COMPUTEX TAIPEI 2013 - Cloud Industry Forum
Topic: Securing the Cloud for a Connected Society
Speaker: Michael Poitner
Global Segment Marketing Director, Authentication, NXP Semiconductors
1. Securing the Cloud for a Connected Society
Computex – Cloud Industry Forum
Taipei, June 6, 2013
Michael Poitner
2. Table of Contents
Online Authentication Facts
Today’s 2-factor Authentication Solutions
Google’s “War on Password” and Solution
Hardware Secure Elements and Threats
Introduction to FIDO (Fast Identity Online)
User vs. Device Authentication
Overview NXP
Page 2
6/6/2013
Securing The Cloud – War On Password
3. Online Authentication: a few facts
Username and password have been prevalent for the past 40 years: are they still adequate?
User: I own 25 online accounts.
User: Although I connect to 8 different services per day, I use some of them very seldom and sometimes forget the associated password.
User: Do you expect me to remember 25 passwords?
Service provider: On average, a user has 6.5 different passwords.
Service provider: A password re-initialization costs the service provider $15.
• Account takeover (ATF+NAF) rose by 50% in 2012 (Javelin March 2013)
• Average 25 accounts per user
• 6.5 different passwords
• 8 services used per day on average
• $15 per password re-initialization
• Passwords are being
  • Reused
  • Phished
  • Keylogged
4. Online Authentication: more facts
Passwords are not secure enough
Some more hacking incidents:
• Cisco IOS Passwords Issue: March 18
• Michelle Obama, Hillary Clinton, Britney Spears, …: March 11
• Evernote hacked, password reset for 50M: March 2
• cPanel web hosting control service hacked: Feb 28
• Google 2-step verification tricked: Feb 26
• Facebook, Apple, Microsoft corporate network hacked: Feb 22
• 250,000 Twitter accounts (Burger King, Jeep) hacked: Feb 19
Source: Ponemon Institute 2013 (sponsored by NokNok Labs Inc.)
5. Good Pa$$phr@ses#1 are rare
Source: http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html
6. Online Authentication: a few facts
Multi-factor authentication has proved effective in reducing fraud
User: I don’t want to carry one physical token for each of my accounts.
Service provider: Multi-factor authentication, e.g. a token and a secret (PIN or password), has proved very secure.
• With Chip-and-PIN card introduction in the UK, fraud has decreased by 69%
• For user convenience, tokens should be shared between services
7. Online Authentication: a few facts
PC is no longer the only access platform
User: I use my smartphone more often than my PC to access my favorite content.
User: My TV is now connected. Can I use it to access Facebook? My game console?
User: What about securing access through my connected car?
User: Please don’t ask me to move the credential back and forth between all my platforms.
Service provider: Security level is defined by the weakest link. We must ensure the utmost security through all platforms.
Service provider: Solution must be user-friendly: avoid too many user manipulations.
• 64% of Facebook users via smartphone, up by 57% year-over-year (FB Q4-12)
• By 2016, 100M homes will be equipped with SmartTV in US and Western Europe (NPD In-Stat 2012)
• Must have consistent level of security through all platforms
8. Today’s 2-factor solutions (consumer)
Something you have + Something you know
Solutions compared: SMS OTP, OTP App / Soft Certificates, OTP fobs
Security
• Phishable
• Vulnerable to MITM and MITB attacks
• Vulnerable to malware on host system (OTP App / Soft Certificates)
• OTP not calculated in a Secure Element
• Cannot hold identity
Convenience / Features
• SMS OTP: Cost (user and issuer); Delay; Coverage issues
• SMS OTP and OTP App: No 2nd factor if phone/tablet is used for Internet access
• OTP App / Soft Certificates: Use proprietary algorithms; Typically one per site
• OTP fobs: On the large side; Type 6 or 8 digits into the phone; No contactless interface
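Why the "Phishable" and "Vulnerable to MITM" bullets above apply to every OTP form factor, and what the origin-bound challenge signing of the FIDO slides that follow changes, as an added example in Python. This is not code from the presentation, NXP or the FIDO Alliance: the OTP is RFC 6238 TOTP; the U2F-style assertion uses an HMAC under a constructed device key as a stand-in for the authenticator's ECDSA signature; the origins, keys, timestamp and challenge are constructed sample values.

```python
"""Added example, not code from the presentation, NXP or the FIDO Alliance:
an OTP check carries no origin information, so the relying party cannot tell
a code typed at its own site from one collected on a look-alike page, whereas
an assertion that signs the origin together with the challenge is rejected
when it was produced for any other origin.  TOTP per RFC 6238 (HMAC-SHA1);
the assertion "signature" is HMAC-SHA256 under a constructed device key as a
stand-in for a U2F authenticator's ECDSA signature."""
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def rp_verify_otp(shared_seed: bytes, submitted: str, unix_time: int) -> bool:
    """Relying-party check of an OTP.  Nothing in this check says where the
    user typed the code: a code collected on a look-alike page and forwarded
    within the validity window is indistinguishable from a legitimate login."""
    return hmac.compare_digest(totp(shared_seed, unix_time), submitted)


def authenticator_sign(device_key: bytes, origin_seen_by_client: str, challenge: bytes) -> bytes:
    """U2F-style assertion.  The client (browser) supplies the origin it is
    really connected to; the authenticator signs origin || challenge.
    Stand-in: HMAC-SHA256 instead of the authenticator's ECDSA signature."""
    return hmac.new(device_key, origin_seen_by_client.encode() + challenge, hashlib.sha256).digest()


def rp_verify_assertion(device_key: bytes, expected_origin: str, challenge: bytes, assertion: bytes) -> bool:
    """The relying party rebuilds the signed message with its own origin, so an
    assertion produced while the browser was on another origin does not match."""
    expected = hmac.new(device_key, expected_origin.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def demo() -> dict:
    """Same user, same second: one OTP login and one origin-bound login, each
    checked as if performed at the real site and as if via a look-alike page."""
    shared_seed = b"12345678901234567890"        # constructed TOTP seed (RFC 6238 test key)
    device_key = b"\x11" * 32                    # constructed authenticator key
    now = 1_370_476_800                          # constructed timestamp
    real_origin = "https://service.example"      # constructed
    lookalike_origin = "https://servlce.example" # constructed look-alike origin
    challenge = b"constructed-random-challenge"  # the RP's one-time challenge (constructed)

    code = totp(shared_seed, now)                # what the user reads off the app or fob
    # Assertion produced while the browser is on the real site vs. on the look-alike:
    genuine = authenticator_sign(device_key, real_origin, challenge)
    relayed = authenticator_sign(device_key, lookalike_origin, challenge)

    return {
        # Both OTP submissions reach the RP as the identical string: it cannot tell them apart.
        "otp_typed_at_real_site_accepted": rp_verify_otp(shared_seed, code, now),
        "otp_typed_on_lookalike_accepted": rp_verify_otp(shared_seed, code, now),
        # Only the assertion bound to the RP's own origin verifies.
        "assertion_from_real_origin_accepted": rp_verify_assertion(device_key, real_origin, challenge, genuine),
        "assertion_from_lookalike_accepted": rp_verify_assertion(device_key, real_origin, challenge, relayed),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The two OTP checks receive byte-for-byte the same input, which is exactly the weakness the slide lists: the second factor proves possession of the seed, not which site the user is talking to. Binding the origin into the signed message moves that decision to the browser, which knows the real origin, and the relying party's verification then fails for anything signed elsewhere.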
9. Google declared “War On Passwords”
• IEEE paper “Authentication at Scale”
• Wired article, Jan 18
• “Gnubby” term leaked on Google blog, Jan 18
• Yubico blog, Jan 21
• Google protocol, RSA conference, Feb 25
• Strong user auth
• Strong auth everywhere
• FIDO membership
• U2F working group, April 18
10. Authentication System Architecture
[Diagram: End user (browser, mobile app) connected over the authentication protocol to the relying party website (web application, authentication server, identity systems, authentication validation services); supporting blocks: discovery, provisioning, device abstraction, authentication]
11. Hardware Secure Element: a natural placeholder for security credentials
• Tamper resistant: credentials can’t be duplicated nor altered
• Proven security: core technology for banking cards and e-passports
• Works on Windows, Mac and Linux. No driver needed.
• Standardized and “open”: Supports multiple web sites
• Ubiquitous interface: USB or NFC
12. Typical Secure Element attacks
Non-invasive attacks: Leakage
• Timing analysis
• SPA/DPA analysis
• EMA analysis
• Photo emission analysis
Semi-invasive attacks: Fault attacks
• Global and local light attacks
• Spike/glitch injection
• Alpha particle penetration
Invasive attacks
• Micro-probing
• Forcing
• Manipulation
• Reverse engineering
• Delayering
• Electron microscopy
• Atomic Force Microscopy (AFM)
• Contrast etching
• Decoration
Combined attacks
13. NXP has joined the FIDO alliance board
Board Members
14. FIDO System Architecture
[Diagram: End user (browser, mobile app, FIDO authentication client for Windows, Mac, iOS, Android…, device abstraction, FIDO authenticators) connected over the FIDO authentication protocol to the relying party website (web application, FIDO authentication server, identity systems, authentication validation services); supporting blocks: discovery, provisioning, authentication]
15. User vs. Device Authentication
Protect sensitive networks and infrastructures
• Industrial Control
• Smart Grid
Secure communications and services
• Medical Devices
• Cloud Services
• Secure firmware management
• Trust provisioning
• Tailored solution
• Bank-grade security
• Credential management
16. NXP Semiconductors
NXP
• Headquarters: Eindhoven/NL
• Employees: ~25,000 employees in more than 25 countries
• Net sales: $4.3B in 2012
Strong Innovation Pipeline:
• Over $600M / year in R&D
• 3,200 engineers
• 11,000 patents
Distinctive Technologies:
• Portfolio of secure/non-secure MCU
• Embedded non-volatile & flash
• Mixed signal processing
• Down to 40nm processes
• Zero power RF & NFC
17. NXP is the Identification Industry’s #1 Semiconductor Supplier
• eGovernment
• Bank Cards
• Smart Mobility (MIFARE) Cards
• Tags & Authentication
• Readers
• Mobile
18. Thank you for your attention!
michael.poitner@nxp.com
http://www.us-cert.gov/
http://krebsonsecurity.com/
http://www.schneier.com/
https://www.grc.com/haystack.htm