
MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch

Implementation of a biometric solution providing strong authentication to gain access to confidential data

Sylvain Maret / Security Architect @ MARET Consulting

17 March 2010

MARET Consulting 2010


Technology consulting

Agenda

- Digital identity security
- Strong authentication?
- Strong authentication technology
- Biometry and Match on Card
- Digital certificate / PKI
- Applications for the Match on Card technology
- Illustration with a project for the banking field
- Trends 2010

www.maret-consulting.ch | Technology consulting

Security Summit Milano, March 2010


Who am I?

- Security Expert
  - 15 years of experience in ICT Security
  - CEO and Founder of MARET Consulting
  - Expert @ Engineer School of Yverdon & Geneva University
  - Swiss French Area delegate at OpenID Switzerland
  - Co-founder of the Geneva Application Security Forum
  - Author of the blog: la Citadelle Electronique
- Chosen field
  - Digital Identity Security



Protection of digital identities: a topical issue…

(Figure: Identification)



Strong authentication: why?

- Keylogger (hardware and software)
- Malware
- Man in the Middle
- Browser in the Middle
- Password Sniffer
- Social Engineering
- Phishing / Pharming

The number of identity thefts is increasing dramatically!



A major event in the world of strong authentication

- 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive
  - « Single Factor Authentication » is not enough for web financial applications
  - Before end 2006 it is compulsory to implement a strong authentication system
  - http://www.ffiec.gov/press/pr101205.htm
- And the PCI DSS standard
  - Compulsory strong authentication for remote access
- And now European regulations
  - Payment Services (2007/64/CE) for banks



Identification and authentication?

- Identification: Who are you?
- Authentication: Prove it!



Definition of strong authentication

Strong Authentication on Wikipedia



«Digital identity is the cornerstone of trust»

More information on the subject




Strong authentication technologies

Which strong authentication technology?



(Comparison table; columns: OTP, PKI (HW), Biometry; rows: Strong authentication*, Encryption, Digital signature, Non repudiation, Strong link with the user. The check marks of the original table did not survive extraction.)

* Biometry of the fingerprint type




Strong authentication: technologies on the move

Corporations:
- eBanking
- VPN
- Web Applications
- Mobility
- Electronic Document Mgt
- Project PIV FIPS-201
- SAML
- Authentication as a Service (AaaS)

Public:
- Social networks
  - Facebook
- Virtual World
- Adoption of OpenID
- Cloud Computing
  - Google docs
  - Salesforce


Technologies accessible to everyone

Standards:
- Open Authentication (OATH)
- OATH authentication algorithms
  - HOTP (HMAC, event based)
  - OCRA (challenge/response)
  - TOTP (time based)
- OATH Token Identifier Specification

Open Source solution:
- Mobile One Time Passwords
  - strong, two-factor authentication with mobile phones



Biometry and Match on Card

Which biometric technology for IT?



Biometry = strong authentication?

- The answer is clearly no
  - Requires a second factor
  - Security problem (impersonation / spoofing)
  - Only a convenience for the user
- More information on impersonation
  - Study, Yokohama University



Match on Card technology: your PIN code is your finger



Example of Match on Card technology for IT

- A reader
  - Biometry
  - SmartCard
- A card with chip
  - MOC technology
  - Crypto processor
  - PC/SC
  - PKCS#11
  - X509 digital certificate



Storing the data?

On an external medium:
- Better security
- « Offline » mode
- MOC = Match On Card

Through an authentication server:
- Security issue
- Confidentiality issue
- Availability issue

Federal law of 19 June 1992 on the Protection of data (LPD)



Examples of use of the Match on Card technology

- Microsoft Smart Card Logon
  - PK-INIT (Kerberos)
  - Citrix
- Very sensitive Web applications
  - Electronic Document Mgt
  - eBanking
- Data encryption
  - Laptop encryption
  - Folder (share) encryption
- Web SSO solution
  - SAML
- Remote access
  - VPN SSL
  - VPN IPSEC
- Digital signature solution
- Etc.


Mobility security with MOC technology

- Biometric strong authentication
  - Reader of the «swipe» type
- X509 machine certificate
  - Utilisation of the TPM
  - Authentication of the machine
- Applications
  - Pre Boot Authentication
  - Smart Card Logon
  - Full Disk Encryption
  - VPN (SSL, IPSEC)
  - Web Application
  - Citrix


Authentication of a user with PKINIT (Smart Card Logon)

(Diagram with label U_Cert; schema by Philippe Logean, e-Xpert Solutions SA)



Feedback from the banking field
The project: electronic management of documents

- Implementation of an Electronic Document Mgt solution
  - Access to very sensitive information
  - Classification of the information: Secret
  - Encryption of data (from the BIA)
  - Authorization / access control
- Project for a private bank in Switzerland
  - Start of the project: 2005
- Population concerned
  - 500 persons (Phase I)
  - In the long run: 3000 persons (Phase II)


Business Impact Analysis (BIA)

BIA, Bank Acme SA

Data Services | Confidentiality | Integrity | Availability (in time): inconvenience / quite serious / critical | Hard Impact | Soft Impact
IT Applications: Electronic Documents Mgt | HIGH | HIGH | 30 min / 1H / 2H | HIGH | HIGH

Hard impact: reduced income, increased cost of working, breach of contract / financial penalties.
Soft impact: loss of goodwill, loss of credibility, breach of the law, loss of operational capability.



(Data Classification: Secret)

Implementation of a technology allowing strong authentication – via a mechanism of irrefutable proof – of the users accessing the bank’s information system.

Who accesses what, when and how?!



The technical constraints of the strong authentication project

Mandatory:
- Integration with existing applications
  - Web
  - Microsoft Smart Card Logon
  - Future applications
  - Network and systems
- Separation of roles
  - Four eyes
- Auditing, proof
  - Proof management

Desired:
- Integration with building security
- Data encryption
  - Non fixed workstations
  - Laptop
- Strong authentication
  - Digital signature



Basic concept: a unique link

(Diagram: Identity Management (Issuer, App A cert) on one side, Authorization Management on the other; the link between them is the cn of the User's certificate. PHASE 1: Strong authentication. PHASE 2: Authorization.)



Components of the technical architecture

- Implementation of a PKI « intra muros »
  - Non Microsoft (separation of duties)
- Implementation of online revocation
  - OCSP protocol
- Utilisation of a Hardware Security Module
- Security of the PKI architecture
  - Shielding and hardening
  - Firewall
  - IDS
  - FIA


Security concept for the GED (Electronic Document Mgt) application



The focus of biometric authentication



Human Process
The weak link? It matters more than the technique…

- Definition of roles
  - Tasks and responsibilities
  - Purpose: separation of duties
  - Four eyes
- Implementation of identity management processes
- Implementation of operating procedures



Implementation of processes

- Processes for the identity management team
  - User enrollment
  - Revocation
  - Incident management
    - Loss, theft, forgotten card
  - Renewal
- Process for the Help Desk
- Process for the Auditors
- Process for the RSSI (CISO)
- And the operating procedures!




The result

- A series of documents for the bank
  - Operating procedures
  - Description of processes
  - Terms of use
  - Definition of roles and responsibilities
  - CP / CPS for the « in house » PKI



Training



- A crucial element!
- Training of the identity management team
- Training of users
- Training of the Help Desk
- Training for the technologies
  - PKI
  - Biometry


Identity Management Team Training

- Very important work
- How to enroll fingers
  - Match on Card technology
- Problem handling
  - Technical
  - Human
- Coaching for 3 weeks



End User Training

- About 30 min per user
- Technology explanation
  - Match on Card
- Finger position
  - Try it (play with biometry)
- Document for end users
- Signature (legal usage)



Problems…



Some examples

- Enrollment with some users
- End user convocation
- Technical problem on the Validation Authority
  - OCSP servers



Feedback?



Conclusion of the project

- Pure technique is a minor element in the success of such a large scale project
- Never underestimate the organisational aspect
  - CP / CPS for the PKI
  - Management process
- Ask for management support
- Biometry is a mature technology
- PKI technology
  - Offers a safety kernel for the future
  - Encryption, signature
  - Rights management information
  - Data security
- A step towards convergence
  - Physical and logical security



Trend: Biometry Match on Card

- The PIV FIPS-201 project is a leader!
- Convergence
  - Physical security and logical security
- Biometric sensor for laptops
  - UPEK (FIPS-201 solution)
- New biometric technologies
- Full Disk Encryption (laptop)
  - Support of the Match on Card technology
  - McAfee Endpoint Encryption™ (formerly SafeBoot® Encryption)
  - WinMagic SecureDoc Disk Encryption



A very promising technology: Vascular Pattern Recognition

By SONY



When will the convergence happen?

A difficult convergence! Physical security and logical security




A few links to deepen the subject

- MARET Consulting
  - http://maret-consulting.ch/
- La Citadelle Electronique (blog on digital identities)
  - http://www.citadelle-electronique.net/
- Banking and finance articles
  - Steal an identity? Impossible with biometry!
    - http://www.banque-finance.ch/numeros/88/59.pdf
  - Biometry and Mobility
    - http://www.banque-finance.ch/numeros/97/62.pdf
- Public presentations
  - OSSIR Paris 2009: Feedback on the deployment of biometry on a large scale
    - http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf
  - ISACA, Clusis: Access to information: roles and responsibilities
    - http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-de28099authentification-forte.pdf



“The counseling and the expertise for the selection and the implementation of innovative technologies in the field of security of information systems and digital identity”




Annexes



Authentifiers in 2010
OTP software using a SmartPhone

OTP for iPhone: a feedback

(Figure: OTP software for iPhone, Mobile One Time Passwords)


Biometry Match on Card

Feedback on the deployment of biometry on a large scale




The focus of biometric authentication



USB Token



Internet Passport



Matrix cryptography



PKI: Digital certificate X509

Software Certificate Hardware Certificate



OTP via SMS

(Figure: Enter OTP)



State of the art in 2010 of the authentifiers: synthesis

Technologies | Explanations
OTP Software SmartPhone | One Time Password software; event, time or challenge-response mode; not-connected mode
Biometry Match on Card | Biometry and chip card; digital certificate; storage of the biometric template
USB Token | One Time Password in connected mode; event, time or challenge-response mode
Internet Passport | Biometry One Time Password; not-connected mode; challenge-response mode
Matrix cryptography | One Time Password; challenge-response mode
PKI | Software certificate; hardware certificate
OTP SMS | One Time Password by SMS
Integration with web applications
Web application with a basic authentication



Web application towards a strong authentication?



“Shielding” approach - (Perimetric Authentication)



Approach by Module or Agents



Approach API / SDK



SSL PKI: how does it work?

(Diagram: Alice and the Web Server perform SSL / TLS mutual authentication; the Web Server sends an OCSP request to the Validation Authority, whose answer is Valid, Not valid or Unknown.)


Identity federation approach: a change of paradigm



Identity federation approach: a change of paradigm



Approach federation of identity



Approaches for an integration of the strong authentication

Approaches | Examples
Shielding (perimetric authentication) | Utilisation of a protective third-party component such as a Reverse Proxy (Web Application Firewall)
Module (agents) | Utilisation of a software module such as an Apache module, a SecurID agent, etc.; utilisation of a protocol such as Radius
API (SDK) | Development via an API, for instance by using Web Services (SOAP)
SSL PKI | Utilisation of an X509 certificate; utilisation of SSL/TLS functionalities; PKI Ready
Identity Federation | Utilisation of a federation protocol such as SAML, OpenID, etc.
Others | PKI application, etc.


