Authentication and Beyond

Judith Markowitz, PhD

President J. Markowitz, Consultants

August 8, 2006

Judith Markowitz J. Markowitz, Consultants

User Authentication

(Section overview diagram: nested scopes, from outermost to innermost: Security > User Authentication > Biometrics > SIV)

Agenda

- Why good UA is important
- Levels of UA
- Biometrics
- SIV

Why Should We Care about Authentication?

- Identity Theft
- Industrial Espionage
- National Security
- Privacy

Why Should We Care?

- US Veterans Administration
- US Dept. of Agriculture
- Univ. of Ohio
- Boston College
- Chico State Univ
- US Federal Trade Comm.
- US Dept. of the Navy
- Nat’l Nuclear Safety Admin.
- FBI
- ChoicePoint
- LexisNexis
- AIG
- CitiBank
- ING Financial Serv.
- MasterCard Int’l.
- ADP
- Ernst & Young

Identity Theft Factoids

- In the past year, over half of all US companies doing business in the technology, media and telecommunications sectors experienced data breaches that potentially exposed their intellectual property or customer information. (2006 Deloitte Touche Tohmatsu)
- About 3% of US households (3.6 million families) suffered some sort of ID theft in the first 6 months of 2004. (DOJ)
- 13 US governmental agencies are fighting it.
- Cost to businesses and financial institutions was $52.6 billion, not counting the complex systems put in place to fight it. (2004 Javelin Strategy and Research)

Identity Theft Factoids: Not Just a U.S. Problem

- Japan:
  - 2006 data loss by KDDI for 4 million subscribers
  - 2006 Chubu Electric Power plant info on Web
- UK:
  - 2004 120,000 reported cases (up 20%)
- EU:
  - 2004 credit card fraud ascribable to identity theft caused damages of over $210 million (Source: VISA)
  - 2006 members of European Parliament demanded action against this growing threat
- Global:
  - 2005 An average of 11% of bank customers in all regions report having been subjected to some form of identity theft. The figure for the U.S. is 17%. (Unisys)
  - 2005 survey of consumers showed 66% are "a little worried." In Mexico and Brazil 78% and 70% of people, respectively, worry "a lot" about it.

User Authentication

User Authentication: Definitions

- User authentication: the process of establishing confidence in user identities.
- Electronic user authentication: the process of establishing confidence in user identities presented to an information system.

User Authentication

User authentication employs one or more of the following:

- What you have (token, key)
- What you know (PIN, password)
- Who you are (biometrics)
- Where you are (GPS)

User Authentication: Resources

- Office of Management and Budget publication M04-04, E-Authentication Guidance for Federal Agencies (2003)
- NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems

These recommend a methodology for managing risk in information systems. The focus is on authentication.

Security/Assurance Levels (OMB M04-04 & NIST SP800-63)

Impact Categories                                              | Risk/Assurance Level 1 | Level 2 | Level 3 | Level 4
Inconvenience, distress, or damage to standing or reputation   | Low                    | Mod     | Mod     | High
Financial loss or liability                                    | Low                    | Mod     | Mod     | High
Harm to business programs or public interests                  | N/A                    | Low     | Mod     | High
Release of sensitive information                               | N/A                    | Low     | Mod     | High
Threat to personal safety                                      | N/A                    | N/A     | Low     | Mod/High
Civil or criminal violations                                   | N/A                    | Low     | Mod     | High
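As an added worked example (not from the presentation), here is the rule the impact table above encodes, implemented in Python. Each cell is read as the highest impact a given assurance level is meant to cover; the level required for one impact category is the lowest column whose ceiling reaches the expected impact; and the level required overall is the maximum over all categories, so the highest-impact category governs. The category keys, the impact vocabulary none/low/mod/high, and the sample scenarios are this example's own constructions.

```python
# Added example: required assurance level from the OMB M-04-04 / SP 800-63
# impact table. Category keys and impact labels are this example's own
# constructions, not identifiers from either document.

IMPACT_RANK = {"none": 0, "low": 1, "mod": 2, "high": 3}

# For each impact category, the highest impact that assurance levels 1..4
# are meant to cover (transcribed from the table; "N/A" becomes "none",
# and the level-4 "Mod/High" cell for personal safety becomes "high").
IMPACT_CEILING = {
    "inconvenience":     ["low",  "mod",  "mod",  "high"],
    "financial_loss":    ["low",  "mod",  "mod",  "high"],
    "program_harm":      ["none", "low",  "mod",  "high"],
    "sensitive_release": ["none", "low",  "mod",  "high"],
    "personal_safety":   ["none", "none", "low",  "high"],
    "legal_violation":   ["none", "low",  "mod",  "high"],
}


def level_for_category(category: str, impact: str) -> int:
    """Lowest assurance level whose ceiling for this category reaches the
    expected impact. Unknown categories or impact labels are rejected."""
    if category not in IMPACT_CEILING:
        raise ValueError(f"unknown impact category: {category!r}")
    if impact not in IMPACT_RANK:
        raise ValueError(f"unknown impact label: {impact!r}")
    for level, ceiling in enumerate(IMPACT_CEILING[category], start=1):
        if IMPACT_RANK[impact] <= IMPACT_RANK[ceiling]:
            return level
    raise AssertionError("every column ends in 'high', so this is unreachable")


def required_assurance_level(impacts: dict) -> int:
    """Overall level: the highest level demanded by any single category.
    Categories not mentioned are treated as having no impact."""
    return max((level_for_category(c, i) for c, i in impacts.items()), default=1)


# Constructed scenarios, loosely following the examples on the next slide.
SCENARIOS = {
    "park visitor permit":   {"inconvenience": "low"},
    "ATM withdrawal $300":   {"financial_loss": "mod", "inconvenience": "mod"},
    "physician reads chart": {"sensitive_release": "mod", "personal_safety": "low"},
    "$1M transfer":          {"financial_loss": "high"},
}


def classify_scenarios(scenarios=SCENARIOS) -> dict:
    """Map each scenario name to the assurance level it requires."""
    return {name: required_assurance_level(imp) for name, imp in scenarios.items()}


if __name__ == "__main__":
    for name, level in classify_scenarios().items():
        print(f"{name}: level {level}")
```

The point a practitioner should take from the run is that one category alone can push a transaction up a level: the physician scenario is only moderate for information release, but even a low potential threat to personal safety already demands level 3.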

Security/Assurance Level Examples

Level 1 (confidence: little or none):
  a. Visitor enters a multi-company office building
  b. An individual applies to a Federal agency for a park visitor’s permit

Level 2 (confidence: some):
  a. Bank customer withdraws $300 from an ATM
  b. Beneficiary changes her/his address of record through the Social Security website

Level 3 (confidence: high):
  a. A physician accesses patient medical records
  b. A patent attorney submits confidential patent information to the US Patent & Trademark Office

Level 4 (confidence: very high):
  a. Bank customer transfers $1 million to another account
  b. A law-enforcement professional accesses a law enforcement database containing criminal records

Limits of OMB M04-04 & NIST SP 800-63

- They only address authentication based on secrets: “This guidance addresses only traditional, widely implemented methods for remote authentication based on secrets.”
- They don’t address biometrics: “Biometrics do not constitute secrets suitable for use in the conventional remote authentication protocols addressed in this document.”

Biometrics

Biometrics: What Are They?

- Who-you-are user authentication
- They are based in physiology and behavior
- They are not secrets
- High degree of uniqueness

“Biometrics provide a very high level of security because the authentication is directly related to a unique physical characteristic of the user which is more difficult to counterfeit.” (NIST SP 800-32 Section 2.2)

Biometrics: Study Report on Biometrics in E-Authentication (ANSI/M1 Ad hoc committee on biometrics in e-authentication)

- Add biometrics to e-authentication measures
- Dispel misunderstandings about biometrics
- Examine the vulnerabilities of biometrics

“What is the role of biometrics at the various security levels and what architectures and surrounding security mechanisms are appropriate for use in the remote e-authentication environment?”

Biometrics at Security/Assurance Levels (Study Report on Biometrics in E-Authentication)

Level 1 (confidence: little or none): It is likely biometric technologies used alone would be stronger than the security SP 800-63 specifies for this level.

Level 2 (confidence: some): There must be countermeasures put in place to mitigate concerns about biometrics not being secrets. They include using cryptography and monitoring for “replay” attacks. Most likely this will actually result in two-factor authentication (e.g., PIN + SIV).

Level 3 (confidence: high): Requires two-factor authentication and specifically calls out the use of biometrics as an option in order for the claimant to prove that he or she controls the token.

Level 4 (confidence: very high): Requires two-factor authentication and does not prohibit the use of biometrics as an option in order for the claimant to prove that he or she controls the token.
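The level-2 row calls for cryptography and replay monitoring to compensate for a biometric not being a secret. The following Python sketch, added here and not part of the study report or the presentation, shows one way such countermeasures fit around a matcher: the verifier issues a single-use challenge nonce, the user's device binds its feature vector to that nonce with an HMAC under a device key (the "what you have" factor that makes the result two-factor), and the verifier refuses a resubmitted message, an altered sample and an impostor sample. The device key, the Euclidean-distance matcher with its threshold, and the feature vectors are constructed for illustration; a real matcher and key provisioning are outside the scope of this example.

```python
# Added illustration (not from the study report or the presentation) of the
# level-2 countermeasures: a fresh single-use nonce per attempt plus an HMAC
# binding the sample to that nonce, so a captured submission cannot be replayed.
import hashlib
import hmac
import json
import math
import secrets
import time

DEVICE_KEY = b"constructed-demo-key-do-not-reuse"  # assumed per-device secret
MATCH_THRESHOLD = 0.5     # constructed distance threshold for the toy matcher
CHALLENGE_TTL = 30.0      # seconds a challenge stays valid


def sample_tag(key: bytes, nonce: str, features: list) -> str:
    """HMAC binding a feature vector to one challenge nonce."""
    msg = nonce.encode() + b"|" + json.dumps(features).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class BiometricVerifier:
    def __init__(self, key: bytes, threshold: float = MATCH_THRESHOLD):
        self.key = key
        self.threshold = threshold
        self.templates = {}    # user -> enrolled feature vector
        self.challenges = {}   # nonce -> (user, expiry time)

    def enroll(self, user: str, features: list) -> None:
        self.templates[user] = list(features)

    def issue_challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = (user, time.monotonic() + CHALLENGE_TTL)
        return nonce

    def verify(self, user: str, nonce: str, features: list, tag: str):
        """Returns (accepted, reason). The nonce is consumed on first use,
        whatever the outcome, so a second submission is flagged as a replay."""
        entry = self.challenges.pop(nonce, None)
        if entry is None:
            return False, "unknown or already-used challenge (possible replay)"
        chal_user, expiry = entry
        if chal_user != user or time.monotonic() > expiry:
            return False, "challenge expired or issued to a different user"
        if not hmac.compare_digest(sample_tag(self.key, nonce, features), tag):
            return False, "bad tag: sample altered in transit or wrong device key"
        template = self.templates.get(user)
        if template is None:
            return False, "user not enrolled"
        distance = math.dist(template, features)   # toy matcher
        if distance > self.threshold:
            return False, f"biometric mismatch (distance {distance:.2f})"
        return True, "accepted"


def client_respond(key: bytes, nonce: str, features: list):
    """What the user's device sends back: the sample and its nonce-bound tag."""
    return features, sample_tag(key, nonce, features)


def run_demo() -> list:
    """Four attempts against one verifier; returns their (accepted, reason) pairs."""
    v = BiometricVerifier(DEVICE_KEY)
    v.enroll("alice", [0.10, 0.20, 0.30])          # constructed enrolment template

    # 1. genuine user, fresh challenge
    n1 = v.issue_challenge("alice")
    feats, tag = client_respond(DEVICE_KEY, n1, [0.12, 0.18, 0.31])
    r1 = v.verify("alice", n1, feats, tag)

    # 2. the same captured message submitted again
    r2 = v.verify("alice", n1, feats, tag)

    # 3. fresh challenge, but the features were altered after tagging
    n3 = v.issue_challenge("alice")
    _, tag3 = client_respond(DEVICE_KEY, n3, [0.12, 0.18, 0.31])
    r3 = v.verify("alice", n3, [0.9, 0.9, 0.9], tag3)

    # 4. correctly tagged sample from someone who is not alice
    n4 = v.issue_challenge("alice")
    feats4, tag4 = client_respond(DEVICE_KEY, n4, [0.9, 0.9, 0.9])
    r4 = v.verify("alice", n4, feats4, tag4)
    return [r1, r2, r3, r4]


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

Two design points matter for detection: the nonce is removed from the table before any other check, so a replayed message fails on the first test regardless of whether the original attempt succeeded, and the tag is compared with hmac.compare_digest so that a failed comparison takes the same time whatever the mismatch. The rejection reasons are what a verifier would log; counting "possible replay" rejections per user or per device is the monitoring the level-2 row asks for.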

Speaker Identification and Verification (SIV)

SIV = Biometric authentication

- Based on aspect of who you are
- Requires enrollment
- Lots of misunderstanding
- Needs to be user friendly
- Not perfect (nothing is perfect)
- Vulnerable to attack

Uniqueness of SIV

- Audio-based
- Standard (non-proprietary) devices
- The most multi-faceted of commercial biometrics
  - text-dependent, text-independent, challenge-response
  - works with ASR and TTS and lip movement
- Cancelable

Summary: Authentication is just part of the challenge

(Overview diagram: Security > User Authentication > Biometrics > SIV)

- Policies
- Gateway Security
- Backup
- Usability

Thank you

Judith Markowitz, PhD, President
J. Markowitz, Consultants
5801 N. Sheridan Road, Suite 19A, Chicago, IL 60660
773-769-9243
judith@jmarkowitz.com