CertAnon

transcript

CertAnon

The feasibility of an anonymous WAN authentication service

Red GroupCS410

March 1, 2007

Our Team

3/1/2007 Red Group 2

Threatening News

• 1/5/2007: In an Instant, Retirement Savings Vanish

• 2/15/2007: Online Identity Stolen• 2/20/2007: Phishers Targeting MySpace• 2/23/2007: Free Wi-Fi scam hitting airports• 2/26/2007: Trojan Horse Designed to Steal

Usernames and Passwords

How About You?

• How many online accounts do you have?

• How many passwords do you have to remember?

• How do you manage them?

The Problem

• Single-factor password authentication is easily compromised and endangers the security of online accounts.– Username/Password paradigm is insecure1

– Management of multiple strong passwords is difficult for individuals

– Fraudulent online account access is increasing

1. http://www.schneier.com/crypto-gram-0503.html#2

The Endangered Password

• More online accounts = more passwords• Complexity of passwords is limited by the

human factor2

• Vulnerability is enhanced by the technology factor

• Dissemination is too easy• Once compromised, a password is no longer

effective for authentication

2. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html

Going Phishing

• Phishing sites are on the rise3

• Over 7 million phishing attempts per day

3. Anti-Phishing Working Group - http://www.antiphishing.org/

CertAnon - A New Proposal

• Anonymous WAN authentication service– Used for any and all online accounts– Strong two-factor authentication– Limited information sharing

• Partner with online businesses

• Initial customers are Internet users

Goal and Objectives

• Build a WAN authentication service that permits customers to securely access all of their online accounts using a single access method– Build our website– Write software modules for partner sites– Develop testing portal– Install authentication servers– Distribute tokens– Beta-testing, then go live!

What Would It Look Like?

3/1/2007 Red Group 10

Website Host

US East CoastRSA ACE server

USA West CoastRSA ACE server

UK RSAACE server

AustraliaRSA ACE

server

Login attempt

Login response

Auth request

Auth response

CertAnon website

Account setup Database update

Internet user withCertAnon token

Two-factor Authentication4

• Something you know– A single PIN

• Plus something you have– Hardware token generating pseudo-

random numbers

• Effectively changes your password every 60 seconds

3/1/2007 Red Group 11

4. RSA - http://www.rsasecurity.com/node.asp?id=1156

3/1/2007 Red Group 12

4. Bob goes to E*Trade's website to sign in.

Username: TraderBob

Password: 1a2b3c234836

His E*Trade usernameis TraderBob, so hetypes that as usual.

He looks at the codeon his token display.He types his PIN andthat token code in thePassword field.

5. And now he's in his E*Trade account!

SpamBob

1a2b3c184675

His Yahoo! usernameis SpamBob, so hetypes that as usual.

He looks at the codeon his token display.He types his PIN andthat token code in thePassword field.

Username:

Password:

7. And now he's in his Yahoo! account!

6. One minute later, he jumps to the Yahoo!mail page to check e-mail.

3/1/2007 Red Group 13

Visit CertAnonwebsite Create CertAnon

username and PIN

Valid serialnumber andtoken codes?

Enter token serialnumber and two

consecutive tokencodes

3rd badattempt?

CertAnon supportintervention

Set up securityquestions/answers

Buy CertAnontoken

Log out ofCertAnon account

Token Setup Process

3/1/2007 Red Group 14

Use CertAnon forauthentication? Create account

password

Choose temporarypassword

Log into CertAnonwebsite with

CertAnonusername and

passcode (PIN +token code)

Does domainsupport

CertAnon?

Automated login toaccount using temppassword to verify

ownership

YesSuccessful

login?

Add online accountusername and

domain to CertAnonaccount

Return to accountwebsite

Temporarypassword cancelled

3rd badattempt?

CertAnon supportintervention

Red - 3rd party account processBlue - CertAnon processGreen - Interaction between them

Color Scheme

Open onlineaccount and create

username

Change passwordfor existing online

account

Authenticate withCertAnon passcode

Account Setup Process

Who is Our Customer?

• Individual Internet User– Purchases CertAnon token for one-time fee

of $50

• Obtaining a critical mass of customers makes CertAnon a must have for online vendors– Could give leverage to charge vendors in

the future

3/1/2007 Red Group 15

About the Customer

3/1/2007 Red Group 16

Consumers Profess.

Bank Online

TravelReservations

Commerce &Communicate

6-15passwords

Over 15passwords

5. Internet World Stats - http://www.internetworldstats.com/stats2.htm 6. Clickz.com - http://www.clickz.com/showPage.html?page=3481976#table 7. Clickz.com - http://www.clickz.com/showPage.html?page=3587781#table2 8. RSA Security Password Management Survey - http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf

Why Will The Customer Care?

• Reduce/eliminate need for multiple passwords

• Avoid password theft and unauthorized account access

• No information stored on a card that can be lost

• No password database to be hacked

3/1/2007 Red Group 17

What’s in it for a business?

3/1/2007 Red Group 18

• It’s free• No need to implement a costly proprietary

solution• Improves security of customer base by

moving more people away from passwords• Snaps into existing infrastructure with minimal

development• Customers who don't switch will be unaffected

Competition Matrix

3/1/2007 Red Group 19

• Still not perfectly secure

• Token trouble– Forgotten– Broken– Lost or stolen

• Inadequate for sight-impaired users

3/1/2007 Red Group 20

Risks & Mitigation

3/1/2007 Red Group 21

Impact

5 5 2 1

1 2 3 4 5

Probability

(1-Low to 5-High)

# Risk Mitigation

1 Trust Beta-testing

2 Customerunderstanding

Tutorials on website

3 Reliance on token sales revenue

Encourage early partner site adoption

4 Viable alternatives Single source two-factor

Token loss Provide temporary password access

6 Token availability Offer online and through retail outlets

7 Government vs. Anonymity

Follow the lead of encryption products

Costs & Revenue

3/1/2007 Red Group 22

Servers $16,000

RSA training $1,600

1.5 developers (3yr) $600,000

Server/application admin (3yr) $414,000

Co-location and access costs (3yr) $144,000

RSA Authentication Manager (3yr)* $3,600,000

Tokens* and packaging @$30 $30,000,000

Total* $34,775,600

Revenue* $50,000,000

*Based on sales of one million tokens

Conclusion

• Available, affordable, and proven technology

• Targets a large and growing market

• Benefits consumers and online businesses

• Manageable project scope, scaleable product

3/1/2007 Red Group 23

References

• “Failure of Two-Factor Authentication.” Schneier on Security. 12 Jul. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/07/failure_of_twof.html>.

• “Internet Penetration and Impact.” Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.

• “Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.e-consultancy.com/publications/download/91130/internet-stats-compendium/internet-stats-compendium-January-2007-SAMPLE.doc>.

• “Internet World Stats.” Internet World Stats. 11 Jan. 2007. Internet World Stats. 15 Feb. 2007 <http://www.internetworldstats.com/stats2.htm >.

• “Online Banking Increased 47% since 2002.” ClickZ Stats. 9 Feb. 2007. The ClickZ Network. 15 Feb. 2007 <http://www.clickz.com/showPage.html?page=3481976#table>.

3/1/2007 Red Group 24

References (cont.)

• “Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.

• “Real-World Passwords.” Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.

• “RSA SecurID Authentication.” RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.

• “RSA Security Password Management Survey.” RSA Security. Sep. 2006. Wikipedia. 15 Feb. 2007 <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf >.

• “Rural America Slow to Adopt Broadband.” ClickZ Stats. 27 Feb. 2007. The ClickZ Network. 28 Feb. 2007 <http://www.clickz.com/showPage.html?page=3587781#table2>.

3/1/2007 Red Group 25

CertAnon

Documents

CertAnon Product Specification - cs.odu.edu file · Web viewThe types of documents that the LASI prototype accepts has been limited to just DOC and DOCX. ... Head word: A locally

CertAnon Product Specification - Old Dominion Universitycpi/411/reds13/tabs/papers/brittany/jo… · Web viewAs shown in Figure 2., results can be viewed in three different format

CertAnon Anonymous WAN Authentication Service Approval Presentation Red Group CS410 May 1, 2007.

CertAnon Product Specificationcpi/old/411/purpls13/files/Lab2… · Web viewThese are instrumental in reviving languages to prevent them from going out of use. As long as these

CertAnon Product Specification - cs.odu.edu · Web viewThe LASI User Interface is a Windows Presentation Foundation (WPF) project using XAML to define the structure of the views

CertAnon The feasibility of an anonymous WAN authentication service Red Group CS410 March 1, 2007.

CertAnon Anonymous WAN Authentication Service Milestone Presentation Red Group CS410 April 5, 2007.