Giesecke & Devrient
Presentation
OASIS – Identity Management Conference
DC, Sept 27th 2010
Giesecke & Devrient ―
From Printing Paper Securities to Providing High-Tech Solutions

[Timeline figure with milestones 1852, 1964, 1977 and 2007; business areas shown: Banknote and security printing; Banknote and security paper; Banknote processing; Cards for payment and telecommunications; Government solutions; Security solutions]
…Stepping into the shoes of an evangelist
Thorsten Roeske
(Head of Products & Marketing for Giesecke & Devrient’s eIDentity Business Unit)

- For two decades security experts have been persuading us that a move away from passwords, in favor of multifactor authentication technologies, will bring the necessary level of security for online systems.
- This paradigm may have held for typical attacks, but in recent years a close look at active attack vectors (exploited by malware like ZEUS), together with visible trends in malware development, calls their true effectiveness into question.
- This presentation will highlight why hardware technology alone fails to provide identity assurance in today’s threat and attack environment.
What You Know - What You Have - What You Are
The Role of Hardware Technologies to Provide Identity Assurance

What is the best role for hardware-based authentication solutions (such as smart cards, smart phones, RFID devices and other hardware tokens) in identity management systems? How scalable are they, what deployments today have been successful, and what does the future hold for their use?
Changing Attack Vectors

[Figure, built up over three slides: man-in-the-PC, man-in-the-middle, man-in-the-browser]

Emerging Attack Example – It’s real…

… very real….

[Bar chart, scale 0–5; categories: eBanking Server, Connection to Server, User's PC, User's Browser; series: Password, OTP Token, SmartCards]
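The chart above makes the deck's central point: a password, OTP token or smart card proves who is at the keyboard, not what the browser actually sends. The following is an added illustration, not code from the deck or from G&D: a toy token, server and browser, with HMAC-SHA256 over a constructed seed standing in for the token's real algorithm. It contrasts a plain OTP check with a code that also covers the transaction the user confirmed on a display the browser cannot alter (one way a trusted UI can be used; the deck itself does not describe this mechanism).

```python
import hashlib
import hmac
import json

# Constructed shared secret between token and bank server (demo only).
TOKEN_SEED = b"constructed-demo-seed"


def canonical(txn: dict) -> bytes:
    """Stable byte encoding so token and server hash identical data."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def six_digits(mac: bytes) -> str:
    """Truncate a MAC to a 6-digit code as OTP tokens display it."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def otp_plain(seed: bytes, counter: int) -> str:
    """Event-based OTP: depends only on the counter, never on a transaction."""
    return six_digits(hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def otp_bound(seed: bytes, counter: int, txn: dict) -> str:
    """Code that also covers the transaction shown on the trusted display."""
    msg = counter.to_bytes(8, "big") + canonical(txn)
    return six_digits(hmac.new(seed, msg, hashlib.sha256).digest())


def mitb_rewrite(txn: dict) -> dict:
    """Model of a man-in-the-browser: the request leaves the PC altered,
    while the user's screen still showed the original details."""
    altered = dict(txn)
    altered["to"] = "CONSTRUCTED-MULE-ACCOUNT"
    altered["amount"] = 9500.00
    return altered


def server_accepts(received: dict, code: str, counter: int, bound: bool) -> bool:
    """Server-side verification; compare_digest avoids timing leaks."""
    expected = otp_bound(TOKEN_SEED, counter, received) if bound else otp_plain(TOKEN_SEED, counter)
    return hmac.compare_digest(expected, code)


def run_scenario(bound: bool) -> bool:
    """True if the server accepts a transaction rewritten in the browser."""
    approved = {"to": "CONSTRUCTED-PAYEE", "amount": 50.00, "currency": "EUR"}
    counter = 42
    # The user reads `approved` on the trusted display and types the code.
    code = otp_bound(TOKEN_SEED, counter, approved) if bound else otp_plain(TOKEN_SEED, counter)
    return server_accepts(mitb_rewrite(approved), code, counter, bound)
```

With the plain OTP the altered transfer is accepted, because the code says nothing about the transaction; with the bound code the same tampering is rejected, which is the gap a trusted UI is meant to close.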
The nature of online Fraud

Ross Anderson, Prof. Security Engineering, Computer Labs, University of Cambridge:

"Computer criminals differ from ordinary criminals in that they're more rational. The bulk of street crime is done by disadvantaged young men, often illiterate and with drug or alcohol problems. The bulk of e-crime is done by technically sophisticated people… So while preventing normal crime is about sociology, preventing online crime is about economics. Malware writers are rational, as are botnet herders…."

…..preventing online crime is about economics!

[Chart running from LOW HACKING ROI (>$100k) to HIGH HACKING ROI (<$2k); labelled example: Standard Browser (e.g. Firefox) with 2-Factor Authentication like OTP, SMART CARD or EMV Card]
[The bar chart from the "very real" slide is repeated (eBanking Server, Connection to Server, User's PC, User's Browser; Password, OTP Token, SmartCards; scale 0–5), now annotated "Highest ROI"]
The nature of online Fraud

[Diagram of the browser attack surface. Component labels: USER INTERFACE (DISPLAY, SCREEN, KEYBOARD, MOUSE), EXTENSIONS, PLUGINS (ACTIVE X, JAVA, FLASH, PDF), RENDERING ENGINE, LAYOUT, HTML, XML, DOM, JAVA SCRIPT, BROWSER KERNEL, SSL/TLS, NETWORK, DATA (COOKIES, CACHE, HISTORY, BOOKMARKS, SESSION, PWD MGR, PWDS, EXT. CERT STORE, BROW-CERT STORE, USER DATA, MDW). Attack labels placed on them: INFACE-MAN, SCREEN-C, KEY-LOG, MOUSE-LOG, APP-STEER, SPOOF, COMP-MAN, MEM-PATCH, MEM-DUMP, BROW-CERT, DATA SNIFF, REV-ENG, CODE-INJ, DOM-MANIPU, CH-BREAK, BUFFOVFLW, BROW-SSL, BROW-DNS, SCRIPT]

Robert G. Ferrell, Information Systems Security Specialist, U.S.A. Dept. of Defense:
"….. Far more relevant to security are the browser clients a consumer is using irrespective of the operating system or hardware platform. Even more critical from a safety standpoint is the level of security awareness exhibited by that consumer. If you haphazardly visit every Web link …sooner or later you're going to get nailed. Period."

Attacks focusing on the OS and/or the Browser provide the greatest return on investment (for the bad guys!)
Examples of MITPC and MITB Current Attacks:

APP-STEER = Application Steering
BROW-CERT = Browser Certificate Store Compromise
BROW-DNS = Browser DNS Library Compromise
BROW-SSL = Browser SSL Library Compromise
CERT-SPOOF = Certificate Spoofing
CH-BREAK = Channel Breaking
CODE-INJ = Code Injection
DNS-SPOOF = DNS Spoofing/Poisoning
DOM-CAPTCH = DOM Data Capturing/Patching
HFILE-MAN = Hosts File Manipulation
INFACE-MAN = Interface Manipulation
IP-RROUTE = IP Rerouting
KEY-LOG = Keystroke Logging
MOUSE-LOG = Mouse Event Logging
MEM-DUMP = Memory Dumping
MEM-PATCH = Memory Patching
OS-CERT = OS Certificate Store Compromise
OS-DNS = OS DNS Library Compromise
OS-SSL = OS SSL Library Compromise
REV-ENG = Reverse Engineering
SCREEN-C = Screen Capturing
SCRIPT = Script Injection
SOC-ENG = Social Engineering
DATA-SNIFF = User Data Sniffing
WIND-OVER = Window Overlay
Versatile Authentication Methods – The Reality Today

[Chart plotting Barrier to Entry / Complexity against Assurance Strength; methods shown: Biometrics (Biological), Biometrics (Behavioral), Smart Card (PKI), OTP Token / EMV, Soft Token, Out-of-Band Authentication, Knowledge-Based Authentication, Adaptive Authentication, Lightweight OTP, Advanced Password, Password]
Versatile Authentication Methods – With Hardened Browser

[The same chart (Barrier to Entry / Complexity against Assurance Strength) with the same methods, this time positioned for use together with a hardened browser]
Addressing the Weakest Link: The Browser

- A hardened Web browser protecting the user against new attack vectors by
  - using code OBFUSCATION
  - POLYMORPHIC and VIRTUALIZATION techniques
  - PERIODIC UPDATES of the executable code (confuses hackers, forcing them to renew their efforts when developing code to attack the hardened application)
- No installation or special rights required of the user
- Optimized for online transactions
- Easy integration into application servers at the back end (such as eBanking portals)
- Operates without changes to existing IT infrastructure
- Constant updates to mitigate the ever-increasing attack landscape
What You Know - What You Have - What You Are
The Role of Hardware Technologies to Provide Identity Assurance

- Indications are that the use of traditional HW technology continues to increase
- Used in combination with a Trusted UI (such as a Hardened Browser), HW technology plays a key role in user authentication
- New B2C markets are looking to embrace HW technology for strong authentication
- …but the ecosystem is evolving
Looking Forward - Vendors are paying close attention...

- A Trusted Execution Environment (TEE) can be utilized in parallel to any rich OS in the mobile device (incl. netbooks and tablets)
- TEEs can be considered as “virtual smart cards” deeply embedded in the mobile device
- TEE applications, so-called Trustlets, execute security-critical processes in an isolated processing space on the controller
- TEEs can integrate with other security technologies such as SIM cards and/or Secure MicroSD cards
- Applications and credentials can be securely provisioned over the air (OTA)

[Figure label: Application Processor]

“Creating Confidence”
Thank You!!