Authentication: the problem that will not go away Prof. Ravi Sandhu Chief Scientist 703 283 3484 Protecting Online Identity.

Presentation transcript:

Authentication: the problem that will not go away
Prof. Ravi Sandhu, Chief Scientist, Protecting Online Identity

© Copyright Ravi Sandhu 2008
Page 2: The State of Cyber Security
We are in the midst of big change
Nobody knows where we are headed
Conventional wisdom on where we are headed is likely wrong

Page 3: Security Schools of Thought
OLD THINK: We had it figured out. If the industry had only listened to us, our computers and networks today would be secure.
REALITY: Today's and tomorrow's cyber systems and their security needs are fundamentally different from the timesharing era of the early 1970s.

Page 4: Change Drivers
Stand-alone mainframes and mini-computers → Internet
Enterprise security → Mutually suspicious security with split responsibility
Vandals → Criminals
Few and standard services → Many and new innovative services

Page 5: Authentication Characterized
Authentication is fundamental to security
Authentication is hard
Authentication can enable single sign-on (or reduced sign-on) and digital signatures

Page 6: Authentication Sliced
Something you know: passwords, personal facts
Something you have: smart card, one-time-password generator, PC, …
Something you are: fingerprint, iris, DNA, voiceprint, …
Multifactor = 2 or more of these
The leap from 1-factor to 2-factor provides the biggest gain
The 2 factors are typically from different categories above

Page 7: Authentication Sliced Differently: Take 1
Shared secrets versus public-private keys
Shared secrets do not scale, especially across administrative domains
Shared secrets do not facilitate single sign-on
The holy grail of public key infrastructure continues to offer the best hope for scalability and single sign-on
Mostly true, BUT don't forget Kerberos (symmetric-key single sign-on within an enterprise) and the ATM network

Page 8: Authentication Sliced Differently: Take 2
One-way authentication versus mutual authentication
One-way authentication is the norm
It is particularly susceptible to phishing
One-time passwords are susceptible to MITM attacks due to lack of mutual authentication

Page 9: Strong Authentication
Two-factor (or multi-factor)
Mutual authentication

Page 10: Existing Authentication Methods & Threats
[Figure: Strong User Authentication, Weak User Authentication, Transaction Authentication]

Page 11: Why Are These Security Measures Vulnerable?
Authentication technologies are vulnerable to MITM Phishing 2.0 attacks when:
  They rely on weak, easily spoofable information
  They rely on shared secrets
  They use only one-way SSL security
Vulnerable authentication technologies: IP geolocation, device fingerprint, OTP tokens, scratch cards, grid cards, cookies, text, and pictures
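As an added illustration of the one-way versus mutual authentication point made on this slide and on Page 8 (example code, not part of the original deck), the Python below models an OTP login relayed through a look-alike site: first with the bank checking only the OTP, then with the client's response bound to the server identity it actually saw, which is the effect 2-way SSL gives. The host names, seed and OTP construction are assumptions.

```python
import hashlib
import hmac
# Constructed model of "one-way versus mutual authentication": an OTP typed into a
# look-alike site is simply relayed by the phisher, while a response bound to the
# server identity the client actually saw is rejected by the real bank. Names and seed are hypothetical.

OTP_SEED = b"constructed-otp-seed"   # shared by the user's token and the bank
REAL_BANK = "bank.example"           # identity in the bank's certificate
PHISHER = "bank-login.example.net"   # identity in the look-alike site's certificate

def otp_for(counter: int) -> str:
    """Event-based OTP: HMAC over a counter, truncated to 6 digits."""
    mac = hmac.new(OTP_SEED, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def bound_proof(otp: str, server_identity: str) -> str:
    """Proof that this OTP was produced for a session with server_identity."""
    return hmac.new(OTP_SEED, f"{otp}|{server_identity}".encode(), hashlib.sha256).hexdigest()

def client_respond(counter: int, server_identity: str) -> tuple:
    # User side: the OTP plus a proof bound to the server the client is talking to
    otp = otp_for(counter)
    return otp, bound_proof(otp, server_identity)

class Bank:
    def __init__(self) -> None:
        self.counter = 0  # next OTP counter the bank expects

    def verify_one_way(self, otp: str) -> bool:
        """One-way SSL: the bank checks only the OTP, not who relayed it."""
        ok = hmac.compare_digest(otp, otp_for(self.counter))
        self.counter += 1
        return ok

    def verify_bound(self, otp: str, proof: str) -> bool:
        """Mutual authentication: the proof must have been computed for REAL_BANK."""
        return self.verify_one_way(otp) and hmac.compare_digest(proof, bound_proof(otp, REAL_BANK))

def relayed_login_one_way() -> bool:
    # User enters the OTP on the look-alike site; the phisher forwards it to the bank
    otp, _ = client_respond(0, PHISHER)
    return Bank().verify_one_way(otp)  # accepted: the bank cannot tell it was relayed

def relayed_login_bound() -> bool:
    """Same relay, but the client's proof names the identity it actually saw."""
    otp, proof = client_respond(0, PHISHER)
    return Bank().verify_bound(otp, proof)  # rejected: bound to PHISHER, not REAL_BANK

def direct_login_bound() -> bool:
    otp, proof = client_respond(0, REAL_BANK)
    return Bank().verify_bound(otp, proof)  # accepted
```

In real deployments the binding comes from the TLS layer itself (client certificates or channel binding) rather than from a hand-rolled HMAC; the model only shows why the OTP on its own cannot carry that binding.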

Page 12: Man-in-the-Middle Attacks Are Happening
A man-in-the-middle attack (MITM): the attacker is able to read, insert and modify transactions between two parties without either party knowing that the link between them has been compromised.
CitiBank attack, July 10th, 2006: defeated OTP tokens; 35 MITM sites in Russia
Amazon attack, January 3rd, 2007: defeated username/password
Bank of America, April 10th, 2007: defeats SiteKey cookie/picture
ABN AMRO, April 20th, 2007: defeats OTP token

Page 13: The Citibank Attack Decrypted
Phishing links lead to a fake CitiBusiness login page, hosted in Russia by Tufel-Club.ru and routed through a botnet
The fake page enters the user's credentials (including the token code) at the actual CitiBusiness.com site in real time, stealing them
The attacker changes the transaction or executes a new transaction

Page 14: IP Spoofing Story
IP spoofing predicted in Bell Labs report
1st generation firewalls deployed 1992
IP spoofing attacks proliferate in the wild 1993
VPNs emerge late 1990s
Vulnerability shifts to accessing the end-point
Network Admission Control 2000s

Page 15: Evolution of Phishing
Phishing 1.0
  Attack: capture reusable passwords
  Defense: user education, cookies, pictures
Phishing 2.0
  Attack: MITM in the 1-way SSL channel, breaks OTPs
  Defense: 2-way SSL
Phishing 3.0
  Attack: browser-based MITB client in front of 2-way SSL
  Defense: transaction authentication outside the browser
Phishing 4.0
  Attack: PC-based MIPC client in front of 2-way SSL
  Defense: transaction authentication outside the PC, PC hardening
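An added example, not part of the original deck, of the Phishing 3.0 defense listed above: a code computed on a device outside the browser over the payee and amount the user confirmed there, which a browser-side rewrite of the transaction invalidates. The device key, account identifiers, nonce scheme and code format are assumptions.

```python
import hashlib
import hmac
import secrets
# Constructed model of "transaction authentication outside the browser" (Phishing 3.0
# defense): a separate device produces a code over the payee and amount the user saw
# on its display, so a browser-resident MITB that rewrites the transaction in flight
# cannot obtain a code for its version. Key and account numbers are hypothetical.

DEVICE_KEY = b"constructed-per-user-device-key"  # provisioned into the user's device
FIELDS = ("payee", "amount", "nonce")             # fixed order so both sides hash the same bytes

def canonical(tx: dict) -> bytes:
    return "|".join(f"{f}={tx[f]}" for f in FIELDS).encode()

def device_code(tx: dict) -> str:
    """Device side: 8-digit code over the transaction the user confirmed on the device."""
    mac = hmac.new(DEVICE_KEY, canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"

class Bank:
    def __init__(self) -> None:
        self.used_nonces = set()  # one code per transaction: blocks replay of an old code

    def accept(self, tx: dict, code: str) -> bool:
        if tx["nonce"] in self.used_nonces:
            return False
        if not hmac.compare_digest(code, device_code(tx)):
            return False
        self.used_nonces.add(tx["nonce"])
        return True

def new_transaction(payee: str, amount: str) -> dict:
    return {"payee": payee, "amount": amount, "nonce": secrets.token_hex(8)}

def scenario_honest() -> bool:
    # Browser submits exactly what the user confirmed on the device
    tx = new_transaction("ACCT-1234", "120.00")
    return Bank().accept(tx, device_code(tx))  # True

def scenario_mitb() -> bool:
    """Browser malware rewrites payee and amount after the user confirmed the original."""
    intended = new_transaction("ACCT-1234", "120.00")
    code = device_code(intended)  # the user saw and confirmed these values on the device
    tampered = {**intended, "payee": "ACCT-9999", "amount": "9500.00"}
    return Bank().accept(tampered, code)  # False: the code does not cover the tampered values

def scenario_replay() -> bool:
    # Re-submitting the same transaction and code a second time is rejected
    bank, tx = Bank(), new_transaction("ACCT-1234", "120.00")
    code = device_code(tx)
    return bank.accept(tx, code) and not bank.accept(tx, code)  # True: first accepted, second refused
```

The defense holds only if the device shows the user the transaction details from a source the browser cannot alter, which is why the slide places it outside the browser rather than in a browser extension.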

Page 16: Sandhu's Laws of Attackers
1. Attackers exist: you will be attacked
2. Attackers have sharply escalating incentive: money, terrorism, warfare, espionage, sabotage, …
3. Attackers are lazy (follow the path of least resistance): attacks will escalate, BUT no faster than necessary
4. Attackers are innovative (and stealthy): eventually all feasible attacks will manifest
5. Attackers are copycats: known attacks will proliferate widely
6. Attackers have an asymmetrical advantage: they need only one point of failure

Page 17: Sandhu's Laws of Defenders
1. Defenses are necessary
2. Defenses have escalating scope
3. Defenses raise barriers for attackers
4. Defenses will require new barriers over time
5. Defenses with better barriers have value
6. Defenses will be breached

Page 18: Sandhu's Laws of Users
1. Users exist and are necessary
2. Users have escalating exposure
3. Users are lazy and expect convenience
4. Users are innovative and will bypass inconvenient security
5. Users are the weakest link
6. Users expect to be protected

Page 19: Operational Principles
A. Prepare for tomorrow's attacks, not just yesterday's: good defenders strive to stay ahead of the curve; bad defenders forever lag
B. Take care of tomorrow's attacks before next year's attacks: researchers will and should pursue defense against attacks that will manifest far in the future, BUT these solutions will deploy only as attacks catch up
C. Use future-proof barriers: defenders need a roadmap and need to make adjustments
D. It's all about trade-offs: security, convenience, cost