Techniques for Implementing Derived Credentials Francisco Corella fcorellapomcor

  • Slides: 35
Download presentation
Techniques for Implementing Derived Credentials Francisco Corella (fcorella@pomcor. com) Karen Lewison (kplewison@pomcor. com) Pomcor

Techniques for Implementing Derived Credentials Francisco Corella (fcorella@pomcor. com) Karen Lewison (kplewison@pomcor. com) Pomcor (http: //pomcor. com/) 1 9/11/2012 Pomcor

Derived Credential n n Electronic Authentication Guideline: “A credential issued based on a proof

Derived Credential n n Electronic Authentication Guideline: “A credential issued based on a proof of possession of a PIV credential ” Motivation n 2 Store credential in a mobile device Use it instead of PIV card for logical access (authentication to information systems) http: //csrc. nist. gov/groups/SMA/ispab/document s/minutes/201202/feb 1_der_cred_ferraiolo_h_fips_201 -2. pdf 9/11/2012 Pomcor

Challenges n n 3 Complexity of cryptographic and biometric processing for app developers No

Challenges n n 3 Complexity of cryptographic and biometric processing for app developers No FIPS 140 -2 Level 3 tamper resistant storage in mobile devices 9/11/2012 Pomcor

Techniques for Addressing Challenges 1. 2. 3. 4 Public key cryptography without certificates Key

Techniques for Addressing Challenges 1. 2. 3. 4 Public key cryptography without certificates Key pair regeneration as an alternative to tamper resistance Encapsulation of cryptographic and biometric processing in black boxes 9/11/2012 Pomcor

1. Public Key Cryptography without Certificates n Mobile device application (back-end): n n Application

1. Public Key Cryptography without Certificates n Mobile device application (back-end): n n Application directory n n n Database handle of device record Hash of public key Directory application n 5 Database handle of a device record that contains the hash of public key and refers to user record Public key Proof of knowledge of private key User identifier(s) and/or attribute(s) 9/11/2012 Pomcor

Directory User record Tablet record Phone record Device handle Hash of public key Mobile

Directory User record Tablet record Phone record Device handle Hash of public key Mobile device (e. g. smart phone) with application front-end or web browser Key pair 6 Device handle User identifiers and/or attributes Application back-end Public key Proof of knowledge of private key 9/11/2012 Pomcor

2. Key Pair Regeneration as an Alternative to Tamper Resistance n n n 7

2. Key Pair Regeneration as an Alternative to Tamper Resistance n n n 7 PIV card stores credentials in tamper-resistant storage But mobile devices do not have tamper-resistant storage Encrypt private key under key derived from PIN? n That would allow offline attack against PIN Instead we propose to regenerate the key pair from the PIN (or from a biometric key) All PINs produce well-formed key pairs, so PINs cannot be tested and offline attack is not possible 9/11/2012 Pomcor

RSA Key Pair Regeneration from a PIN n Idea n n n Problem: what

RSA Key Pair Regeneration from a PIN n Idea n n n Problem: what if gcd(d, φ) 1? Solution: n n 8 Store p, q in device, but not e or d Generate d as a randomized hash of the PIN, of same length as the modulus Compute e such that 1 < e < φ and ed 1 (mod φ) Remove from d all prime factors r < 100 shared with φ. During initial key generation, if d has prime factors r’ > 100 shared with φ, we start over with different p and q (probability: 0. 2%) 9/11/2012 Pomcor

RSA Key Pair Regeneration from a PIN (Continued) n Non-problem: n 9 Retaining p

RSA Key Pair Regeneration from a PIN (Continued) n Non-problem: n 9 Retaining p and q does not reduce security (they could be computed from the key pair) d not vulnerable to small-decryption-exponent attacks 9/11/2012 Pomcor

Regeneration from Biometric Key n Biometric key generated from an iris image (to be

Regeneration from Biometric Key n Biometric key generated from an iris image (to be taken by device camera) and an auxiliary string n n F. Hao, R. Anderson, and J. Daugman. Combining Cryptography with Biometric Effectively. IEEE Trans. Comput. , 55(9): 1081 -1088, 2006. Biometric template not at risk because not used Iris image Aux. string Biometric key generation Biometric key Key pair regeneration p 10 9/11/2012 Key pair q Pomcor

Three-Factor Authentication n Key pair + PIN + iris image Biometric key used to

Three-Factor Authentication n Key pair + PIN + iris image Biometric key used to regenerate key pair PIN used to n n 11 Encrypt auxiliary string, or Scramble the biometric key generation algorithm (suggested by Hao et al. ) 9/11/2012 Pomcor

3. Encapsulation of Cryptographic and Biometric Processing n n n Application outsources cryptographic and

3. Encapsulation of Cryptographic and Biometric Processing n n n Application outsources cryptographic and biometric complexities to a Prover Black Box (PBB) and a Verifier Black Box (VBB) PBB is in mobile device VBB online, trusted by application n n Many possible configurations n 12 Could be implemented as a generic server appliance In some configurations, outsourcing protocol uses “native URLs” (available in i. OS and Android) for interapp communications within the device 9/11/2012 Pomcor

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash of PK PBB VBB p, q, s, S, a 13 9/11/2012 Native front-end, native PBB, generic VBB Pomcor

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash of PK VBB PBB p, q, s, S, a PIN and/or iris image 14 9/11/2012 Pomcor

Directory Mobile device App front-end App back-end User record Device record Dev. handle PBB

Directory Mobile device App front-end App back-end User record Device record Dev. handle PBB Public key + proof of knowledge of private key Hash of PK VBB Auth token p, q, s, S, a 15 Hash of PK 9/11/2012 Pomcor

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash of PK PBB Auth token VBB Auth token p, q, s, S, a 16 Hash of PK 9/11/2012 Pomcor

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash of PK Auth token + device handle 17 PBB VBB Dev. handle Auth token p, q, s, S, a Hash of PK 9/11/2012 Pomcor

Mobile device App front-end Auth token + device handle Directory App back-end User record

Mobile device App front-end Auth token + device handle Directory App back-end User record Device record Dev. handle Hash of PK 18 PBB VBB Dev. handle Auth token p, q, s, S, a Hash of PK 9/11/2012 Pomcor

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash of PK Auth token 19 PBB VBB Dev. handle Auth token p, q, s, S, a Hash of PK 9/11/2012 Pomcor

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash of PK Hash of public key PBB VBB Dev. handle p, q, s, S, a 20 9/11/2012 Pomcor

Mobile device App front-end App back-end Device handle + hash of public key Directory

Mobile device App front-end App back-end Device handle + hash of public key Directory User record Device record Dev. handle Hash of PK PBB VBB Dev. handle p, q, s, S, a 21 9/11/2012 Pomcor

Directory Mobile device App front-end App back-end User ID(s) and/or attribute(s) User record Device

Directory Mobile device App front-end App back-end User ID(s) and/or attribute(s) User record Device record Dev. handle Hash of PK PBB VBB Dev. handle p, q, s, S, a 22 9/11/2012 Pomcor

Many Possible Configurations n n 23 App n May have native front-end (as shown),

Many Possible Configurations n n 23 App n May have native front-end (as shown), or n May be accessed through a web browser PBB n One credential for multiple apps n Different credentials for different apps n May be embedded in application front-end n Browser plug-in works on desktops and laptops VBB n May be a generic server appliance n May be app- or enterprise-specific, and access the directory Multiple security domains 9/11/2012 Pomcor

Directory Mobile device Web browser App back-end User record Device record Dev. handle Hash

Directory Mobile device Web browser App back-end User record Device record Dev. handle Hash of PK PBB VBB Dev. handle p, q, s, S, a 24 9/11/2012 Web-based app, native PBB, generic VBB Pomcor

Mobile device App front-end App back-end Native front-end, native PBB, app-specific or enterprise-specific VBB

Mobile device App front-end App back-end Native front-end, native PBB, app-specific or enterprise-specific VBB Directory PBB VBB User record Device record Dev. handle p, q, s, S, a Hash of PK 25 9/11/2012 Pomcor

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash

Directory Mobile device App front-end App back-end User record Device record Dev. handle Hash of PK PBB VBB Dev. handle p, q, s, S, a 26 9/11/2012 Native front-end, PBB embedded in app front-end, generic VBB Pomcor

Directory Mobile device Web browser App back-end User record Device record Dev. handle Hash

Directory Mobile device Web browser App back-end User record Device record Dev. handle Hash of PK PBB VBB Dev. handle p, q, s, S, a 27 9/11/2012 Web-based app, PBB as browser plug-in, generic VBB Pomcor

S E C U R I T Y Directory User record Device record Security

S E C U R I T Y Directory User record Device record Security domain mapper Attributes Security domain mapper Mapped attributes D O M A I N Mobile device Web browser App back-end # 2 1 PBB VBB 28 Credential 9/11/2012 S E C U R I T Y D O M A I N Multiple security domains Device handler augmented by Security Domain ID # 2 Pomcor

Beyond Derived Credentials n n n 29 Password elimination on the Web at large

Beyond Derived Credentials n n n 29 Password elimination on the Web at large without sacrificing privacy Social login without passwords Effective data protection for locked phones 9/11/2012 Pomcor

Eliminating Passwords without Sacrificing Privacy n n n 30 Authentication by userid-password provides anonymity,

Eliminating Passwords without Sacrificing Privacy n n n 30 Authentication by userid-password provides anonymity, unlinkability and unobservability Alternatives being proposed (Open. ID, SAML, etc. ) redirect to a third party n Third party identifies user no anonymity n Authentication to different relying parties can be linked via the third party identifier n Third party observes the transaction Our techniques eliminate passwords and preserves privacy (anonymity, unlinkability and unobservability) because they do not involve a third party 9/11/2012 Pomcor

Social login without passwords Mobile device App front-end Relying party User database App back-end

Social login without passwords Mobile device App front-end Relying party User database App back-end User record Social ID User data Token Social ID User database User record PBB VBB Dev. handle Token Device record p, q, s, S, a Social ID Dev. handle Social ID Hash of PK 31 Social network (e. g. Facebook) 9/11/2012 Pomcor

Data Protection Problem n Data protection in i. Phone locked by a PIN n

Data Protection Problem n Data protection in i. Phone locked by a PIN n n n But: n n 32 Data encrypted by key hierarchy including a key derived from PIN and a “hardware key” that cannot be extracted from the silicon by a casual user PIN protected against offline attack by hardware key Vulnerabilities hardware key used for offline attack using the phone’s own processor; exhaustive attack on 4 digit PIN takes 40 min Hardware key could be extracted by probing the silicon 9/11/2012 Pomcor

Data Protection Solution n 33 Encrypt data under symmetric key Store symmetric key in

Data Protection Solution n 33 Encrypt data under symmetric key Store symmetric key in online server, or split it over several servers using Shamir’s k-of-n secret sharing technique Retrieve key over secure connection(s), authenticating with a key pair regenerated from a PIN and/or a biometric, so that tampering with phone does not help attacker 9/11/2012 Pomcor

Risks of Mobile Applications? n n Mobile computing architecture potentially more secure n Apps

Risks of Mobile Applications? n n Mobile computing architecture potentially more secure n Apps are sandboxed But vulnerabilities allow rooting n n n Our data protection technique… n n 34 Routinely used for jailbreaking and by forensic tools GMU, NIST, NSA working on hardened Android kernel n Hardening should include interapp communications Protects data against exploitation of vulnerabilities after seizing device But malware running while legitimate user is using the device could capture PIN or biometric data 9/11/2012 Pomcor

For more information… n Whitepapers n n 35 http: //pomcor. com/whitepapers/Derived. Credentials. pdf http:

For more information… n Whitepapers n n 35 http: //pomcor. com/whitepapers/Derived. Credentials. pdf http: //pomcor. com/whitepapers/Mobile. Authentication. pdf fcorella@pomcor. com kplewison@pomcor. com 9/11/2012 Pomcor