Securing the Cloud for a Connected Society
Computex – Cloud Industry Forum
Taipei, June 6, 2013
Michael Poitner
Table of Contents
• Online Authentication Facts
• Today’s 2-factor Authentication Solutions
• Google’s “War on Password” and Solution
• Hardware Secure Elements and Threats
• Introduction to FIDO (Fast Identity Online)
• User vs. Device Authentication
• Overview NXP
6/6/2013 Page 2 Securing The Cloud – War On Password

Online Authentication: a few facts. Username and password have been prevalent for the past 40 years: are they still suitable?
• Account takeover (ATF+NAF) rose by 50% in 2012 (Javelin, March 2013)
• Average of 25 accounts per user
• 6.5 different passwords
• 8 services used per day on average
• $15 per password re-initialization
• Passwords are being reused, phished and keylogged
On average, a user has 6.5 different passwords.
A password re-initialization costs the service provider $15.
User: “I own 25 online accounts. Do you expect me to remember 25 passwords?”
User: “Although I connect to 8 different services per day, I use some of them very seldom and sometimes forget the associated password.”

Online Authentication: more facts. Passwords are not secure enough.
Source: Ponemon Institute 2013 (sponsored by Nok Nok Labs Inc.)
Some more hacking incidents:
• March 18: Cisco IOS passwords issue
• March 11: Michelle Obama, Hillary Clinton, Britney Spears, …
• March 2: Evernote hacked, password reset for 50M users
• Feb 28: cPanel web hosting control service hacked
• Feb 26: Google 2-step verification tricked
• Feb 22: Facebook, Apple, Microsoft corporate networks hacked
• Feb 19: 250,000 Twitter accounts (Burger King, Jeep) hacked

Good Pa$$phr@ses#1 are rare
Source: http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html

Online Authentication: a few facts. Multi-factor authentication has proved effective in reducing fraud.
• With the Chip-and-PIN card introduction in the UK, fraud has decreased by 69%
• For user convenience, tokens should be shared between services
Multi-factor authentication, e.g. a token and a secret (PIN or password), has proved very secure.
User: “I don’t want to carry one physical token for each of my accounts.”

Online Authentication: a few facts. The PC is no longer the only access platform.
• 64% of Facebook users connect via smartphone, up 57% year-over-year (FB Q4-12)
• By 2016, 100M homes will be equipped with a SmartTV in the US and Western Europe (NPD In-Stat 2012)
• Must have a consistent level of security across all platforms
• Solution must be user-friendly: avoid too many user manipulations
The security level is defined by the weakest link. We must ensure the utmost security across all platforms.
User: “I use my smartphone more often than my PC to access Facebook.”
User: “My TV is now connected. I can use it to access my favorite content.”
User: “Please don’t ask me to move the credential back and forth between all my platforms.”
User: “What about securing access through my game console? My connected car?”

Today’s 2-factor solutions (consumer): something you have + something you know, compared on security and on convenience/features.
SMS OTP:
• Cost (user and issuer)
• Coverage issues
• Delay
• Type 6 or 8 digits into the phone
• Cannot hold an identity
• No contactless interface
OTP fobs:
• Phishable
• Vulnerable to MITM and MITB attacks
• OTP not calculated in a Secure Element
• Use proprietary algorithms
• Typically one per site
• On the large side
OTP app / soft certificates:
• Vulnerable to malware on the host system
• No 2nd factor if the phone/tablet is used for Internet access
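The “phishable” and “MITM/MITB” entries above follow from the fact that a one-time password is just a string of digits with no binding to the site the user is looking at, so a code typed into a lookalike page can be forwarded to the real service within the same time step. A challenge-response authenticator that signs the origin reported by the browser (the approach of the U2F work mentioned later in this deck) does not have that weakness, because the relying party verifies against its own origin. The Python example below is added here to make that difference concrete; it is not code from the deck or from NXP, Google or FIDO. It implements RFC 6238 TOTP and a constructed toy authenticator in which HMAC-SHA256 stands in for the ECDSA signature a real token produces; the secret, key, origins and challenge are constructed sample values (the TOTP secret is the RFC 6238 test-vector key).

```python
"""Why a one-time password can be relayed by a lookalike site, and why an
origin-bound challenge-response is not. Added illustration; the authenticator
is a constructed toy, not NXP's, Google's or FIDO's code."""
import hashlib
import hmac
import struct

# --- Part 1: RFC 6238 TOTP (HMAC-SHA-1, 30-second step) ---------------------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP (RFC 4226) over the time counter, as specified in RFC 6238."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def rp_verify_otp(server_secret: bytes, submitted: str, unix_time: int) -> bool:
    """The relying party only checks the digits; nothing in them says where
    the user typed them, so a forwarded code is indistinguishable from a
    genuine one as long as it arrives within the time step."""
    return hmac.compare_digest(totp(server_secret, unix_time), submitted)


# --- Part 2: origin-bound challenge-response --------------------------------

def authenticator_sign(key: bytes, challenge: bytes, client_origin: str) -> bytes:
    """Toy authenticator: the signed message covers the origin the browser
    reports, so the response is only meaningful for that origin.
    (HMAC-SHA256 stands in for the ECDSA signature of a real U2F token.)"""
    return hmac.new(key, challenge + client_origin.encode(), hashlib.sha256).digest()


def rp_verify_response(key: bytes, challenge: bytes, expected_origin: str,
                       response: bytes) -> bool:
    """The relying party recomputes over ITS OWN origin. If the user was on a
    different origin, the signed data differs and verification fails even
    though the response is fresh and the challenge is correct."""
    expected = hmac.new(key, challenge + expected_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def relay_scenarios(unix_time: int = 59) -> dict:
    """Run both schemes through an honest login and a real-time relay through a
    lookalike origin; return the relying party's decision for each case."""
    otp_secret = b"12345678901234567890"             # RFC 6238 test-vector key
    u2f_key = b"constructed-per-rp-key-material"     # constructed sample key
    real_origin = "https://accounts.example.com"     # constructed
    fake_origin = "https://accounts-example.com.login-help.test"  # constructed lookalike
    challenge = hashlib.sha256(b"constructed nonce").digest()

    # OTP: the user reads the code off the device; a relay forwards it unchanged.
    code = totp(otp_secret, unix_time)
    otp_honest = rp_verify_otp(otp_secret, code, unix_time)
    otp_relayed = rp_verify_otp(otp_secret, code, unix_time)   # same digits, same verdict

    # Origin-bound: the browser on the lookalike page feeds its own origin to the
    # authenticator, so the relayed response no longer matches the real origin.
    honest_resp = authenticator_sign(u2f_key, challenge, real_origin)
    relayed_resp = authenticator_sign(u2f_key, challenge, fake_origin)
    ob_honest = rp_verify_response(u2f_key, challenge, real_origin, honest_resp)
    ob_relayed = rp_verify_response(u2f_key, challenge, real_origin, relayed_resp)

    return {"otp_honest": otp_honest, "otp_relayed": otp_relayed,
            "origin_bound_honest": ob_honest, "origin_bound_relayed": ob_relayed}


if __name__ == "__main__":
    for name, accepted in relay_scenarios().items():
        print(f"{name:22s} -> {'accepted' if accepted else 'rejected'}")
```

The OTP half accepts both the honest and the relayed code; the origin-bound half accepts only the honest one. Note that the origin check protects against relay through a different origin, not against malware on the host itself, which is the separate weakness the table lists for OTP apps and soft certificates.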

Google declared “War On Passwords”
• IEEE paper “Authentication at Scale”
• Wired article, Jan 18
• “Gnubby” term leaked on Google blog, Jan 18
• Yubico blog, Jan 21: Google protocol
• RSA conference, Feb 25: strong user auth, strong auth everywhere
• FIDO membership; U2F working group, April 18

Authentication System Architecture (diagram)
Relying party website: web application, authentication server, identity systems, authentication validation services.
End user: browser or mobile app, with a device abstraction layer underneath.
Flows between end user and relying party, carried by the authentication protocol: discovery, provisioning, authentication.

Hardware Secure Element: a natural place to hold security credentials
• Tamper resistant: credentials can’t be duplicated or altered
• Proven security: core technology for banking cards and e-passports
• Works on Windows, Mac and Linux; no driver needed
• Standardized and “open”: supports multiple web sites
• Ubiquitous interface: USB or NFC

Typical Secure Element attacks
Invasive attacks:
• Photo emission analysis
• Reverse engineering
• Delayering
• Micro-probing
• Forcing
• Manipulation
• Electron microscopy
• Atomic force microscopy (AFM)
Semi-invasive attacks (fault attacks):
• Spike/glitch injection
• Global and local light attacks
• Contrast etching
• Decoration
• Alpha particle penetration
Non-invasive attacks (leakage):
• SPA/DPA analysis
• Timing analysis
• EMA analysis
Combined attacks

FIDO Alliance board members: NXP has joined the FIDO Alliance board.

FIDO System Architecture (diagram)
Relying party website: web application, FIDO authentication server, identity systems, authentication validation services.
End user: browser or mobile app, FIDO authentication client (Windows, Mac, iOS, Android…), device abstraction, FIDO authenticators.
Flows between end user and relying party, carried by the FIDO authentication protocol: discovery, provisioning, authentication.

User vs. Device Authentication
Application domains:
• Medical devices
• Cloud services
• Smart grid
• Industrial control
Goals: protect sensitive networks and infrastructures; secure communications and services.
Offering: bank-grade security, tailored solution, trust provisioning, credential management, secure firmware management.

NXP Semiconductors
Distinctive technologies:
• Portfolio of secure and non-secure MCUs
• Embedded non-volatile memory and flash
• Mixed-signal processing
• Zero-power RF and NFC
Strong innovation pipeline:
• Over $600M per year in R&D
• 3,200 engineers
• 11,000 patents
• Down to 40nm processes

NXP
Headquarters: Eindhoven, NL
Employees: ~25,000 in more than 25 countries
Net sales: $4.3B in 2012
NXP is the identification industry’s #1 semiconductor supplier. Segments: bank cards, smart mobility (MIFARE) cards, tags and authentication, readers, mobile, eGovernment.

Thank you for your attention!
http://www.us-cert.gov/
http://krebsonsecurity.com/
http://www.schneier.com/
https://www.grc.com/haystack.htm