CertAnon - PowerPoint PPT Presentation

About This Presentation
Title:

CertAnon

Description:

5. Anti-Phishing Working Group - http://www.antiphishing.org ... Privacy concerns. Relied on username/password paradigm. Company-specific token authentication ... – PowerPoint PPT presentation

Slides: 18
Provided by: DM11

Transcript and Presenter's Notes

Title: CertAnon


1
CertAnon
  • A Proposal for an Anonymous WAN Authentication
    Service
  • David Mirra
  • CS410
  • January 30, 2007

2
A Wired World
  • Who is online?¹
    • 73% of American adults
    • 88% of 18-29 year-olds
    • 91% of college-educated adults
  • What are they doing?²
    • Communicating
    • Shopping
    • Banking

1. US users, April 2006 - http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf
2. UK users, Q1 2005 - http://www.e-consultancy.com/publications/internet-stats-compendium/

3
The Identity Issue
  • Strong authentication needed for online accounts
    • Permit remote access for authorized users
    • Allow the good guys in
    • Keep the bad guys out
  • Typically done via username/password mechanism

4
The Problem with Passwords
  • More online accounts = more passwords
  • Complexity of passwords is limited by the human factor³
  • Vulnerability is enhanced by the technology factor
  • Password control is difficult⁴
    • Dissemination is too easy
    • Once compromised, a password is no longer effective for authentication

3. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
4. http://www.schneier.com/crypto-gram-0503.html#2

5
The Risk of Theft
  • Phishing attempts are on the rise⁵
    • Social engineering tricks users into divulging info
    • Crimeware steals account credentials directly

5. Anti-Phishing Working Group - http://www.antiphishing.org/

6
What's Been Tried?
  • Microsoft .NET Passport⁶ and Sun Liberty Alliance⁷
    • Single sign-on services for web commerce
    • Privacy concerns
    • Relied on username/password paradigm
  • Company-specific token authentication
    • A token for every site

6. Wikipedia - http://en.wikipedia.org/wiki/Microsoft_Passport
7. Wikipedia - http://en.wikipedia.org/wiki/Liberty_Alliance

7
A New Proposal
  • Anonymous WAN authentication service
    • Used for any and all online accounts
    • Strong two-factor authentication
    • Limited information sharing
  • Initial customers are Internet users
  • Ultimate customers are online businesses

8
Two-factor Authentication⁸
  • Something you know
    • A single PIN
  • Plus something you have
    • Hardware token generating pseudo-random numbers
    • Effectively changes your password every 60 seconds

8. RSA - http://www.rsasecurity.com/node.asp?id=1156

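
The slide describes the two factors only at a high level: a single PIN plus a token whose code changes every 60 seconds. The following added example (not part of the presentation, and not RSA's code) shows what the server side of that check looks like, including the property slide 4 asks for: a passcode that has been used once, or captured and replayed a few seconds later, no longer authenticates. RSA SecurID's code-generation algorithm is proprietary; the HMAC-SHA1 time-step construction used here (the one standardised in RFC 4226/6238) is an assumption standing in for it, and the seed, PIN and token id are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60   # the slide's "changes your password every 60 seconds"
CODE_DIGITS = 6
DRIFT_STEPS = 1     # tolerate one step of clock skew in either direction


def token_code(seed: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """Code the token shows for one time step: HMAC-SHA1 over the step counter,
    dynamically truncated to `digits` decimal digits (RFC 4226 style).
    Assumption: SecurID's real algorithm is proprietary; this is a stand-in."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def code_for_time(seed: bytes, unix_time: int) -> str:
    """What the token displays at a given wall-clock time."""
    return token_code(seed, unix_time // STEP_SECONDS)


class AuthManager:
    """Server-side registry: per token, the shared seed, a salted PIN hash and the
    last time step that was accepted, so a captured passcode cannot be replayed."""

    def __init__(self) -> None:
        self._tokens = {}   # token_id -> record dict

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register(self, token_id: str, seed: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self._tokens[token_id] = {
            "seed": seed,
            "salt": salt,
            "pin_hash": self._hash_pin(pin, salt),
            "last_counter": -1,
        }

    def verify(self, token_id: str, passcode: str, now: int) -> bool:
        """passcode = PIN followed by the 6-digit token code (both factors in one string)."""
        rec = self._tokens.get(token_id)
        if rec is None or len(passcode) <= CODE_DIGITS:
            return False
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        pin_ok = hmac.compare_digest(self._hash_pin(pin, rec["salt"]), rec["pin_hash"])
        centre = now // STEP_SECONDS
        matched = None
        for counter in range(centre - DRIFT_STEPS, centre + DRIFT_STEPS + 1):
            # Never accept a step at or before the last accepted one: this is what
            # stops a sniffed or phished passcode being reused within its 60 seconds.
            if counter <= rec["last_counter"]:
                continue
            if hmac.compare_digest(token_code(rec["seed"], counter), code):
                matched = counter
        if not (pin_ok and matched is not None):
            return False
        rec["last_counter"] = matched
        return True


if __name__ == "__main__":
    # Constructed demo values (not real token material).
    manager = AuthManager()
    seed = b"constructed-token-seed"
    manager.register("tok-001", seed, "1234")
    now = 1_700_000_000
    passcode = "1234" + code_for_time(seed, now)
    print("first use:", manager.verify("tok-001", passcode, now))        # True
    print("replay:   ", manager.verify("tok-001", passcode, now + 5))    # False
```

Both factors are always evaluated before the verdict is returned, so a wrong PIN and a wrong code fail in the same way; the `last_counter` record is the only state the server needs beyond the seed and PIN hash.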
9
CertAnon Hardware
  • Four global servers running RSA Authentication
    Manager
  • RSA SecurID tokens available for retail purchase

10
CertAnon Software
  • Public web service
    • Encrypted authentication request/response
  • Free software modules for download by web site operators
    • Encourages adoption of CertAnon authentication

11
How Does It Work for Me?
  • Buy a token
    • Anonymous purchase
  • Register it with CertAnon
    • Anonymous registration
  • Create a web account anywhere
    • Check the box "I use CertAnon"
    • Link that account to your token
  • And off you go!

12
How About the Web Sites?
  • Register servers with CertAnon
    • Receive key to encrypt requests
  • Make CertAnon authentication available to customers
  • Authentication requests are sent to all CertAnon servers
    • First to respond is accepted
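
Slides 10 and 12 sketch the web-service side: a site registers, receives a key, sends each authentication request to all CertAnon servers and accepts the first response. The added example below (my own code, not the presentation's or RSA's) implements that exchange with both sides' messages, and makes explicit the check the slide leaves implicit: "first to respond" has to mean first *authentic* response, otherwise anything on the network path could race the real servers with a forged "ok". Assumptions: messages are authenticated with HMAC-SHA256 under the site's registration key (the slides say "encrypted"; the standard library has no authenticated encryption, so confidentiality is assumed to come from TLS on the wire), each request carries a nonce and timestamp so servers can refuse replays, and the token verification itself is injected as a `check` callable. Site id, token id, passcode and latencies are constructed sample values.

```python
import hashlib
import hmac
import json
import os
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from concurrent.futures import TimeoutError as FuturesTimeout

# Constructed values: the key CertAnon hands the site at registration
# (the slide's "receive key"); the site name is a placeholder.
SITE_ID = "shop.example"
SITE_KEY = os.urandom(32)


def _mac(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so both sides sign identical bytes."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def build_request(site_id: str, key: bytes, token_id: str, passcode: str, now: int) -> dict:
    """Site side: one authentication request, bound to a fresh nonce and a timestamp."""
    body = {"site": site_id, "token": token_id, "passcode": passcode,
            "nonce": os.urandom(16).hex(), "ts": int(now)}
    return {"body": body, "mac": _mac(key, body)}


def reply_is_authentic(reply, key: bytes, expected_nonce: str) -> bool:
    """A fast answer only counts if its MAC verifies under the site's key and it
    echoes our nonce; a reply that fails either test is ignored, not trusted."""
    if reply is None:
        return False
    if not hmac.compare_digest(reply["mac"], _mac(key, reply["body"])):
        return False
    return reply["body"].get("nonce") == expected_nonce


class AuthServer:
    """One CertAnon server. `check(token_id, passcode)` is the PIN + one-time-code
    verification; it is injected so the transport logic can be shown on its own."""

    def __init__(self, name: str, site_keys: dict, check, latency: float = 0.0, max_age: int = 30):
        self.name, self.site_keys, self.check = name, site_keys, check
        self.latency, self.max_age = latency, max_age
        self.seen_nonces = set()

    def handle(self, request: dict, now: int):
        time.sleep(self.latency)           # simulated network distance
        body = request["body"]
        key = self.site_keys.get(body.get("site"))
        if key is None or not hmac.compare_digest(request["mac"], _mac(key, body)):
            return None                    # unregistered site or tampered request: drop
        if abs(int(now) - body["ts"]) > self.max_age or body["nonce"] in self.seen_nonces:
            return None                    # stale or replayed request: drop
        self.seen_nonces.add(body["nonce"])
        reply = {"server": self.name, "nonce": body["nonce"],
                 "ok": bool(self.check(body["token"], body["passcode"]))}
        return {"body": reply, "mac": _mac(key, reply)}


def authenticate(request: dict, key: bytes, servers: list, now: int, timeout: float = 2.0):
    """Site side: fan the request out to every server, accept the first authentic reply."""
    nonce = request["body"]["nonce"]
    with ThreadPoolExecutor(max_workers=len(servers)) as pool:
        futures = [pool.submit(srv.handle, request, now) for srv in servers]
        try:
            for fut in as_completed(futures, timeout=timeout):
                reply = fut.result()
                if reply_is_authentic(reply, key, nonce):
                    return reply["body"]
        except FuturesTimeout:
            pass
    return None


if __name__ == "__main__":
    # Constructed demo: three servers at different latencies, one valid passcode.
    valid = {("tok-001", "1234493210")}
    check = lambda tok, pc: (tok, pc) in valid
    keys = {SITE_ID: SITE_KEY}
    servers = [AuthServer("eu", keys, check, 0.05), AuthServer("us", keys, check, 0.01),
               AuthServer("asia", keys, check, 0.03)]
    now = int(time.time())
    req = build_request(SITE_ID, SITE_KEY, "tok-001", "1234493210", now)
    print(authenticate(req, SITE_KEY, servers, now))
```

Because every server records the nonce, a request that was accepted once is refused everywhere afterwards, and a server that never received the site's key cannot produce a reply the site will accept.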

13
Benefits
  • Consumers
    • Only one PIN to remember
    • Authenticate without sharing identity
    • Increased security
    • Pay once, protect forever
  • Businesses
    • Free for early adopters
    • No more password management
    • Close the trust gap

14
Pitfalls
  • Requires adoption by consumers and businesses
    • Establish trust
    • Make it easy to get and easy to use
  • Not a silver bullet
    • Part of defense-in-depth strategy
  • Governmental resistance to anonymity
    • Similar hurdles faced by encryption products

15
It Can Be Done
  • Available, affordable, and proven technology
  • Targets a large and growing market
  • Benefits consumers and online businesses
  • Manageable project scope, scalable product
  • Build it and they will come!

16
Works Cited
  • "Failure of Two-Factor Authentication." Schneier on Security. 12 Jul. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/07/failure_of_twof.html>.
  • "Internet Penetration and Impact." Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
  • "Internet Statistics Compendium - Sample." E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.e-consultancy.com/publications/download/91130/internet-stats-compendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
  • "Liberty Alliance." Wikipedia. 25 Jan. 2007. Wikipedia. 28 Jan. 2007 <http://en.wikipedia.org/wiki/Liberty_Alliance>.

17
Works Cited (cont.)
  • "Phishing Activity Trends Report for the Month of November, 2006." Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
  • "Real-World Passwords." Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
  • "RSA SecurID Authentication." RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
  • "Windows Live ID." Wikipedia. 23 Jan. 2007. Wikipedia. 28 Jan. 2007 <http://en.wikipedia.org/wiki/Microsoft_Passport>.