8/14/2019 Implementation of a Biometric Solution Providing Strong Authentication to Gain Access to Confidential Da
1/71
Agenda
- Digital identity security
- Strong authentication?
- Strong authentication technology
- Biometry and Match on Card
- Digital certificate / PKI
- Applications for the Match on Card technology
- Illustration with a project for the banking field
- Trends 2010

Conseil en technologies (technology consulting), www.maret-consulting.ch
Security Summit Milano, March 2010
Who am I?
- Security expert, 15 years of experience in ICT security
- CEO and founder of MARET Consulting
- Expert at the Engineering School of Yverdon and at Geneva University
- Swiss French area delegate at OpenID Switzerland
- Co-founder of the Geneva Application Security Forum
- Author of the blog La Citadelle Electronique
- Chosen field: digital identity security
Protection of digital identities: a topical issue
[Figure: identification]
Strong authentication: why?
- Keylogger (hardware and software)
- Malware
- Man in the Middle
- Browser in the Middle
- Password sniffer
- Social engineering
- Phishing / pharming
The number of identity thefts is increasing dramatically!
Identification and authentication?
- Identification: Who are you?
- Authentication: Prove it!
Definition of strong authentication
Strong Authentication on Wikipedia
MARET Consulting| Boulevard Georges Favon 43 | CH 1204 Geneva| Tl +41 22 575 30 35| [email protected] | www.maret-consulting.ch
Which strong authentication technology?
[Comparison matrix of the three technologies: OTP, PKI (hardware) and biometry*, rated against four properties: strong authentication, digital signature, non-repudiation, strong link with the user.]
* Biometry of the fingerprint type.
Strong authentication: technologies on the move
Two audiences: corporations and the public.
- eBanking
- VPN
- Web applications
- Mobility
- Electronic document management
- PIV FIPS-201 project
- SAML
- Adoption of OpenID
- Authentication as a Service (AaaS)
- Social networks (Facebook)
- Virtual worlds
- Cloud computing (Google Docs, Salesforce)
Technologies accessible to everyone
- Standards
- Open Authentication (OATH)
- Open source solutions
OATH authentication algorithms:
- HOTP (HMAC-based, event-based)
- OCRA (challenge/response)
- TOTP (time-based)
OATH Token Identifier Specification
Strong, two-factor authentication with mobile phones
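As an added worked example (not part of the original slides), here is a stdlib-only Python implementation of two of the OATH algorithms named above, HOTP (RFC 4226) and TOTP (RFC 6238), together with the server-side check a practitioner needs and the slide does not show: a bounded look-ahead window for tokens whose counter has drifted ahead, a constant-time comparison, and consumption of the accepted counter so that a captured code cannot be replayed. The secret is the RFC test-vector secret, so the output can be checked against the RFC tables; the `HotpValidator` class, its window size and the retry policy are choices made for this example, not something the page prescribes.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real deployment
# provisions a random per-token secret at enrollment and never reuses it.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second periods since the epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


class HotpValidator:
    """Server side of event-based OTP: accepts a code only if it lies in a bounded look-ahead
    window past the last accepted counter, compares in constant time, and consumes the counter."""

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6):
        self.secret = secret
        self.window = window          # tolerated number of skipped presses on the token
        self.digits = digits
        self.last_counter = -1        # nothing accepted yet

    def verify(self, candidate: str) -> bool:
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), candidate):
                self.last_counter = c   # consumed: the same code is rejected from now on
                return True
        return False                    # stale, replayed, or outside the window


if __name__ == "__main__":
    for n in range(3):
        print(f"HOTP counter {n}: {hotp(RFC_SECRET, n)}")
    print("TOTP at T=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))
    v = HotpValidator(RFC_SECRET, window=5)
    print("first use:", v.verify("755224"), " replay:", v.verify("755224"))
```

Two caveats that matter in deployment: the look-ahead window is also the attacker's guessing window, so keep it small and rate-limit failed attempts; and for TOTP the server normally accepts one step of clock skew in each direction, which again only works safely if each accepted code is recorded and refused a second time within its validity.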
Biometry and Match on Card
Which biometric technology for IT?
Biometry = strong authentication?
The answer is clearly no: biometry requires a second factor.
- Security problem: usurpation (spoofing of the biometric trait). A fingerprint is not a secret and cannot be revoked once copied, so on its own it proves "something you are" but not possession of anything.
- Used alone, biometry is only a convenience for the user.
- More information on usurpation: study by Yokohama National University (Matsumoto's gummy-finger attacks on fingerprint sensors).
Match on Card technology: your PIN code is your finger
Example of Match on Card technology for IT
- A reader: biometric sensor and smart card slot
- A card with a chip: Match on Card (MOC) technology, crypto processor, PC/SC and PKCS#11 interfaces, X.509 digital certificate
Storing the biometric data: where?
- On an external medium (the card): better security, works offline; MOC = Match On Card
- Through an authentication server: security issue, confidentiality issue, availability issue
- Legal framework: Swiss Federal Act of 19 June 1992 on Data Protection (LPD)
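The two slides above (the MOC card with its crypto processor, and the choice of storing the template on the card rather than on a server) are illustrated by this added Python model, which is not code from the original presentation. It shows what Match on Card buys: the enrolled template and the private key live inside the card object and never cross its interface, the comparison runs on the card, the private key only signs after a successful match, and a retry counter blocks the card after repeated failures (the usual PIN semantics, applied to the finger). The bit-similarity matcher, the HMAC stand-in for the card's signature, the `MAX_TRIES` value and the sample data are all constructed for the example.

```python
import hashlib
import hmac


class CardLocked(Exception):
    """Raised when the card's retry counter is exhausted."""


def similarity(template: bytes, sample: bytes) -> float:
    """Fraction of matching bits; a crude stand-in for a real minutiae matcher."""
    if template is None or len(template) != len(sample):
        return 0.0
    differing = sum(bin(t ^ s).count("1") for t, s in zip(template, sample))
    return 1.0 - differing / (8 * len(template))


class MatchOnCard:
    """Model of a Match-on-Card chip: the template and the private key stay inside the object;
    only enroll / verify / sign / reset are exposed, and sign needs a prior successful match."""

    MAX_TRIES = 3

    def __init__(self, private_key: bytes):
        self._key = private_key      # never returned by any method
        self._template = None        # written once at enrollment, never read out
        self.tries_left = self.MAX_TRIES
        self._unlocked = False

    def enroll(self, template: bytes) -> None:
        self._template = template
        self._unlocked = False

    def verify(self, sample: bytes, threshold: float = 0.90) -> bool:
        if self.tries_left == 0:
            raise CardLocked("retry counter exhausted; the issuer must unblock the card")
        if similarity(self._template, sample) >= threshold:   # the comparison runs on the card
            self.tries_left = self.MAX_TRIES
            self._unlocked = True
            return True
        self.tries_left -= 1
        self._unlocked = False
        return False

    def sign(self, challenge: bytes) -> bytes:
        """Private-key operation (HMAC-SHA256 stands in for an RSA/ECDSA signature)."""
        if not self._unlocked:
            raise PermissionError("biometric verification required before key use")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

    def reset(self) -> None:
        """Card removed or powered down: the verified state does not survive."""
        self._unlocked = False


# Constructed sample data: a 256-bit "template" and two live samples.
TEMPLATE = hashlib.sha256(b"enrolled right index finger").digest()
GOOD_SAMPLE = bytes(b ^ 0x01 for b in TEMPLATE[:10]) + TEMPLATE[10:]   # 10 of 256 bits differ
BAD_SAMPLE = hashlib.sha256(b"someone else's finger").digest()          # about half the bits differ


def logon(card: MatchOnCard, sample: bytes, challenge: bytes):
    """Smart card logon as the host sees it: present the finger, then sign the server's challenge."""
    if not card.verify(sample):
        return None
    return card.sign(challenge)


def sign_refused(card: MatchOnCard, challenge: bytes) -> bool:
    """True if the card refuses to use its key without a prior match."""
    try:
        card.sign(challenge)
        return False
    except PermissionError:
        return True


def failures_until_locked(card: MatchOnCard, sample: bytes) -> int:
    """Feed a non-matching sample until the card locks; returns the number of refused attempts."""
    refused = 0
    while True:
        try:
            card.verify(sample)
            refused += 1
        except CardLocked:
            return refused


if __name__ == "__main__":
    card = MatchOnCard(b"constructed card key")
    card.enroll(TEMPLATE)
    print("sign before match refused:", sign_refused(card, b"nonce"))
    print("wrong finger:", logon(card, BAD_SAMPLE, b"nonce"), "tries left:", card.tries_left)
    print("right finger:", logon(card, GOOD_SAMPLE, b"nonce").hex()[:16], "...")
```

The contrast with the "authentication server" option is the absence of any method that returns `_template`: with match-on-server, the sample (and the stored reference) must travel over the network and sit in a database, which is exactly the confidentiality and availability exposure the slide lists.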
Examples of use of the Match on Card technology
- Microsoft Smart Card Logon (PKINIT, Kerberos)
- Web SSO solution (SAML)
- Very sensitive web applications: electronic document management, eBanking
- Data encryption: laptop encryption, folder (share) encryption
- Citrix
- Remote access: SSL VPN, IPsec VPN
- Digital signature solution
- Etc.
Mobility security with MOC technology
- Biometric strong authentication with a swipe-type reader
- Applications: Smart Card Logon, VPN (SSL, IPsec), web applications, Citrix
- Use of the TPM: authentication of the machine
- Pre-boot authentication and full disk encryption
Authentication of a user with PKINIT (Smart Card Logon)
[Figure: PKINIT exchange between the client and the Kerberos KDC; schema by Philippe Logean, e-Xpert Solutions SA]
With PKINIT (RFC 4556) the Kerberos AS-REQ carries pre-authentication data signed with the private key held on the card, so the KDC verifies the user's certificate (chain and revocation status) before issuing the ticket-granting ticket; the fingerprint match on the card is what releases that private key.
Feedback: banking field
The project: electronic management of documents
- Implementation of an Electronic Document Management solution
- Access to very sensitive information; classification of the information: Secret
- Encryption of data (requirement from the BIA)
- Authorization and access control
- Project for a private bank in Switzerland; start of the project: 2005
- Population concerned: 500 persons (Phase I); in the long run 3000 persons (Phase II)
Business Impact Analysis (BIA): Bank Acme SA
Soft impact: loss of goodwill, loss of credibility, breach of the law.
Hard impact: reduced income, increased cost of working, loss of operational capability, breach of contract / financial penalties.

Data / Services / IT applications | Confidentiality | Integrity | Availability (in time): inconvenience | quite serious | critical | Soft impact | Hard impact
Electronic Document Mgt | HIGH | HIGH | 30 min | 1 h | 2 h | HIGH | HIGH
(Data classification: Secret)
Implementation of a technology allowing strong authentication, via a mechanism of irrefutable proof, of the users accessing the bank's information system.
Who accesses what, when and how?
The technical constraints of the strong authentication project
Mandatory:
- Integration with existing applications: Web, Microsoft Smart Card Logon, laptop
- Separation of roles (four eyes)
- Auditing, proof, proof management
Desired:
- Integration with building security
- Data encryption
- Digital signature
- Future applications: strong authentication for network and systems
Basic concept: a unique link
[Figure: the issuer delivers a certificate to the user; Identity Management (Phase 1: strong authentication) and Authorization Management for application A (Phase 2: authorization) are joined by a single link, the certificate's cn attribute.]
The common name (cn) carried in the X.509 certificate is the one identifier that ties the strongly authenticated identity to the authorizations granted in each application, so the same user cannot end up with two disconnected identities.
Components of the technical architecture
- Implementation of an in-house (intra muros) PKI, non-Microsoft (separation of duties)
- OCSP protocol for certificate validation
- Use of a Hardware Security Module
- Security of the PKI architecture: shielding and hardening, firewall, IDS, FIA
Concept for the security of the EDM (GED) application
The focus of biometric authentication
The weak link? It matters more than the technique
- Definition of roles, tasks and responsibilities; purpose: separation of duties (four eyes)
- Implementation of identity management processes
- Implementation of operating procedures
Implementation of processes
- Processes for the identity management team: user enrollment, revocation, incident management (loss, theft, forgotten card), renewal
- Process for the help desk
- Process for the auditors
- Process for the RSSI (CISO)
- And the operating procedures!
The result
A series of documents for the bank:
- Operating procedures
- Description of processes
- Terms of use
- Definition of roles and responsibilities
- CP / CPS for the in-house PKI
Training
- Training of the identity management team
- Training of users
- Training of the help desk
- Training for the technologies: PKI, biometry
Identity management team training
- Very important work
- How to enroll fingers
- Match on Card technology
- Problem handling: technical, human
- Coaching for 3 weeks
End user training
- About 30 min per user
- Match on Card: finger position, try it out (play with biometry)
- Document for end users
- Signature (legal usage)
Problems
Some examples
- Enrollment with some users
- End user convocation
- Technical problem on the Validation Authority (OCSP servers)
Feedback?
Conclusion of the project
- Pure technique is a minor element in the success of such a large-scale project
- Biometry is a mature technology, as is PKI technology
- Never underestimate the organisational aspect: CP / CPS for the PKI, management processes
- Ask for management support
- It offers a safety kernel for the future: encryption, signature, information rights management, data security
- A step towards convergence of physical and logical security
Trend: biometry Match on Card
- The PIV FIPS-201 project is a leader!
- Convergence of physical security and logical security
- Biometric sensor for laptops: UPEK (FIPS-201 solution)
- New biometric technologies
- Full disk encryption (laptop) with support of the Match on Card technology: McAfee Endpoint Encryption (formerly SafeBoot Encryption), WinMagic SecureDoc Disk Encryption
A very promising technology: vascular pattern recognition (by Sony)
When will the convergence happen?
A difficult convergence! Physical security and logical security
A few links to deepen the subject
- MARET Consulting: http://maret-consulting.ch/
- La Citadelle Electronique (blog on digital identities): http://www.citadelle-electronique.net/
- Banking and finance articles:
  - Steal an identity? Impossible with biometry! http://www.banque-finance.ch/numeros/88/59.pdf
  - Biometry and mobility: http://www.banque-finance.ch/numeros/97/62.pdf
- Public presentations:
  - OSSIR Paris 2009: Feedback on the deployment of biometry on a large scale: http://www.ossir.org/paris/supports/2009/2009-10-13/Sylvain_Maret_Biometrie.pdf
  - ISACA, Clusis: Access to information: roles and responsibilities: http://blog.b3b.ch/wp-content/uploads/mise-en-oeuvre-de28099une-solution-biometrique-de28099authentification-forte.pdf
Counseling and expertise for the selection and the implementation of innovative technologies in the field of information systems security and digital identity.
Annexes
OTP software using a smartphone
- OTP for iPhone: a feedback
- Software OTP for iPhone
- Mobile One Time Passwords
Biometry Match on Card: feedback on the deployment of biometry on a large scale
The focus of biometric authentication
USB Token
Internet Passport
Matrix cryptography
PKI: X.509 digital certificate
- Software certificate
- Hardware certificate
OTP via SMS
[Figure: login screen prompting "Enter OTP"]
State of the art in 2010 of the authenticators: synthesis

Technology | Explanations
OTP software (smartphone) | One Time Password software; event, time or challenge/response mode; not-connected mode
Biometry Match on Card | Biometry and chip card; digital certificate
USB token | One Time Password in connected mode; event, time or challenge/response mode
Internet Passport | Biometry; One Time Password; not-connected mode; challenge/response mode
Matrix cryptography | One Time Password; challenge/response mode
PKI | Software certificate; hardware certificate
OTP SMS | One Time Password by SMS
Web applications
Web application with a basic authentication
Web application towards a strong authentication?
Shielding approach - (Perimetric Authentication)
Approach API / SDK
SSL PKI: how does it work?
[Figure: Alice authenticates to the web server with her X.509 certificate during SSL/TLS mutual authentication; the web server sends an OCSP request to the Validation Authority, which answers valid, not valid, or unknown.]
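The OCSP leg of the figure, as an added example that is not part of the original slides: a stdlib-only Python encoder for the OCSPRequest DER structure of RFC 6960, built from the CertID fields a relying party derives from the certificate under test and its issuer (hash of the issuer's DER-encoded Name, hash of the issuer's public key bits, serial number), plus a small DER reader that walks the result back to the CertID. The issuer name, the issuer public-key bytes, the serial number and the responder URL are constructed placeholders, not values from the bank's PKI.

```python
import hashlib
import urllib.request

# --- Minimal DER encoder, enough for an OCSP request (RFC 6960 section 4.1) ---
SEQ, SET, OCTET, OID, NULL, UTF8 = 0x30, 0x31, 0x04, 0x06, 0x05, 0x0C


def der_len(n: int) -> bytes:
    """Short form below 128, otherwise 0x80 | number of length bytes, then the length."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value: int) -> bytes:
    """Positive INTEGER; an extra 0x00 is prepended when the top bit would otherwise be set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


OID_SHA1 = der(OID, bytes.fromhex("2b0e03021a"))   # 1.3.14.3.2.26 (sha1, still the usual CertID hash)
OID_CN = der(OID, bytes.fromhex("550403"))         # 2.5.4.3 commonName


def cert_id(issuer_name_der: bytes, issuer_spk: bytes, serial: int) -> bytes:
    """CertID ::= SEQ { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    issuerNameHash is over the issuer's DER Name; issuerKeyHash over the subjectPublicKey bits."""
    return der(SEQ, der(SEQ, OID_SHA1 + der(NULL, b""))
               + der(OCTET, hashlib.sha1(issuer_name_der).digest())
               + der(OCTET, hashlib.sha1(issuer_spk).digest())
               + der_int(serial))


def ocsp_request(issuer_name_der: bytes, issuer_spk: bytes, serial: int) -> bytes:
    """OCSPRequest ::= SEQ { TBSRequest ::= SEQ { requestList ::= SEQ OF Request ::= SEQ { CertID } } }.
    version defaults to v1 and is omitted; requestorName, extensions and optionalSignature are absent."""
    request = der(SEQ, cert_id(issuer_name_der, issuer_spk, serial))
    return der(SEQ, der(SEQ, der(SEQ, request)))


def http_post(url: str, body: bytes) -> urllib.request.Request:
    """HTTP transport per RFC 6960 appendix A; the caller decides whether to send it."""
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Content-Type": "application/ocsp-request"})


# --- Tiny DER reader, to check what was built (and what the responder will parse) ---
def tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this element)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def children(content: bytes):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = tlv(content, pos)
        out.append((tag, body))
    return out


def decode_cert_id(req: bytes) -> dict:
    """Descend OCSPRequest -> TBSRequest -> requestList -> Request -> CertID and return its fields."""
    node = req
    for _ in range(5):
        node = tlv(node)[1]
    alg, name_hash, key_hash, serial = children(node)
    return {"hash_alg": children(alg[1])[0][1].hex(),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big")}


# Constructed sample input (no real CA): a one-RDN issuer Name and placeholder public-key bits.
ISSUER_NAME = der(SEQ, der(SET, der(SEQ, OID_CN + der(UTF8, b"Acme Bank Issuing CA"))))
ISSUER_SPK = bytes(range(64))          # stands in for the issuer's subjectPublicKey BIT STRING payload
SERIAL = 0x1A2B3C4D5E6F
RESPONDER_URL = "http://ocsp.acme-bank.example/"   # hypothetical Validation Authority endpoint

if __name__ == "__main__":
    req = ocsp_request(ISSUER_NAME, ISSUER_SPK, SERIAL)
    print(req.hex())
    print(decode_cert_id(req))
    print(http_post(RESPONDER_URL, req).get_method())
```

The responder's answer carries a certStatus of good, revoked or unknown, which is what the figure labels valid, not valid and unknown; it is signed, and the relying party must verify that signature (and the responder's authorization to sign for this CA) before trusting the status. Because the project itself ran into OCSP server problems, decide explicitly what the web server does when the Validation Authority does not answer: a hard fail turns a responder outage into a login outage, a soft fail turns it into a window in which revoked cards still work.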
Approach: federation of identity, a change of paradigm

Approaches for an integration of the strong authentication
Approach | Examples
Shielding (perimetric authentication) | Use of a protective third-party component, such as a reverse proxy (web application firewall)
Module (agents) | Use of a software module, such as an Apache module, a SecurID agent, etc.
API (SDK) | Development via an API, for instance by using web services (SOAP)
SSL PKI | Use of an X.509 certificate; use of SSL/TLS functionalities; PKI-ready application, etc.
Identity federation | Use of a federation protocol such as SAML, OpenID, others