
CertAnon
A Proposal for an
Anonymous WAN
Authentication Service
David Mirra
CS410
January 30, 2007
A Wired World
• Who is online?¹
– 73% of American adults
– 88% of 18-29 year-olds
– 91% of college-educated adults
• What are they doing?²
– Communicating
– Shopping
– Banking
1. US users, April 2006 - http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf
2. UK users, Q1 2005 - http://www.e-consultancy.com/publications/internet-statscompendium/
The Identity Issue
• Strong authentication needed for online accounts
– Permit remote access for authorized users
– Allow the good guys in
– Keep the bad guys out
• Typically done via username/password mechanism
The Problem with Passwords
• More online accounts = more passwords
• Complexity of passwords is limited by the human factor³
• Vulnerability is enhanced by the technology factor
• Password control is difficult⁴
– Dissemination is too easy
• Once compromised, a password is no longer effective for authentication
3. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
4. http://www.schneier.com/crypto-gram-0503.html#2
The Risk of Theft
• Phishing attempts are on the rise⁵
– Social engineering tricks users into divulging info
– Crimeware steals account credentials directly
5. Anti-Phishing Working Group - http://www.antiphishing.org/
What’s Been Tried?
• Microsoft .NET Passport⁶ and Sun Liberty Alliance⁷
– Single sign-on services for web commerce
– Privacy concerns
– Relied on username/password paradigm
• Company-specific token authentication
– A token for every site
6. Wikipedia - http://en.wikipedia.org/wiki/Microsoft_Passport
7. Wikipedia - http://en.wikipedia.org/wiki/Liberty_Alliance
A New Proposal
• Anonymous WAN authentication service
– Used for any and all online accounts
– Strong two-factor authentication
– Limited information sharing
• Initial customers are Internet users
• Ultimate customers are online businesses
Two-factor Authentication⁸
• Something you know
– A single PIN
• Plus something you have
– Hardware token generating pseudo-random numbers
• Effectively changes your password every 60 seconds
8. RSA - http://www.rsasecurity.com/node.asp?id=1156
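To make the slide concrete, here is an added illustration (not the deck's own code, and not RSA's proprietary SecurID algorithm) of how a verifier checks "something you know" plus "something you have": the submitted passcode is PIN + a 6-digit code derived HMAC-style from a shared token secret and the current 60-second step, in the manner of RFC 6238. The drift window of one step and the replay record are assumptions added here, since a one-time code must not be accepted twice.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the slide: the code changes every 60 seconds
DIGITS = 6          # constructed: 6-digit display code
DRIFT_WINDOW = 1    # assumption: accept one step either side for clock skew


def token_code(secret: bytes, unix_time: int) -> str:
    """'Something you have': code the token would display at unix_time.
    HMAC-SHA1 over the time-step counter, truncated to DIGITS (RFC 6238 style)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def verify_passcode(secret: bytes, pin: str, submitted: str,
                    unix_time: int, used_counters: set) -> bool:
    """Server-side check of PIN ('something you know') + token code.
    used_counters is per-token state so an accepted code cannot be replayed."""
    if len(submitted) != len(pin) + DIGITS:
        return False
    submitted_pin, submitted_code = submitted[:len(pin)], submitted[len(pin):]
    # Constant-time comparisons so timing does not leak how much of the PIN matched.
    pin_ok = hmac.compare_digest(submitted_pin.encode(), pin.encode())
    matched_counter = None
    for skew in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
        t = unix_time + skew * STEP_SECONDS
        if hmac.compare_digest(token_code(secret, t), submitted_code):
            matched_counter = t // STEP_SECONDS
    if not pin_ok or matched_counter is None:
        return False
    if matched_counter in used_counters:
        return False          # replay of a code already spent
    used_counters.add(matched_counter)
    return True


if __name__ == "__main__":
    seed = b"constructed-token-seed"   # constructed sample secret
    now = 1_170_000_000               # constructed timestamp (Jan 2007)
    state = set()
    print(verify_passcode(seed, "4321", "4321" + token_code(seed, now), now, state))
```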
CertAnon Hardware
• Four global servers running RSA Authentication Manager
• RSA SecurID tokens available for retail purchase
CertAnon Software
• Public web service
– Encrypted authentication request/response
• Free software modules for download by web site operators
– Encourages adoption of CertAnon authentication
How Does It Work for Me?
• Buy a token
– Anonymous purchase
• Register it with CertAnon
– Anonymous registration
• Create a web account anywhere
– Check the box “I use CertAnon”
• Link that account to your token
– And off you go!
How About the Web Sites?
• Register servers with CertAnon
• Receive key to encrypt requests
• Make CertAnon authentication available to customers
• Authentication requests are sent to all CertAnon servers
– First to respond is accepted
Benefits
• Consumers
– Only one PIN to remember
– Authenticate without sharing identity
– Increased security
– Pay once, protect forever
• Businesses
– Free for early adopters
– No more password management
– Close the “trust gap”
Pitfalls
• Requires adoption by consumers and businesses
– Establish trust
– Make it easy to get and easy to use
• Not a silver bullet
– Part of defense-in-depth strategy
• Governmental resistance to anonymity
– Similar hurdles faced by encryption products
It Can Be Done
• Available, affordable, and proven technology
• Targets a large and growing market
• Benefits consumers and online businesses
• Manageable project scope, scalable product
• Build it and they will come!
Works Cited
• “Failure of Two-Factor Authentication.” Schneier on Security. 12 Jul. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/07/failure_of_twof.html>.
• “Internet Penetration and Impact.” Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
• “Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.econsultancy.com/publications/download/91130/internet-statscompendium/internet-stats-compendium-January-2007SAMPLE.doc>.
• “Liberty Alliance.” Wikipedia. 25 Jan. 2007. Wikipedia. 28 Jan. 2007 <http://en.wikipedia.org/wiki/Liberty_Alliance>.
• “Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
• “Real-World Passwords.” Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
• “RSA SecurID Authentication.” RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
• “Windows Live ID.” Wikipedia. 23 Jan. 2007. Wikipedia. 28 Jan. 2007 <http://en.wikipedia.org/wiki/Microsoft_Passport>.