Presentation is loading. Please wait.

Presentation is loading. Please wait.

9/11/2012Pomcor 1 Techniques for Implementing Derived Credentials Francisco Corella Karen Lewison Pomcor (http://pomcor.com/)

Published byMarisol Ruiz Modified over 9 years ago

Similar presentations

Presentation on theme: "9/11/2012Pomcor 1 Techniques for Implementing Derived Credentials Francisco Corella Karen Lewison Pomcor (http://pomcor.com/)"— Presentation transcript:

1 9/11/2012Pomcor 1 Techniques for Implementing Derived Credentials Francisco Corella (fcorella@pomcor.com) Karen Lewison (kplewison@pomcor.com) Pomcor (http://pomcor.com/)

2 9/11/2012Pomcor 2 Derived Credential Electronic Authentication Guideline: “ A credential issued based on a proof of possession of a PIV credential ” Motivation Store credential in a mobile device Use it instead of PIV card for logical access (authentication to information systems) http://csrc.nist.gov/groups/SMA/ispab/document s/minutes/2012- 02/feb1_der_cred_ferraiolo_h_fips_201-2.pdf http://csrc.nist.gov/groups/SMA/ispab/document s/minutes/2012- 02/feb1_der_cred_ferraiolo_h_fips_201-2.pdf

3 9/11/2012Pomcor 3 Challenges Complexity of cryptographic and biometric processing for app developers No FIPS 140-2 Level 3 tamper resistant storage in mobile devices

4 9/11/2012Pomcor 4 Techniques for Addressing Challenges 1. Public key cryptography without certificates 2. Key pair regeneration as an alternative to tamper resistance 3. Encapsulation of cryptographic and biometric processing in black boxes

5 9/11/2012Pomcor 5 1. Public Key Cryptography without Certificates Mobile device  application (back-end): Database handle of a device record that contains the hash of public key and refers to user record Public key Proof of knowledge of private key Application  directory Database handle of device record Hash of public key Directory  application User identifier(s) and/or attribute(s)

6 User identifiers and/or attributes Device handle Hash of public key Directory User record Tablet recordPhone record Device handle Hash of public key Mobile device (e.g. smart phone) with application front-end or web browser Key pair Device handle Public key Proof of knowledge of private key Application back-end

7 9/11/2012Pomcor 7 2. Key Pair Regeneration as an Alternative to Tamper Resistance PIV card stores credentials in tamper-resistant storage But mobile devices do not have tamper-resistant storage  Encrypt private key under key derived from PIN? That would allow offline attack against PIN Instead we propose to regenerate the key pair from the PIN (or from a biometric key)  All PINs produce well-formed key pairs, so PINs cannot be tested and offline attack is not possible

8 9/11/2012Pomcor 8 RSA Key Pair Regeneration from a PIN Idea Store p, q in device, but not e or d Generate d as a randomized hash of the PIN, of same length as the modulus Compute e such that 1 < e < φ and ed  1 (mod φ) Problem: what if gcd(d,φ)  1? Solution: Remove from d all prime factors r < 100 shared with φ. During initial key generation, if d has prime factors r ’ > 100 shared with φ, we start over with different p and q (probability: 0.2%)

9 9/11/2012Pomcor 9 Non-problem: Retaining p and q does not reduce security (they could be computed from the key pair) Non-problem: d not vulnerable to small-decryption-exponent attacks RSA Key Pair Regeneration from a PIN (Continued)

10 Regeneration from Biometric Key Biometric key generated from an iris image (to be taken by device camera) and an auxiliary string F. Hao, R. Anderson, and J. Daugman. Combining Cryptography with Biometric Effectively. IEEE Trans. Comput., 55(9):1081-1088, 2006. Biometric template not at risk because not used Biometric key generation Key pair regeneration Biometric key Key pair Iris image Aux. string pq

11 9/11/2012Pomcor 11 Three-Factor Authentication Key pair + PIN + iris image Biometric key used to regenerate key pair PIN used to Encrypt auxiliary string, or Scramble the biometric key generation algorithm (suggested by Hao et al.)

12 9/11/2012Pomcor 12 3. Encapsulation of Cryptographic and Biometric Processing Application outsources cryptographic and biometric complexities to a Prover Black Box (PBB) and a Verifier Black Box (VBB) PBB is in mobile device VBB online, trusted by application Could be implemented as a generic server appliance Many possible configurations In some configurations, outsourcing protocol uses “ native URLs ” (available in iOS and Android) for interapp communications within the device

13 Native front-end, native PBB, generic VBB Mobile device App front-end VBB PBB App back-end p, q, s, S, a Device record Dev. handle Hash of PK Directory User record

14 Mobile device App front-end VBB PBB App back-end p, q, s, S, a PIN and/or iris image Device record Dev. handle Hash of PK Directory User record

15 Mobile device App front-end Auth token Hash of PK VBB PBB App back-end p, q, s, S, a Public key + proof of knowledge of private key Device record Dev. handle Hash of PK Directory User record

16 Mobile device App front-end Auth token Hash of PK VBB PBB App back-end p, q, s, S, a Auth token Device record Dev. handle Hash of PK Directory User record

17 Mobile device App front-end Auth token Hash of PK VBB PBB App back-end p, q, s, S, a Auth token + device handle Device record Dev. handle Hash of PK Directory User record Dev. handle

18 Mobile device App front-end Auth token Hash of PK VBB PBB App back-end Auth token + device handle Device record Dev. handle Hash of PK Directory User record p, q, s, S, a Dev. handle

19 Mobile device App front-end Auth token Hash of PK VBB PBB App back-end Auth token Device record Dev. handle Hash of PK Directory User record p, q, s, S, a Dev. handle

20 Mobile device App front-end VBB PBB App back-end Hash of public key Device record Dev. handle Hash of PK Directory User record p, q, s, S, a Dev. handle

21 Mobile device App front-end VBB PBB App back-end Device record Dev. handle Hash of PK DirectoryDevice handle + hash of public key User record p, q, s, S, a Dev. handle

22 Mobile device App front-end VBB PBB App back-end User ID(s) and/or attribute(s) Device record Dev. handle Hash of PK Directory User record p, q, s, S, a Dev. handle

23 9/11/2012Pomcor 23 Many Possible Configurations App May have native front-end (as shown), or May be accessed through a web browser PBB One credential for multiple apps Different credentials for different apps May be embedded in application front-end Browser plug-in  works on desktops and laptops VBB May be a generic server appliance May be app- or enterprise-specific, and access the directory Multiple security domains

24 Web-based app, native PBB, generic VBB Mobile device Web browser VBB PBB App back-end Device record Dev. handle Hash of PK Directory User record p, q, s, S, a Dev. handle

25 Native front-end, native PBB, app-specific or enterprise-specific VBB Mobile device App front-end VBB PBB App back-end Device record Dev. handle Hash of PK Directory User record p, q, s, S, a Dev. handle

26 Native front-end, PBB embedded in app front-end, generic VBB Mobile device App front-end VBB PBB App back-end Device record Dev. handle Hash of PK Directory User record p, q, s, S, a Dev. handle

27 Web-based app, PBB as browser plug-in, generic VBB Mobile device Web browser VBB PBB App back-end Device record Dev. handle Hash of PK Directory User record p, q, s, S, a Dev. handle

28 Mobile device Web browser PBB App back-end Device record Directory User record VBB Device record Directory User record Security domain mapper S E C U R I T Y D O M A I N # 2 Device handler augmented by Security Domain ID S E C U R I T Y D O M A I N # 2 1 Attributes Mapped attributes Multiple security domains Credential

29 9/11/2012Pomcor 29 Beyond Derived Credentials Password elimination on the Web at large without sacrificing privacy Social login without passwords Effective data protection for locked phones

30 9/11/2012Pomcor 30 Eliminating Passwords without Sacrificing Privacy Authentication by userid-password provides anonymity, unlinkability and unobservability Alternatives being proposed (OpenID, SAML, etc.) redirect to a third party Third party identifies user  no anonymity Authentication to different relying parties can be linked via the third party identifier Third party observes the transaction Our techniques eliminate passwords and preserves privacy (anonymity, unlinkability and unobservability) because they do not involve a third party

31 Mobile device App front-end VBB PBB App back-end Device record Dev. handle Hash of PK User database User record Token Social ID Social login without passwords Social ID User data User database User record Social ID Social network (e.g. Facebook) Relying party Social IDToken p, q, s, S, a Dev. handle

32 9/11/2012Pomcor 32 Data Protection Problem Data protection in iPhone locked by a PIN Data encrypted by key hierarchy including a key derived from PIN and a “ hardware key ” that cannot be extracted from the silicon by a casual user PIN protected against offline attack by hardware key But: Vulnerabilities  hardware key used for offline attack using the phone ’ s own processor; exhaustive attack on 4-digit PIN takes 40 min Hardware key could be extracted by probing the silicon

33 9/11/2012Pomcor 33 Data Protection Solution Encrypt data under symmetric key Store symmetric key in online server, or split it over several servers using Shamir ’ s k-of-n secret sharing technique Retrieve key over secure connection(s), authenticating with a key pair regenerated from a PIN and/or a biometric, so that tampering with phone does not help attacker

34 9/11/2012Pomcor 34 Risks of Mobile Applications? Mobile computing architecture potentially more secure Apps are sandboxed But vulnerabilities allow rooting Routinely used for jailbreaking and by forensic tools GMU, NIST, NSA working on hardened Android kernel Hardening should include interapp communications Our data protection technique … Protects data against exploitation of vulnerabilities after seizing device But malware running while legitimate user is using the device could capture PIN or biometric data

35 9/11/2012Pomcor 35 For more information … Whitepapers http://pomcor.com/whitepapers/DerivedCredentials.pdf http://pomcor.com/whitepapers/MobileAuthentication.pdf fcorella@pomcor.com kplewison@pomcor.com

Download ppt "9/11/2012Pomcor 1 Techniques for Implementing Derived Credentials Francisco Corella Karen Lewison Pomcor (http://pomcor.com/)"

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Virtual Tamper Resistance for a TEE Francisco Corella Karen Lewison 9/30/141 Presentation to the GlobalPlatform.

Virtual Tamper Resistance for a TEE Francisco Corella Karen Lewison 9/30/141 Presentation to the GlobalPlatform.
SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.

SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.
1 Pascal URIEN, IETF 61th, Washington DC, 10th November 2004 “draft-urien-eap-smartcard-type-00.txt” EAP Smart Card Protocol (EAP-SC)

1 Pascal URIEN, IETF 61th, Washington DC, 10th November 2004 “draft-urien-eap-smartcard-type-00.txt” EAP Smart Card Protocol (EAP-SC)
Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.

Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
7/11/2011Pomcor 1 Pros and Cons of U-Prove, Idemix and Other Privacy-Enhancing Technologies Francisco Corella Karen Lewison Pomcor.

7/11/2011Pomcor 1 Pros and Cons of U-Prove, Idemix and Other Privacy-Enhancing Technologies Francisco Corella Karen Lewison Pomcor.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
10/20/2011Pomcor 1 Deployment and Usability of Cryptographic Credentials Francisco Corella Karen Lewison Pomcor.

10/20/2011Pomcor 1 Deployment and Usability of Cryptographic Credentials Francisco Corella Karen Lewison Pomcor.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Mobile Mobile OS and Application Team: Kwok Tak Chi Law Tsz Hin So Ting Wai.

Mobile Mobile OS and Application Team: Kwok Tak Chi Law Tsz Hin So Ting Wai.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic.

Dr. Sarbari Gupta Electrosoft Services Tel: (703) Security Characteristics of Cryptographic.

Similar presentations

Ads by Google