Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Presentation

advertisement 
ITU Workshop on “ICT Security Standardization
for Developing Countries”
(Geneva, Switzerland, 15-16 September 2014)
Step-up authentication a key enabler
of mobile on-line trust
Progress report of ITU-T and OASIS Trust Elevation work
Abbie Barbir Ph.D.,
Chair OASIS Trust Elevation TC
abarbir@live.ca
Geneva, Switzerland, 15-16 September 2014
Mobile Authentication
Talk/slides represents findings From OASIS and ITU work
Mobile going main stream
•
Adoption of mobile devices for business is on the rise
Organizations are rushing to mobile their applications
•
Mobile devices are used for providing authentication to applications
•
•
Threats to Mobile
•
•
•
•
•
•
•
•
Data exposure from lost, stolen, or returned devices
Mobile malware / Zero day attacks
Security risks from 3rd party applications
OS vulnerabilities
Network exposure (Wifi, NFC etc..)
App stores issues
Immature tools and debugging s/w
Mobile Authentication
•
Contextual based Authentication is emerging
Adoption of cloud based services continuous to grow
Biometric Authentication is on the rise
•
Using the device as a token
•
•
Geneva, Switzerland, 15-16 September 2014
2
Trends of Mobile Authentication
Emerging Needs and Capabilities
• Support of context based access
• Fine(r) access control
• Map user (including device) identity and (may be
per app) authentication credentials to SLA
• Need to understand and compare user behavior
across many devices
• Ability to categorize user access to different devices
• Be able to set access control based on degrees of
validated device identity
• Fine grain endpoint IdM
• Ability to identify, terminate and restrict access
per application/device and other factors.
Geneva, Switzerland, 15-16 September 2014
3
Challenges of Mobile Authentication
User
experience
Device
Profile
Authentication
Convenience
User
Behaviour
Profile
Risk based
polices
Possible
Fraud
Results
Risk
Analysis
Pass
Fail
Mobile App Considerations
•
Application architecture
•
Offline vs. online access
•
Storage of information on device
•
Various mobile OS
•
Device ownership: BYOD or Corp Liable
•
Challenges to SSO on Mobile
•
No standardized SSO
•
Native Mobile apps vs. Web
•
Better user experience
•
Leverage local device capabilities
•
SaaS vendor-provided apps
authenticate to SaaS backend
systems
•
Web App
•
Browsers lack access to native
device E.g. Camera,
•
Browsers tend to be
underpowered UI for small form
factor devices
Verify
Perform
Step up AuthN
Mobile app security challenges:
• Broader coverage beyond VPN needed
• Check for malicious behavior and threats
at app layer
• Continuous data monitoring and auth
OASIS Trust ElevationTC
• Defining a set of standardized protocols to elevate
trust in an electronic identity
Trust Elevation
Increasing the trust a relying party has that the online entity
accessing its resources is the (person or device) it claims to be
Reducing the risk that a relying party assumes that the online
entity accessing its resources is not the person or device it
claims to be
TC Deliverables
Deliverable One: Collect current and imminent trust elevation
methods
Deliverable Two: Analysis of collected methods
Deliverable Three: General principles and techniques to
elevate trust in a transaction
Deliverable Four: Trust Elevation Protocol and Markup
Language
Authentication Categories
• Physical Biometric
•
Browsing patterns
• immutable and unique
•
Time of access
what
•
Facial
recognition
•
Type of device
Who You
you
Trust
elevation
(step-up
Authentication):
•
Iris
Scan/Retinal
Scan
•
Used in Combination
Are
Do
•
Fingerprint
Palm
Scan/Voice
withfrom
other the
methods
•Biometric
Increasing the strength of trust (Auth) by adding factors
• Liveliness biometric factors
same
or different
categories
trust authentication
elevation methods
don’t
include:to
Pulse.
• It
is a big
mistake
assume thatofstrong
alwaysthat
result
when
•
CAPTCHA;
etc
share themultiple
same vulnerabilities
combining
authentication
attributes/factors.
• Location; Time of
• Behavioral
Biometric
•• Only
There
are
five
categories
of
trust
elevation
methods
access;
by combining
of different kinds (that is, different
factors) with
• based onattributes
person’s physical
behavioural
activity
patterns
• who(non-overlapping)
you are (biometrics,
attributes),
Subscriber identity
different
sets ofbehavioral
vulnerabilities
is there •a significant
increase
•
Keyboard
signature
module
(SIM)
•
what
you
know
(shared
secrets,
public
and
relationship
in resistance to
• attack
Voice and, thus, in authentication strength
• Frequency of access;
knowledge),
Context
what
• you
User
Name(devices,
and Password
• Source and endpoint
•
what
have
tokens
(UN/PW), A passphrase,
a PIN - hard, soft, OTP),
you
attributes
• what• you
typically
docombinations
(described by ITU-T x1254,identity
behavioral
Very
often used
know
with KBA
habits that
are methods.
independent of physical biometric attributes)a nd
• Knowledge Based
• the context
(location,
time, party, prior relationship, social
Authentication
(KBA)
Mostly used to provide
•
Static/Dynamic
relationship
and source).KBA
Secondary Attributes
• Elevation• can
be
within
the
classic
four
X.1254
ITU-T LoA
One Time Password (OTP)
what
• Smart card
you
• X.509 and PKI
• Rarely used alone
have
• Used in combination with
UN/PW and a PIN
6
Mobile Application Threat Model
External Services
(Can be Malicious)
Malicious user
bypassing Mobile
client
Mobile Device
Local App Storage
Local Key Chain
Mobile
App
User
Can be
Malicious
Malicious
Mobile App
Device
File System
Enterprise
Server and
Services
Spoofing Users to the Mobile App
•
Borrowed/Stolen Device
•
Other Malicious Application
Spoofing: Web Services to Mobile App
•
Borrowed Device
•
Other Malicious App
Tampering: Mobile App
•
Borrowed/Stolen Device
•
Other Malicious Application
Disclosure: Device Data Stores or Residual Data
•
Borrowed/Stolen Device
•
Malicious App Functionality
Attacks from Mobile Web Services
•
Disclosure: Mobile App to Web Service
•
Attacks from Local Network
Other Malicious App
•
Denial of Service: Mobile App
•
Elevation of Privilege: Mobile App or WS
Tackling mobile security risks
Device
•
•
•
•
Centric
MDM
Device Policy
Data Encryption
Containers
Data Centric
• Limit Data on
Device
• Traffic Encryption
• Virtualization
Application Centric
• Server Side
protection
• Development
• App Store
• Platforms
Balancing act between risk and convenience
Trust Elevation Core Model
User Accesses
Online
Resource with
identity
and/or
attribute data
(may consist
of credential)
Resource
Assesses
Trustworthiness
of Asserted
Identity
According to
Policy
Resource
Determines
Insufficient
Trustworthin
ess
rejection
Resource Engages PreviouslyDetermined Trust Elevation
Process
access resource for
the transaction
reapplication of yet
another trust elevation
cycle
9
4th Deliverable “TE” Protocol and Markup Language
What we considered so far?
•
OAuth, OpenID Connect, UMA, OATH, SAML
What we found

OAuth, OpenID and UMA are services that manage
authorization. These services may utilize Trust Elevation
before or after executing their service.

SAML can Support Step UP also

OATH is an open framework for strong authentication;
primarily focused on device credential and authentication
interfaces. It does not have a standard format for trust
elevation (or am I missing something?)
What we proposed
 Would support existing authentication and authorization
specification but will remain independent of them.
 Would ensure existing identity assertion frameworks are
supported
 Would be in XML and JSON formats
Trust Elevation Sequence
OASIS Trust Elevation Story
1. End-User accesses online resource using a device with an asserted identity
and/or attributes.
2. Device sends End-User’s identity and/or attribute data to Relying Party (RP)
3. RP requests an Identity Provider (IdP) to assess the asserted identity.
4. RP validates each and every asserted attributes, if they are available, using an
Attribute Provider (AP). The AP could be independent, part of RP or part of a
third party. RP may involve multiple APs in a single transaction to validate
various attributes.
5. RP engages LoA Assessor (LA) to assess LoA for the verified identity and/or
attributes strength.
6. RP determines if the asserted identity and attributes offer sufficient
trustworthiness. For sufficient trustworthiness, present the resource [13, 14].
For insufficient trustworthiness, follow Trust Elevation steps [7 - 12]. If there is
no opportunity to elevate trust, then reject the request [13, 14]
7. RP engages Trust-Elevation Method Determiner (MD) to determine the best
possible type of method be used for Trust Elevation. The MD is a repository of
predetermined Trust Elevation methods for transactions involving various
combinations of type of devices, RPs, IdPs, APs and LAs. The MD could be
independent, part of RP or part of a third party.
8. RP, based on feedback from MD, requests valid authentication factors through
the device. The device could provide factors with/without End-User
Intervention.
Trust Elevation Sequence - Story
9. RP requests an Identity Provider (IdP) to assess the asserted
identity.
10. RP validates each and every asserted attributes, if they are
available, using an Attribute Provider (AP). The AP could be
independent, part of RP or part of a third party. RP may
involve multiple APs in a single transaction to validate
various attributes.
11. RP engages LoA Assessor (LA) to assess LoA for the verified
identity and/or attributes strength.
12. RP determines if the asserted identity and attributes offer
sufficient trustworthiness. For sufficient trustworthiness,
present the resource . For insufficient trustworthiness, follow
Trust Elevation steps If there is no opportunity to elevate
trust, then reject the request
13. RP presents information to device
14. Device present information to End-User
Conclusions and Recommendations
Step up Authentication will play a critical role in mobile space
OASIS and ITU are working to Create a generalizable framework
for implementing non-credential-based, online authentication
best practices based on current and near-future implementations
Expands and extends options for multi-factor authentication
implementations
Mobility
It is all about App security
Application fine grain Auth N/Z for one or more Apps
Move from static to continuous Auth
Fine grain policy enforcement
Cloud … Cloud ….Cloud
Challenging but in progress
More opportunities for simplification and innovation
Geneva, Switzerland, 15-16 September 2014
14
Related documents
Big Brain Quiz
Big Brain Quiz
CS 2813 - Loyola College
CS 2813 - Loyola College
Name: : : World Geography Unit 5: Atlas Activity Pg. 382 & 383
Name: : : World Geography Unit 5: Atlas Activity Pg. 382 & 383
poster_Lets_go. - TU Delft Institutional Repository
poster_Lets_go. - TU Delft Institutional Repository
CCNA Security - Skill Exam 2012
CCNA Security - Skill Exam 2012
Chapter 11 HW
Chapter 11 HW
What are different types of maps and how are they used?
What are different types of maps and how are they used?
Topographic Map Skills Practice Sheet
Topographic Map Skills Practice Sheet
Download
advertisement