
CertAnon

CertAnon. A Proposal for an Anonymous WAN Authentication Service David Mirra CS410 January 30, 2007. Who is online? 1 73% of American adults 88% of 18-29 year-olds 91% of college-educated adults. What are they doing? 2 Communicating Shopping Banking. A Wired World.


Presentation Transcript


  1. CertAnon: A Proposal for an Anonymous WAN Authentication Service
  David Mirra, CS410, January 30, 2007

  2. A Wired World
  Who is online? (1)
  • 73% of American adults
  • 88% of 18-29 year-olds
  • 91% of college-educated adults
  What are they doing? (2)
  • Communicating
  • Shopping
  • Banking
  1. US users, April 2006 - http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf
  2. UK users, Q1 2005 - http://www.e-consultancy.com/publications/internet-stats-compendium/

  3. The Identity Issue
  • Strong authentication needed for online accounts
  • Permit remote access for authorized users
    • Allow the good guys in
    • Keep the bad guys out
  • Typically done via username/password mechanism

  4. The Problem with Passwords
  • More online accounts = more passwords
  • Complexity of passwords is limited by the human factor (3)
  • Vulnerability is enhanced by the technology factor
  • Password control is difficult (4)
    • Dissemination is too easy
    • Once compromised, a password is no longer effective for authentication
  3. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
  4. http://www.schneier.com/crypto-gram-0503.html#2

  5. The Risk of Theft
  • Phishing attempts are on the rise (5)
  • Social engineering tricks users into divulging info
  • Crimeware steals account credentials directly
  5. Anti-Phishing Working Group - http://www.antiphishing.org/

  6. What’s Been Tried?
  • Microsoft .NET Passport (6) and Sun Liberty Alliance (7)
    • Single sign-on services for web commerce
    • Privacy concerns
    • Relied on username/password paradigm
  • Company-specific token authentication
    • A token for every site
  6. Wikipedia - http://en.wikipedia.org/wiki/Microsoft_Passport
  7. Wikipedia - http://en.wikipedia.org/wiki/Liberty_Alliance

  7. A New Proposal
  • Anonymous WAN authentication service
  • Used for any and all online accounts
  • Strong two-factor authentication
  • Limited information sharing
  • Initial customers are Internet users
  • Ultimate customers are online businesses

  8. Two-factor Authentication (8)
  • Something you know
    • A single PIN
  • Plus something you have
    • Hardware token generating pseudo-random numbers
    • Effectively changes your password every 60 seconds
  8. RSA - http://www.rsasecurity.com/node.asp?id=1156

  9. CertAnon Hardware
  • Four global servers running RSA Authentication Manager
  • RSA SecurID tokens available for retail purchase

  10. CertAnon Software
  • Public web service
  • Encrypted authentication request/response
  • Free software modules for download by web site operators
    • Encourages adoption of CertAnon authentication

  11. How Does It Work for Me?
  • Buy a token
    • Anonymous purchase
  • Register it with CertAnon
    • Anonymous registration
  • Create a web account anywhere
    • Check the box “I use CertAnon”
    • Link that account to your token
  • And off you go!

  12. How About the Web Sites?
  • Register servers with CertAnon
    • Receive key to encrypt requests
  • Make CertAnon authentication available to customers
  • Authentication requests are sent to all CertAnon servers
    • First to respond is accepted
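The flow of slides 8, 11 and 12 as an added example, not code from the proposal, CertAnon or RSA: the service stores only a token serial, its seed and a salted PIN hash (no identity), a web site links an account to the serial alone, and a login needs both the PIN and the current 60-second code. The HOTP-style HMAC code, the class and method names, and the sample serial, seed and PIN are all assumptions; the real SecurID algorithm is proprietary and differs.

```python
import hashlib, hmac, secrets, struct

# Added example, not CertAnon's or RSA's code. The token code is an HOTP-style
# HMAC over the 60-second time step, an assumed stand-in for the proprietary
# SecurID algorithm. The service stores only a token serial, its seed and a
# salted PIN hash: no name or e-mail, which is what makes the link anonymous.
STEP = 60

def token_code(seed: bytes, now: float) -> str:
    """Six-digit code for the current 60-second window (something you have)."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class CertAnonService:
    """Authentication service: knows tokens, never knows who owns them."""
    def __init__(self):
        self.tokens = {}  # serial -> [seed, salt, pin_hash, last_step_used]

    def register(self, serial: str, seed: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.tokens[serial] = [seed, salt, pin_hash(pin, salt), -1]

    def verify(self, serial: str, pin: str, code: str, now: float) -> bool:
        rec = self.tokens.get(serial)
        if rec is None:
            return False
        seed, salt, stored, last = rec
        if not hmac.compare_digest(pin_hash(pin, salt), stored):  # something you know
            return False
        for drift in (0, -1, 1):  # tolerate one step of clock skew
            step = int(now) // STEP + drift
            if step > last and hmac.compare_digest(token_code(seed, step * STEP), code):
                rec[3] = step  # each code is accepted once, so a captured code cannot be replayed
                return True
        return False

class WebSite:
    def __init__(self, service: CertAnonService):
        self.service, self.links = service, {}  # account -> token serial, never an identity

    def login(self, account: str, pin: str, code: str, now: float) -> bool:
        serial = self.links.get(account)
        return serial is not None and self.service.verify(serial, pin, code, now)
```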

  13. Benefits
  • Consumers
    • Only one PIN to remember
    • Authenticate without sharing identity
    • Increased security
    • Pay once, protect forever
  • Businesses
    • Free for early adopters
    • No more password management
    • Close the “trust gap”

  14. Pitfalls
  • Requires adoption by consumers and businesses
    • Establish trust
    • Make it easy to get and easy to use
  • Not a silver bullet
    • Part of defense-in-depth strategy
  • Governmental resistance to anonymity
    • Similar hurdles faced by encryption products

  15. It Can Be Done
  • Available, affordable, and proven technology
  • Targets a large and growing market
  • Benefits consumers and online businesses
  • Manageable project scope, scalable product
  • Build it and they will come!

  16. Works Cited
  • “Failure of Two-Factor Authentication.” Schneier on Security. 12 Jul. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/07/failure_of_twof.html>.
  • “Internet Penetration and Impact.” Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
  • “Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.e-consultancy.com/publications/download/91130/internet-stats-compendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
  • “Liberty Alliance.” Wikipedia. 25 Jan. 2007. Wikipedia. 28 Jan. 2007 <http://en.wikipedia.org/wiki/Liberty_Alliance>.

  17. Works Cited (cont.)
  • “Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
  • “Real-World Passwords.” Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
  • “RSA SecurID Authentication.” RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
  • “Windows Live ID.” Wikipedia. 23 Jan. 2007. Wikipedia. 28 Jan. 2007 <http://en.wikipedia.org/wiki/Microsoft_Passport>.
