CertAnon A Proposal for an Anonymous WAN Authentication Service David Mirra CS410 January 30, 2007
A Wired World Who is online? 1 –73% of American adults –88% of year-olds –91% of college-educated adults What are they doing? 2 –Communicating –Shopping –Banking 1.US users, April UK users, Q compendium/
The Identity Issue Strong authentication needed for online accounts –Permit remote access for authorized users –Allow the good guys in –Keep the bad guys out Typically done via username/password mechanism
The Problem with Passwords More online accounts = more passwords Complexity of passwords is limited by the human factor 3 Vulnerability is enhanced by the technology factor Password control is difficult 4 –Dissemination is too easy Once compromised, a password is no longer effective for authentication
The Risk of Theft Phishing attempts are on the rise 5 –Social engineering tricks users into divulging info –Crimeware steals account credentials directly 5. Anti-Phishing Working Group -
What’s Been Tried? Microsoft.NET Passport 6 and Sun Liberty Alliance 7 –Single sign-on services for web commerce –Privacy concerns –Relied on username/password paradigm Company-specific token authentication –A token for every site 6. Wikipedia Wikipedia -
A New Proposal Anonymous WAN authentication service –Used for any and all online accounts –Strong two-factor authentication –Limited information sharing Initial customers are Internet users Ultimate customers are online businesses
Two-factor Authentication 8 Something you know –A single PIN Plus something you have –Hardware token generating pseudo-random numbers Effectively changes your password every 60 seconds 8. RSA -
CertAnon Hardware Four global servers running RSA Authentication Manager RSA SecurID tokens available for retail purchase
CertAnon Software Public web service –Encrypted authentication request/response Free software modules for download by web site operators –Encourages adoption of CertAnon authentication
How Does It Work for Me? Buy a token –Anonymous purchase Register it with CertAnon –Anonymous registration Create a web account anywhere –Check the box “I use CertAnon” Link that account to your token –And off you go!
How About the Web Sites? Register servers with CertAnon Receive key to encrypt requests Make CertAnon authentication available to customers Authentication requests are sent to all CertAnon servers –First to respond is accepted
Benefits Consumers –Only one pin to remember –Authenticate without sharing identity –Increased security –Pay once, protect forever Businesses –Free for early adopters –No more password management –Close the “trust gap”
Pitfalls Requires adoption by consumers and businesses –Establish trust –Make it easy to get and easy to use Not a silver bullet –Part of defense-in-depth strategy Governmental resistance to anonymity –Similar hurdles faced by encryption products
It Can Be Done Available, affordable, and proven technology Targets a large and growing market Benefits consumers and online businesses Manageable project scope, scaleable product Build it and they will come!
Works Cited “Failure of Two-Factor Authentication.” Schneier on Security. 12 Jul Bruce Schneier. 28 Jan “Internet Penetration and Impact.” Pew/Internet. April Pew Internet & American Life Project. 28 Jan “Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan E-consultancy.com LTD. 28 Jan “Liberty Alliance.” Wikipedia. 25 Jan Wikipedia. 28 Jan
Works Cited (cont.) “Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov Anti- Phishing Working Group. 28 Jan “Real-World Passwords.” Schneier on Security. 14 Dec Bruce Schneier. 28 Jan “RSA SecurID Authentication.” RSA Security RSA Security, Inc. 28 Jan “Windows Live ID.” Wikipedia. 23 Jan Wikipedia. 28 Jan