CertAnon
The feasibility of an anonymous WAN authentication service
Red Group
CS410
March 1, 2007
Our Team
3/1/2007
Red Group
2
Threatening News
• 1/5/2007: In an Instant, Retirement Savings Vanish
• 2/15/2007: Online Identity Stolen
• 2/20/2007: Phishers Targeting MySpace
• 2/23/2007: Free Wi-Fi scam hitting airports
• 2/26/2007: Trojan Horse Designed to Steal Usernames and Passwords
How About You?
• How many online accounts do you have?
• How many passwords do you have to remember?
• How do you manage them?
The Problem
• Single-factor password authentication is easily compromised and endangers the security of online accounts.
– Username/Password paradigm is insecure [1]
– Management of multiple strong passwords is difficult for individuals
– Fraudulent online account access is increasing
1. http://www.schneier.com/crypto-gram-0503.html#2
The Endangered Password
• More online accounts = more passwords
• Complexity of passwords is limited by the human factor [2]
• Vulnerability is enhanced by the technology factor
• Dissemination is too easy
• Once compromised, a password is no longer effective for authentication
2. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
Going Phishing
• Phishing sites are on the rise [3]
• Over 7 million phishing attempts per day
3. Anti-Phishing Working Group - http://www.antiphishing.org/
CertAnon - A New Proposal
• Anonymous WAN authentication service
– Used for any and all online accounts
– Strong two-factor authentication
– Limited information sharing
• Partner with online businesses
• Initial customers are Internet users
Goal and Objectives
• Build a WAN authentication service that permits customers to securely access all of their online accounts using a single access method
– Build our website
– Write software modules for partner sites
– Develop testing portal
– Install authentication servers
– Distribute tokens
– Beta-testing, then go live!
What Would It Look Like?
Two-factor Authentication [4]
• Something you know
– A single PIN
• Plus something you have
– Hardware token generating pseudorandom numbers
• Effectively changes your password every 60 seconds
4. RSA - http://www.rsasecurity.com/node.asp?id=1156
4. Bob goes to E*Trade's website to sign in.
   Username: TraderBob (his E*Trade username is TraderBob, so he types that as usual)
   Password: 1a2b3c234836 (he looks at the code on his token display, then types his PIN and that token code in the Password field)
5. And now he's in his E*Trade account!
6. One minute later, he jumps to the Yahoo! mail page to check e-mail.
   Username: SpamBob (his Yahoo! username is SpamBob, so he types that as usual)
   Password: 1a2b3c184675 (he looks at the code on his token display, then types his PIN and that token code in the Password field)
7. And now he's in his Yahoo! account!
Token Setup Process
(Flowchart recovered from the slide)
• Buy CertAnon token
• Visit CertAnon website
• Enter token serial number and two consecutive token codes
• Valid serial number and token codes?
– Yes: Create CertAnon username and PIN, set up security questions/answers, then log out of CertAnon account
– No: 3rd bad attempt? If No, re-enter; if Yes, CertAnon support intervention
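Server-side handling of the passcode from the walkthrough above (PIN followed by the six-digit token code) together with the setup rule just described (serial number plus two consecutive codes, escalation on the third bad attempt). This is an added illustration, not the project's code and not RSA SecurID's algorithm: the hardware token is stood in for by a 60-second-stepped HMAC over a seed, the serial number and seed are constructed, and the replay check and one-step clock tolerance are choices made here.

```python
import hashlib, hmac, struct

TOKEN_STEP = 60  # the slide says the token code changes every 60 seconds
SEEDS = {"000123456789": b"constructed-demo-seed"}  # constructed: serial number -> token seed

def token_code(seed: bytes, step: int, digits: int = 6) -> str:
    # Stand-in for the hardware token (assumption, not RSA's algorithm): HMAC over the
    # 60-second step counter, truncated to six decimal digits like the codes on the slide.
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    return str(int.from_bytes(mac[-4:], "big") % 10 ** digits).zfill(digits)

class CertAnonVerifier:
    def __init__(self, token_seeds: dict):
        self.seeds = token_seeds   # serial number -> seed loaded into that token
        self.accounts = {}         # CertAnon username -> (serial, PIN)
        self.failures = {}         # username -> consecutive bad attempts
        self.last_step = {}        # username -> last step whose code was accepted

    def register(self, serial, code1, code2, username, pin, now) -> bool:
        # Setup slide: serial number plus two consecutive codes proves possession of the token.
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        step = now // TOKEN_STEP
        expected = token_code(seed, step - 1) + token_code(seed, step)
        if not hmac.compare_digest((code1 + code2).encode(), expected.encode()):
            return False
        self.accounts[username] = (serial, pin)
        self.last_step[username] = step   # both enrolment codes are now spent
        return True

    def verify(self, username, passcode, now, skew=1) -> str:
        # Returns "ok", "bad" or "locked"; the flowchart escalates on the third bad attempt.
        if self.failures.get(username, 0) >= 3:
            return "locked"
        if username not in self.accounts:
            return "bad"
        serial, pin = self.accounts[username]
        step = now // TOKEN_STEP
        for s in range(step - skew, step + skew + 1):   # tolerate one step of clock drift
            if s <= self.last_step.get(username, -1):    # never accept a code twice (replay)
                continue
            if hmac.compare_digest(passcode.encode(), (pin + token_code(self.seeds[serial], s)).encode()):
                self.failures[username] = 0
                self.last_step[username] = s
                return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "locked" if self.failures[username] >= 3 else "bad"
```

The replay rule is what makes a stolen passcode useless a minute later, which is the property the deck attributes to the token.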
Account Setup Process
(Flowchart recovered from the slide. Color scheme of the original: Red - 3rd party account process; Blue - CertAnon process; Green - Interaction between them.)
• Open online account and create username (or change password for existing online account)
• Use CertAnon for authentication?
– No: Create account password
– Yes: Choose temporary password, then log into CertAnon website with CertAnon username and passcode (PIN + token code)
• 3rd bad attempt? If Yes, CertAnon support intervention
• Add online account username and domain to CertAnon account
• Does domain support CertAnon? (Yes / No branches)
• Yes: Automated login to account using temp password to verify ownership
• Successful login?
– Yes: Temporary password cancelled; return to account website; authenticate with CertAnon passcode
Who is Our Customer?
• Individual Internet User
– Purchases CertAnon token for one-time fee of $50
• Obtaining a critical mass of customers makes CertAnon a must-have for online vendors
– Could give leverage to charge vendors in the future
About the Customer
[Bar chart, percent (0 to 70), Consumers vs. Professionals: Bank Online; Travel Reservations; Commerce & Communicate; 6-15 passwords; Over 15 passwords. Sources 5-8.]
5. Internet World Stats - http://www.internetworldstats.com/stats2.htm
6. Clickz.com - http://www.clickz.com/showPage.html?page=3481976#table
7. Clickz.com - http://www.clickz.com/showPage.html?page=3587781#table2
8. RSA Security Password Management Survey - http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf
Why Will The Customer Care?
• Reduce/eliminate need for multiple passwords
• Avoid password theft and unauthorized account access
• No information stored on a card that can be lost
• No password database to be hacked
What’s in it for a business?
• It’s free
• No need to implement a costly proprietary solution
• Improves security of customer base by moving more people away from passwords
• Snaps into existing infrastructure with minimal development
• Customers who don't switch will be unaffected
Competition Matrix
Cons
• Still not perfectly secure
• Token trouble
– Forgotten
– Broken
– Lost or stolen
• Inadequate for sight-impaired users
Risks & Mitigation
[Risk matrix: Impact vs. Probability, each rated 1-Low to 5-High, with risks 1-7 plotted.]
#  Risk                              Mitigation
1  Trust                             Beta-testing
2  Customer understanding            Tutorials on website
3  Reliance on token sales revenue   Encourage early partner site adoption
4  Viable alternatives               Single source two-factor
5  Token loss                        Provide temporary password access
6  Token availability                Offer online and through retail outlets
7  Government vs. Anonymity          Follow the lead of encryption products
Costs & Revenue
*Based on sales of one million tokens
Servers                                $16,000
RSA training                           $1,600
1.5 developers (3yr)                   $600,000
Server/application admin (3yr)         $414,000
Co-location and access costs (3yr)     $144,000
RSA Authentication Manager (3yr)*      $3,600,000
Tokens* and packaging @$30             $30,000,000
Total*                                 $34,775,600
Revenue*                               $50,000,000
Conclusion
• Available, affordable, and proven technology
• Targets a large and growing market
• Benefits consumers and online businesses
• Manageable project scope, scalable product
References
• “Failure of Two-Factor Authentication.” Schneier on Security. 12 Jul. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/07/failure_of_twof.html>.
• “Internet Penetration and Impact.” Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
• “Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.econsultancy.com/publications/download/91130/internet-statscompendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
• “Internet World Stats.” Internet World Stats. 11 Jan. 2007. Internet World Stats. 15 Feb. 2007 <http://www.internetworldstats.com/stats2.htm>.
• “Online Banking Increased 47% since 2002.” ClickZ Stats. 9 Feb. 2007. The ClickZ Network. 15 Feb. 2007 <http://www.clickz.com/showPage.html?page=3481976#table>.
• “Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
• “Real-World Passwords.” Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
• “RSA SecurID Authentication.” RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
• “RSA Security Password Management Survey.” RSA Security. Sep. 2006. Wikipedia. 15 Feb. 2007 <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf>.
• “Rural America Slow to Adopt Broadband.” ClickZ Stats. 27 Feb. 2007. The ClickZ Network. 28 Feb. 2007 <http://www.clickz.com/showPage.html?page=3587781#table2>.