CertAnon Anonymous WAN Authentication Service Approval Presentation Red Group CS410 May 1, 2007.


Transcript of CertAnon Anonymous WAN Authentication Service Approval Presentation Red Group CS410 May 1, 2007.

Page 1: CertAnon Anonymous WAN Authentication Service Approval Presentation Red Group CS410 May 1, 2007.

CertAnon

Anonymous WAN Authentication Service

Approval Presentation

Red Group, CS410

May 1, 2007

Page 2

Our Team

Page 3

Presentation Outline

• Problem Description
• Solution Description
• Process Description
• Solution Characteristics
• Marketing Plan, ROI
• Management Plan
• Milestones, Deliverables, Budgets
• Risk Management
• Conclusion

Page 4

Who is Chockalingam Ramanathan?

• Part of a group using stolen passwords to empty investors’ accounts [1]

• Hit prominent brokers such as TD Ameritrade, E*Trade, and Charles Schwab

• Resulted in more than $2 million in losses, which were absorbed by the brokers

• Fourth tech-intrusion case filed by the SEC since December 2006

1. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html

Page 5

Fraud Stats

• From 2005 – 2006 [2]

– 8.9 million victims of online fraud or identity theft

– Total losses to identity theft and online fraud jumped from $54.4 billion to $56.6 billion

– Mean resolution time per incident skyrocketed from 28 to 40 hours per victim

2. http://www.verisignsecured.com/content/Default.aspx?edu_stats_body.html

Page 6

Going Phishing

• Phishing sites are on the rise [3]

• Over 7 million phishing attempts per day

3. Anti-Phishing Working Group - http://www.antiphishing.org/

Page 7

Consumers’ Online Activities

[Bar chart: % of Internet users and % of time spent online, by activity: Bank online, Make travel reservations, Communication, Commerce; y-axis 0–70%] [4][5]

4. Clickz.com - http://www.clickz.com/showPage.html?page=3481976#table
5. Clickz.com - http://www.clickz.com/img/Share_of_Time.html

Page 8

Password Overload

[Bar chart: % of surveyed professionals who have 6-15 passwords vs. over 15 passwords; y-axis 0–35%] [6]

6. RSA Security Password Management Survey - http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf

Page 9

The Problem

• Single-factor password authentication is easily compromised and endangers the security of online accounts.
– Username/Password paradigm is insecure [7]
– Management of multiple strong passwords is difficult for individuals
– Fraudulent online account access and associated costs are increasing

7. http://www.schneier.com/crypto-gram-0503.html#2

Page 10

The Endangered Password

• More online accounts = more passwords
• Complexity of passwords is limited by the human factor [8]
• Vulnerability is enhanced by the technology factor
• Dissemination is too easy
• Once compromised, a password is no longer effective for authentication

8. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html

Page 11

CertAnon – A New Proposal

• Anonymous WAN authentication service
– Used for any and all online accounts
– Strong two-factor authentication
– Limited information sharing
• Partner with online businesses
• Initial customers are Internet users

Page 12

Two-Factor Authentication [9]

• Something you know
– A single PIN
• Plus something you have
– Hardware token generating pseudo-random numbers
• Effectively changes your password every 60 seconds

9. RSA - http://www.rsasecurity.com/node.asp?id=1156

Page 13

RSA SecurID Users

Page 14

Two-Factor Acceptance

• Rolls Royce & Bentley Motor Cars
– Uses RSA SecurID authentication
– Enables them to use the Internet securely as a cost-effective and efficient extension to their corporate network
• E*Trade Financial
– Provides retail customers the option to add Digital Security ID to their Internet security solution
– Helps guard against unauthorized account access

Page 15

Reaching the Goal

• Build a WAN authentication service that permits customers to securely access all of their online accounts using a single access method
– Build our website
– Write software modules for partner sites
– Develop testing portal
– Install authentication servers
– Distribute tokens
– Beta-testing, then go live!

Page 16

What Would It Look Like?

[Architecture diagram. Components: Internet user with CertAnon token; CertAnon website (website host), with account setup and database update; RSA ACE servers, each with its own data store, in the US East Coast, US West Coast, UK, and Australia. Labelled flows: login attempt, login response, auth request, auth response.]

Page 17

4. Bob goes to E*Trade's website to sign in.

Username: TraderBob
Password: 1a2b3c234836

His E*Trade username is TraderBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.

5. And now he's in his E*Trade account!

6. One minute later, he jumps to the Yahoo! mail page to check e-mail.

Username: SpamBob
Password: 1a2b3c184675

His Yahoo! username is SpamBob, so he types that as usual. He looks at the code on his token display. He types his PIN and that token code in the Password field.

7. And now he's in his Yahoo! account!

Page 18

Who is Our Customer?

• Two sales channels
• Individual Internet user (211 million of them!) [10]
– Purchases CertAnon token for one-time fee of $50
– Obtaining a critical mass of customers makes CertAnon a must have for online vendors
– Could provide leverage to charge vendors on a transaction basis in the future
• Security-conscious businesses
– Purchase batches of tokens for redistribution to their customers
– Focus on those without proprietary solutions

10. Internet World Stats - http://www.internetworldstats.com/stats2.htm

Page 19

Marketing Strategy

• Offer software modules for customer integration
– Freely available to encourage adoption of the service
• Approach financial companies not already using a two-factor authentication method
– Bulk token sales
– Enable them to offer the same customer security as larger competitors without the infrastructure expense
– Token reusability will encourage faster customer adoption
• Advertising strategies
– Internet advertising
– Computer shows/trade shows
– Promotional token giveaways

Page 20

ROI for Consumers

• Reduce/eliminate need for multiple passwords
• Avoid password theft, unauthorized account access, and fraud
• Information isn’t stored on a card or device that can be lost
• Full passcodes not stored in a hackable database that is a single point of failure

Page 21

ROI for Businesses

• Very low cost
• Avoid implementing a costly proprietary solution
• Improves security of customer base by moving more people away from passwords
• Reduces losses from fraud reimbursement
• Snaps into existing infrastructure with minimal development
• Customers who don't use CertAnon will be unaffected

Page 22

Cons

• Reliance on a physical token
– Forgotten
– Broken
– Lost or stolen
• Inadequate for sight-impaired users
• Customer service coordination will need to be handled carefully

Page 23

Competition Matrix

Page 24

Management Plan

Page 25

Team Communications

• Team meetings (via AOL AIM):
– Sunday/Tuesday 8:00 P.M.
– Additional meetings as needed
– Meetings with Professor Brunelle as needed
– Meetings with Technical Advisors as needed
• Google Group for document management and messaging

Page 26

Phase 0 Gantt Chart

Page 27

Phase 1 Gantt Chart

Page 28

Phase 1 Major Components

[Diagram. Components: test user on a workstation with token simulation software; simulated partner web site; CertAnon website, with account setup and auth server update; workstation running simulated authentication manager software; each component with its own data store. Labelled flows: login attempt, login response, auth request, auth response.]

Page 29

Phase 1 Development WBS

Page 30

Phase 1 Organizational Chart

Page 31

Phase 1 Staffing Budget

Position                  Type     Quantity  Hours  Rate  Total
Documentation Specialist  Student  1         30     $15   $452
Financial Director        Student  1         24     $15   $362
Hardware Manager          Student  1         92     $15   $1,377
Project Manager           Student  1         64     $15   $960
Risk Director             Student  1         52     $15   $785
Software Manager          Student  1         500    $15   $7,497
Web Developer             Student  1         486    $15   $7,292

Total Cost: $18,723
40% Overhead: $7,489
Total Phase 1 Staffing Budget: $26,212

Page 32

Phase 1 Resource Budget

Description                                       Quantity  Cost
Dell Servers - Web site & DB hosting              4         $11,632
Dell Workstations - Dedicated PCs for team use    5         $6,990
MySQL - Web site back end database                --        $0
PHP - Web sites and plug-in modules               --        $0
Website - Hosting by ODU                          1         $0

Total Cost: $18,622
40% Overhead: $7,449
Total Phase 1 Resource Cost: $26,071

Page 33

Phase 2 Gantt Chart

Page 34

Phase 2 Organizational Chart

Page 35

Phase 2 Staffing Budget

Position                  Type   Quantity  Hours  Rate  Total
Documentation Specialist  Staff  1         552    $18   $9,713
Financial Director        Staff  1         94     $68   $6,372
Hardware Manager          Staff  1         200    $20   $3,901
HR Manager                Staff  1         172    $29   $5,053
Project Manager           Staff  1         136    $29   $3,883
QA Engineer               Staff  1         774    $21   $16,009
Risk Director             Staff  1         8      $18   $140
Software Engineer 1       Staff  1         440    $22   $9,718
Software Manager          Staff  1         334    $42   $13,961
Technical Director        Staff  1         136    $50   $6,835
Web Developer             Staff  1         790    $28   $22,143

Total Cost: $97,728
40% Overhead: $39,091
Total Phase 2 Staffing Budget: $136,819

Page 36

Phase 2 Resource Budget

Description                                                                Quantity  Cost
RSA Authentication Manager Server License                                  4         $12,000
Dell Servers - Running RSA Authentication Mgr software                     4         $11,632
Dell Workstations - PCs for additional staff                               4         $5,592
RSA Training                                                               --        $1,600
Visual Studio Professional 2005 - Used for additional plug-in development  2         $1,338
RSA Tokens                                                                 10        $500

Total Cost: $32,622
40% Overhead: $13,065
Total Phase 2 Resource Cost: $45,687

Page 37

Phase 3 Gantt Chart

Page 38

Phase 3 Organizational Chart

Page 39

Phase 3 Staffing Budget

Position                  Type   Quantity  Hours  Salary    Total
Customer Service Reps     Staff  5         2,080  $30,400   $152,000
Documentation Specialist  Staff  1         440    $36,600   $7,742
Financial Director        Staff  1         278    $140,500  $18,778
Hardware Manager          Staff  1         200    $40,600   $3,899
HR Manager                Staff  1         528    $61,100   $15,510
Marketing Director        Staff  1         1,161  $99,900   $55,763
Project Manager           Staff  1         1,391  $59,600   $39,866
QA Engineer               Staff  1         350    $43,000   $7,233
Sales Representative      Staff  3         2,080  $40,488   $121,464
Software Engineer 1       Staff  1         320    $45,900   $7,062
Software Manager          Staff  1         345    $87,000   $14,443
Technical Director        Staff  1         1,280  $104,400  $64,268
Web Developer             Staff  1         320    $58,300   $8,969

Total Cost: $516,997
40% Overhead: $206,799
Total Phase 3 Staffing Budget: $723,796

Page 40

Phase 3 Resource Budget

Description                                                      Quantity  Cost
Secure Server Hosting - Hosting authentication servers remotely  --        $48,000
Dell Workstations - PCs for additional staff                     9         $12,582
Dell Servers - Web site database servers with RAID arrays        2         $5,816

Total Cost: $66,398
40% Overhead: $26,560
Total Phase 3 Resource Cost: $92,958

Page 41

Total Project Cost

Item                      Marginal Cost  Per # of Customers  Cost per Customer
Token                     $30            1                   $30.00
Authentication Server     $2,908         250,000             $0.01
RSA Auth Mgr License      $3,000         250,000             $0.01
Secure Hosting (3 Years)  $36,000        250,000             $0.14

Total Cost: $30.17
40% Overhead: $12.07
Total Marginal Cost Per Customer: $42.23
Marginal Revenue Per Customer: $50.00
Profit Per Customer: $7.77

Phase               Staffing  Resources  Phase Total
Phase 1             $26,212   $26,071    $52,283
Phase 2             $136,819  $45,687    $182,506
Phase 3 (One Year)  $723,796  $92,958    $816,754
Total Phases 1-3    $886,827  $164,716   $1,051,543
Out Years (Annual)  $629,776  $67,200    $696,976

Page 42

Break Even Analysis

Year  Tokens Sold  Total Revenue  Total Cost   Profit
0     -            -              $816,754     ($816,754)
1     150,000      $7,500,000     $7,848,933   ($348,933)
2     500,000      $25,000,000    $23,328,049  $1,671,951
3     1,000,000    $50,000,000    $45,142,368  $4,857,632

[Line chart: Cumulative Break Even Analysis (Year 0 = Phase 3); x-axis Year 0–3, y-axis Revenue $0–$60,000,000; series: Total Revenue, Total Cost]

Page 43

Funding Plan

• SBIR Funding Agency: National Science Foundation
– Phase 1: $100,000 max, $52k planned
– Phase 2: $750,000 or two years, $183k planned
• Phase 3
– Venture capital investment
– Small business loan
– Revenue from token sales

Page 44

Risk Management Plan

• Identify project risks
• Determine the phase that the risk is in
• Categorize risks according to probability and impact
• Reduce risks before or as they happen with mitigation actions
• Continue to reevaluate risks during all phases
• Watch for new risks

Page 45

Risks and Mitigation

[Risk matrix: Impact (rows, 1-5) vs. Probability (columns, 1-5), scale 1-Low to 5-High. Risks 5, 2 and 1 are plotted at impact 5; risks 6 and 3 at impact 3; risks 7 and 4 at impact 2.]

#  Risk                             Mitigation
1  Trust                            Beta-testing
2  Customer understanding           Tutorials on website
3  Reliance on token sales revenue  Encourage early partner site adoption
4  Viable alternatives              Single source two-factor
5  Token loss                       Provide temporary password access
6  Token availability               Offer online and through retail outlets
7  Government vs. Anonymity         Follow the lead of encryption products

Page 46

Evaluation Plan

• Time
– Measured against baseline project plan
• Cost
– Measured against budget plan by phase
• Scope
– Measured against requirement document
• Quality
– Measured by customer adoption rate and satisfaction

Page 47

Evaluation Phases

• Phase 0
– Idea developed
– Project website developed
– Funding secured
• Phase 1
– Prototype design
– Working prototype
– Initial customer demonstration
• Phase 2
– Product design
– Software module development
– Software module testing
– Integration testing
– Finished product
• Phase 3
– First sale completed
– Product released
– Marketing plan developed
– Successful marketing
– New contracts acquired

Page 48

Conclusion

• Available, affordable, and proven technology
• Targets a large and growing market
• Benefits consumers and online businesses
• Scalable service
• Manageable project scope, achievable milestones

Page 49

References

• “3 Indicted in Online Brokerage Hacking Scheme.” Washington Post. 13 Mar. 2007. Carrie Johnson. 2 Apr. 2007 <http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html>.

• “Internet Penetration and Impact.” Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.

• “Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.e-consultancy.com/publications/download/91130/internet-stats-compendium/internet-stats-compendium-January-2007-SAMPLE.doc>.

• “Internet World Stats.” Internet World Stats. 10 Mar. 2007. Internet World Stats. 22 Apr. 2007 <http://www.internetworldstats.com/stats2.htm>.

• “Online Banking Increased 47% since 2002.” ClickZ Stats. 9 Feb. 2007. The ClickZ Network. 15 Feb. 2007 <http://www.clickz.com/showPage.html?page=3481976#table>.

Page 50

References (cont.)

• “Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.

• “Real-World Passwords.” Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.

• “RSA SecurID Authentication.” RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.

• “RSA Security Password Management Survey.” RSA Security. Sep. 2006. Wikipedia. 15 Feb. 2007 <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf>.

• “Share of Time Spent Online.” ClickZ Stats. 27 Feb. 2007. The ClickZ Network. 28 Feb. 2007 <http://www.clickz.com/img/Share_of_Time.html>.

Page 51

Appendix

• Abstract
• SBIR Document
• Management Plan
• Evaluation Plan
• Resource Plan
• Marketing Plan
• Funding Plan
• Staffing Plan
• Risk Management Plan
• Hardware Specifications
• Work Breakdown Structure
• Additional Diagrams