Jose Bravo
Tivoli Security Sales Leader East
jbravo@us.ibm.com
So far we have relied on an old abstraction, the userid. It has worked, and will keep working, only as long as the userid truly represents the intended human being, and that requires very strong authentication.
2007 IBM Corporation
Authentication today
We have seen PKI, hard tokens, soft tokens and biometrics try to improve authentication; the reality, however, is that passwords are still the sole moat that fortifies most of our systems.
This makes passwords inconvenient, and when a security issue forces difficult technological changes, people often reject them, either by subverting the technology or by not using it.
If you do not have the option of using a key but still want the safe secured, you need a longer combination, changed frequently, for improved security.
Most people find this bothersome, and that is how passwords can be described today.
Password strength (number of possible passwords = character-set size ^ length)

Length   Alpha (26)             Alphanumeric (36)          Mixed Alpha (52)             94-character set
1        26                     36                         52                           94
2        676                    1,296                      2,704                        8,836
3        17,576                 46,656                     140,608                      830,584
4        456,976                1,679,616                  7,311,616                    78,074,896
5        11,881,376             60,466,176                 380,204,032                  7,339,040,224
6        308,915,776            2,176,782,336              19,770,609,664               689,869,781,056
7        8,031,810,176          78,364,164,096             1,028,071,702,528            64,847,759,419,264
8        208,827,064,576        2,821,109,907,456          53,459,728,531,456           6,095,689,385,410,820
9        5,429,503,678,976      101,559,956,668,416        2,779,905,883,635,710        572,994,802,228,617,000
10       141,167,095,653,376    3,656,158,440,062,980      144,555,105,949,057,000      53,861,511,409,490,000,000

(Entries of 16 or more digits are shown rounded, as in the original slide.)
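As an added example (not from the slides), the following Python rebuilds the table above for any length and character-set size, converts the keyspace into entropy bits, tells how long a given character set must be to match another, and estimates brute-force time at an assumed guess rate. The character-set sizes are the table's columns; GUESSES_PER_SECOND, the function names and the character-class rules in charset_size_of are assumptions.

```python
"""Keyspace, entropy and brute-force time behind the password strength table.

Added example; not from the IBM slides. The character-set sizes (26, 36, 52, 94)
are the table's columns; GUESSES_PER_SECOND is an assumed attacker rate."""
from __future__ import annotations

import math

# Column order of the table: alpha, alphanumeric, mixed-case alpha, 94 printable characters.
CHARSET_SIZES = (26, 36, 52, 94)
GUESSES_PER_SECOND = 10 ** 9   # assumption: offline guessing against a fast, unsalted hash


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Keyspace expressed in bits: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def length_needed(target_bits: float, charset_size: int) -> int:
    """Shortest length whose keyspace reaches `target_bits` in the given character set."""
    return math.ceil(target_bits / math.log2(charset_size))


def seconds_to_exhaust(charset_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length; the expected time is half of it."""
    return keyspace(charset_size, length) / rate


def strength_table(max_length: int = 10) -> list[tuple[int, ...]]:
    """Rebuild the slide's table exactly: (length, 26^n, 36^n, 52^n, 94^n) for n = 1..max_length."""
    return [(n, *(keyspace(s, n) for s in CHARSET_SIZES)) for n in range(1, max_length + 1)]


def charset_size_of(password: str) -> int:
    """Which column a given password falls in, judged by the character classes it uses.

    Assumed split: lowercase only (26), lowercase plus digits (36), mixed case (52),
    mixed case plus digits (62, not a column of the slide), anything with other
    printable characters (94)."""
    lower = any(c.islower() for c in password)
    upper = any(c.isupper() for c in password)
    digit = any(c.isdigit() for c in password)
    other = any(not c.isalnum() for c in password)
    if other:
        return 94
    if lower and upper:
        return 62 if digit else 52
    if digit:
        return 36
    return 26


if __name__ == "__main__":
    for row in strength_table():
        print(row)
    bits = entropy_bits(94, 8)
    print(f"8 printable chars = {bits:.1f} bits; lowercase only needs "
          f"{length_needed(bits, 26)} chars for the same keyspace")
    print(f"26^8 exhausted in {seconds_to_exhaust(26, 8):.0f} s at {GUESSES_PER_SECOND:,} guesses/s")
```

The point the table makes numerically is that length and character set trade off: eight characters drawn from 94 are about 52 bits, and twelve lowercase letters already exceed that, so a longer all-lowercase passphrase can be both easier to remember and harder to exhaust than a short symbol-laden one.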
Passwords
Problems:
Trivial passwords
Easy to remember, easy to guess
Yellow sticky pads
Password cracking
Some crackers claim a 30% success rate
(Figure: word cloud of trivial passwords such as PASSWORD, QWERTY and ABC123)
Keystroke loggers
Overburdened passwords
Remember the safe box model?
What we are missing is the key. Or are we missing something key?
If we find a way to combine what you know (a password) with something you have, we can make strong authentication a convenient and inexpensive reality!
Subverting security
(Slides 11 to 20 are image-only; two of them are titled "Subverting security".)
Comparing Biometrics
(Chart comparing finger, iris, voice and face recognition on three criteria: effortless, inexpensive, non-intrusive.)
This idea requires the cell provider (e.g. Verizon, AT&T, Sprint) to be involved in the process by programming a new service (*88 in this example) that receives requests from any authentication requester (a Bank in this example) and replies when the strong authentication has been completed. There is another approach in which the company that wants strong authentication operates an IVR reachable through a number specified for that authenticator.
The user has previously registered his cell phone with the Bank.
Browser login (slide 26). Parties: the customer's browser, the user's cell phone (914-588-9992) and the application at the cellular provider.
The message at the customer's browser reads: Dear customer, please use your cell phone to dial *88 followed by this one-time token: 6036
The message to the cell provider reads: please reply to this message once cellphone 914-588-9992 inputs token 6036. The message carries a message id number as well as an expiration time.
Once the customer enters the one-time token, the strong authentication is completed (slide 27). Parties: Banking Application, customer's browser, wireless core network and RAN, application at the cellular provider (web service / SOA).
As instructed, the customer dials *88 (+ send/call) and then 6036. This is an outbound message traveling over the wireless network between the cell phone and the cell that is serving it (no cell routing/roaming required, so minimal delay is added to the transaction).
Immediately, the application at the cell provider detects that there is a match for one of the requests it received and sends a reply back to the bank.
The Bank now knows the customer is in possession of their cell phone. The strong authentication has completed and the customer is authorized to perform the secure operation.
ATM withdrawal (slide 28). Parties: ATM application, user at an ATM, application at the cellular provider. The request sent to the provider reads: reply once 914-588-9992 inputs 2359.
As before, the customer reads on the ATM screen: Dear user, please use your cell phone to dial *88 (+ send/call) and then immediately input this one-time token: 6036
Once the customer enters the one-time token, the strong authentication is completed (slide 29). Parties: Banking Application, application at the cellular provider, user's cell phone (914-588-9992).
Immediately, the application at the cell provider detects that there is a match for one of the requests it received and sends a reply back to the bank.
The Bank knows the customer is in possession of his own cell phone. The strong authentication has completed and the user is given the large amount of cash requested. The same flow applies at a point of sale.
Corporate desktop login (slide 30). Parties: user at his desktop, application at the cellular provider. The request sent to the provider reads: reply once 914-588-9992 inputs 6036.
As before, the employee reads on the PC login screen: Dear employee, please use your cell phone to dial *88 (+ send/call) and then immediately input this one-time token: 6036
The message to the cell provider reads: please reply to this message once cellphone 914-588-9992 inputs token 6036.
Once the employee enters the one-time token, the strong authentication is completed (slide 31). Parties: Banking Application, application at the cellular provider, user's cell phone (914-588-9992).
Immediately, the application at the cell provider detects that there is a match for one of the requests it received and sends a reply back to the bank.
The Bank knows the employee is in possession of his own cell phone. The strong authentication has completed and the user is allowed into the Bank's corporate network.
IVR variant (slide 32). Parties: Banking Application, customer's browser, IVR programmed at the cell provider.
In this example the Banking Application generates a four-digit pseudo-random one-time token: 6036. The application then waits for the IVR to send it the cell phone number and the token entered.
The message at the customer's browser reads: Dear customer, please use your cell phone to dial *myBank (*CITI) and immediately after input this one-time token: 6036. The Bank subcontracts a service with the three major carriers whereby *myBank routes a message to the Bank passing on the number that dialed the service and the one-time password entered.
When the application receives from the IVR that 914-588-9992 has input token 6036, it detects a match and the strong authentication is completed.
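The matching logic that the browser, ATM, desktop and IVR scenarios above all share, simulated end to end as an added example. This is not IBM's or any carrier's code; CarrierApplication, BankApplication, on_star88, run_demo and the TTL_SECONDS value are assumed names and values, and the phone number and four-digit token format are the ones the slides use. The bank generates the token and a message id with an expiry, the carrier-side *88 service matches (calling number, digits) against its pending requests, and the checks a practitioner would want are exercised: the digits must arrive from the registered number, a token is single use, and an expired request never completes. The IVR variant of slide 32 differs only in where this loop runs: the carrier forwards the number and digits, and the bank does the matching itself.

```python
"""Bank <-> carrier one-time-token handshake from the slides, simulated in one process.

Added example; not IBM's or a carrier's code. CarrierApplication, BankApplication,
on_star88 and TTL_SECONDS are assumed names and values."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

TOKEN_DIGITS = 4    # the slides use four-digit tokens such as 6036
TTL_SECONDS = 120   # assumption: the slides say a request carries an expiry but not its length


@dataclass
class PendingRequest:
    message_id: str   # ties the carrier's reply back to one login attempt
    phone: str        # number the user registered with the bank at enrollment
    token: str        # one-time token shown on the browser, ATM or login screen
    expires_at: float


class CarrierApplication:
    """The *88 service at the cellular provider.

    Holds the bank's pending requests and, when a handset dials *88 and keys
    digits, looks for a request whose phone number and token both match."""

    def __init__(self, clock: Callable[[], float]) -> None:
        self._clock = clock
        self._pending: dict[str, PendingRequest] = {}
        self.replies: list[str] = []   # message ids reported back to the bank as completed

    def register(self, req: PendingRequest) -> None:
        self._pending[req.message_id] = req

    def on_star88(self, calling_number: str, digits: str) -> Optional[str]:
        """Handle `calling_number` dialling *88 followed by `digits`.
        Returns the matched message id, or None if nothing matched."""
        now = self._clock()
        for req in list(self._pending.values()):
            if req.expires_at <= now:               # expired: drop it, never match it
                del self._pending[req.message_id]
                continue
            # The originating number and the token must both match; compare_digest
            # keeps the token comparison from leaking how many digits were right.
            if req.phone == calling_number and hmac.compare_digest(req.token, digits):
                del self._pending[req.message_id]   # single use: the same digits again will fail
                self.replies.append(req.message_id)
                return req.message_id
        return None


class BankApplication:
    """Banking application: enrolls phones, issues tokens, reads the carrier's replies."""

    def __init__(self, carrier: CarrierApplication, clock: Callable[[], float]) -> None:
        self._carrier = carrier
        self._clock = clock
        self._phones: dict[str, str] = {}   # user -> registered cell phone number

    def enroll(self, user: str, phone: str) -> None:
        self._phones[user] = phone

    def start_strong_auth(self, user: str) -> tuple[str, str]:
        """Generate a token, hand the pending request to the carrier and return
        (message_id, text to show the user)."""
        token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        message_id = secrets.token_hex(8)
        self._carrier.register(PendingRequest(message_id, self._phones[user], token,
                                              self._clock() + TTL_SECONDS))
        prompt = ("Dear customer, please use your cell phone to dial *88 "
                  f"followed by this one-time token: {token}")
        return message_id, prompt

    def is_completed(self, message_id: str) -> bool:
        return message_id in self._carrier.replies


def run_demo() -> dict[str, bool]:
    """Drive the flow with a controllable clock; each entry is True when the check behaved as intended."""
    clock = [0.0]
    carrier = CarrierApplication(lambda: clock[0])
    bank = BankApplication(carrier, lambda: clock[0])
    bank.enroll("customer", "914-588-9992")   # phone number used throughout the slides

    mid, prompt = bank.start_strong_auth("customer")
    token = prompt[-TOKEN_DIGITS:]            # what the customer reads off the screen
    results = {}
    # Another handset keying the right digits does not complete the request.
    results["wrong_phone_rejected"] = carrier.on_star88("914-000-0000", token) is None
    # The registered handset with the right digits completes it and the bank sees the reply.
    results["match_completes"] = (carrier.on_star88("914-588-9992", token) == mid
                                  and bank.is_completed(mid))
    # The same digits a second time do nothing: the request was consumed.
    results["replay_rejected"] = carrier.on_star88("914-588-9992", token) is None

    # A request left to expire cannot be completed afterwards, even from the right phone.
    mid2, prompt2 = bank.start_strong_auth("customer")
    clock[0] += TTL_SECONDS + 1
    results["expired_rejected"] = (carrier.on_star88("914-588-9992", prompt2[-TOKEN_DIGITS:]) is None
                                   and not bank.is_completed(mid2))
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Run it directly to print the four outcomes; run_demo uses a fake clock so the expiry case is reproducible. What the bank actually learns from this exchange is the carrier's assertion that a given line keyed the token, so the strength of the "something you have" factor rests on the carrier's identification of the calling number and on the enrollment step that tied that number to the user.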
Questions?