WHITE PAPER | AUGUST 2014

Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

Table of Contents

Don’t Become the Next Headline
Make the “Breachable” Unbreachable
Why Passwords Are Susceptible to Attacks
Preventing Security Breaches by Eliminating the Need to Store Passwords
Additional Resources
Conclusion

Don’t Become the Next Headline

It seems like every day we see in the news that another breach has occurred. In fact, the New York Times recently reported on a security breach that involved over a billion online account passwords. Why does this keep happening? One reason is that many websites continue to use simple passwords for authentication and choose to store them as hashes. Another reason is that identity theft and fraud are a big business.

According to a Ponemon study [1], U.S. organizations experienced the highest total average cost for a data breach, at more than $5.4 million. Part of the reason for this is that—according to this study—United States companies had data breaches that resulted in the greatest number of exposed and compromised records. This is a real money cost, but the cost to your brand and customer confidence can have an even bigger impact on your business.

Make the “Breachable” Unbreachable

What would happen if hackers got hold of the database of credentials, but discovered that it didn’t contain any passwords at all, hashed or encrypted? Implementing CA Advanced Authentication can help solve the problem of compromised passwords. Its strong authentication credentials help prevent security breaches by eliminating the password hash file, thus making the “breachable” unbreachable.

Why Passwords Are Susceptible to Attacks

One attack point for a security breach is the stored repository of passwords, for example the password hash file. Common practice is to protect passwords using hash algorithms.
But the databases where they are stored are still the subject of many successful hacks, using “brute force” to reveal the passwords. Many brute-force attacks exist today that can decode these files in realistic times. The continued use of simple passwords for authentication, stored as hashes (often with “salt” added for extra protection), is what makes these attacks possible.

Hashing turns a bit of data, like your password, into another bit of data that looks random or unrecognizable. For example, the password “MiloPug,” when hashed, might become “xh^21hdgXEOUD76@%@d”. Hashing is one-way: it’s easy to create the hash from the original text, but impossible to start with the hash and get back to the original text. While there’s no algorithm to reverse a good hash function, hashes can still be attacked using brute-force techniques. Given current advanced hacking techniques, this is not so hard to accomplish.

Preventing Security Breaches by Eliminating the Need to Store Passwords

The concept is simple. Many systems today authenticate by comparing the hash of the user’s entered password to the hash value that they have stored on their server. CA Technologies takes a different approach and does not store the password anywhere, not even as a hash.

Using patented “cryptographic camouflage” (U.S. Patent 6,170,058), CA Advanced Authentication uses the password to protect or “lock” a secret key. The protected key is sent from the server to the browser or application, where it is unlocked using the password. The unlocked key is then used to sign a random challenge, and the resulting signature is sent back to the server. The password and the unlocked key appear only briefly in memory at the browser. Camouflage technology ensures that the protected key, if obtained by an attacker, cannot be unlocked. Because the password is stored permanently only in the user’s mind, there is no password file for the attacker to steal.
The password is used during the credential creation and the authentication process, but is never stored anywhere. It is not stored in a repository. It is not stored on the client. It is not stored anywhere that hackers could target.

How CA Advanced Authentication Works

As part of the enrollment process, the end user is asked to select a PIN or password when they set up the CA Auth ID. Each end user is assigned a key pair, consisting of a private key and a public key. Using patented cryptographic camouflage technology from CA, the private key is camouflaged based on the user’s PIN or password. Camouflage is a way of protecting data, built on standard encryption algorithms, that defeats brute-force attacks. The effect of this process is that decryption, even using an incorrect password, will always produce a result that looks correct to the attacker but will not produce a valid signature. This is detected by the server when the signature is returned.

In the case of a simple six-character password drawn from a 72-symbol alphabet (letters, numbers and ten special characters), a brute-force attack on a camouflaged key will produce 72^6 = 139,314,069,504 plausible keys. Only one of these will generate a valid signature, and the attacker has nothing to indicate which one it is—they all look equally valid. The attacker has no recourse but to try the keys individually by sending signatures to the server—that is, by trying to authenticate. After a few failures the server will detect the attack.

[Diagram: how CA Advanced Authentication uses a password but doesn’t pass it to the server or need to validate it against a password repository.]

The Technology that Enables the Solution

The CA Auth ID credential is available to anyone who asks for it by username—even bad guys. The bad guys can’t use it because they can’t brute force the key, so it does them no good.
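To make the two sections above concrete, the following is an added example written for this edit. It is not CA’s code and does not implement the patented camouflage scheme; it only models the idea described here. A Schnorr-style private key over a small toy group is XORed with a password-derived keystream that carries no padding, integrity check or marker bytes, so “unlocking” the stolen blob with any password yields an in-range, valid-looking private key. Only the server, which holds the public key and never sees the password or a hash of it, can tell the genuine key apart by checking the signature on a fresh random challenge, and a failure counter locks the account after a few bad attempts. Every name in it (AuthServer, enroll, camouflage, client_login and the rest), the 3-failure lockout threshold, the 100,000 PBKDF2 iterations and the ~63-bit group are assumptions of this example, chosen to run offline in a second; a real deployment would use a standard signature scheme over a full-size group.

```python
import hashlib
import secrets

# Added example, not CA's code: a toy model of a password-camouflaged signing key.
# Group: P = 2Q+1 is a safe prime; G = 4 generates the prime-order-Q subgroup.

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; these fixed bases are deterministic for 37 < n < 3.3e24."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def first_safe_prime_from(start: int) -> int:
    """Smallest 2q+1 with q and 2q+1 both prime and q >= start (deterministic)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = first_safe_prime_from(1 << 62)   # ~63-bit toy modulus; real systems use 2048-bit+ groups
Q, G = (P - 1) // 2, 4               # subgroup order; 4 is a quadratic residue, so it has order Q

def _hash_to_scalar(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q

def sign(x: int, message: bytes) -> tuple:
    """Schnorr signature (e, s) under private scalar x (group elements fit in 8 bytes)."""
    k = secrets.randbelow(Q - 1) + 1
    e = _hash_to_scalar(pow(G, k, P).to_bytes(8, "big"), message)
    return e, (k - x * e) % Q

def verify(y: int, message: bytes, sig: tuple) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P      # equals G^k only for a genuine signature
    return _hash_to_scalar(r.to_bytes(8, "big"), message) == e

def camouflage(material: bytes, password: str, salt: bytes) -> bytes:
    """XOR with a password-derived stream: no padding, no MAC, no magic bytes,
    so decrypting under ANY password yields equally plausible key material."""
    stream = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=len(material))
    return bytes(a ^ b for a, b in zip(material, stream))

def scalar_from_material(material: bytes) -> int:
    """Any 16-byte string maps to a usable private scalar in [1, Q-1]."""
    return int.from_bytes(material, "big") % (Q - 1) + 1

def enroll(password: str) -> dict:
    """Client side: the password locks the private key and is then discarded;
    only the public key, the salt and the camouflaged blob go to the server."""
    material, salt = secrets.token_bytes(16), secrets.token_bytes(16)
    y = pow(G, scalar_from_material(material), P)
    return {"public_key": y, "salt": salt, "blob": camouflage(material, password, salt)}

class AuthServer:
    """Holds public keys and camouflaged blobs: there is no password hash to steal."""
    MAX_FAILURES = 3   # assumed value for "after a few failures the server will detect the attack"

    def __init__(self) -> None:
        self.users, self.failures, self.challenges = {}, {}, {}

    def register(self, username: str, cred: dict) -> None:
        self.users[username], self.failures[username] = cred, 0

    def get_credential(self, username: str) -> tuple:
        """Given to anyone who asks by username; useless without the password."""
        return self.users[username]["salt"], self.users[username]["blob"]

    def challenge(self, username: str) -> bytes:
        self.challenges[username] = secrets.token_bytes(16)
        return self.challenges[username]

    def authenticate(self, username: str, sig: tuple) -> str:
        if self.failures[username] >= self.MAX_FAILURES:
            return "locked"
        nonce = self.challenges.pop(username, None)
        if nonce is not None and verify(self.users[username]["public_key"], nonce, sig):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "locked" if self.failures[username] >= self.MAX_FAILURES else "invalid"

def client_login(server: AuthServer, username: str, password: str) -> str:
    """Unlocking 'succeeds' for any password (XOR is its own inverse); only the
    server's check of the signature on a fresh challenge reveals whether it was real."""
    salt, blob = server.get_credential(username)
    x = scalar_from_material(camouflage(blob, password, salt))
    return server.authenticate(username, sign(x, server.challenge(username)))
```

The point to notice is the contrast with a hash file: given a stolen salted hash, a guess can be confirmed locally by recomputing the hash, whereas here `camouflage(blob, guess, salt)` returns a perfectly usable scalar for every guess, so the only oracle is `AuthServer.authenticate`, which counts failures and locks the account. In this model the server record contains the public key, the salt and the blob, and nothing derived from the password itself.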
The ID is provided by the server at login time, so it can work from any device, anywhere. It works on any device with a browser that has JavaScript® and can work with any mobile app developed using our software development kit (SDK). The user sees no changes to the existing enrollment process, “forgot your password” (FYP) steps or other password flows. Any existing risk and secondary authentication processes are preserved. Login flows and the familiar login sequence (single page or double page) remain unchanged. Users can be migrated “behind the scenes” from their current credentials to these “look alike, yet protected” credentials.

While the CA Auth ID can also be used to meet two-factor authentication compliance requirements, this implementation uses the proven credential to eliminate the organization’s need to create, manage and secure a password database. In doing so, it removes the most attractive attack vector for hackers: large credential repositories that are vulnerable to brute force.

Benefits of CA Advanced Authentication include:

• Immunizes against server-side hash file attacks
• Protects from man-in-the-middle attacks that occur when passwords are transmitted
• Keeps the familiar username/password login process
• Reduces the need for password complexity and storage
• Works with a variety of risk-based solutions
• Works on any browser or device. No client footprint required. Simple SDK for mobile apps.

Conclusion

The CA Advanced Authentication suite of products can help keep an organization’s name out of the headlines for a security breach. This solution, which can be easily integrated into existing applications, helps eliminate the weak point that many systems possess—the password hash file. CA Advanced Authentication provides a “password-like” credential that doesn’t store passwords on the server, so there are no passwords for an attacker to steal in a security breach.
Additional Resources

• “Be Smarter Than a Hacker” webcast (http://bit.ly/1s38Ygj)
• The eduCAte Channel for CA Advanced Authentication (http://bit.ly/1xErzQh)

Connect with CA Technologies at ca.com

CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate – across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com.

[1] Cost of a Data Breach Study: Global Analysis, Ponemon Institute, May 2013

© CA 2014. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only, and does not form any type of warranty. CS200-200-86850_0814