IBM StrongAuth


  • 7/25/2019 IBM StrongAuth

    1/35

    IBM Software Group, Tivoli Software

    2007 IBM Corporation

    New Alternatives in Strong Authentication
    February 19, 2007

    Jose Bravo, Tivoli Security Sales Leader, [email protected]

  • Slide 3/35: Authentication today

    Passwords, and passwords alone, remain the main channel of authentication.

    We have seen PKI, hard tokens, soft tokens and biometrics try to improve authentication; however, the reality is that passwords are still the sole moats that fortify most of our systems.

    No matter what rules we follow to change passwords periodically, synchronize or reset them, the fact is that passwords can be guessed and passwords are shared.

    This makes passwords inconvenient, and when a security issue causes difficult technological changes, people often reject it, either by subverting the technology or by not using it.

    If encryption with keys of less than 128 bits is unacceptable, so is an eight-character password.

  • Slide 4/35: What has been the best security for many years?

    Something that you have (a key) or something that you know (a combination).

    If you do not have the option of using a key but still want it secured, you would need a longer combination, changed frequently, for improved security.

    Most people find this bothersome, and that is how passwords can be described today.

  • Slide 5/35: Password strength

    Number of possible passwords by length and character set:

    Length | Alpha (26)          | Alphanumeric (36)     | Mixed alpha (52)        | Mixed alphanumeric & special (94)
    ------ | ------------------- | --------------------- | ----------------------- | ---------------------------------
    1      | 26                  | 36                    | 52                      | 94
    2      | 676                 | 1,296                 | 2,704                   | 8,836
    3      | 17,576              | 46,656                | 140,608                 | 830,584
    4      | 456,976             | 1,679,616             | 7,311,616               | 78,074,896
    5      | 11,881,376          | 60,466,176            | 380,204,032             | 7,339,040,224
    6      | 308,915,776         | 2,176,782,336         | 19,770,609,664          | 689,869,781,056
    7      | 8,031,810,176       | 78,364,164,096        | 1,028,071,702,528       | 64,847,759,419,264
    8      | 208,827,064,576     | 2,821,109,907,456     | 53,459,728,531,456      | 6,095,689,385,410,820
    9      | 5,429,503,678,976   | 101,559,956,668,416   | 2,779,905,883,635,710   | 572,994,802,228,617,000
    10     | 141,167,095,653,376 | 3,656,158,440,062,980 | 144,555,105,949,057,000 | 53,861,511,409,490,000,000
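As an added worked example, not part of the original deck, the keyspace computation behind the table above, plus the equivalent key length in bits that slide 3's 128-bit comparison relies on. The character-set sizes are the slide's; the 128-bit target is the slide's own benchmark; note that the last rows of the slide's table are rounded, so the exact integers computed here differ in the final digits.

```python
import math

# Character-set sizes as used in the slide's table.
CHARSETS = {
    "alpha": 26,                   # a-z
    "alphanumeric": 36,            # a-z 0-9
    "mixed alpha": 52,             # a-z A-Z
    "mixed alnum & special": 94,   # printable ASCII without space
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols over the set."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Key length in bits that a *uniformly random* password of this shape equals.

    Human-chosen passwords carry far less entropy than this upper bound."""
    return length * math.log2(charset_size)


def length_needed(charset_size: int, target_bits: int = 128) -> int:
    """Shortest uniformly random password reaching `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(charset_size))


def keyspace_table(max_len: int = 10):
    """Rebuilds the slide's table as exact integers, one row per length."""
    return [(n, *(keyspace(c, n) for c in CHARSETS.values()))
            for n in range(1, max_len + 1)]


if __name__ == "__main__":
    for row in keyspace_table():
        print(*row, sep="\t")
    for name, size in CHARSETS.items():
        # An 8-character password stays far below the 128-bit key the slide compares it with.
        print(f"{name:22s}: 8 chars = {entropy_bits(size, 8):5.1f} bits, "
              f"{length_needed(size)} chars needed for 128 bits")
```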

  • Slide 6/35: Security and convenience

  • Slide 7/35: Passwords

    2 out of 3 Web users use fewer than 5 passwords for all access to electronic information.

    15% use a single password.

    A password is best described as a toothbrush. As Cliff Stoll rightly said: "Treat your password like a toothbrush. Don't share it with anyone else and get a new one every six months."

  • Slide 8/35: Why passwords aren't secure

    Problems:

    Trivial passwords: easy to remember, easy to guess

    Yellow sticky pads

    Password cracking: some crackers claim a 30% success rate

    Examples of trivial passwords shown on the slide: PASSWORD, QWERTY, A1B2C3

  • Slide 9/35: Keystroke loggers

  • Slide 10/35: The end of passwords?

    "Passwords have reached the end of their useful life. Today, they only work for low-security applications."

    -- Bruce Schneier*

    * The Curse of the Secret Question, ComputerWorld, 9 Feb 2005

  • Slide 11/35: Overburdened passwords

    Remember the safe box model?

    What we are missing is the key. Or, are we missing something key?

    If we find a way to combine what you know (a password) with something that you have, we can make strong authentication a convenient and inexpensive reality!

  • Slide 12/35: Finding the key: PKI & digital certificates

    Very clever and strong

    Very costly to deploy and maintain

    Not conveniently portable (this is probably its main disadvantage)

    Can be subverted if access to the workstation is obtained

    Restricted (mostly) to web-based applications

    Has worked really well for server-side authentication (first phase of the SSL handshake)

    Today very few companies use PKI in large-scale implementations

  • Slide 13/35: Finding the key: Hard tokens

    Very strong security

    Very costly to deploy and maintain (replace)

    Need to carry one of these per authenticating entity (sometimes they come ready for a true key chain)

    No access if you forget them (this is probably its main disadvantage), since these are portable but not wearable

    Cost and convenience restrict hard token deployment

  • Slide 14/35: Subverting security

  • Slide 15/35: Man-in-the-middle: like many other technologies

    Source: Arcott, protection against MITM attacks

  • Slide 16/35: Finding the key: coordinate or grid cards

    Stronger than passwords, but still weak authentication

    Quick answer to the FFIEC requirement

    A large number of keys/PINs; the user is asked to look for one specific key by giving him a coordinate (e.g. D3)

    Not very convenient, since the card can be forgotten

    Not very secure, since the card can be photocopied

    One card per authenticating entity

    Too costly for SMB

    Can be defeated with a man-in-the-middle attack

  • Slide 17/35: Subverting security

  • Slide 19/35: Some additional alternatives (source: Gartner)

    Virtual keypads

    Knowledge-based authentication (cognitive password)

    Transaction number list (one-time pad)

    Typing rhythm

    And more

  • Slide 20/35: What is Biometrics? Something that you are

    Source: Automated Biometrics, Nalini K. Ratha, IBM Corp.

  • Slide 21/35: Comparing Biometrics

    [Chart comparing Finger, Iris, Voice and Face biometrics on four axes: Effortless, Non-intrusive, Inexpensive, Accurate. From: Samir Nanavati (Zephyr Analysis)]

    Source: Automated Biometrics, Nalini K. Ratha, IBM Corp.

  • Slide 22/35: Biometrics: strengths and weaknesses

    Strongest of them all (fingerprint reader, retina scan, palm dimensions, voice, signature, etc.)

    Requires costly sensors and software to function; also requires painful, lengthy and very costly deployments (requires a centralized database with the biometric data)

    But even when implemented right, people reject it, because biometrics is more a form of identification than of authentication (a very fine line, but an equally important distinction)

  • Slide 23/35: More about Biometrics

    Governmental security is a different issue, but not everyone would be comfortable handing out fingerprints or retina scans at their financial institutions; that could be likely to change in the future.

    Difficult for large deployments, since the collection of the biometric data is hard to manage.

    If for some reason the central database is compromised, one cannot produce an alternative fingerprint.

    Best when used in combination with physical security (to avoid remote or replay attacks).

    A lot of health care concerns are associated with biometrics, and a body part like a finger can be considered a transmission vehicle for viruses like HIV, tuberculosis and other easily transmitted diseases.

  • Slide 24/35: Gummy fingers, a funny note

    http://cryptome.org/gummy.htm

  • Slide 25/35: Out-of-band mechanisms: authentication using caller ID, SMS, call back?

    Caller ID on a land line can be easily hacked. Restricted numbers would not work in these instances.

    Land line numbers can be, and are, forwarded (it is a feature, not a weakness).

    SMS can be easily spoofed and is not very personal in nature.

    SMS, while popular and free in Europe, is neither free nor popular here.

    Latency: some SMS authentication requires a request and a reply to the cell phone, making it slow and cumbersome and therefore not suitable for frequent authentication. It has been attempted in other countries like New Zealand, without much success.

  • Slide 27/35: The customer has already entered his userid and password and will now perform an operation that requires step-up/strong authentication

    In this example, the Banking Application generates a four-digit pseudo-random, one-time token: 6036. It simultaneously sends, over https, a message to the customer and to an application at the cell phone provider.

    The message at the customer's browser reads: "Dear customer, please use your cell phone to dial *88 followed by this one-time token: 6036".

    The message to the cell provider reads: "please reply to this message once cell phone 914-588-9992 inputs token 6036". The message has a message id number as well as an expiration time.

    [Diagram: Customer's Browser, Banking Application, Application at the cellular provider, User's cell phone 914-588-9992. Step 1: the browser shows "Please input token using your cell phone"; the provider receives "Reply once 914-588-9992 inputs 6036". Objective: prove to the Bank you are in possession of your very own cell phone.]

  • Slide 28/35: Once the customer enters the one-time token the strong authentication is completed

    As instructed, the customer dials *88 (+ send/call) and then 6036. This is an out-bound message traveling over the wireless network between the cell phone and the cell that is serving him (no cell routing/roaming required, therefore minimal delay is added to the transaction).

    Immediately, the application at the cell provider detects that there is a match for one of the requests it received and sends a reply back to the bank.

    The Bank knows the customer is in possession of their cell phone. The strong authentication has completed and the customer is authorized to perform the secure operation.

    [Diagram: User's cell phone 914-588-9992 -> RAN/Wireless -> Core Network -> Application at the cellular provider (Web service/SOA) -> Banking Application -> Customer's Browser; steps 2, 3 and 4. This can be implemented as an EAI application to TAMeb.]
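The browser, ATM and intranet scenarios on slides 27 to 32 all use the same exchange; as an added illustration that is not part of the original deck, here are the two server-side halves of it in Python: the bank issues a four-digit token with a message id and expiry, the cellular provider matches the *88 call against the pending request by caller number and token, discards expired or already-used requests, and replies with the message id the bank can verify. Class names, the 120-second token lifetime and the in-process call in place of the https and *88 signalling are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class PendingRequest:
    """What the bank sends the cellular provider over https (slide 27)."""
    msg_id: str
    phone: str       # the customer's registered cell phone number
    token: str       # the four-digit one-time token shown in the browser
    expires_at: float

class CellProviderApp:
    """Matches '*88 <token>' calls against pending bank requests (slide 28)."""
    def __init__(self):
        self.pending = {}  # msg_id -> PendingRequest

    def receive_request(self, req):
        self.pending[req.msg_id] = req

    def on_star88_call(self, caller, digits, now=None):
        """Return the msg_id to answer to the bank, or None if nothing matches."""
        now = time.time() if now is None else now
        for msg_id, req in list(self.pending.items()):
            if now > req.expires_at:
                del self.pending[msg_id]  # expired: discard, never match
            elif req.phone == caller and secrets.compare_digest(req.token, digits):
                del self.pending[msg_id]  # single use: a replayed call will not match
                return msg_id
        return None

class BankingApplication:
    TOKEN_TTL = 120  # seconds; assumed value, the slide only says "expiration time"
    def __init__(self, provider):
        self.provider = provider
        self.awaiting = {}  # msg_id -> phone

    def start_step_up(self, phone, now=None):
        """Issue a token for this customer; returns (msg_id, token) for the browser message."""
        now = time.time() if now is None else now
        token = f"{secrets.randbelow(10_000):04d}"  # four-digit pseudo-random one-time token
        msg_id = secrets.token_hex(8)
        self.awaiting[msg_id] = phone
        self.provider.receive_request(PendingRequest(msg_id, phone, token, now + self.TOKEN_TTL))
        return msg_id, token

    def on_provider_reply(self, msg_id):
        """Authorize only for a msg_id this bank issued and has not yet consumed."""
        return self.awaiting.pop(msg_id, None) is not None
```

The provider matches on the calling number as well as the token, so a token typed in from a different phone, a reused token, or one entered after the expiry never produces a reply to the bank.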

  • Slide 29/35: This idea is not restricted to a browser. In this case the customer is required to authenticate during an ATM withdrawal above the normal daily limit

    Like before, the customer reads on the ATM screen: "Dear user, please use your cell phone to dial *88 (+ send/call) and then immediately input this one-time token: 6036".

    The message to the cell provider reads: "please reply to this message once cell phone 914-588-9992 inputs token 2359".

    [Diagram: User at an ATM, ATM Application, Application at the cellular provider, User's cell phone 914-588-9992. Step 1: "Please input token using your cell phone"; "Reply once 914-588-9992 inputs 2359".]

  • Slide 30/35: Once the customer enters the one-time token the strong authentication is completed

    As instructed, the user dials *88 (+ send/call) and then 2359.

    Immediately, the application at the cell provider detects that there is a match for one of the requests it received and sends a reply back to the bank.

    The Bank knows the customer is in possession of his very own cell phone. The strong authentication has completed and the user is given the large amount of cash requested. Or even Point of Sale.

    [Diagram: Banking Application, User's cell phone 914-588-9992, Application at the cellular provider; steps 2, 3 and 4. This can also be implemented as an EAI application to TAMeb.]

  • Slide 31/35: This idea can also be used to authenticate employees when logging in to the corporate intranet

    Like before, the employee reads on the PC login screen: "Dear employee, please use your cell phone to dial *88 (+ send/call) and then immediately input this one-time token: 6036".

    The message to the cell provider reads: "please reply to this message once cell phone 914-588-9992 inputs token 6036".

    [Diagram: User at his desktop, Windows Login application, Application at the cellular provider, User's cell phone 914-588-9992. Step 1: "Please input token using your cell phone"; "Reply once 914-588-9992 inputs 6036".]

  • Slide 32/35: Once the employee enters the one-time token the strong authentication is completed

    [Diagram: Banking Application, User's cell phone 914-588-9992, Application at the cellular provider; steps 2, 3 and 4. This could be implemented as a TAMES Adapter.]

    As instructed, the user dials *88 (+ send/call) and then 6036.

    Immediately, the application at the cell provider detects that there is a match for one of the requests it received and sends a reply back to the bank.

    The Bank knows the employee is in possession of his very own cell phone. The strong authentication has completed and the user is allowed into the Bank's corporate network.

  • Slide 33/35: The customer has already entered his userid and password and will now perform an operation that requires step-up/strong authentication (similar to the first scenario but using an IVR)

    In this example the Banking Application generates a four-digit pseudo-random, one-time token: 6036. The application waits for the IVR to send the cell phone number and the token entered.

    The message at the customer's browser reads: "Dear customer, please use your cell phone to dial *myBank (*CITI) and immediately after input this one-time token: 6036". The Bank subcontracts a service with the 3 major carriers where *myBank routes a message to the Bank passing on the number that dialed the service and the one-time password input.

    When the application receives from the IVR that 914-588-9992 has input token 6036, it detects a match and the strong authentication is completed.

    [Diagram: Customer's Browser, Banking Application, IVR programmed at the cell provider, User's cell phone 914-588-9992. Step 1: "Please input token using your cell phone".]

    Once 914-588-9992 inputs 6036 an SSL message is sent to the Bank that has the IVR service subcontracted.

    This approach could be more appealing to large banks and organizations that can afford to subcontract an IVR service with each major wireless provider.

  • Slide 35/35: Questions?