CertAnon
The feasibility of an anonymous WAN authentication service
Red Group, CS410, March 1, 2007

Our Team
3/1/2007 Red Group 2

Threatening News
• 1/5/2007: In an Instant, Retirement Savings Vanish
• 2/15/2007: Online Identity Stolen
• 2/20/2007: Phishers Targeting MySpace
• 2/23/2007: Free Wi-Fi Scam Hitting Airports
• 2/26/2007: Trojan Horse Designed to Steal Usernames and Passwords

How About You?
• How many online accounts do you have?
• How many passwords do you have to remember?
• How do you manage them?

The Problem
• Single-factor password authentication is easily compromised and endangers the security of online accounts.
  – The username/password paradigm is insecure [1]
  – Managing multiple strong passwords is difficult for individuals
  – Fraudulent online account access is increasing
1. http://www.schneier.com/crypto-gram-0503.html#2

The Endangered Password
• More online accounts = more passwords
• Password complexity is limited by the human factor: people pick what they can remember [2]
• The technology factor works against the user: phishing sites and password-stealing trojans capture whatever is typed
• A password is trivially copied and passed on
• Once compromised, a password is no longer effective for authentication
2. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html

Going Phishing
• Phishing sites are on the rise [3]
• Over 7 million phishing attempts per day
3. Anti-Phishing Working Group - http://www.antiphishing.org/

CertAnon - A New Proposal
• Anonymous WAN authentication service
  – Used for any and all online accounts
  – Strong two-factor authentication
  – Limited information sharing
• Partner with online businesses
• Initial customers are Internet users

Goal and Objectives
• Build a WAN authentication service that permits customers to securely access all of their online accounts using a single access method
  – Build our website
  – Write software modules for partner sites
  – Develop a testing portal
  – Install authentication servers
  – Distribute tokens
  – Beta-testing, then go live!

What Would It Look Like?
[Illustration shown as a figure]

Two-factor Authentication [4]
• Something you know
  – A single PIN
• Plus something you have
  – Hardware token generating pseudorandom numbers
• Effectively changes your password every 60 seconds
4. RSA - http://www.rsasecurity.com/node.asp?id=1156

What Would It Look Like? (walkthrough)
4. Bob goes to E*Trade's website to sign in. His E*Trade username is TraderBob, so he types that as usual.
   Username: TraderBob
   He looks at the code on his token display and types his PIN followed by the token code in the Password field.
   Password: 1a2b3c234836
5. And now he's in his E*Trade account!
6. One minute later, he jumps to the Yahoo! mail page to check e-mail. His Yahoo! username is SpamBob, so he types that as usual.
   Username: SpamBob
   He looks at the code on his token display and types his PIN followed by the token code in the Password field.
   Password: 1a2b3c184675
7. And now he's in his Yahoo! account!
   The PIN (1a2b3c) is the same both times; only the six-digit token code (234836, then 184675) has changed, because a minute has passed.

Token Setup Process
[Flowchart, rendered as steps]
1. Buy a CertAnon token.
2. Visit the CertAnon website.
3. Enter the token serial number and two consecutive token codes.
4. Valid serial number and token codes?
   – No: on the 3rd bad attempt, CertAnon support intervenes; otherwise return to step 3.
   – Yes: create a CertAnon username and PIN.
5. Set up security questions/answers.
6. Log out of the CertAnon account.

Account Setup Process
[Flowchart, rendered as steps. Color scheme of the original: Red - 3rd-party account process; Blue - CertAnon process; Green - interaction between them]
1. Open an online account and create a username (or start from an existing account).
2. Use CertAnon for authentication? If no, create an ordinary account password and stop.
3. Does the domain support CertAnon? If no, create an ordinary account password and stop.
4. Choose a temporary password for the new account, or change the password of the existing online account to a temporary one.
5. Log into the CertAnon website with the CertAnon username and passcode (PIN + token code); on the 3rd bad attempt, CertAnon support intervenes.
6. Add the online account's username and domain to the CertAnon account.
7. CertAnon performs an automated login to the account using the temporary password to verify ownership.
   – Unsuccessful login: on the 3rd bad attempt, CertAnon support intervenes; otherwise retry.
   – Successful login: the temporary password is cancelled.
8. Return to the account website and authenticate with the CertAnon passcode.

Who is Our Customer?
• Individual Internet user
  – Purchases a CertAnon token for a one-time fee of $50
• Obtaining a critical mass of customers makes CertAnon a must-have for online vendors
  – Could give leverage to charge vendors in the future

About the Customer
[Bar chart, 0–70%: share of consumers vs. professionals who bank online, make travel reservations, shop and communicate online, and who have 6–15 or over 15 passwords; sources 5–8]
5. Internet World Stats - http://www.internetworldstats.com/stats2.htm
6. Clickz.com - http://www.clickz.com/showPage.html?page=3481976#table
7. Clickz.com - http://www.clickz.com/showPage.html?page=3587781#table2
8. RSA Security Password Management Survey - http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf

Why Will The Customer Care?
• Reduce or eliminate the need for multiple passwords
• Avoid password theft and unauthorized account access
• No information stored on a card that can be lost
• No password database at the partner site to be hacked

What's in it for a business?
• It's free
• No need to implement a costly proprietary solution
• Improves the security of the customer base by moving more people away from passwords
• Snaps into existing infrastructure with minimal development
• Customers who don't switch are unaffected

Competition Matrix
[Shown as a figure]

Cons
• Still not perfectly secure
  – Two-factor authentication does not defeat man-in-the-middle phishing or trojans that hijack an authenticated session (Schneier, "Failure of Two-Factor Authentication")
• Token trouble
  – Forgotten
  – Broken
  – Lost or stolen
• Inadequate for sight-impaired users

Risks & Mitigation
[Scatter plot of Impact vs. Probability, each on a 1 (low) to 5 (high) scale; the seven risks are listed below]
#  Risk                              Mitigation
1  Trust                             Beta-testing
2  Customer understanding            Tutorials on website
3  Reliance on token sales revenue   Encourage early partner-site adoption
4  Viable alternatives               Single-source two-factor
5  Token loss                        Provide temporary password access
6  Token availability                Offer online and through retail outlets
7  Government vs. anonymity          Follow the lead of encryption products

Costs & Revenue
Servers                                   $16,000
RSA training                              $1,600
1.5 developers (3 yr)                     $600,000
Server/application admin (3 yr)           $414,000
Co-location and access costs (3 yr)       $144,000
RSA Authentication Manager (3 yr)*        $3,600,000
Tokens* and packaging @ $30               $30,000,000
Total*                                    $34,775,600
Revenue*                                  $50,000,000
* Based on sales of one million tokens

Conclusion
• Available, affordable, and proven technology
• Targets a large and growing market
• Benefits consumers and online businesses
• Manageable project scope, scalable product

References
• "Failure of Two-Factor Authentication." Schneier on Security. 12 Jul. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/07/failure_of_twof.html>.
• "Internet Penetration and Impact." Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
• "Internet Statistics Compendium - Sample." E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.econsultancy.com/publications/download/91130/internet-statscompendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
• "Internet World Stats." Internet World Stats. 11 Jan. 2007. Internet World Stats. 15 Feb. 2007 <http://www.internetworldstats.com/stats2.htm>.
• "Online Banking Increased 47% since 2002." ClickZ Stats. 9 Feb. 2007. The ClickZ Network. 15 Feb. 2007 <http://www.clickz.com/showPage.html?page=3481976#table>.

References (cont.)
• "Phishing Activity Trends: Report for the Month of November, 2006." Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
• "Real-World Passwords." Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
• "RSA SecurID Authentication." RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
• "RSA Security Password Management Survey." RSA Security. Sep. 2006. RSA Security, Inc. 15 Feb. 2007 <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf>.
• "Rural America Slow to Adopt Broadband." ClickZ Stats. 27 Feb. 2007. The ClickZ Network. 28 Feb. 2007 <http://www.clickz.com/showPage.html?page=3587781#table2>.
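Appendix: worked model of the passcode flow. The deck describes three checks but shows no code: the login walkthrough (Bob types PIN + current token code as his password), the token setup step (serial number plus two consecutive token codes), and the "3rd bad attempt" hand-off to support. The block below is an added example written for this page; it is not the Red Group's code and not any RSA product. Assumptions, labeled in the code as well: the token code is an HMAC-SHA1 truncation in the style of RFC 4226/6238 standing in for the proprietary SecurID algorithm (only the 60-second cadence and the six-digit code length come from the slides); the partner site forwards the typed passcode and learns only a yes/no; a one-step clock-drift window and a one-time-use rule are added so that a passcode captured by a keylogger or phishing page cannot be replayed within its 60-second window. The seed, serial number, timestamps and account names are constructed sample data.

```python
"""Worked model of the CertAnon passcode flow (added example, not the project's code)."""
import hashlib
import hmac
import os
import struct

STEP = 60           # the token code rolls over every 60 seconds (slide 10)
DIGITS = 6          # code length taken from the slide-12 sample passcode 1a2b3c + 234836
DRIFT_STEPS = 1     # assumption: tolerate one step of token clock drift either way
MAX_FAILURES = 3    # third bad attempt -> locked pending support intervention (slides 13/14)


def token_code(seed: bytes, step: int) -> str:
    """Code the token would display for time step `step`.

    Assumption: an HMAC-SHA1 truncation in the style of RFC 4226/6238 stands in
    for the proprietary RSA SecurID algorithm; only the 60-second cadence and
    six-digit length come from the slides.
    """
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 10 ** DIGITS:0{DIGITS}d}"


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())


def _pin_hash(salt: bytes, pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class CertAnonServer:
    """Holds token seeds and PIN hashes; a partner site only ever learns yes/no."""

    def __init__(self):
        self.tokens = {}    # serial -> seed, loaded when the token is manufactured
        self.accounts = {}  # CertAnon username -> serial, salt, pin_hash, last_step, failures
        self.links = {}     # (domain, site username) -> CertAnon username

    def provision_token(self, serial: str, seed: bytes) -> None:
        self.tokens[serial] = seed

    def enroll(self, serial, code1, code2, now, username, pin) -> bool:
        """Token setup (slide 13): serial plus two consecutive codes proves possession."""
        seed = self.tokens.get(serial)
        if seed is None or username in self.accounts:
            return False
        step = now // STEP
        for s in range(step - DRIFT_STEPS - 1, step + DRIFT_STEPS + 1):
            if _same(token_code(seed, s), code1) and _same(token_code(seed, s + 1), code2):
                salt = os.urandom(16)
                self.accounts[username] = {"serial": serial, "salt": salt,
                                           "pin_hash": _pin_hash(salt, pin),
                                           "last_step": s + 1, "failures": 0}
                return True
        return False

    def link_account(self, username, domain, site_username) -> None:
        """Account setup (slide 14): this site login now authenticates via CertAnon."""
        self.links[(domain, site_username)] = username

    def authenticate(self, domain, site_username, passcode, now) -> bool:
        """Partner-site check of passcode = PIN + current token code (slide 12)."""
        acct = self.accounts.get(self.links.get((domain, site_username)))
        if acct is None or acct["failures"] >= MAX_FAILURES or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(_pin_hash(acct["salt"], pin), acct["pin_hash"])
        seed = self.tokens[acct["serial"]]
        step = now // STEP
        used = None
        for s in range(step - DRIFT_STEPS, step + DRIFT_STEPS + 1):
            # one-time use: the step must be later than the last one already consumed
            if s > acct["last_step"] and _same(token_code(seed, s), code):
                used = s
                break
        if not pin_ok or used is None:
            acct["failures"] += 1
            return False
        acct["last_step"], acct["failures"] = used, 0
        return True


def demo() -> dict:
    """Replays slide 12 against constructed sample data and a constructed clock."""
    srv = CertAnonServer()
    seed = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed seed
    srv.provision_token("SN-0001", seed)
    t0 = 1172707200                       # 2007-03-01 00:00 UTC, constructed
    s0 = t0 // STEP
    r = {}
    r["enroll"] = srv.enroll("SN-0001", token_code(seed, s0 - 1),
                             token_code(seed, s0), t0, "bob", "1a2b3c")
    srv.link_account("bob", "etrade.com", "TraderBob")
    srv.link_account("bob", "yahoo.com", "SpamBob")
    r["etrade"] = srv.authenticate("etrade.com", "TraderBob",
                                   "1a2b3c" + token_code(seed, s0 + 1), t0 + 60)
    r["replay"] = srv.authenticate("etrade.com", "TraderBob",      # same code, 30 s later
                                   "1a2b3c" + token_code(seed, s0 + 1), t0 + 90)
    r["yahoo"] = srv.authenticate("yahoo.com", "SpamBob",
                                  "1a2b3c" + token_code(seed, s0 + 2), t0 + 120)
    r["unlinked"] = srv.authenticate("example.com", "Nobody",
                                     "1a2b3c" + token_code(seed, s0 + 3), t0 + 180)
    for k in range(MAX_FAILURES):         # three bad PINs lock the account
        srv.authenticate("etrade.com", "TraderBob",
                         "wrong" + token_code(seed, s0 + 4 + k), t0 + 240 + 60 * k)
    r["locked"] = srv.authenticate("etrade.com", "TraderBob",
                                   "1a2b3c" + token_code(seed, s0 + 7), t0 + 420)
    return r


if __name__ == "__main__":
    print(demo())
```

The `last_step` bookkeeping is what gives the deck's "changes your password every 60 seconds" claim its teeth: without it, a passcode captured by the trojan or phishing page on the "Threatening News" slide stays valid until the code rolls over, and with a drift window of one step it could be accepted for up to two minutes. Storing only a salted PIN hash and the token seed also keeps the CertAnon server itself from becoming the password database that the "Why Will The Customer Care?" slide promises to eliminate at the partner site, though the seed store remains a high-value target and would sit in a hardware security module in a real deployment.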