VASCO: Best practices for adopting strong authentication
3 May 2011
Richard Zoni, Channel Manager Italy, rzo@vasco.com
Frederik Mennes, Manager Security Competence Center, fme@vasco.com
Agenda
1. Introduction
2. Threat overview
3. Protecting DPX files and Digipass BLOBs
4. Commercial solutions
It's a difficult world... and a dangerous one
"FBI and Italian police are investigating how a hacker managed to convince a N.J. security firm into issuing it digital certificates for Google, Yahoo, Microsoft and other major Web sites"
"Sony confirms that PlayStation Network attack exposed personal information"
VASCO core activities
- Strong user authentication (log-on): secure verification that the user is who they claim to be
- Electronic signature of transactions: security of a message/transaction (integrity and non-repudiation) between two parties who know each other
- Digital signature (PKI): security of a message/transaction between two parties who may not know each other, and whose identities are guaranteed by a third party (PKI technology)
VASCO: banking-grade security
- Security
- Flexibility
- Price
- User friendliness
Threat overview (1/4)
People often focus on threats that directly target the user authentication mechanism. Examples:
- Phishing and variants (whaling, vishing, SMiShing)
- Crimeware (keyloggers, banking Trojans, ...)
- Man-in-the-middle attacks
- Man-in-the-browser
- Man-in-the-mobile (since September 2010)
Threat overview (2/4)
These threats can be addressed using one-time passwords and electronic/digital signatures.
- Counter-based OTPs: remain valid until used, or until the next one is used; lifetime controlled by the end user
- Time-based OTPs: become invalid after a predefined amount of time; lifetime controlled by the server
- Challenge-based OTPs (challenge/response): only a single one-time password is ever valid; lifetime controlled by the server
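The three lifetime rules above, as an added example that is not VASCO's code: a server-side validator for each OTP type. The OTP function is a stand-in modelled on RFC 4226 HOTP (an assumption; the Digipass algorithms are proprietary), and the window, step and replay checks are choices made here, not taken from the slides.

```python
import hashlib, hmac, os, struct, time

# Stand-in OTP generator modelled on RFC 4226 HOTP; the Digipass algorithms
# themselves are proprietary, so this is an assumption, not VASCO's code.
def otp(secret: bytes, moving_factor: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", moving_factor), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class CounterOtpServer:
    """Counter-based: an OTP stays valid until it, or a later one, is used."""
    def __init__(self, secret: bytes, window: int = 10):
        self.secret, self.last_used, self.window = secret, -1, window
    def verify(self, code: str) -> bool:
        # Search forward from the last accepted counter; the window absorbs skipped OTPs.
        for c in range(self.last_used + 1, self.last_used + 1 + self.window):
            if hmac.compare_digest(otp(self.secret, c), code):
                self.last_used = c      # this OTP and every earlier one is now dead
                return True
        return False

class TimeOtpServer:
    """Time-based: valid only during its time step; the server sets the lifetime."""
    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step, self.last_step = secret, step, -1
    def verify(self, code: str, now=None) -> bool:
        t = int((time.time() if now is None else now) // self.step)
        if t <= self.last_step:         # a second code inside an accepted step is a replay
            return False
        if hmac.compare_digest(otp(self.secret, t), code):
            self.last_step = t
            return True
        return False

class ChallengeOtpServer:
    """Challenge/response: only the answer to the one outstanding challenge is valid."""
    def __init__(self, secret: bytes):
        self.secret, self.pending = secret, None
    def challenge(self) -> int:
        self.pending = int.from_bytes(os.urandom(4), "big")
        return self.pending
    def verify(self, code: str) -> bool:
        if self.pending is None:
            return False
        ok = hmac.compare_digest(otp(self.secret, self.pending), code)
        self.pending = None             # one shot: success or failure consumes the challenge
        return ok
```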
Threat overview (3/4)
However, strong authentication mechanisms rely on secret keys, which need sound management. Secret keys are present at different locations:
- Client side: in the token, smartphone, USB dongle
- Server side: cf. DPX files and Digipass BLOBs
Threat overview (4/4)
Protecting DPX files
Protecting DPX files: distribution
Protection of the DPX file:
- Always encrypted with the DPX Transport Key
- Good practice: add encryption with PGP or WinZip
Protection of the DPX Transport Key:
- Bad practice: key exchanged in cleartext
- Good practice: PGP, WinZip, key sharing
Additional good practices:
- Different channels (sftp, CD-ROM, e-mail, ...)
- Different people for file and key
- Different moments in time
Protecting DPX files: storage
- Good practice: limit the locations where DPX files and keys are stored. On e-mail servers, FTP servers, network shares? On laptops, desktops, USB sticks of employees? On backup tapes?
- Good practice: use a policy that defines where DPX files and keys are allowed to be stored
- Good practice: store DPX files and keys at different locations
Protecting DPX files: usage / backup / destruction
Usage:
- Bad practice: hardcode the DPX Transport Key in code
- Good practice: enter the DPX Transport Key manually
Backup:
- Good practice: back up only in encrypted format
- Good practice: back up the DPX file and the key separately
Destruction:
- Ensure the DPX file and the key are destroyed everywhere
- Use the policy of allowed storage locations
Protecting Digipass BLOBs
Protecting BLOBs: storage (1/2)
Protection of BLOBs:
- BLOBs are always encrypted with a BLOB Storage Key
- Good practice: add encryption (e.g. database encryption)
Protection of BLOB Storage Keys:
- Good practice: define your own key using the StorageDeriveKey kernel parameters of VACMAN Controller (not with other parameters)
- Bad practice: hardcode the BLOB Storage Key
- Good practice: store the BLOB Storage Key inside a database under dual control
Protecting BLOBs: storage (2/2)
- Good practice: limit the locations where BLOBs and BLOB Storage Keys are stored. In the development / test / production environment? On backup tapes?
- Good practice: use a policy that defines where BLOBs and keys are allowed to be stored
- Good practice: store BLOBs and keys at different locations (e.g. different databases) accessible by different people
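The "key sharing" and "different people for file and key" practices for the DPX Transport Key, and the BLOB Storage Key kept under dual control, both come down to the same mechanism: splitting a key into shares that different custodians hold and enter at use time, so no complete key is ever hardcoded or stored beside the data. Added example, not VASCO's code; the XOR sharing, the key check value construction and the custodian callables are assumptions made here.

```python
import hashlib, hmac, secrets

# Constructed example of key sharing: the key is split into XOR shares held by
# different custodians; every share is needed, and any subset reveals nothing.

def xor_bytes(*parts: bytes) -> bytes:
    if len({len(p) for p in parts}) != 1:
        raise ValueError("shares must all have the same length")
    out = bytearray(len(parts[0]))
    for part in parts:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)

def split_key(key: bytes, custodians: int = 2) -> list:
    """One share per custodian; the last share closes the XOR sum to the key."""
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    shares.append(xor_bytes(key, *shares))
    return shares

def key_check_value(key: bytes) -> str:
    """Short Key Check Value (assumed construction): confirms a rebuilt key
    without revealing it, so it can travel on the transport key letter."""
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:8]

def reconstruct_key(shares, expected_kcv: str) -> bytes:
    """Rebuild the key from the custodians' shares; refuse a wrong or missing share."""
    key = xor_bytes(*shares)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("shares do not reproduce the key (wrong or missing share)")
    return key

def key_from_custodians(share_sources, expected_kcv: str) -> bytes:
    """Dual control at use time: each custodian supplies their own share through a
    callable (e.g. getpass.getpass at the console) rather than the program holding
    a hardcoded key or reading one stored next to the DPX file or the BLOBs."""
    shares = [bytes.fromhex(get()) for get in share_sources]
    return reconstruct_key(shares, expected_kcv)
```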
Conclusions
- Know where your data is, and make sure it only stays there
- Limit the Trusted Computing Base, i.e. the people and systems that process data
- Keep data and keys separate
- Keep keys under dual control
The same security as banks... (photo: sealed packaging; ½ DPX transport key; secured transport key letter)
VASCO Services
Competitive Upgrade Program
VASCO round tables
- Netherlands: April 7th, 9.30h to 11.30h, VASCO Rosmalen office
- Belgium: April 8th, 9.30h to 11.30h, VASCO Wemmel office
- UK: April 20th, 14h to 16h, Earls Court, Infosecurity UK
Block your calendar: next Channel Webinar session on May 4th (register through PP)
Questions & answers