Internet Security and Authentication Issues (for a Machine with a Fruit on the Front) Rodney Thayer.

Internet Security and Authentication Issues

(for a Machine with a Fruit on the Front)

Rodney Thayer

Security/Auth for Mac's 2

Topics

• What’s the question?

• Security Applications

• Platform Dreams

• Security Considerations

What’s the Question?

Security and Authentication

• Features required for applications

• Features required for users

• No bone-implant computing devices, yet

• Opportunities for Mac applications

• Real world requirements

Security Applications

Applications

• Secure Web path

• VPN Client

• Secure Email

• Secure client applications (e.g. router manager)

• Credit Cards

• Payment technologies

• Identification schemes

Why Security or Authentication?

• Money

• Intellectual Property

• Regulation

• Privacy

• Insurance

• Property Protection

What’s Mac Specific?

• Opportunity to exploit capabilities

• Application set (e.g. multimedia)

• Platform design opportunities

• Other platforms suck, Macs could suck less

Secure Web Applications

• Browsers, Java applications, Custom applications

• Bulk encryption of data link

• Authentication of end entities

• Browser protocols using legacy SSL or TLS or beyond

• light performance load

VPN Applications

• Remote access to work group network

• Road Warriors

• Telecommuting

• Wireless Networks

• IPsec/SSH/Other Tunnels

• Authentication and Bulk encryption

• light to heavy performance load

Secure Email

• Signed and/or Encrypted email among users and entities

• Various standards, some even work ;-)

• We wish we had authentication

• authentication and limited bulk encryption

• light to medium load

Media Applications

• Post-Napster post-Superbowl audio/video

• Payment applications

• If encrypting, high performance load

• Heavy performance load

Secure Client/Server

• Applications that are security-aware

• Network Management

• Hard core commerce applications

• all sorts of performance requirements

Platform Dreams

What do you want to encrypt today?

• Any data I have

• At any speed

• Securely

• Easily, from any application

• Standards-based

• Provided by vendor(?)

User Requirements

• Zero extra blobs to carry

• Practically interface to single package

• No extra power requirements

• No cost increase

• Common interface

• No extra steps (e.g. mouse wiggling)

Application Requirements

• Access to authentication protocols

• Access to encryption protocols

• Token capabilities (key rings)

• Hardware encryption capability

• Secure memory

• Two-factor capability (fingerprint, retinal, etc.)

Crypto Requirements

• Public key cryptography (RSA, EC, DSA)

• Large keys -- 1024/2048/etc.

• Symmetric Ciphers (3DES, AES)

• Hardware tokens

• Zeroization capability

• Physical/Electrical security

What about the Mac?

• Opportunities to design in features

• Token access

• Hardware crypto

• Entropy Generation

• Biometric devices

• Suck Less

Security Considerations

Issues

• Crypto Issues

• Non-crypto issues

• Human factors

• Packaging

Crypto Issues

• Parameters: key size, etc.

• Design choices of algorithms -- licensing, embedded software issues

• Installed base inertia

• Human error

Non-crypto issues

• Many security failures are not the crypto

• Protocol implementation issues

• User Interface issues

• New implementations->bugs

• Additional hardware and software needed

Human factors

• Trouble getting people to do extra work

• Entropy generation is hard

• pass phrases can be forgotten

• stigma issues

• fear issues

Threat Issues

• Fancy screens -- information leakage

• Fancy plastic -- case hacking

• Risk of using hardware tokens

• Misuse of hardware acceleration

• Wide use -- better target

Rodney Thayer

[email protected]

Presentation is at: http://www.pkiclue.com/presentations