CertAnon A Proposal for an Anonymous WAN Authentication Service David Mirra CS410 January 30, 2007.


1 CertAnon: A Proposal for an Anonymous WAN Authentication Service
David Mirra, CS410, January 30, 2007

2 A Wired World
Who is online? [1]
–73% of American adults
–88% of 18-29 year-olds
–91% of college-educated adults
What are they doing? [2]
–Communicating
–Shopping
–Banking
1. US users, April 2006 - http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf
2. UK users, Q1 2005 - http://www.e-consultancy.com/publications/internet-stats-compendium/

3 The Identity Issue
Strong authentication is needed for online accounts
–Permit remote access for authorized users
–Allow the good guys in
–Keep the bad guys out
Typically done via a username/password mechanism

4 The Problem with Passwords
More online accounts = more passwords
Complexity of passwords is limited by the human factor [3]
Vulnerability is enhanced by the technology factor
Password control is difficult [4]
–Dissemination is too easy
Once compromised, a password is no longer effective for authentication
3. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
4. http://www.schneier.com/crypto-gram-0503.html#2

5 The Risk of Theft
Phishing attempts are on the rise [5]
–Social engineering tricks users into divulging info
–Crimeware steals account credentials directly
5. Anti-Phishing Working Group - http://www.antiphishing.org/

6 What’s Been Tried?
Microsoft .NET Passport [6] and Sun Liberty Alliance [7]
–Single sign-on services for web commerce
–Privacy concerns
–Relied on the username/password paradigm
Company-specific token authentication
–A token for every site
6. Wikipedia - http://en.wikipedia.org/wiki/Microsoft_Passport
7. Wikipedia - http://en.wikipedia.org/wiki/Liberty_Alliance

7 A New Proposal
Anonymous WAN authentication service
–Used for any and all online accounts
–Strong two-factor authentication
–Limited information sharing
Initial customers are Internet users
Ultimate customers are online businesses

8 Two-factor Authentication [8]
Something you know
–A single PIN
Plus something you have
–Hardware token generating pseudo-random numbers
Effectively changes your password every 60 seconds
8. RSA - http://www.rsasecurity.com/node.asp?id=1156
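To make the PIN-plus-token scheme of slide 8 concrete, here is an added server-side verifier (example code, not part of the presentation and not CertAnon's or RSA's own code). The real SecurID algorithm is proprietary, so the token code is a stand-in HMAC time-step code in the style of RFC 6238 with the 60-second cadence the slide describes; the token seed, PIN and timestamps are constructed test values.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the token: an HMAC time-step code (TOTP style),
# NOT the proprietary RSA SecurID algorithm. Same 60-second cadence as slide 8.
STEP_SECONDS = 60
CODE_DIGITS = 6
DRIFT_STEPS = 1  # tolerate one step of clock skew on either side


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token would display during the 60-second window holding unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def pin_hash_for(pin: str) -> bytes:
    """What the server stores instead of the PIN itself (hypothetical helper)."""
    return hashlib.sha256(pin.encode()).digest()


def verify_passcode(seed: bytes, pin_hash: bytes, passcode: str,
                    now: int, used_counters: set) -> bool:
    """Two-factor check: PIN (something you know) + token code (something you have).
    The passcode is the PIN followed by the current token code. A counter that
    has already been accepted is rejected, so a sniffed passcode cannot be replayed
    inside the same 60-second window."""
    if len(passcode) <= CODE_DIGITS:
        return False
    pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
    pin_ok = hmac.compare_digest(pin_hash_for(pin), pin_hash)
    matched = None
    for step in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        t = now + step * STEP_SECONDS
        if hmac.compare_digest(token_code(seed, t), code):
            matched = t // STEP_SECONDS
    if not pin_ok or matched is None or matched in used_counters:
        return False
    used_counters.add(matched)
    return True
```

Note that the PIN check still runs when the token code is wrong, so a failed attempt takes roughly the same time either way.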

9 CertAnon Hardware
Four global servers running RSA Authentication Manager
RSA SecurID tokens available for retail purchase

10 CertAnon Software
Public web service
–Encrypted authentication request/response
Free software modules for download by web site operators
–Encourages adoption of CertAnon authentication

11 How Does It Work for Me?
Buy a token
–Anonymous purchase
Register it with CertAnon
–Anonymous registration
Create a web account anywhere
–Check the box “I use CertAnon”
Link that account to your token
–And off you go!

12 How About the Web Sites?
Register servers with CertAnon
Receive a key to encrypt requests
Make CertAnon authentication available to customers
Authentication requests are sent to all CertAnon servers
–First to respond is accepted

13 Benefits
Consumers
–Only one PIN to remember
–Authenticate without sharing identity
–Increased security
–Pay once, protect forever
Businesses
–Free for early adopters
–No more password management
–Close the “trust gap”

14 Pitfalls
Requires adoption by consumers and businesses
–Establish trust
–Make it easy to get and easy to use
Not a silver bullet
–Part of a defense-in-depth strategy
Governmental resistance to anonymity
–Similar hurdles faced by encryption products

15 It Can Be Done
Available, affordable, and proven technology
Targets a large and growing market
Benefits consumers and online businesses
Manageable project scope, scalable product
Build it and they will come!

16 Works Cited
“Failure of Two-Factor Authentication.” Schneier on Security. 12 Jul. 2006. Bruce Schneier. 28 Jan. 2007.
“Internet Penetration and Impact.” Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007.
“Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007.
“Liberty Alliance.” Wikipedia. 25 Jan. 2007. Wikipedia. 28 Jan. 2007.

17 Works Cited (cont.)
“Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007.
“Real-World Passwords.” Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007.
“RSA SecurID Authentication.” RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007.
“Windows Live ID.” Wikipedia. 23 Jan. 2007. Wikipedia. 28 Jan. 2007.
