Cartes Asia Dem 2010 V2
![Page 1: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/1.jpg)
Initiative for Open Authentication
Interoperability without Sacrificing Security
Donald E. Malloy, Jr.
NagraID Security
Cartes Asia
March 18th 2010
![Page 2: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/2.jpg)
The Open Authentication Reference Architecture (OATH) initiative is a group of companies working together to help drive the adoption of open strong authentication technology across all networks.
![Page 3: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/3.jpg)
Why the need for OATH
Fraud continues to grow
10 Million Americans were victims of fraud last year
This amounts to over $300M of online fraud last year alone
Hacking into web sites and stealing passwords continue to be a main focus of fraudsters
![Page 4: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/4.jpg)
Issues Facing IT Managers
![Page 5: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/5.jpg)
OATH History
Created 5 years ago to provide open source strong authentication.
It is an industry-wide collaboration that:
Leverages existing standards and creates an open reference architecture for strong authentication which users and service providers can rely upon, and leverage to interoperate.
Reduces the cost and complexity of adopting strong authentication solutions.
![Page 6: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/6.jpg)
OATH: Background
Networked entities face three major challenges today:
Theft of or unauthorized access to confidential data.
The inability to share data over a network without an increased security risk limits organizations.
The lack of a viable single sign-on framework inhibits the growth of electronic commerce and networked operations.
![Page 7: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/7.jpg)
OATH: Justification
The Initiative for Open Authentication (OATH) addresses these challenges with standard, open technology that is available to all.
OATH is taking an all-encompassing approach, delivering solutions that allow for strong authentication of all users on all devices, across all networks.
![Page 8: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/8.jpg)
OATH Membership (Partial)
![Page 9: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/9.jpg)
Standardized Authentication Algorithms
-Open and royalty free specifications
-Proven security: reviewed by industry experts
-Choice: one size does not fit all
HOTP
-Event-based OTP
-Based on HMAC, SHA-1
-IETF RFC 4226
OCRA
-Based on HOTP
-Challenge-response authentication
-Short digital signatures
T-HOTP
-Time-based HOTP
![Page 10: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/10.jpg)
Token Innovation and Choice
Multi-Function Token (OTP & USB Smart Card)
Soft OTP Token
OTP Token
OTP embedded in credit card
OTP soft token on mobile phones
HOTP applets on SIM cards and smart-cards
OTP embedded in flash devices
HOTP
50+ shipping products
![Page 11: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/11.jpg)
OATH Reference Architecture: Establishing ‘common ground’
• Sets the technical vision for OATH
• 4 guiding principles
– Open and royalty-free specifications
– Device Innovation & embedding
– Native Platform support
– Interoperable modules
• v2.0
– Risk based authentication
– Authentication and Identity Sharing
![Page 12: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/12.jpg)
OATH Authentication Framework 2.0
Components shown in the framework diagram:
Authentication Token (HOTP, Challenge/Response, Certificate, Time Based) and Token Interface
Client Applications and Client Framework
Applications (VPN, Web Application, etc.) using Authentication Protocols and Authentication Methods
Validation Services, Validation Framework and Validation Protocols
Provisioning Service, Provisioning Framework, Provisioning Protocol, Bulk Provisioning Protocols and Credential Issuer(s)
User Store and Token Store
Risk Evaluation & Sharing and Risk Interface
Authentication and Identity Sharing Models
![Page 13: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/13.jpg)
Credential Provisioning
Token manufacturer offline model: Portable Symmetric Key Container standard format (PSKC Internet-Draft)
Dynamic real-time model: Dynamic Symmetric Key Provisioning Protocol (DSKPP Internet-Draft); OTA provisioning to mobile devices, or online to PC/USB
IETF KeyProv WG: current RFC submissions
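Added example for the offline provisioning model above (not code from the presentation or from OATH): a minimal importer for a PSKC key container, assuming the element names of the published PSKC (RFC 6030), which the Internet-Draft named on the slide became. The container is constructed for illustration; the seed it carries is the RFC 4226 sample value, and the `seed_unencrypted` flag is this example's own addition so the importer can treat a plaintext-seed file as key material.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace and HOTP algorithm URI of PSKC (RFC 6030, the published form of
# the PSKC Internet-Draft named on the slide).
PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
HOTP_ALG = "urn:ietf:params:xml:ns:keyprov:pskc:hotp"

# Constructed sample container: one HOTP token whose seed is carried unencrypted.
SAMPLE_PSKC = f"""<KeyContainer Version="1.0" xmlns="{PSKC_NS}">
  <KeyPackage>
    <DeviceInfo><SerialNo>987654321</SerialNo></DeviceInfo>
    <Key Id="12345678" Algorithm="{HOTP_ALG}">
      <AlgorithmParameters>
        <ResponseFormat Length="6" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>"""


def load_hotp_keys(pskc_xml: str) -> list:
    """One record per HOTP <Key>: serial, key id, decoded seed, start counter,
    OTP length, and a flag saying the seed was a PlainValue (the file itself is
    then key material: protect it in transit and destroy it after import)."""
    ns = {"p": PSKC_NS}
    root = ET.fromstring(pskc_xml)  # parse files from outside with defusedxml
    records = []
    for pkg in root.findall("p:KeyPackage", ns):
        serial = pkg.findtext("p:DeviceInfo/p:SerialNo", default="", namespaces=ns)
        for key in pkg.findall("p:Key", ns):
            if key.get("Algorithm") != HOTP_ALG:
                continue  # only the event-based profile is imported here
            plain = key.findtext("p:Data/p:Secret/p:PlainValue", namespaces=ns)
            fmt = key.find("p:AlgorithmParameters/p:ResponseFormat", ns)
            records.append({
                "serial": serial,
                "key_id": key.get("Id"),
                "secret": base64.b64decode(plain) if plain is not None else None,
                "counter": int(key.findtext("p:Data/p:Counter/p:PlainValue", default="0", namespaces=ns)),
                "digits": int(fmt.get("Length")) if fmt is not None else 6,
                "seed_unencrypted": plain is not None,
            })
    return records
```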
![Page 14: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/14.jpg)
OATH Roadmap
CHOICE of AUTHENTICATION METHODS
- HOTP
- OCRA
- T-HOTP
CREDENTIAL PROVISIONING & LIFECYCLE
- PSKC
- DSKPP
APPLICATION INTEGRATION & ADOPTION
- Certification program
- WS Validation
- Auth & Identity Sharing work
![Page 15: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/15.jpg)
Objectives
Understand the full lifecycle support needed for strong authentication integration
Learn different approaches to supporting strong authentication in your applications
Take away the best practices for enabling strong authentication in applications
![Page 16: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/16.jpg)
Certification Program
The OATH Certification Program
• Intended to provide assurance to customers that products implementing OATH standards and technologies will function as expected and interoperate with each other.
• Enable customers to deploy ‘best of breed’ solutions consisting of various OATH ‘certified’ authentication devices such as tokens and servers from different providers.
Introduced 2 Draft Certification Profiles at RSA
• Tokens – HOTP Standalone Client
• Servers – HOTP Validation Server
10 Additional Profiles to be introduced throughout the year
![Page 17: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/17.jpg)
One Time Password Devices
Initial Applications
• Financial – Most Governments have demanded more than static passwords
• Online Authentication
• Physical Access
Subsequent Applications
• Contactless Payment
• Secure Network Access
• E-wallet application
![Page 18: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/18.jpg)
Layered Approach to Security
Applications
• OTP
• PIN Activation
• Challenge/Response
• Physical Access
• Contactless Payment
• Secure Network Access
Cards will be used for single sign on and multiple applications
![Page 19: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/19.jpg)
Typical Application Scenario
Transaction authentication & Signing
1. Log on to Bank’s web site
2. Give user name and password
3. Bank sends a challenge number used to create PIN
4. User enters number into card and new secure pass code is generated
5. User then submits this new number to the bank’s web site
6. Transaction is then authorized by the bank
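The three algorithms from the Standardized Authentication Algorithms slide (HOTP, OCRA and T-HOTP) together with the validation-server side of the bank challenge-response scenario above, as an added Python example (not code from the presentation or from OATH). It uses the published 20-byte test secret from RFC 4226; the OCRA suite and encoding follow the later RFC 6287, and `verify_hotp` with its look-ahead window is this example's own illustration of a server check, not an OATH specification.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6287 test secret (20 ASCII bytes); a published sample value, not a real key.
SECRET = b"12345678901234567890"


def dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 section 5.3: take 4 bytes at the offset given by the low nibble of
    the last MAC byte, clear the sign bit, then reduce modulo 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based HOTP (T-HOTP, later RFC 6238): the counter is the number of
    elapsed time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def ocra_qn08(secret: bytes, challenge: str) -> str:
    """Challenge-response for suite OCRA-1:HOTP-SHA1-6:QN08 (RFC 6287):
    DataInput = suite || 0x00 || Q, where the 8-digit numeric challenge is
    written in hex and right-padded with zeros to 128 bytes."""
    suite = b"OCRA-1:HOTP-SHA1-6:QN08"
    q_bytes = bytes.fromhex(format(int(challenge, 10), "X").ljust(256, "0"))
    mac = hmac.new(secret, suite + b"\x00" + q_bytes, hashlib.sha1).digest()
    return dynamic_truncate(mac, 6)


def verify_hotp(secret: bytes, last_counter: int, submitted: str, window: int = 5):
    """Validation-server side of the bank scenario: accept only counters above
    the last one stored for this token, within a small look-ahead window, and
    compare in constant time. Returns the counter to persist, or None. A code
    at or below last_counter is refused, which is what defeats replay."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c
    return None
```

Expected values are the RFC test vectors: counter 0 gives 755224, counter 1 gives 287082, and challenge 00000000 gives 237653.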
![Page 20: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/20.jpg)
Recommended Validation Framework
![Page 21: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/21.jpg)
Authentication Integration Architecture
Direct authentication integration over standard protocol: User → Application → Authentication Module → Strong Auth Server (Strong Authentication over RADIUS / WS-Trust / Others)
Plugin based authentication integration: User → Application → Existing Auth Server → Authentication Plugin → Strong Auth Server (Strong Authentication over RADIUS / WS-Trust / Others)
![Page 22: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/22.jpg)
Plugin Based
Enable two-factor authentication in your existing third party authentication server for user password
• Your application code doesn’t need to change
• Out of box strong authentication support in your existing third party authentication server
– Integration Connectors available from authentication solution vendors, e.g. RSA, VeriSign
– e.g. CDAS plugin for IBM Tivoli Access Manager
• Develop your customized plugin for your existing third party authentication server
![Page 23: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/23.jpg)
Open Source Implementation
RADIUS Client
• Java – http://wiki.freeradius.org/Radiusclient
• .NET
• C/C++
Authentication Server with OTP Support
• Radius server – http://www.freeradius.org/ – Need to add OTP auth plugin
• Triplesec – http://cwiki.apache.org/DIRxTRIPLESEC/
![Page 24: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/24.jpg)
References and Resources
Initiative for Open AuTHentication (OATH)
• http://www.openauthentication.org
HOTP: An HMAC-Based One-Time Password Algorithm – RFC 4226
• http://www.ietf.org/rfc/rfc4226.txt
OATH Reference Architecture
• http://www.openauthentication.org
Other draft specifications
• http://www.openauthentication.org
![Page 25: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/25.jpg)
How to Get Involved
Visit the OATH website
• Download Reference Architecture v2
• Download and review draft specifications
Engage - contribute ideas, suggestions
• Review public draft specifications
• Get involved in developing specifications
Become a member!
• 3 levels - Coordinating, Contributing, Adopting
• Become an active participant
![Page 26: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/26.jpg)
Summary
Driving a fundamental shift from proprietary to open solutions!
An industry-wide problem mandates an industry-wide solution
• Strong Authentication to stop identity theft across all the networks
A reference architecture based on open standards
• Foster innovation & lower cost
• Drive wider deployment across users and networks
Minimal bureaucracy to get the work done!
![Page 27: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/27.jpg)
Questions & Answers
Thank You!
![Page 28: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/28.jpg)
Backup Slides…
![Page 29: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/29.jpg)
OATH Timeline
A humble beginning!
- Common OTP Algorithm (HOTP)
Steady Progress…
- OATH Reference Architecture 1.0
- New HOTP devices
- Membership expansion
- Public Roadmap release
Roadmap Advances
- Portable Symmetric Key Container
- Challenge-Response Mutual Authentication
- Provisioning Protocol
- Risk-based Authentication
- Authentication Sharing
- IETF KeyProv
- Interop Demo
- OATH Reference Architecture 2.0
![Page 30: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/30.jpg)
Risk Based Authentication Architecture
Components shown in the diagram: Validation client, Validation framework, Risk evaluation and sharing, Fraud information exchange network, User store; interfaces: Authentication protocol, Validation protocol, Risk interface, Fraud Network Interface (Thraud)
• Risk-based authentication
– Convenient authentication for low risk transactions
– Stronger authentication for higher risk transactions
• OATH will define standardized interfaces
– Risk Evaluation
– Sharing fraud information (ThraudReport)
![Page 31: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/31.jpg)
Authentication and Identity Sharing
Promotes use of single credential across applications
• Force multiplier!
Multiple approaches
• One size does not fit all
Models that leverage identity sharing technologies
• Liberty, SAML, OpenID, etc.
Models to enable sharing of 2nd factor authentication only
• Simpler liability models
![Page 32: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/32.jpg)
Authentication Sharing – Centralized Token Service model
User uses same token to authenticate to multiple sites
1. Authenticate (user to an Application Web Site)
2. Validate (application web site to the Central Token Validation Service, OATH Validation Framework)
Token is validated centrally in the validation service
• Same token can be activated at multiple sites
Easy integration for application web site(s).
• Can leverage OATH Validation Service work!
![Page 33: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/33.jpg)
Authentication Sharing – Distributed Validation Model
Authoritative Validation Nodes (OATH Validation Framework), a Token Lookup Service and Application Web Site(s)
1. Publish Token Information (authoritative validation nodes to the Token Lookup Service)
2. Authenticate (user uses same token to authenticate to multiple sites)
3. Look up validation node information (application web site queries the Token Lookup Service)
4. Validate (application web site to the authoritative validation node)
Inspired by ‘DNS’
Rich set of deployment models
• Standalone system can join the network by publishing token discovery information
There needs to be a central Token Lookup Service.
• OATH considering developing Token Lookup protocol.
![Page 34: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/34.jpg)
Authentication Sharing – Credential Wallet
User has multiple credentials provisioned on the smartphone
1. Provision (Token Provisioning and Validation, OATH Provisioning and Validation frameworks, to the smartphone)
2. Authenticate (user to an Application Web Site)
3. Validate (application web site to the Token Provisioning and Validation service)
Shared device
• Multiple credentials
Credentials are dynamically provisioned onto the device.
• Leverage OATH Provisioning specifications.
![Page 35: Cartes Asia Dem 2010 V2](https://reader033.fdocuments.in/reader033/viewer/2022061221/54bcf71c4a7959d3608b45ad/html5/thumbnails/35.jpg)
Identity Federation & OATH
OATH: promote the use of strong authentication with these technologies!
Enables user to use same identity across website(s)
• Traditional federation (Liberty)
• User-centric models (OpenID, CardSpace)
Single Identity becomes more valuable
• Needs to be protected using strong authentication