the role of pnt in cybersecurity - stanford university...• there is a compelling need for improved...

© 2013 iKare Corporation. All Rights Reserved

The Role of PNT in CybersecurityLocation-based Authentication

Dr. Michael O’Connor

November 14, 2013Satelles is a Division of

iKare Corporation


What do we mean by Authentication?

2

Authentication is the act of confirming the truth of an attribute of a datum or entity

The examples in this presentation focus on a user’s identity

The concepts also apply to document and data authentication

Image Source: secureauth.com


The Classic Authentication “Factors”

3

Something you know Something you have Something you are

• Username

• Password / PIN

• SSN

• Name of first pet

• Credit/Debit Card

• Mobile phone

• Hardware token

• Encryption key

• Fingerprint

• Iris or retinal pattern

• Voice

• DNA

How many of us (until recently) thought about authentication


Passwords Don’t Work for Most of Us

4

• 123456

• 123456789

• password

• adobe123

• 12345678

• qwerty

• 1234567

• 111111

• photoshop

• 123123

October, 2013, an Adobe security breach revealed these as the top 10 account passwords

2 million of 38 million users

CONVENIENCE IS THE ENEMY OF SECURITY


Two-Factor Authentication

5

Something you know Something you have Something you are

• Username

• Password / PIN

• SSN

• Name of first pet

• Credit/Debit Card

• Mobile phone

• Hardware token

• Encryption key

• Fingerprint

• Iris or retinal pattern

• Voice

• DNA

How many of us think about authentication today

PrivacyData Permanence

Amputation


Two Factors are Not Always Enough

6

Businesses like RSA and CA Technologies offer “Something You Have” authentication

In 2011, RSA servers were compromised. Attackers captured algorithms and seeds

Cloned SecurID tokens were later used to attack several companies. RSA was required to replace compromised tokens.


Adoption of Two Factor Authentication

7

CONVENIENCE IS THE ENEMY OF SECURITY

• A majority of US consumers have been affected by typical online threats- 56% virus or malware infection on a computer

- 37% victim of a phishing attack

- 26% victim of account compromise (e.g., hacked, broken into, password theft)

- 20% victim of a social media phishing attack

- 5% had a phone lost or stolen that resulted in unwanted access to sensitive information.

• Despite the recent hype, 75% of Americans have never signed into a website using two-factor authentication

Source: http://online.wsj.com/article/PR-CO-20130627-907711.html?mod=googlenews_wsj


Location – a Fourth Authentication Factor

Trusted location is independent of other authentication factors

Solutions can be invisible to the user – no action required

8

LOCATION-BASED AUTHENTICATION HAS THE POTENTIAL TO BE

MORE SECURE AND MORE CONVENIENT

Somethingyou know

Somethingyou have

Somethingyou are

Somewhereyou are


Location: Used Today, but not Secure

9Image Source: lifehacker.com


GPS / GNSS for Trusted Location

10

July, 2013

• UT Austin research team spoofs GPS

• Cause yacht to veer from its intended course

December, 2011

• Stealth US RQ-170 Sentinel lost in Iranian airspace

• Photo above appears days later on Iranian television

• Iran claims GPS spoofing was used to capture drone

Available in nearly every device, but susceptible to spoofing


GPS / GNSS for Trusted Location

Higher integrity solutions are being considered

• Nav message encryption and digital signatures

• P-code correlation techniques

11

C/A Code (blue)Public signal1 MHz chipping rate, publishedPredictableP(Y) Code (magenta)

Protected signal10 MHz chipping rate, encryptedUnpredictable


Cell Towers for Trusted Location

12

• Several methods of location determination possible- Time Difference of Arrival (TDOA/UTDOA)

- Cell ID / Enhanced Cell ID

- RF pattern matching

• User-plane solutions are more susceptible to spoofing

• Control-plane solutions are more resistant to spoofing- Require infrastructure

- Carrier specific


Local Transmitters for Trusted Location

13

• Local beacons can authenticate device proximity

• Work indoors

• Require local infrastructure

Near Field Communications(NFC)

Bluetooth Low Energy(BLE)


Applications for Trusted Location

• Government network and data access control- Examples include DoD, tracking of high value assets, and critical

infrastructure such as power plants and water supplies

• Financial Institutions- Numbers are not published, but these companies lose billions to

cyber attacks each year, and the losses are growing

- Customers include financial infrastructure, banks and credit card companies – Major banks, SWIFT, Fiserv, First Data, Jack Henry

• Enterprise networks and high value data- Examples include IP, financial, medical records, and cloud security

- Customers already paying for, and would value increased security

• Online Gambling- Locations of users and servers is highly regulated in the US

- $6B industry in US; $22B globally

• Entertainment Industry

14

Incr

ea

sin

g V

alu

e to

Pro

fess

ion

al C

ybe

rcri

min

als


Example Application: Mobile Payments

• Growth of mobile payments is staggering:44% annual growth rateExpected to exceed $1B in 2014

• Volume still tiny relative to card payments ~$21B per day

15

per day

CAGR >250%


Mobile Made “Easier than a Credit Card”

16

Consumer enters a market zone

Smart phone provides location data to mobile payment provider

Authentication server confirms location for mobile payment provider

Informs approved retailers in the area

Point of sale ready for transaction

Verbal lookup and/or visual confirmation

Transaction approved

Consumer never reached for phone or wallet


“Magic” Required to Revolutionize Mobile Transactions for Consumers

• Must be trustworthy

• Must be virtually invisible to the user

• Must work where the transactions are happening

• Ideally would not require significant new infrastructure

• Cannot drain your phone battery

17


Unique Value Derived from Iridium

3. High Power BroadcastsSignals penetrate buildings

4. Close to GPS BandHardware is based on standard GPS chipsets

1. Worldwide CoverageWithout local infrastructure

2. Custom SignalsProvide secure timetransfer and navigationcapabilities

5. Focused Spot BeamsKey feature for proving userlocation and time

18

Leverages unique capabilities developed and demonstrated by Boeing, Iridium, and Satelles


Demonstrated Indoor Signal Penetration

• Extensive testing performed in dense urban (Tokyo)

• Iridium signal coverage at 98% of tested sites- 300+ indoor measurements; average attenuation: 36dB

19


Signal Penetration Inside Container

20

Blue points: Iridium in containerBrown line: GPS outdoorsGreen points: Iridium outdoors


Site-specific Keys Delivered from Space

21

Beams for two of 66satellites at one pointin time is shown

Overlapping beamsprovide a distinct, location-specific pattern

Notional Iridium beam coverage map property of Iridium Satellite LLC.


How it Works

22

1

User device receives location-specific

satellite data

2

Satelles Customer

User login data andsatellite data are sent automatically

3 SatellesAuthentication

Server

IridiumGateway

(Co-located)

VPN / TLS Socket ConnectionT

LS

So

cke

t

5 Trusted location is used in decision engine to allow or deny access

Valid user or hacker initiates secure online activity

Satelles determines trusted user location

based on satellite data

4


“Magic” Required to Revolutionize Mobile Transactions for Consumers

• Must be trustworthy Spot beams, random data make signal extremely difficult to spoof

• Must be virtually invisible to the user Reporting trusted location does not require user interaction

• Must work where the transactions are happening Satelles signals are 1000X stronger than GPS, penetrate buildings

• Should NOT require significant new infrastructure Signals come from space, world-wide, no local infrastructure

• Cannot drain your phone battery Satelles processing requires - potentially half the power of GPS

23


Summary

• There is a compelling need for improved cyber security

• Current methods of authentication are inadequate

• Convenience is the greatest enemy to security

• Trusted location can play an important role in authentication- More Secure AND More Convenient

• Among a range of good solutions, Iridium-based techniques potentially offer unique and compelling features- Trustworthy

- Invisible to the user

- Work indoors

- Require no local infrastructure

- Possible power advantages

24


Questions?

25Artist depiction of an Iridium LEO satellite in space

the role of pnt in cybersecurity - stanford university...• there is a compelling need for improved...

Documents