Introduction
User authentication is growing in importance in e-commerce. Many organizations are calling for stronger authentication mechanisms than the typical password-based schemes, e.g., the FFIEC guidance on authentication in Internet banking (Oct. 2005) and the FSTC Better Mutual Authentication project.
10/22/2012 confidential 2
As these efforts illustrate, authentication strength depends on more than just the factors, and the authentication story depends on more than just the user.
[Diagram: Evidence, Auth. Factors, User's Devices, Auth. Protocol]
Forward authentication steps: the user and the user's devices present evidence to the agent, demonstrating possession of the authentication factors.
Sequential composition: one mechanism adds to another, e.g., authenticate to the resource with a password, then later with answers to life questions; risk-based approaches.
Example Factors
Something you know:
- Password / PIN
- Knowledge-based authentication
Security Challenges
A corrupted agent can misuse evidence. A rogue resource can also misuse evidence, unless the agent runs a strong protocol. A man-in-the-middle is also a threat, depending on the protocol. Key question: how does the user authenticate the resource and the agent?
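The following is an added illustration, not code from the slides, of the second and third threats above: a rogue resource (or a man-in-the-middle relaying its traffic) collects evidence from the agent and replays it to the genuine resource. With a password-as-evidence protocol the replay works; with a challenge-response protocol whose evidence is bound to the resource identifier the agent believes it is talking to, it does not. The identifiers, password, the use of PBKDF2 with the resource identifier as salt, and the class layout are all constructed assumptions for this example.

```python
"""Constructed illustration: evidence reuse by a rogue resource, weak vs. strong protocol."""
import hashlib
import hmac
import secrets

GENUINE = "bank.example"      # constructed identifier of the genuine resource
ROGUE = "bank-login.example"  # constructed identifier of a look-alike rogue resource
PASSWORD = "correct horse"    # constructed user secret


def derive_key(password: str, resource_id: str) -> bytes:
    """Per-resource key from the password; the resource id acts as salt (assumption, simplified)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), resource_id.encode(), 10_000)


class Resource:
    """The service the user wants to reach; it stores only its own per-resource key."""

    def __init__(self, resource_id: str, password: str):
        self.resource_id = resource_id
        self.key = derive_key(password, resource_id)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_weak(self, password: str) -> bool:
        # Weak protocol: the password itself is the evidence, reusable anywhere.
        return hmac.compare_digest(self.key, derive_key(password, self.resource_id))

    def verify_strong(self, challenge: bytes, evidence: str) -> bool:
        # Strong protocol: evidence is an HMAC over (resource id || challenge) under the per-resource key.
        expected = hmac.new(self.key, self.resource_id.encode() + challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, evidence)


class Agent:
    """The user's device/browser: knows the password and produces evidence for the
    resource it *believes* it is talking to (how it knows that is the key question)."""

    def __init__(self, password: str):
        self.password = password

    def weak_evidence(self, believed_resource_id: str) -> str:
        return self.password

    def strong_evidence(self, believed_resource_id: str, challenge: bytes) -> str:
        key = derive_key(self.password, believed_resource_id)
        return hmac.new(key, believed_resource_id.encode() + challenge, hashlib.sha256).hexdigest()


def rogue_relay_succeeds(strong: bool) -> bool:
    """The rogue resource relays the genuine challenge to the agent, captures the
    evidence the agent produces for ROGUE, and replays it to GENUINE."""
    genuine = Resource(GENUINE, PASSWORD)
    agent = Agent(PASSWORD)
    if not strong:
        return genuine.verify_weak(agent.weak_evidence(ROGUE))
    challenge = genuine.challenge()
    captured = agent.strong_evidence(ROGUE, challenge)  # bound to the wrong identifier
    return genuine.verify_strong(challenge, captured)


def legitimate_login_succeeds() -> bool:
    """Sanity check: the strong protocol still works when the agent names the right resource."""
    genuine = Resource(GENUINE, PASSWORD)
    agent = Agent(PASSWORD)
    challenge = genuine.challenge()
    return genuine.verify_strong(challenge, agent.strong_evidence(GENUINE, challenge))


if __name__ == "__main__":
    print("weak protocol, rogue replay succeeds:", rogue_relay_succeeds(strong=False))
    print("strong protocol, rogue replay succeeds:", rogue_relay_succeeds(strong=True))
    print("strong protocol, legitimate login succeeds:", legitimate_login_succeeds())
```

The binding only helps if the identifier the agent feeds into the evidence is the one actually verified (for example from the resource's certificate), which is exactly why the slides ask how the user and agent authenticate the resource; a corrupted agent that holds the password defeats both variants.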
[Diagram: Evidence, Auth. Factors, User's Devices, Auth. Protocol]
3. Dynamic security skins
The resource authenticates to the agent with a certificate. The agent then presents the resource identifier to the user via a visual pattern derived from a hash of that identifier.
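As an added example (not code from the slides or from the dynamic security skins project), here is one way an agent can turn a certificate-verified resource identifier into a deterministic pattern for the user to recognize. The grid size, glyph palette, SHA-256, and the DNS-style normalization are assumptions made for this illustration; the security-relevant property it shows is that a look-alike identifier produces an unrelated pattern.

```python
"""Constructed illustration: a hash-derived visual pattern from a resource identifier."""
import hashlib
from typing import List

GLYPHS = " .:-=+*#%@"  # constructed palette; each cell byte selects one glyph


def normalize_identifier(resource_id: str) -> str:
    """Canonicalize a host-style identifier so that case or a trailing dot
    does not change the skin (assumption: identifiers are DNS-style names)."""
    return resource_id.strip().rstrip(".").lower()


def skin_pattern(resource_id: str, width: int = 8, height: int = 4) -> List[str]:
    """Derive a width x height character grid from SHA-256 of the normalized identifier.
    The agent must compute this from the identifier it verified (e.g. from the
    certificate), never from a string supplied by the page being displayed."""
    stream = hashlib.sha256(normalize_identifier(resource_id).encode("utf-8")).digest()
    cells = width * height
    # Extend the byte stream by chaining hashes if the grid needs more than 32 cells.
    while len(stream) < cells:
        stream += hashlib.sha256(stream).digest()
    return [
        "".join(GLYPHS[stream[r * width + c] % len(GLYPHS)] for c in range(width))
        for r in range(height)
    ]


def render(rows: List[str]) -> str:
    return "\n".join(rows)


def same_skin(a: str, b: str) -> bool:
    """True iff two identifiers would show the user the same skin."""
    return skin_pattern(a) == skin_pattern(b)


if __name__ == "__main__":
    for rid in ("bank.example", "Bank.Example.", "bank-login.example"):
        print(rid)
        print(render(skin_pattern(rid)))
        print()
```

Because the pattern is a pure function of the verified identifier, the user learns one picture per genuine resource; a rogue resource under a different name cannot reproduce it, but the scheme gives no protection if the agent itself is corrupted or computes the pattern from an unverified name.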
The resource should enable some evidence that the agent can present to the user. Rapport-building is important if the user can't be sure that the agent is running strong protocols. Contextual factors provide a foundation.
Conclusions
All parties need assurance that the others are authentic: both the user (or tag) and the system. Obtaining this assurance is an important challenge in protocol design, whether for e-commerce or for physical objects. Authentication is about more than just the factors: it is about the evidence.
Contact Information
www.rsasecurity.com/rsalabs
Thank you