consumer series for 1996 to 2001, y-axis 0 to 16,000; plotted values 214, 681, 1,795, 4,343, 8,809, 14,794 and 136, 421, 1,278, 3,123, 6,469, 11,115). CAGR = 137 %. Source: IDC, July ‘97

Page 13: Securing Electronic Commerce: Identification & Authentication

What are the risks?

• Protecting the network and data from abuse by authorised users

• Protecting the network and data from abuse by unauthorised users

• Data Privacy

• Data Confidentiality

• Complexity of service operation and delivery

Page 14: Securing Electronic Commerce: Identification & Authentication

Attacks from Inside & Out (chart: reported security breaches, 0% to 45% scale, comparing unauthorized access by employees with system penetration from outside). Source: 1998 CSI/FBI Computer Crime and Security Survey

Page 15: Securing Electronic Commerce: Identification & Authentication

Cost of Security Breaches (chart: average loss in $000, $0 to $3,000 scale, for financial fraud, theft of proprietary information, and unauthorized access by employees). Source: 1998 CSI/FBI Computer Crime and Security Survey

Page 16: Securing Electronic Commerce: Identification & Authentication

“Casual Intruder - Disgruntled Employee”

• Shoulder surfing co-workers

• Finding written password
  – Post-It Notes
  – DayTimer

• Guessing password
  – “password”
  – Spouse/Dog/Kid’s name
  – Username

Page 17: Securing Electronic Commerce: Identification & Authentication

“Serious Hacker”

• All of the “casual” approaches

• “Social engineering”

• Password cracking
  – “Crack”
  – “L0phtCrack”
  – “Cracker Jack”

• Network sniffing

Page 18: Securing Electronic Commerce: Identification & Authentication

Passwords Are Not Secure

• Tools for defeating passwords abound

• Compromise is not detectable

• Passwords can be snooped off the Net

• Passwords & files are diverted off desktops or servers

• Password-protected credentials are compromised off-line

Page 19: Securing Electronic Commerce: Identification & Authentication

“Privacy” is NOT “Security”

Encrypted Tunnel Through Public Network

Who’s at the other end of the line?

Page 20: Securing Electronic Commerce: Identification & Authentication

Identification & Authentication

Identification: Who are you? ……. “John Smith”

Authentication: ……. prove that you are John Smith

Page 21: Securing Electronic Commerce: Identification & Authentication

Identification / Authentication: Prove It!

Page 22: Securing Electronic Commerce: Identification & Authentication

Methods of User Authentication

• Something you know
  – Password, PIN, “mother’s maiden name”

• Something you have
  – magnetic card, smart card, token, physical key

• Something unique about you
  – Fingerprint, voice, retina, iris

(illustration: PIN “1059” and a bank card numbered 1234 5678 9010)

Page 23: Securing Electronic Commerce: Identification & Authentication

Two Factor “Strong” Authentication (illustration: token + PIN)

Page 24: Securing Electronic Commerce: Identification & Authentication

One Time Passcode: SecurID Passcodes can only be used ONCE!

(illustration of the server’s responses to a sequence of passcodes)

Passcode Accepted

Passcode Accepted

Passcode Accepted

Access Denied

345656 Locked

879845 Already Used

568787 Locked

879845 Locked

Shoulder Surfing and Snoop will NOT work!

Page 25: Securing Electronic Commerce: Identification & Authentication

Traditional Authentication Options (chart: options plotted against Level of Security, weakest to strongest)

• Passwords: Identification & Weakest Authentication

• Software Token: Identification & Weak Authentication

• Hardware Token: Identification & Strong User Authentication

Page 26: Securing Electronic Commerce: Identification & Authentication

New Authentication Options (chart: options plotted against Level of Security, from Identification & Weakest Authentication through Identification & Weak Authentication to Identification & Strong User Authentication)

Options plotted: Passwords, Software Token, Biometric, Digital Certificate, Smart Card, Hardware Token

Page 27: Securing Electronic Commerce: Identification & Authentication

Secure Remote Access

• Let’s look at reducing the risks and complexity

Page 28: Securing Electronic Commerce: Identification & Authentication

Remote Access Complexity

Page 29: Securing Electronic Commerce: Identification & Authentication

The Internet Simplifies Remote Access (diagram: Internet; Global Access delivered by ISP)

Page 30: Securing Electronic Commerce: Identification & Authentication

Reducing The Risks?

• The Internet is a collection of unsecured networks!

• Strong Authentication and Encryption can provide a solution

• New Technology
  – VPN

Page 31: Securing Electronic Commerce: Identification & Authentication

What is a VPN?

• VPN - “Virtual Private Network”

• Transport encrypted information via the Internet and public networks

• Offer benefits of a private network using “free” Internet infrastructure

• Encryption means privacy, not security

• A VPN can be owned and run locally, or delivered as a service from a Telco or ISP

Page 32: Securing Electronic Commerce: Identification & Authentication

Creating a Secure VPN (diagram: remote user, Firewall or RAS server, and ACE/Server connected across the Internet)

Message sequence: Request Connection; Request Passcode; PIN + Send Passcode; Send Session Key

Secure VPN
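The two behaviours these slides rely on, the one-time passcode rule from the “One Time Passcode” slide (a code is accepted once, a resubmitted code is reported as already used, repeated bad attempts lock the token) and the PIN + passcode exchange that ends with a session key on the “Creating a Secure VPN” slide, are shown together below as an added example. This is not Security Dynamics code and not the ACE/Server or SecurID algorithm: the tokencode is an HMAC-based stand-in, and `AceServerStub`, `TokenRecord`, `STEP`, `MAX_FAILURES`, the user names and the seed values are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

STEP = 60          # seconds per tokencode window (constructed value, not SecurID's cadence)
MAX_FAILURES = 3   # wrong or replayed attempts before the token is locked (constructed policy)


def tokencode(secret: bytes, now: int) -> str:
    """6-digit code for the current time window: an HMAC-based stand-in for what the token displays."""
    counter = struct.pack(">Q", now // STEP)
    digest = hmac.new(secret, counter, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation in the style of RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


@dataclass
class TokenRecord:
    secret: bytes
    pin_hash: bytes
    last_window: int = -1   # window of the last accepted code; that window or earlier is a replay
    failures: int = 0
    locked: bool = False


class AceServerStub:
    """Hypothetical authentication server (not the real ACE/Server): PIN + tokencode, replay rejection, lockout."""

    def __init__(self) -> None:
        self.users: dict[str, TokenRecord] = {}
        self.sessions: dict[str, str] = {}   # session key -> user, handed back to the firewall/RAS server

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        self.users[user] = TokenRecord(secret, hashlib.sha256(pin.encode()).digest())

    def _fail(self, rec: TokenRecord, status: str):
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.locked = True
            return "locked", None
        return status, None

    def authenticate(self, user: str, pin: str, code: str, now: int):
        """Return (status, session_key); session_key is set only when status is 'accepted'."""
        rec = self.users.get(user)
        if rec is None:
            return "denied", None      # unknown user gets the same answer as a bad passcode
        if rec.locked:
            return "locked", None
        pin_ok = hmac.compare_digest(rec.pin_hash, hashlib.sha256(pin.encode()).digest())
        code_ok = hmac.compare_digest(code, tokencode(rec.secret, now))
        if not (pin_ok and code_ok):
            return self._fail(rec, "denied")
        window = now // STEP
        if window <= rec.last_window:
            return self._fail(rec, "already_used")   # a snooped or shoulder-surfed code is worthless
        rec.last_window = window
        rec.failures = 0
        key = secrets.token_hex(16)                  # the "Send Session Key" step of the VPN diagram
        self.sessions[key] = user
        return "accepted", key


def walkthrough() -> list:
    """Replays the slide's sequence: three fresh codes accepted, a reused code refused, then lockout."""
    srv = AceServerStub()
    seed = b"constructed-token-seed"      # constructed; a real token seed is provisioned out of band
    srv.enroll("jsmith", seed, "1059")
    t0 = 1_000_000
    results = []
    for i in range(3):                    # three consecutive windows, a fresh code each time
        now = t0 + i * STEP
        results.append(srv.authenticate("jsmith", "1059", tokencode(seed, now), now)[0])
    replay = tokencode(seed, t0 + 2 * STEP)
    for _ in range(3):                    # the same captured code submitted again and again
        results.append(srv.authenticate("jsmith", "1059", replay, t0 + 2 * STEP + 10)[0])
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Two design choices carry the security point: the server remembers the window of the last accepted code rather than the code itself, so a captured code cannot be replayed even inside its validity window, and replays count toward the lockout threshold, so a snooped code that is pushed repeatedly ends up with the token locked, which is what the “Already Used” followed by “Locked” responses on the slide show.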

Page 33: Securing Electronic Commerce: Identification & Authentication

VPNs Reduce Cost and Complexity

• Reduce leased line costs and dial access charges

• Reduce user support

• Simplify remote access architecture

Also: reduce help desk services; allow tracking / billing for usage; reduce equipment costs for remote access

Page 34: Securing Electronic Commerce: Identification & Authentication

Increased Use of Authenticators (chart: users from 1996 to 2000, y-axis 0 to 20,000,000)

• Internet users (177% CAGR)

• VAN users (132% CAGR)

• Dial-in users (52% CAGR)

Source: Giga est., Sept. 1997

Page 35: Securing Electronic Commerce: Identification & Authentication

VPNs Offer Estimated 60% Cost Savings (chart: Remote Access Cost Comparisons for 2000 Remote Users, in $000's, Traditional Remote Access vs. Internet Remote Access, x-axis $0 to $3,500; cost components User Support, Phone/ISP Charges, Routers/Servers, T1 Lines). Source: Forrester Research 7/97

Page 36: Securing Electronic Commerce: Identification & Authentication

Secure Web Applications

• Home Banking

• Business to Business Communication

• Price Lists to Partners

• Human Resources

• Product Support and Updates

Using the WWW to share sensitive information

Page 37: Securing Electronic Commerce: Identification & Authentication

Secure Web Authentication & Privacy

• Issues similar to Remote Access
  – User Identification & Authentication: passwords are not enough!
  – Data privacy during connection: prevent snooping
  – Granular access: grant access rights based upon service level

Page 38: Securing Electronic Commerce: Identification & Authentication

Web Applications Security (screenshot: SecurWorld Online login pages for Reseller (SecurCare) and Customer, each prompting for a Passcode)

Page 39: Securing Electronic Commerce: Identification & Authentication

What about Certificates for Authentication?

• A Digital Certificate is a unique electronic identifier (complex password) associated with a user

• Browsers use certificates widely for establishing a level of authentication

• More and more applications will use certificates
  – Email, SSSO, E-commerce

• A user’s certificate can be used to check a Digital Signature - a unique electronic signature associated with the owner of the certificate
  – essential for non-repudiation of messages and transactions

Page 40: Securing Electronic Commerce: Identification & Authentication

How can we be sure of a Certificate?

• A certificate is usually ‘signed for’ electronically by a Trusted Third Party, e.g. Verisign
  – i.e. two companies trust the integrity of a certificate issued by a jointly trusted external organisation

• Today most certificates are stored electronically on servers (e.g. LDAP)
  – So how can we be sure that the person who is using a certificate is who they say they are?

• We cannot, unless they use Strong Authentication!

Page 41: Securing Electronic Commerce: Identification & Authentication

Smartcards for Security

• Benefits
  – Two Factor ‘Strong Authentication’
  – Secure storage of Private Credentials
  – Building Access
  – Photograph
  – Other Applications

• Downside
  – Readers
  – Infrastructure

Page 42: Securing Electronic Commerce: Identification & Authentication

Soft Smartcards

• Host-based secure electronic ‘wallets’ (or files) that contain a user’s security credentials

• Downloaded to the user on successful authentication

• Two Factor Authentication to access the Soft Smartcard

• Excellent transitional solution to help companies migrate to smartcards for network access

• Available today

Page 43: Securing Electronic Commerce: Identification & Authentication

Soft Smartcards for Secure Applications Access (diagram)

Message sequence: User dials in; Request for Passcode; User sends PIN + Passcode; Authenticates and Credentials downloaded

Page 44: Securing Electronic Commerce: Identification & Authentication

Summary

• Local and Global Electronic Commerce can
  – increase productivity and communication
  – reduce costs of doing business
  – deliver competitive advantage

• Suffers from risk of abuse and fraud if not prudently secured

• User Authentication, Encryption of traffic and use of Certificates can deliver very secure applications, including E-Commerce

Page 45: Securing Electronic Commerce: Identification & Authentication