Understanding the Role of Smart Cards for Strong Authentication in Network Systems

Bryan Ichikawa Advisory Overview • This session will discuss the state of authentication today, identify some of the main vulnerabilities that exist, and introduce options to consider for strengthening authentication. This session will also look at technologies that support multi-factor authentication, talk about FIDO and how this specification brings a change to the world of online authentication, and discuss how technology can be highly effective and how it is already being used in many places today.

2 Agenda • What is authentication? • Vulnerabilities • Strengthening authentication • Identifiers vs. authentication • Multi-factor authentication • FIDO • Smart cards as authenticators • Authentication futures

3 Authentication – What is it? In information technology, logical access controls are tools and protocols used for identification, authentication, authorization, and accountability in computer information systems. Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system.

• I want to define and differentiate between plain old logical access and electronic authentication. Logical access is simply logging into a network, system, or application. E-authentication is YOU logging into a network, system, or application. • In the physical access world, most systems allow the card to gain access, and allows whatever carbon life form attached to that card to tag along. • The question is, how do you establish confidence that the carbon life form attached to that access request is the one you think it is?

4 Vulnerabilities – the business drivers • More and more transactions in our business and personal lives are being conducted online • The connected universe is a target rich environment for “bad actors” • It is the collective responsibility of organizations and individuals alike to protect personal and sensitive data • Userid/passwords as the primary authentication mechanism is not sufficient • Many of today’s identifiers provide little or no identity assurance • Criminal sophistication is increasing at an exponential rate (it is amazing what the devious mind can conjure)

A first line of defense is to elevate the security for how we gain access to online resources

5 How does logical access control work? • Initial registration / application • (Optional) Identity proofing • Establish an “identity” that the online system can uniquely recognize (e.g., userid) • Establish a secret that only both parties know (e.g., password) • Off you go…. but…

•How do you know you are logging into the right place? •How do they know it is you? •How do you prevent someone else from hijacking your account? •….. ???

6 Identifiers vs. authentication

• Identifiers by themselves simply identify an entity of sorts • There is no identity assurance necessarily associated here

• Authentication is measurable – assurance is the measuring stick • A level of assurance can be established commensurate with the sensitivity of the information or transaction conducted

7 Tokens – What are they? • In plain English, a token is a secret that comes in a variety of formats. The format of the token has a direct relationship to its strength. For example, a simple password is a very weak token, one that could be easily cracked. A cryptographically protected smart card, on the other hand, is a very strong token.

• The following slides describe the different types of tokens

From NIST Special Publication 800-63-2* Token - Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity.

8 * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf What are tokens? • Tokens contain secrets: • Shared secrets • Public key cryptography

• The classic paradigm for authentication identifies three factors as the fundamentals for authentication: • Something you know • Something you have • Something you are

• But not all factors are secrets. For example: • KBA (something you know) • Biometrics (something you are) • Therefore, not all factors can be considered tokens

9 Factors

• Use of a single factor is referred to as “single factor authentication” • Combining more than one factor is referred to as “multi- factor authentication”

• But… • Combining multiple single factors (same factor types) is multiple single factor, NOT multi-factor

10 Something you know • Typically these are User ID / Password combinations • Sometimes only User IDs • Sometimes only PIN/Password • Finger patterns (drawing a “Z” on screen)

11 Something you have • Hardware Token Device • Phone (smart or not) • PKI Certificates • Smart Cards • Grid Cards

12 OTP – One Time Pad (Historic)

• OTP – From “One Time Pad”, a cryptographic ciphering technique using pads of paper where the top sheet of keying material was torn off after using it one time

• Today, OTP refers to One Time Password

One Time Pad Example

13 OTP – One Time Password (today) • Typically hardware (e.g., RSA SecurID or cards) • Token (number) generated on smart phones • Token can be delivered via SMS, email, phone message (IVR)

14 OTP protocol as 2nd factor • User login with User ID / Password (1st factor) • System asks for OTP token • User queries device* and gets token • User enters token into system (2nd factor) • System allows access

* OTP tokens can be delivered in many ways, including SMS text, emails, voice messages, computer-based applications, applications, and hardware devices.

OTP tokens are also called verification codes, security codes, passwords, login codes, multi-factor authentication secrets, etc.

15 Something you are • Biometrics: • Fingerprint • Face • Voice • Iris

• Other biometrics modalities are out there, but the above four are the predominant types in use today

16 Token types

• Memorized Secret Token (Password) • Pre-registered Knowledge Token (Favorite Color) • Look-up Secret Token (Grid Card) • Out of Band Token (SMS OTP) • Single Factor One-time Password Device (OTP Device) • Single Factor Cryptographic Device ( Hardware) • Multi-factor Software Cryptographic Token (Soft Cert) • Multi-factor One-time Password Device (Multi-factor OTP) • Multi-factor Cryptographic Device (Smart Card)

17 Token types • Memorized Secret Token: • A secret shared between the Subscriber and the CSP. Memorized Secret Tokens are typically character strings (e.g., passwords and passphrases) or numerical strings (e.g., PINs.) Memorized secret tokens are something you know. • Pre-registered Knowledge Token: • A series of responses to a set of prompts or challenges. These responses may be thought of as a set of shared secrets. The set of prompts and responses are established by the Subscriber and CSP during the registration process. Pre-registered Knowledge Tokens are something you know. • Look-up Secret Token: • A physical or electronic token that stores a set of secrets shared between the claimant and the CSP. The claimant uses the token to look up the appropriate secret(s) needed to respond to a prompt from the verifier (the token input). For example, a specific subset of the numeric or character strings printed on a card in table format. Look-up secret tokens are something you have.

18 Token types • Out of Band Token: • A physical token that is uniquely addressable and can receive a verifier- selected secret for one-time use. The device is possessed and controlled by the claimant and supports private communication over a channel that is separate from the primary channel for e-authentication. Out of Band Tokens are something you have. • Single Factor One-time Password Device: • A hardware device that supports the spontaneous generation of one- time passwords. This device has an embedded secret that is used as the seed for generation of one-time passwords and does not require activation through a second factor. Single Factor OTP devices are something you have. • Single Factor Cryptographic Device: • A hardware device that performs cryptographic operations on input provided to the device. This device does not require activation through a second factor of authentication. This device uses embedded symmetric or asymmetric cryptographic keys. Single Factor Cryptographic Devices are something you have.

19 Token types • Multi-factor Software Cryptographic Token: • A cryptographic key is stored on disk or some other “soft” media and requires activation through a second factor of authentication. The token authenticator is highly dependent on the specific cryptographic protocol, but it is generally some type of signed message. The multi- factor software cryptographic token is something you have (plus something you know/are). • Multi-factor One-time Password Device: • A hardware device that generates one-time passwords for use in authentication and which requires activation through a second factor of authentication. The second factor of authentication may be achieved through some kind of integral entry pad, biometric reader or a direct computer interface (e.g., USB port). The multi-factor OTP device is something you have (plus something you know/are). • Multi-factor Cryptographic Device: • A hardware device that contains a protected cryptographic key that requires activation through a second authentication factor. The multi- factor Cryptographic device is something you have (plus something you know/are). 20 Other authentication methods • OOBA – Out Of Band Authentication: • The use of two separate networks to perform authentication • Can be OTP, smartphone app that confirms query, biometrics, but typical OOBA apps do not cross over attributes or artifacts*

• Step-up Authentication: • System asks for an additional factor when a security threshold has been crossed

* OOBA – Typically, a user tries to login on a computer and the OOBA app on the smart phone asks the user if the login attempt is authorized. The user says yes, and the login takes place on the computer. The authentication protocol on the phone does not interact with the computer login attempt.

21 Credentials and Credential Service Providers (CSP)

• Credentials are tokens that are bound to an identity • Identity proofing becomes an integral element of credential issuance • Credentials are issued and maintained by Credential Service Providers (CSP) • Credentials are associated with a Level of Assurance (LOA); therefore all credentials are not created equal!

22 Relying parties

• Relying parties are those organizations that “consume” credentials.

• Some relying parties issue their own credentials, others simply trust credentials issue by other CSPs.

If a relying party wants to trust a credential issued by a CSP other than themselves, how do they know how trustworthy that credential is?

23 Registration and assurance

• Identity Proofing – proving you are who you claim to be

• In-person Proofing: • Present one or two forms of government issued id • Usually has a picture on it, plus relevant personal information (DOB, address, etc.) • Perform address or telephone verification

• Remote Proofing: • Submit valid government ID • Submit financial or utility account numbers

Identity proofing is the activity that binds an identity to a token to create a credential. There are 4 defined levels of assurance.

24 NIST SP 800-63-2

• NIST Special Publication 800-63-2: • Electronic Authentication Guideline • Released August 2013 • 800-63-2 supplements OMB guidance, E-Authentication Guidance for Federal Agencies [OMB M-04-04*]: . Specifically, provides guidelines for implementing step 3 of e- authentication process (next slide)

800-63-2 provides technical guidelines to agencies to allow an individual to remotely authenticate their identity to a Federal IT system. These guidelines address traditional methods for remote authentication based on secrets.

25 * https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf OMB M-04-04

• OMB M-04-04: • Defines 4 levels of assurance (Levels 1 to 4) • Outlines 5-step process: . Conduct a risk assessment of the government system . Map identified risks to the appropriate assurance level . Select technology based on e-authentication technical guidance . Validate that the implemented system has met the required assurance level . Periodically reassess the information system to determine technology refresh requirements

26 Authentication levels

Level 1 Level 2 Level 3 Level 4 Little or no Some High confidence Very high confidence in confidence in in the asserted confidence in the asserted asserted identity the asserted identity identity identity •Self-assertion •Online, instant •Remote proofing •In-person •Minimum qualification •Online with out- proofing records •Out-of-band of-band •Recording of a follow-up verification or biometric qualification •Cryptographic •Cryptographic solution solution •Hardware token

OMB M04-04 Levels of Assurance

27 FIDO Alliance*

• Fast IDentity Online – An alliance whose mission is to change the nature of online identification.

• UAF and U2F • UAF = Universal Authentication Framework (password-less experience) • U2F = Universal Second Factor (two factor experience)

28 * https://fidoalliance.org/ FIDO Alliance – Board level

• Alibaba Group • Nok Nok Labs • ARM • NTT DOCOMO • Bank of America • NXP • CrucialTec • Oberthur Technologies • Discover • PayPal • Egis Technology • Qualcomm • Google • RSA • IdentityX • Samsung • ING • Synaptics • Intel • USAA • Lenovo • Visa Inc. • MasterCard • Yubico • Microsoft

29 FIDO Alliance – Sponsor level • Aetna • Feitian • NXTID • Ally • FingerQ • nymi • Authasas • Forgerock • OSD • Authentify • Gemalto • Ping Identity • BKM • G&D • Plantronics • Blackberry • Goldman Sachs • Rambus • CA Technologies • Goodix • Redsys • UK Cabinet Office • Happlink • Samsung SDS • Certivox • Hoyos Labs • SecureKey • Chase • IDEX • SecureAuth • Cherry • Infineon • SK Telecom • Costco • Infoguard • Sonavation • Crossmatch • Intercede • ST • Cypress • Intuit • Tendyron • DDS • ISR • Usher • Dell • KICA • Vanguard • Duo • LG Electronics • Vasco • E-Trade • MedImpact • Visa • Early Warning • Safran • Watchdata • Entersekt • Netflix • Wells Fargo • ETRI • NXTID • WoSign • eyeLock • Netflix • Yahoo! Japan 30 • FacialNetwork • NIST

FIDO Alliance – Associate level

• 126 Additional organizations (as of 9/17/2015) • Specification 1.0 is final and available for UAF and U2F • https://fidoalliance.org

31 Authentication business drivers

The business drivers among various industry sectors are very different

• Public sector and critical infrastructure are driven by policy and standards: • FIPS 201 • Commercial industry is driven by profitability: • And slowly…by security • The general public is driven by convenience and reward: • And slowly…by increasing concern

• Everyone is slowly being driven by education…

32 Other industries

• Banking, Payment and Investments • Many financial businesses now offer multi-factor authentication as an additional security measure

• Email • Most leading email providers support stronger authentication

• Gaming • The gaming industry is becoming a leader in end-user security

Visit www.twofactorauth.org for a comprehensive list of organizations that support stronger levels of authentication

33 Smart cards playing a role for strong authentication • Mobility: • Today’s smart phones contain a “smart card”

• FIDO: • U2F devices are smart card-based

• Financial: • EMV cards are smart cards

• Transit: • Transit cards are moving to smart card technology Authentication futures

• The US federal government has defined standards and specifications for electronic authentication • There is no consistency or standardization outside of the federal government • Commercial and consumer requirements are much different • Separation of token and identity assurance is a notion that is not defined by federal standards (this is where FIDO fits) • But…passwords alone are being recognized as insufficient for the future of online authentication • Smart card technology already exists in many places – use it!

As more and more transactions are conducted online, federal and even state governments can require the binding of identities to tokens, but many commercial and consumer enterprises, for the most part, do not require strong identity proofing

35 Bryan Ichikawa

Deloitte Advisory [email protected]

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.