Securing the Cloud for a Connected Society

Computex Cloud Industry Forum, Taipei, June 6, 2013. Speaker: Michael Poitner.

Description: COMPUTEX TAIPEI 2013 – Cloud Industry Forum. Topic: Securing the Cloud for a Connected Society. Speaker: Michael Poitner, Global Segment Marketing Director, Authentication, NXP Semiconductors.

Transcript of Securing the Cloud for a Connected Society

Page 1: Securing the Cloud for a Connected Society

Securing the Cloud for a Connected Society
Computex – Cloud Industry Forum
Taipei, June 6, 2013
Michael Poitner

Page 2: Securing the Cloud for a Connected Society

Table of Contents

• Online Authentication Facts
• Today’s 2-factor Authentication Solutions
• Google’s “War on Password” and Solution
• Hardware Secure Elements and Threats
• Introduction to Fido (Fast Identity Online)
• User vs. Device Authentication
• Overview NXP

6/6/2013 Page 2 Securing The Cloud – War On Password

Page 3: Securing the Cloud for a Connected Society

Online Authentication: a few facts. Username and password, prevalent for the past 40 years: still adapted?

• Account takeover (ATF+NAF) rose by 50% in 2012 (Javelin, March 2013)
• Average 25 accounts per user
• 6.5 different passwords
• 8 services used per day on average
• $15 per password re-initialization
• Passwords are being reused, phished, keylogged

User: “I own 25 online accounts. Do you expect me to remember 25 passwords?”
User: “Although I connect to 8 different services per day, I use some of them very seldom and sometimes forget the associated password.”
On average, a user has 6.5 different passwords.
Service Provider: a password re-initialization costs $15 to the service provider.

Page 4: Securing the Cloud for a Connected Society

Online Authentication: more facts. Passwords are not secure enough (chart; source: Ponemon Institute 2013, sponsored by NokNok Labs Inc.).

Some more hacking incidents:
• Cisco IOS passwords issue: March 18
• Michelle Obama, Hillary Clinton, Britney Spears, …: March 11
• Evernote hacked, password reset for 50M: March 2
• cPanel web hosting control service hacked: Feb 28
• Google 2-step verification tricked: Feb 26
• Facebook, Apple, Microsoft corporate network hacked: Feb 22
• 250,000 Twitter accounts (Burger King, Jeep) hacked: Feb 19

Page 5: Securing the Cloud for a Connected Society

Good Pa$$phr@ses#1 are rare

Source: http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html

Page 6: Securing the Cloud for a Connected Society

Online Authentication: a few facts. Multi-factor authentication has proved its efficiency in reducing fraud.

• With Chip-and-PIN card introduction in the UK, fraud has decreased by 69%
• For user convenience, tokens should be shared between services

Multi-Factor Authentication, e.g. a token and a secret (PIN or password), has proved very secure.
User: “I don’t want to carry one physical token for each of my accounts.”

Page 7: Securing the Cloud for a Connected Society

Security level is defined

by the weakest link. We

must insure utmost

security through all

platforms

• 64% of Facebook users via

Smartphone, up by 57% year-

over-year (FB Q4-12)

• By 2016, 100M homes will be

equipped with SmartTV in US and

Western Europe (NPD In-Stat 2012)

• Must have consistent level of

security through all platforms

• Solution must be user-friendly:

avoid too many user

manipulations

My TV is now connected.

I can use it access my

favorite content

Please don’t ask me to

move the credential back

and forth between all my

platforms

I use my smartphone

more often than my PC to

access Facebook

User Service

Provider

What about securing

accesses through my

game console? My

connected car?

Online Authentication: few facts PC is no longer the only access platform

6/6/2013 Page 7 Securing The Cloud – War On Password

Page 8: Securing the Cloud for a Connected Society

Today’s 2-factor solutions (consumer): Something you have + Something you know

The slide compares SMS OTP, OTP fobs and OTP App / Soft Certificates on two axes, Convenience/Features and OTP Security, and lists these drawbacks:

Convenience/Features:
• Cost (user and issuer)
• Coverage issues
• Delay
• Type 6 or 8 digits into the phone
• Cannot hold identity
• No contactless interface
• Typically one per site
• On the large side

OTP Security:
• Phishable
• Vulnerable to MITM and MITB attacks
• OTP not calculated in a Secure Element
• Use proprietary algorithms

OTP App / Soft Certificates:
• Vulnerable to malware on host system
• No 2nd factor if phone/tablet is used for Internet access
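To make the OTP-fob row of this comparison concrete, here is an added example (not code from the slides or from NXP) of how a fob's code is generated and how a server checks it, using the open RFC 4226 HOTP algorithm rather than a vendor's proprietary one. The secret is the RFC's own test-vector key, the look-ahead window of 5 is an assumed server policy, and the language (Go) is an assumption for illustration. The verifier advances its counter past the matched value, so a code can be accepted only once; note that nothing in the scheme ties a code to the site that asked for it, which is exactly why the slide marks OTPs as phishable.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation, then reduction to `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := int(h[len(h)-1] & 0x0f)
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// Verifier is the server-side state for one fob: the shared secret, the next
// counter value the server expects, and how far ahead it is willing to look to
// tolerate button presses whose codes were never submitted.
type Verifier struct {
	Secret  []byte
	Counter uint64
	Window  uint64
	Digits  int
}

// Verify accepts a code only if it matches a counter in [Counter, Counter+Window].
// On success the stored counter moves past the matched value, so the same code
// (or any older one) is rejected afterwards: that is the replay protection.
// Nothing here binds the code to a particular site; a code typed into a
// look-alike page and relayed is just as valid, which is the slide's "phishable" point.
func (v *Verifier) Verify(code string) bool {
	for i := uint64(0); i <= v.Window; i++ {
		candidate := HOTP(v.Secret, v.Counter+i, v.Digits)
		// hmac.Equal is a constant-time comparison, so verification time
		// does not leak how many leading digits were right.
		if hmac.Equal([]byte(candidate), []byte(code)) {
			v.Counter = v.Counter + i + 1
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample secret: the RFC 4226 Appendix D test-vector key.
	secret := []byte("12345678901234567890")
	fmt.Println("counter 0 ->", HOTP(secret, 0, 6))
	v := &Verifier{Secret: secret, Counter: 0, Window: 5, Digits: 6}
	code := HOTP(secret, 3, 6) // the user pressed the button three times before submitting
	fmt.Println("first use:", v.Verify(code), "next counter:", v.Counter)
	fmt.Println("replayed:", v.Verify(code))
}
```

Counter-based fobs drift when the user presses the button without logging in; the window bounds how much drift the server tolerates, and a larger window widens the set of codes an attacker could guess, so deployments keep it small and rate-limit attempts.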

Page 9: Securing the Cloud for a Connected Society

Google declared “War On Passwords” (timeline)

• Jan 18: IEEE paper “Authentication at Scale”; Wired article
• Jan 18: “Gnubby” term leaked on Google blog
• Jan 21: Yubico blog on the Google protocol
• Feb 25: RSA conference: strong user auth, strong auth everywhere
• April 18: FIDO membership; U2F working group

Page 10: Securing the Cloud for a Connected Society

Authentication System Architecture (figure)

Relying Party Website: Web Application, Authentication Server, Identity Systems, Authentication Validation Services.
End User: Mobile App, Browser, Device Abstraction.
The Authentication Protocol links the end-user side to the relying party; phases shown: Discovery, Provisioning, Authentication.

Page 11: Securing the Cloud for a Connected Society

Hardware Secure Element: a natural placeholder for security credentials

• Tamper resistant: credentials can’t be duplicated nor altered
• Proven security: core technology for banking cards and e-passports
• Works on Windows, Mac and Linux. No driver needed.
• Standardized and “open”: Supports multiple web sites
• Ubiquitous interface: USB or NFC

Page 12: Securing the Cloud for a Connected Society

Typical Secure Element attacks (figure)

Attack classes: Invasive Attacks; Semi-invasive Attacks: Fault Attacks; Non-invasive Attacks: Leakage.

Techniques shown: Photo emission analysis, Reverse engineering, Delayering, Micro-probing, Forcing, Manipulation, Electron microscopy, Atomic force microscopy (AFM), Spike/Glitch injection, Global and local light attacks, Contrast etching, Decoration, Alpha particle penetration, SPA/DPA analysis, Timing analysis, EMA analysis, Combined attacks.

Page 13: Securing the Cloud for a Connected Society

Board Members

NXP has joined the FIDO alliance board.

Page 14: Securing the Cloud for a Connected Society

FIDO System Architecture (figure)

Relying Party Website: Web Application, FIDO Authentication Server, Identity Systems, Authentication Validation Services.
End User: Mobile App, Browser, FIDO Authentication Client (Windows, Mac, iOS, Android…), Device Abstraction, FIDO Authenticators.
The FIDO Authentication Protocol links the FIDO Authentication Client to the FIDO Authentication Server; phases shown: Discovery, Provisioning, Authentication.
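The figure names the parties but not what passes between them. As an added example (not code from the slides, from NXP or from the FIDO Alliance), here is a single-process simulation of the U2F-style exchange between a FIDO authenticator, the browser-side client and a relying party's authentication server: the server issues a challenge, the client wraps it with the origin it is showing, the authenticator signs sha256(appID) || counter || sha256(clientData) with a per-site P-256 key that never leaves it, and the server verifies. The origins, challenges and key handle are constructed, the message format is the simplified U2F layout rather than a full implementation, and Go is an assumed language. The scenario shows why this resists the "phishable" and "MITM" weaknesses of Page 8: a replayed assertion fails the counter check, and an assertion relayed through a look-alike site fails the origin check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData is what the browser hands over for signing: the relying party's
// challenge plus the origin the browser is actually showing the user.
type ClientData struct{ Challenge, Origin string }

// Authenticator models the token: one P-256 key per registration, kept behind an opaque handle, and a counter that only increases.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// signedMessage is the U2F-style byte string under the signature:
// sha256(appID) || 4-byte counter || sha256(clientData), hashed once more for ECDSA.
func signedMessage(appID string, counter uint32, clientDataHash []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	sum := sha256.Sum256(append(append(appHash[:], ctr[:]...), clientDataHash...))
	return sum[:]
}

// Sign bumps the counter and signs with the key behind the handle.
func (a *Authenticator) Sign(appID, handle string, cdHash []byte) (uint32, []byte, error) {
	priv, ok := a.keys[handle]
	if !ok {
		return 0, nil, errors.New("authenticator: unknown key handle")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(appID, a.counter, cdHash))
	return a.counter, sig, err
}

// Browser records the origin it is really on (page script cannot change it),
// asks the token to sign, and returns what is posted back to the server.
func Browser(origin, challenge, appID, handle string, a *Authenticator) (cd []byte, ctr uint32, sig []byte) {
	cd, _ = json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	ctr, sig, _ = a.Sign(appID, handle, h[:])
	return cd, ctr, sig
}

// RelyingParty keeps the registered public key and the last counter it accepted.
type RelyingParty struct {
	Origin      string
	PubKey      *ecdsa.PublicKey
	LastCounter uint32
}

// Verify checks challenge, origin, counter monotonicity and signature, in that order.
func (rp *RelyingParty) Verify(challenge string, cd []byte, ctr uint32, sig []byte) error {
	var c ClientData
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	if c.Challenge != challenge {
		return errors.New("rp: challenge mismatch")
	}
	if c.Origin != rp.Origin { // a relayed assertion carries the look-alike site's origin
		return fmt.Errorf("rp: origin %q is not %q", c.Origin, rp.Origin)
	}
	if ctr <= rp.LastCounter { // the same assertion replayed, or a cloned token
		return errors.New("rp: counter did not increase")
	}
	h := sha256.Sum256(cd)
	if !ecdsa.VerifyASN1(rp.PubKey, signedMessage(rp.Origin, ctr, h[:]), sig) {
		return errors.New("rp: bad signature")
	}
	rp.LastCounter = ctr
	return nil
}

// Scenario registers a token, then runs a genuine login, a replay of that assertion and a login relayed through a look-alike site.
func Scenario() (genuine, replay, relayed error) {
	a := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{Origin: "https://bank.example"} // constructed origins and challenges
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: new key for this RP
	if err != nil {
		return err, err, err
	}
	a.keys["kh-1"] = priv // constructed handle; real tokens derive or wrap the key instead
	rp.PubKey = &priv.PublicKey
	cd, ctr, sig := Browser(rp.Origin, "challenge-1", rp.Origin, "kh-1", a)
	genuine = rp.Verify("challenge-1", cd, ctr, sig)
	replay = rp.Verify("challenge-1", cd, ctr, sig)
	cd, ctr, sig = Browser("https://bank-login.example", "challenge-2", rp.Origin, "kh-1", a)
	relayed = rp.Verify("challenge-2", cd, ctr, sig)
	return genuine, replay, relayed
}

func main() { fmt.Println(Scenario()) }
```

Two design points carry the security argument. The origin is written into the client data by the browser, not by the page, so a look-alike site cannot forge a client data block that says it is the bank; and the assertion is a signature over a fresh server challenge rather than a reusable code, so a captured response is worthless for a later login. Real browsers additionally refuse to pass an appID that does not match the page's origin, which stops the relay one step earlier than this simulation does.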

Page 15: Securing the Cloud for a Connected Society

User vs. Device Authentication

• Medical Devices
• Cloud Services
• Smart Grid
• Industrial Control

Protect sensitive networks and infrastructures. Secure communications and services.

• Bank-grade security
• Tailored solution
• Trust provisioning
• Credential management
• Secure firmware management

Page 16: Securing the Cloud for a Connected Society

NXP Semiconductors

Headquarters: Eindhoven/NL
Employees: ~25,000 employees in more than 25 countries
Net sales: $4.3B in 2012

Distinctive Technologies:
• Portfolio of secure/non-secure MCU
• Embedded non-volatile & flash
• Mixed signal processing
• Zero power RF & NFC

Strong Innovation Pipeline:
• Over $600M / year in R&D
• 3,200 engineers
• 11,000 patents
• Down to 40nm processes

Page 17: Securing the Cloud for a Connected Society

NXP is the Identification Industry’s #1 Semiconductor Supplier: Bank Cards, Smart Mobility (MIFARE) Cards, Tags & Authentication, Readers, Mobile, eGovernment.

Page 18: Securing the Cloud for a Connected Society

Thank you for your attention!

[email protected]

http://www.us-cert.gov/

http://krebsonsecurity.com/

http://www.schneier.com/

https://www.grc.com/haystack.htm