Connected Smart Card Q&A



October 2013

Q. Who is Tyfone?

A. Tyfone, Inc. is a secure ID and transaction company focused on providing the most complete solution to rapidly growing cyber threats, especially in a mobile environment that depends on the cloud. The new threats predominantly stem from criminals compromising people’s credentials used to gain access to enterprise networks from remotely located desktops, laptops, tablets, and especially mobile phones. Tyfone’s solution is geared to enable secure ID and transactions for any industry vertical including government, health care, critical infrastructure, as well as banking and payments. Founded in 2004, Tyfone is headquartered in Portland, Oregon with research and development and business development offices in India and Taiwan.



Q. How is Tyfone funded / who are its investors?

A. Tyfone is privately funded with investors that are both individuals and institutional in nature, including Ojas Venture Partners, HDFC Holdings, Polaris Software Labs and In-Q-Tel (IQT).


Q. Who are Tyfone’s customers?

A. Tyfone’s international roster of customers represents financial institutions and governmental departments. In the U.S., Tyfone counts 2 of the top 10 member-owned financial institutions, Security Service Federal Credit Union and Star One Credit Union, among its bank and credit union customers. Tyfone recently signed a strategic agreement with In-Q-Tel (IQT) to bring Tyfone’s mobile security solutions to address the needs of the U.S. Intelligence Community. Tyfone also has a customer in Abu Dhabi and significant working relationships with entities around the globe, including in India, Indonesia, Spain and China.


Q. What is the Tyfone CSC solution?

A. The Connected Smart Card (CSC) is Tyfone’s security solution, enabling identity storage and management locally on end-user devices for the most secure access to any server and to data stored centrally in the cloud. Such a "local ID with central data" segregation is becoming increasingly critical as it is very common for users to access email, bank accounts, ecommerce portals, health records and other important digital information stored in cyber space using only a user-generated password to gain access. More and more these digital assets are stored centrally in the cloud, but so too are all the passwords that control access to these assets, making valuable data more attractive to hackers. The reason why passwords are also stored in the cloud is because when a user requests access with a password the server has to have a representation of the password to respond Yes/No to the access request. Typically, when this request-response “one-sided” verification is used, the sessions require the verification of the server but not the end user.

The increasing power and lower cost of computing creates a paradigm that is increasingly vulnerable to cybercrime, a situation that is rapidly getting worse (interrelated, see Moore’s Law for Hacking graph on page 2).














According to Wired Magazine, in just the last 18 months, 280 million passwords have been compromised, and Deloitte predicts 90 percent of all user-generated passwords are vulnerable this year.

Tyfone’s CSC solution (http://youtu.be/fkdZmKitSIA) mitigates existing cyber security vulnerabilities through a unique combination of hardware products, software solutions and hosted services that enable financial, government, healthcare and other enterprises to ensure that passwords, biometrics, credit cards and other user IDs, as well as the access to sensitive server-based information, are never compromised.

Moreover, the rapidly growing threat aided by “Moore’s Law for Hacking” (the ever increasing power and cheaper hardware enabled by Moore’s Law that criminals can use for hacking) requires a solution in the form of hardware based ID and transaction security. Interrelated, the National Institute of Standards and Technology (NIST), a federal technology agency under the Department of Commerce, recently issued draft standards 800-164 calling for hardware based solutions for mobile devices.

At its core, Tyfone’s CSC technology enables two-sided certificate verification, where not only is the server being accessed verified, but so is the identity of the person seeking access. CSC creates an impenetrable safe to locally store IDs inside hardware that protects the use of passwords, credit card numbers, biometrics and other access credentials, thereby creating the best possible defense against cyber criminals and hackers.

Tyfone's CSC solution puts this safe (actually called a secure element) onto the ubiquitously used smart card, so people can conveniently and securely carry all their digital IDs, while leaving access to information and data centrally stored in the cloud. Because smart cards are used in everything from mobile phones to credit cards to identity cards, the proliferation of this security solution will not require fundamental changes in technology or user behavior. Tyfone has also put this CSC technology on a microSD card and wearable form factors, such as Key chain and Wrist band, to bring even greater convenience, and extend its use across a wider number of devices (see related illustration on page 3).












Q. How does Moore’s Law apply to security and why should we all be concerned?

A. Moore’s Law speaks to the rapid growth and reduced cost of computing power. When applied to “one-sided” security methods requiring the storage of user identities in the cloud, the ability for cyber criminals to hack and compromise access credentials will outpace the practical ability for user passwords to grow in size and complexity for those methods to be used. The cyber world is near or already at the “point of no return” where storing any access credentials in the cloud is no longer safe.


Q. I want to make sure I understand “Moore's Law for Hacking.” Why should my readers care?

A. As mentioned, Moore’s Law speaks to the rapid growth and reduced cost of computing power. When applied to the request-response security paradigm requiring the storage of user IDs (Passwords or OTPs) in the cloud, the ability for cyber criminals to hack and compromise access credentials will outpace the practical ability for user passwords to grow in size and complexity for those methods to be used. This is what Tyfone refers to with “Moore’s Law for Hacking.” Reiterating, the cyber world is near or already at the “point of no return” where storing any access credentials in the cloud is no longer safe.

Q. How does Tyfone’s CSC solution change everything?

A. The inherent flaw in password (both static password and dynamic one-time password) authentication systems that today use a “one-sided” verification methodology is that when the user submits his or her password, the centralized server has to instantly decide whether or not the user should gain access to the system. For this “request-response” feature to work, the centralized service must store, in bulk, information about ALL its users’ passwords. This need makes central password storage an increasingly lucrative target that has become ever easier and cheaper to compromise by unauthorized users.

The only way to eliminate this vulnerability is to prevent access based solely on the validation of centrally stored passwords by migrating from a “request-response” to a “request-challenge-response” paradigm. In this paradigm, no end-user “secrets” are stored on the enterprise server; rather they are with the user inside that secure element in the smart card. Tyfone’s CSC solution enables this paradigm by supporting storage of digital certificates in secure hardware, thereby enabling “two-sided” certificate validation.










Tyfone’s CSC solution operates much like the traditional plastic smart card systems already in widespread use, but has a much smaller footprint and has the unique ability to operate with any mobile device, tablet or PC. By leveraging the use of Smart Card Chip standards, Tyfone’s CSC hardware works with all existing software, smart card applets, password schemes and digital certificates, making it the first truly interoperable framework that can secure all devices a user may have, their identities and their transactions, and control access to ID information in a unique combination of distributed and local (on device) storage. This unprecedented approach allows for seamless integration with organizations’ existing smart card-driven security solutions, maximizing investments already made in security infrastructure. Tyfone’s CSC solution ensures that employees, consumers and other end-users can securely access authorized servers for their email, pay online and even enter buildings without any of the vulnerabilities that come with today’s centralized storing of passwords or biometric IDs.




Q. Why is request-challenge-response better than request-response?

A. Unlike the request-response security paradigm where all of our secrets are stored in the cloud, the request-challenge-response paradigm keeps the secret for remote access with the user. So each user carries his or her secret and there is no longer a central location available for bulk hacking. This secret is called a digital certificate that includes a public key known to everyone and a private key that is stored securely in secure physical hardware and never disclosed. The public key is used to lock information which only the corresponding private key can unlock. This certificate mechanism that is already used by the enterprise server to identify itself is now extended to the user, so that the user and the server can trust each other without the involvement of any third party. This method is already used in plastic smart cards in various industries: CAC/PIV in government, PKCS for enterprises, NSS in browsers (e.g., Firefox) and EMV in Payments.









Q. What is a better alternative to One Time Passwords (OTP) or Passwords?

A. Instead of request-response based OTP or Passwords a better alternative is to use user-side digital certificates that can enable Request-Challenge-Response. By using client-side digital certificates in conjunction with the already available server-side digital certificates, a "two-sided" trust can be enabled; this will not only prevent bulk loss of IDs, it also enables a solution that is independent of third party compromises since the private keys are never disclosed to anyone including the issuer.


Q. Are passwords becoming null and void?

A. Passwords, as we know them today and how they are used to gain access to Servers in the cloud, are dead. This is due to passwords in today’s world being stored in the cloud right along with the Server and its data that are being accessed. Passwords (or biometrics) may still play a minor role in the “new world” of verification and access, but ONLY when they are stored locally in hardware with the user and ONLY to unlock a device, app or CSC, and not to verify with a cloud based Server.



Q. What happens if my secure ID is removed from the device?

A. Same actions would be taken by a user, just as if the CSC was lost, stolen or damaged. If CSC is removed from the device, a thief would still need a PIN, password or biometric to “unlock” access to the CSC. CSC’s use of smart card chip technology prevents unauthorized “unlocking,” especially through brute force guessing, as smart card chip technology is designed to permanently inactivate itself after a predetermined number of unauthorized attempts.


Q. What happens if the device with the “Secure ID” is stolen?

A. Same as above.


Q. What happens if the mobile device with the “Secure ID” is damaged, such as the device is dropped and the screen shatters, it gets wet and so on?

A. One of the benefits of CSC is that if the hardware is lost, stolen or damaged, the user will quickly realize the problem, unlike passwords in the cloud that may be stolen WITHOUT the knowledge of the user. When such an event occurs, just like a lost plastic credit card today, a user can take action to deactivate and obtain a replacement.


Q. Does carrying around all of your passwords/account/unique identifiers on your own device increase your vulnerability in any way?

A. No, carrying your identities locally is orders of magnitude safer than today’s approach, where your identities are stored in centralized databases in the cloud with multiple providers that are accessible by remote cyber criminals and where you may NEVER know your ID has been compromised!












Q. Why is secure ID important? / What makes secure ID more important today than it was before?

A. Cyber security is a critical and growing concern for government and businesses as access to sensitive information and financial transactions are increasingly done via mobile devices and websites, which utilize password protection. Think of this dilemma as the Moore’s Law of Hacking: as power of computing increases and cost decreases, passwords must grow in length and complexity to stay ahead of the cyber criminals’ quickly improving capabilities. Just in the last 18 months, we have crossed the point of no return where these realities should make the use of passwords and “one-sided” verification methods obsolete. Of particular concern is the security of these passwords, increasingly stored in the cloud, making centralized ID databases tempting and vulnerable targets for hackers. Storing IDs in a software database on the phone can’t solve this problem, as the server still needs to store the same information for “one-sided” verification.

In addition, some solutions attempt to store IDs locally on the device, but in unsecured memory. Think of it this way: storing software-based IDs in the cloud is like storing your car keys with a parking lot attendant who’s subject to the theft of many drivers’ keys at once, and storing software-based IDs on an electronic device is like hiding your keys under the doormat, an obvious location for many burglars. In all, software-only security is too weak to mitigate hacking and the hijacking of digital identities. It is only through the implementation of software with hardware-based solutions, such as Tyfone’s CSC, that the most critical threat models are sufficiently addressed.


Q. Aren’t there many secure ID solutions out there? Why is the CSC solution better?

A. Until Tyfone’s CSC, there were no solutions in the mobile space that incorporated both software with hardware to enable “two-sided” verification. Remember the Moore’s Law of Hacking: any ID solution that incorporates only “one-sided” verification will be continuously running to stay ahead of the advancing computational power employed by cyber criminals. The use of smart card technology, as in Tyfone’s CSC hardware security framework, allows for a non-proprietary solution while leveraging the billions of dollars already invested in plastic smart card based solutions that are deployed worldwide today.

“One-Sided” verification in today’s world for remote access into Servers is a security risk that is recognized in ALL industries. At present, entities have industry groups that tend to attempt to address the SAME issues on an industry specific basis. Users that interact with multiple industries should not be faced with multiple methods for secure access. Tyfone’s CSC solution and framework will be a foundational technology, like Wi-Fi or Bluetooth, enabling similar security and authentication methods and processes across ALL industries and ALL devices (e.g., smart phones, tablets and PCs) that are increasingly adopted and utilized in everyday lives, and not bound by the control of device manufacturers, OS providers or mobile network operators.


Q. Technically, how does CSC work?

A. Tyfone’s incorporation of globally recognized Smart Card Chip technology solves the inherent risks of current “one-sided” password (or software token) verification that uses “request-response” methods that necessitate storing User IDs centrally (the Server may be validated, but the User is not). In today’s environment, central storage of IDs creates massive repositories for cyber criminals to target. Tyfone’s CSC enables full “two-sided” verification or “request-challenge-response” that results in both end-points, Server and User, being validated without storing User ID centrally. It is only through the addition of a “challenge” that the party at each end-point can verify the other party. This “two-sided” verification also enables the creation of a unique encrypted connection that is not subject to the security interdependencies of multiple entities in the cloud, such as: Mobile Network Operators, Transport Entities, Domain Name Registrants or 3rd Party Certificate Authorities. Tyfone’s CSC solutions bring local storage of IDs to Users, with the highest methods of security, in a manner that is convenient for Users. While the methods deployed are complex, their use is simple.
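
The request-challenge-response exchange described in this answer and in the earlier answer on why it is better than request-response, as an added Go example that is not Tyfone's code: the server keeps only public keys, and a software stand-in for the secure element signs a one-time challenge after a local PIN check with a limited number of tries. The Ed25519 signature scheme, all type and function names, and the user and PIN values are assumptions for illustration; certificate chains and the server's own certificate check are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Card stands in for the secure element (assumption): key and PIN check stay local.
type Card struct {
	priv      ed25519.PrivateKey
	pin       string
	triesLeft int
}

// Sign answers a server challenge only if the PIN matches and tries remain.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, bool) {
	if c.triesLeft <= 0 || pin != c.pin {
		c.triesLeft-- // each bad PIN burns one of a fixed number of tries
		return nil, false
	}
	return ed25519.Sign(c.priv, challenge), true
}

// Server stores public keys and pending challenges, never a user secret.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Enroll issues a card and registers only the public half of its key pair.
func (s *Server) Enroll(user, pin string, maxTries int) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Card{priv, pin, maxTries}, nil
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify consumes the challenge so a captured response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	pub, known := s.pubKeys[user]
	delete(s.pending, user)
	return ok && known && ed25519.Verify(pub, nonce, sig)
}

func main() {
	srv := NewServer()
	card, _ := srv.Enroll("alice", "4821", 3) // constructed user and PIN
	nonce, _ := srv.Challenge("alice")
	sig, _ := card.Sign("4821", nonce)
	fmt.Println("login:", srv.Verify("alice", sig), "replay:", srv.Verify("alice", sig))
}
```

A copy of the server's `pubKeys` map gives an attacker nothing to log in with, which is the contrast with a central password store that the answer draws.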









A common misconception is that biometrics (fingerprint or iris scan) will “solve” the ID dilemma. In their simplest form, without a “challenge” security method, a biometric is only a substitute for a “password” that a user does not have to remember and retains only “One-sided” verification that may necessitate centralized storage of those highly individualized, sensitive and unchangeable IDs in the cloud. Just imagine what would happen if your fingerprints or iris scans were stolen by hackers?


Q. CSC sounds similar to how the new iPhone 5S uses fingerprints. How is it different/better?

A. Instead of passwords, biometric markers like fingerprints are promoted as a solution. While biometrics may eliminate the need to remember passwords, their use creates a host of new privacy issues. Storing biometrics risks fingerprints or other unchangeable biometrics such as iris scans, or their digital representations, becoming misappropriated for improper purposes. Based on the limited biometrics a person has, it is not practical to use different fingerprint sets, as an example, for different services. Should one centrally stored service become compromised, your fingerprint cannot be used anywhere else. Unlike a digital certificate, a biometric cannot be changed, so biometrics cannot be an exclusive solution to the remote authentication problem.

Tyfone’s CSC does not introduce privacy issues and can be easily changed if lost. Tyfone CSC also allows local validation for gaining access to remote assets. The iPhone 5S fingerprint reader is simply a stronger version of the previously used 4 digit PIN.


Q. Who needs Tyfone’s CSC solution?

A. Ultimately, all users (both enterprise and consumer) of devices that are either mobile and/or connect to the cloud, or who must communicate securely for physical world transactions, will require the hardware-based security that Tyfone’s Connected Smart Card enables. It is expected that adoption of these solutions will commence at the governmental level, moving next to enterprise and access to critical infrastructure (SCADA, supervisory control and data acquisition) before eventually becoming available to consumers for securing a wide range of services, from online interactions to contactless payments. Overall, Tyfone’s Connected Smart Card-based security framework will be necessary for all issuers and users of digital identities and independently secure connections to address emerging issues around cybercrime, privacy and financial transactions.


Q. How will the people who need it get the CSC solution? / Who will buy the CSC solution?

A. Initially, ID Issuers, such as government and corporations, will acquire the “Connected Smart Card” technology for issuance to their ID community. As deployment scales and as costs are driven lower, the cost for consumers to adopt will be immaterial in relationship to their other technology purchases.


Q. Is cybercrime really the only “security” related issue consumers are concerned about as their transactions become increasingly digital and mobile?

A. While CSC mitigates “cyber-crime,” the issues are not just about “crime” in the legal sense, but the broader enforcement of “authorized access” only by “authorized users,” whereby access policies can be enforced, such as between two employees within the same organization. Apart from securing online cyber transactions, CSC also helps protect offline transactions at places like the Point-of-Sale and infrastructure access readers.












Q. Can I use CSC with my existing smartphone, tablet or PC? How?

A. Due to the multitude of form factors produced and envisioned by Tyfone for CSC, users will have access to CSC through the selection of form factors that can be inserted into devices, such as: a microSD Card, USB plug or iPhone plug or external devices that communicate with devices via NFC or Bluetooth, such as a key fob, wristband or other wearable form factors.


Q. What companies / entities are currently customers of the CSC solution?

A. Tyfone’s CSC solution is currently in pilot developments with strategic customers with general deployments to begin in the fourth quarter of 2013 and first quarter of 2014. Organizations interested in becoming leaders in the evolution of CSC by joining pilots or integrating Tyfone’s CSC solution with their own security products can contact Tyfone at csc@tyfone.com.


Q. How much will the CSC solution cost?

A. There will be different licensing agreements and cost models for enterprises and consumers. More information will follow on pricing with general availability; however, Tyfone believes life cycle pricing will ultimately be less than existing plastic smart card systems in use with non-mobile systems today.