Information Security Identity Authentication Strategy


Strong Authentication
Agenda (slide 3)
• Identity assurance
• Strong authentication survey
• Identity management stack and Microsoft Windows
• Authentication challenges
• Recommendations
Strong Authentication: Increased Options, but Interoperability and Mobility Challenges Remain
All Contents © 2005 Burton Group. All rights reserved.
Strong Authentication
• Interactive voice response (IVR) system with phone number of record
• KBA and dynamic KBA (last paycheck number)
• Voice biometric (prior sample match or recorded for future audit trail)
• New WSS profile for OTPs, similar to the password, X.509, and SAML profiles
• Will most likely be submitted to the OASIS Web Services Security Technical Committee by RSA Security, VeriSign, and others later this year
Identity Assurance
Identity Proofing (slide 5)
• Cornerstone of authentication
• Due diligence performed before issuance or certification of user credentials
• Must be performed at each stage of the identity lifecycle
• PDA
  • Very convenient, not as widely deployed as other methods
  • Can be difficult to deploy and secure
  • Time-based OTPs present challenges
• Mobile (SMS)
  • A lot of buzz in recent years, but not many deployments
  • Requires network access
  • Not as secure
  • Typically requires two-phase authentication (with a wait in between)
Thesis (slide 2)
• Strong authentication deployments are growing due to security, cost reduction, and identity theft concerns
• One-time password (OTP) device deployments continue to grow due to their “zero footprint” attribute and broad application coverage
• Organizations are increasingly deploying smart cards because of their security and application coverage, including physical access and OTP
• Biometrics have their rightful place in the strong authentication landscape
• Enterprises should adopt adequate identity proofing processes to ensure that strong authenticators are not degraded
• Strong authentication presents issues for organizations’ Identity Management (IdM) infrastructure
• Strong authentication is frequently paired with enterprise single sign-on (SSO) systems, which brings both organizational benefits and challenges
Strong Authentication Survey
Initiative for Open Authentication (OATH) (slide 8)
• Wide industry support for a standard OTP algorithm from both strong authentication vendors and application consumers
• The specification promises interoperability between authentication servers and OTP devices, with basic agent interoperability (in addition to RADIUS)
• RSA SecurID (70% market share) is not a participant
• Existing RSA Security customers will likely continue to use SecurID tokens, but increased market pressure will force the price of SecurID tokens down
• New strong authentication customers, especially those interested in hybrid OTP and smart cards, will likely look at other vendor offerings
• Initialization, recertification, emergency access, elevated access (optional)
• Knowledge-based authentication (KBA) alone is not sufficient identity proofing
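The standard OTP algorithm that OATH promotes is HOTP (RFC 4226): an HMAC-SHA-1 over an event counter, dynamically truncated to a short decimal code. The following is an added Python example, not Burton Group material and not any vendor's code. It computes HOTP against the secret published in RFC 4226 Appendix D (a test vector, not a real credential) and adds the server-side check that makes event-based tokens practical: a look-ahead window resynchronises a token whose button was pressed without a login, while the stored counter only ever moves forward so a captured code cannot be replayed. The 10-step window and 6-digit code length are assumed policy values.

```python
import hashlib
import hmac
import struct

# Reference secret from RFC 4226 Appendix D (published test vector, not a real credential)
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value: HMAC-SHA-1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, reduced modulo 10^digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, next_counter: int, submitted: str,
                look_ahead: int = 10, digits: int = 6):
    """Server-side check. `next_counter` is the lowest counter the server still
    accepts for this token. Returns the new value to persist (one past the
    counter that matched) or None on failure. Only counters at or above the
    stored value are tried, so a previously accepted code is never valid again;
    the look-ahead window (an assumed policy value) absorbs unused presses."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    for counter in range(next_counter, next_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter + 1
    return None


if __name__ == "__main__":
    # Constructed login sequence: second use of 755224 is a replay and is rejected,
    # 338314 (counter 4) is accepted because it lies inside the look-ahead window.
    state = 0
    for code in ("755224", "287082", "755224", "338314"):
        new_state = verify_hotp(RFC4226_SECRET, state, code)
        print(f"next_counter={state} code={code} -> "
              f"{'accepted' if new_state is not None else 'rejected'}")
        state = new_state if new_state is not None else state
```

The verification routine is the part an authentication server vendor competes on: window size, how far a token may drift before a help-desk resynchronisation is required, and whether the persisted counter update is atomic so two concurrent logins cannot both accept the same code.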
Strong Authentication Survey
Software OTP devices (slide 10)
• PC
  • Most widely deployed method to date
  • Most have cryptographic security controls
  • Time-based OTPs present challenges
Identity Assurance (slide 6)
Authentication Assurance = identity proofing + authentication attributes

Strong authentication attributes
Attribute: Description
Ubiquity: Kiosk and offline scenarios
Application Coverage: Excludes SSO
Usability: Includes help desk and emergency access scenarios
Security: Includes inherent security of device, number of factors used, authentication protocol
Secure Storage: Capability to securely store credentials (excludes SSO)
Management: Organizational burden of managing the authenticator
Acquisition Cost: Hardware, software, readers, licensing, professional services
The Attribute and Strong Authenticator Matrix is available in the Identity and Privacy Strategies report “Strong Authentication: Increased Options, but Interoperability and Mobility Challenges Remain” (late November 2005).
• Reduces strong authenticator to a few well-known questions
• Presents usability problems (especially when the number of questions is increased)
• Layered and out of band authentication can provide adequate identity proofing
• Advantage: very low cost OTPs
• Challenge: reproducible
• Sweet spot: consumers/citizens and (increasingly) remote access
Strong Authentication Survey
Grid cards (slide 11)
• Entrust IdentityGuard
  • Patent holder
  • Works with RADIUS and agents
• User is challenged for both:
  • Characters at the intersection of the grid challenge
  • Password
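The exchange described above, as an added Python example that is not Entrust product code and not part of the deck: the server picks grid coordinates, the user answers with the characters printed at those cells plus a password, and the server checks both. The card layout (5 rows labelled A to E, 10 columns), three-cell challenges and the demo grid itself are constructed assumptions. Because a printed card is reproducible (it can be photocopied), the example generates every challenge fresh from the OS CSPRNG and consumes it on first use, so an observed challenge/response pair is worthless afterwards; both factors are compared before the decision so a failure does not reveal which one was wrong.

```python
import hashlib
import hmac
import secrets
import string

ROW_LABELS = string.ascii_uppercase  # rows A.., so at most 26 rows per card

# Constructed demo card, 5 rows x 10 columns. A real card is generated at
# enrolment with issue_grid() and stored server-side, never derived from user data.
DEMO_GRID = [
    "7K3M9Q2WX5",
    "B8H4T6ZR1N",
    "D2V7L0PJ5C",
    "Y9S3F6GA8E",
    "U1N5W4MKQ7",
]


def issue_grid(rows: int = 5, cols: int = 10) -> list:
    """Generate a fresh card at enrolment from the OS CSPRNG."""
    alphabet = string.digits + string.ascii_uppercase
    return ["".join(secrets.choice(alphabet) for _ in range(cols)) for _ in range(rows)]


def make_challenge(grid: list, cells: int = 3) -> list:
    """Pick `cells` distinct coordinates such as ['B3', 'E7', 'A10']."""
    coords = [(r, c) for r in range(len(grid)) for c in range(len(grid[0]))]
    chosen = secrets.SystemRandom().sample(coords, cells)
    return [f"{ROW_LABELS[r]}{c + 1}" for r, c in chosen]


def read_cells(grid: list, challenge: list) -> str:
    """The answer a legitimate card holder produces for this challenge."""
    answer = []
    for cell in challenge:
        row = ROW_LABELS.index(cell[0])
        col = int(cell[1:]) - 1
        answer.append(grid[row][col])
    return "".join(answer)


def hash_password(password: str, salt: bytes) -> bytes:
    """Password factor is stored as a salted PBKDF2-HMAC-SHA256 hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_login(grid, challenge, response, password, salt, stored_hash) -> bool:
    """Check both factors in constant time; evaluate both before deciding."""
    grid_ok = hmac.compare_digest(read_cells(grid, challenge).upper(),
                                  response.strip().upper())
    pw_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    return grid_ok and pw_ok


def start_login(user: str, grid: list, outstanding: dict) -> list:
    """Issue a challenge and remember it; any earlier unanswered one is replaced."""
    outstanding[user] = make_challenge(grid)
    return outstanding[user]


def finish_login(user, outstanding, grid, response, password, salt, stored_hash) -> bool:
    """Consume the outstanding challenge (single use, whether or not it succeeds)."""
    challenge = outstanding.pop(user, None)
    if challenge is None:
        return False
    return verify_login(grid, challenge, response, password, salt, stored_hash)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    stored = hash_password("correct horse", salt)   # constructed demo password
    pending = {}
    challenge = start_login("alice", DEMO_GRID, pending)
    print("challenge:", challenge)
    answer = read_cells(DEMO_GRID, challenge)        # what the card holder types
    print("first attempt:", finish_login("alice", pending, DEMO_GRID, answer,
                                         "correct horse", salt, stored))
    print("replayed attempt:", finish_login("alice", pending, DEMO_GRID, answer,
                                            "correct horse", salt, stored))
```

Because the grid is static, the number of cells per challenge is the only knob against an observer who has seen several logins: each challenge reveals a few of the 50 cells, so an issuer balances challenge length (usability) against how many observed sessions it takes to reconstruct the card (security), and rotates cards accordingly.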
Strong Authentication Survey
RSA Security One-Time Password Specifications (slide 9)
• Good vendor participation, including VeriSign and ActivCard
• Specifications focus on the infrastructure required for OTP devices
• OTP-WSS-Token: Web Services Security One-Time Password Token Profile