Next Steps toward More Trustworthy Interfaces. Burt Kaliski, RSA Laboratories. 1st Workshop on Trustworthy Interfaces for Passwords and Personal Information.
Next Steps toward More Trustworthy Interfaces. Burt Kaliski, RSA Laboratories. 1st Workshop on Trustworthy Interfaces for Passwords and Personal Information, June 13, 2005.

Market Problem
- Users don't have a convenient way of gaining confidence that the applications they are interacting with are the correct ones, especially when entering passwords and personal information.
- The user interface is typically not trustworthy, so the user can't tell whether the application can be trusted: "WYSINWYG", what you see isn't necessarily what you get.
- This is an important and relatively separable part of the broader trustworthy computing problem.

Not Just Passwords ...
- More trustworthy interfaces benefit authentication types besides traditional passwords, e.g.:
  - PIN entry for smart cards and other security tokens
  - one-time passwords (challenge-response, event-synchronous, time-synchronous)
  - passwords that unlock software credentials
- Trustworthy interfaces can be a platform for transitioning to stronger authentication, starting with passwords.

Multiple Stakeholders
- The market problem brings together multiple parties involved in the interfaces and the supporting protocols:
  - Application developers
  - Browser, OS and desktop software vendors
  - Identity providers and certificate authorities
  - User experience designers
  - The research community
- None can address the full problem alone; the stakeholders must work together.

Some Related Work
- All of this workshop, of course ...
- Kim Cameron's "Laws of Identity," at the system level:
  1. User control and consent
  2. Minimal disclosure for a constrained use
  3. Justifiable parties
  4. Directed identity
  5. Pluralism of operators and technologies
  6. Human integration
  7. Consistent experience across contexts
- Carl Ellison and Jesse Walker's "Ceremonies": protocol interactions that include the human as a participant

Proposed Criteria for a Trustworthy Interface for Passwords and Personal Information
1. The user can tell when interacting with an application through a trustworthy interface (e.g., via reserved screen "real estate").
2. The interface provides a "trusted path" for data entry, protecting the entered data against other software on the platform.
3. The user can activate the interface, or it can be activated automatically.
4. The user can verify the identity of the application through the interface.
5. Authentication is mutual: the application must also demonstrate knowledge of the password (or other authentication credential).
6. Personal information is protected: the trusted interface won't provide it to an incorrect application.
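Criteria 5 and 6 together describe an ordering rule: the application proves knowledge of the user's credential first, and only then does the interface release the user's own proof and any personal information. The following Python is an added worked example of that rule, not code from the slides or from RSA Laboratories. It assumes a hypothetical enrollment step in which both sides derived a per-user key from the password with PBKDF2 (iteration count, salt, message layout and the role labels "app"/"user" are all assumptions), and it uses a plain HMAC challenge-response. One caveat the slides do not spell out: a password-derived challenge-response still lets a passive eavesdropper run an offline dictionary attack on the captured transcript; a password-authenticated key exchange (PAKE) is the standard way to close that gap while keeping the same "application proves first" ordering.

```python
"""Mutual challenge-response between a trusted interface (holds the password)
and an application (holds a per-user key derived from that password).
Added illustration; names, message formats and parameters are assumptions."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed; tune to the deployment


def derive_key(password: str, salt: bytes) -> bytes:
    """Both sides derive the same 32-byte key at enrollment (assumed step).
    Stretching slows, but does not prevent, offline guessing from a transcript."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _proof(key: bytes, role: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    # The role label stops a proof from being reflected back as the other side's.
    return hmac.new(key, role + client_nonce + server_nonce, hashlib.sha256).digest()


class Application:
    """Relying party. Stores only the derived key per user, never the password."""

    def __init__(self, users: dict):
        self._users = users

    def respond(self, username: str, client_nonce: bytes):
        """Step 2: prove knowledge of the user's key before seeing any user proof."""
        key = self._users.get(username)
        if key is None:
            return None
        server_nonce = secrets.token_bytes(16)
        return server_nonce, _proof(key, b"app", client_nonce, server_nonce)

    def verify_user(self, username, client_nonce, server_nonce, client_proof) -> bool:
        """Step 4: check the user's proof (constant-time compare)."""
        key = self._users.get(username)
        if key is None:
            return False
        return hmac.compare_digest(_proof(key, b"user", client_nonce, server_nonce), client_proof)


class TrustedInterface:
    """Trusted-path component that holds the password and personal information."""

    def __init__(self, username, password, salt, personal_info):
        self.username = username
        self._key = derive_key(password, salt)
        self._personal_info = personal_info
        self._client_nonce = None

    def begin(self):
        """Step 1: send only the username and a fresh nonce; nothing secret yet."""
        self._client_nonce = secrets.token_bytes(16)
        return self.username, self._client_nonce

    def application_is_genuine(self, server_nonce, server_proof) -> bool:
        expected = _proof(self._key, b"app", self._client_nonce, server_nonce)
        return hmac.compare_digest(expected, server_proof)

    def finish(self, server_nonce, server_proof):
        """Step 3: release the user's proof and personal info only to a proven application."""
        if not self.application_is_genuine(server_nonce, server_proof):
            return None
        return _proof(self._key, b"user", self._client_nonce, server_nonce), self._personal_info


def run_ceremony(interface: TrustedInterface, app: Application) -> dict:
    """Drive the exchange and report what each side concluded."""
    failed = {"app_verified": False, "user_verified": False, "info_released": False}
    username, client_nonce = interface.begin()
    reply = app.respond(username, client_nonce)
    if reply is None:
        return failed
    server_nonce, server_proof = reply
    result = interface.finish(server_nonce, server_proof)
    if result is None:
        return failed  # impostor: no user proof and no personal info left the interface
    client_proof, info = result
    return {
        "app_verified": True,
        "user_verified": app.verify_user(username, client_nonce, server_nonce, client_proof),
        "info_released": info is not None,
    }


# Constructed sample data (not from the slides).
SALT = b"enrollment-salt-0001"
PASSWORD = "correct horse battery staple"
GENUINE_APP = Application({"alice": derive_key(PASSWORD, SALT)})
PHISHING_APP = Application({"alice": derive_key("wrong guess", SALT)})  # does not know the password

if __name__ == "__main__":
    ui = TrustedInterface("alice", PASSWORD, SALT, "card number 4111 ...")
    print(run_ceremony(ui, GENUINE_APP))   # every flag True
    print(run_ceremony(ui, PHISHING_APP))  # every flag False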

Presumptions
1. The market problem is important.
2. Collaboration among multiple stakeholders is essential to solve it.
Industry goal: provide trustworthy interfaces that give users confidence that their online interactions are with parties they trust, especially when entering passwords and personal information.

Potential Collaborations: Putting TIPPI into Practice
1. Publish workshop summaries and propose the concepts in other forums.
2. Prepare an open letter challenging the industry to improve its interfaces.
3. Promote industry standards efforts:
   - user interface criteria and specific user experience designs
   - supporting protocols and APIs
4. Provide reference implementations:
   - browser plug-ins
   - OS extensions
5. Plan on a 2nd TIPPI Workshop, June 2006!

For More Information
- Burt Kaliski, Chief Scientist, RSA Laboratories; VP Research, RSA Security
- Magnus Nyström, Technical Director, Office of the CTO, RSA Security (Stockholm Office)