© 2013 iKare Corporation. All Rights Reserved
The Role of PNT in Cybersecurity
Location-based Authentication
Dr. Michael O’Connor
November 14, 2013
Satelles is a Division of iKare Corporation
What do we mean by Authentication?
Authentication is the act of confirming the truth of an attribute of a datum or entity
The examples in this presentation focus on a user’s identity
The concepts also apply to document and data authentication
The Classic Authentication “Factors”
Something you know
• Username
• Password / PIN
• SSN
• Name of first pet
Something you have
• Credit/Debit Card
• Mobile phone
• Hardware token
• Encryption key
Something you are
• Fingerprint
• Iris or retinal pattern
• Voice
• DNA
How many of us (until recently) thought about authentication
Passwords Don’t Work for Most of Us
• 123456
• 123456789
• password
• adobe123
• 12345678
• qwerty
• 1234567
• 111111
• photoshop
• 123123
October, 2013, an Adobe security breach revealed these as the top 10 account passwords
2 million of 38 million users
CONVENIENCE IS THE ENEMY OF SECURITY
Two-Factor Authentication
Something you know
• Username
• Password / PIN
• SSN
• Name of first pet
Something you have
• Credit/Debit Card
• Mobile phone
• Hardware token
• Encryption key
Something you are
• Fingerprint
• Iris or retinal pattern
• Voice
• DNA
How many of us think about authentication today
Privacy
Data Permanence
Amputation
Two Factors are Not Always Enough
Businesses like RSA and CA Technologies offer “Something You Have” authentication
In 2011, RSA servers were compromised. Attackers captured algorithms and seeds
Cloned SecurID tokens were later used to attack several companies. RSA was required to replace compromised tokens.
Adoption of Two Factor Authentication
CONVENIENCE IS THE ENEMY OF SECURITY
• A majority of US consumers have been affected by typical online threats
- 56% virus or malware infection on a computer
- 37% victim of a phishing attack
- 26% victim of account compromise (e.g., hacked, broken into, password theft)
- 20% victim of a social media phishing attack
- 5% had a phone lost or stolen that resulted in unwanted access to sensitive information.
• Despite the recent hype, 75% of Americans have never signed into a website using two-factor authentication
Source: http://online.wsj.com/article/PR-CO-20130627-907711.html?mod=googlenews_wsj
Location – a Fourth Authentication Factor
Trusted location is independent of other authentication factors
Solutions can be invisible to the user – no action required
LOCATION-BASED AUTHENTICATION HAS THE POTENTIAL TO BE MORE SECURE AND MORE CONVENIENT
Something you know
Something you have
Something you are
Somewhere you are
Location: Used Today, but not Secure
GPS / GNSS for Trusted Location
July, 2013
• UT Austin research team spoofs GPS
• Causes yacht to veer from its intended course
December, 2011
• Stealth US RQ-170 Sentinel lost in Iranian airspace
• Photo above appears days later on Iranian television
• Iran claims GPS spoofing was used to capture drone
Available in nearly every device, but susceptible to spoofing
GPS / GNSS for Trusted Location
Higher integrity solutions are being considered
• Nav message encryption and digital signatures
• P-code correlation techniques
C/A Code (blue)
• Public signal
• 1 MHz chipping rate, published
• Predictable
P(Y) Code (magenta)
• Protected signal
• 10 MHz chipping rate, encrypted
• Unpredictable
Cell Towers for Trusted Location
• Several methods of location determination possible
- Time Difference of Arrival (TDOA/UTDOA)
- Cell ID / Enhanced Cell ID
- RF pattern matching
• User-plane solutions are more susceptible to spoofing
• Control-plane solutions are more resistant to spoofing
- Require infrastructure
- Carrier specific
Local Transmitters for Trusted Location
• Local beacons can authenticate device proximity
• Work indoors
• Require local infrastructure
Near Field Communications (NFC)
Bluetooth Low Energy (BLE)
Applications for Trusted Location
• Government network and data access control
- Examples include DoD, tracking of high value assets, and critical infrastructure such as power plants and water supplies
• Financial Institutions
- Numbers are not published, but these companies lose billions to cyber attacks each year, and the losses are growing
- Customers include financial infrastructure, banks and credit card companies – Major banks, SWIFT, Fiserv, First Data, Jack Henry
• Enterprise networks and high value data
- Examples include IP, financial, medical records, and cloud security
- Customers already paying for, and would value increased security
• Online Gambling
- Location of users and servers is highly regulated in the US
- $6B industry in US; $22B globally
• Entertainment Industry
Side label: Increasing Value to Professional Cybercriminals
Example Application: Mobile Payments
• Growth of mobile payments is staggering:
- 44% annual growth rate
- Expected to exceed $1B in 2014
• Volume still tiny relative to card payments ~$21B per day
Chart labels: per day; CAGR >250%
Mobile Made “Easier than a Credit Card”
Consumer enters a market zone
Smart phone provides location data to mobile payment provider
Authentication server confirms location for mobile payment provider
Informs approved retailers in the area
Point of sale ready for transaction
Verbal lookup and/or visual confirmation
Transaction approved
Consumer never reached for phone or wallet
“Magic” Required to Revolutionize Mobile Transactions for Consumers
• Must be trustworthy
• Must be virtually invisible to the user
• Must work where the transactions are happening
• Ideally would not require significant new infrastructure
• Cannot drain your phone battery
Unique Value Derived from Iridium
1. Worldwide Coverage: Without local infrastructure
2. Custom Signals: Provide secure time transfer and navigation capabilities
3. High Power Broadcasts: Signals penetrate buildings
4. Close to GPS Band: Hardware is based on standard GPS chipsets
5. Focused Spot Beams: Key feature for proving user location and time
Leverages unique capabilities developed and demonstrated by Boeing, Iridium, and Satelles
Demonstrated Indoor Signal Penetration
• Extensive testing performed in dense urban (Tokyo)
• Iridium signal coverage at 98% of tested sites
- 300+ indoor measurements; average attenuation: 36 dB
Signal Penetration Inside Container
Plot legend:
• Blue points: Iridium in container
• Brown line: GPS outdoors
• Green points: Iridium outdoors
Site-specific Keys Delivered from Space
Beams for two of 66 satellites at one point in time are shown
Overlapping beams provide a distinct, location-specific pattern
Notional Iridium beam coverage map property of Iridium Satellite LLC.
How it Works
Diagram components: Satelles Customer; Satelles Authentication Server; Iridium Gateway (Co-located); VPN / TLS Socket Connection; TLS Socket
• Valid user or hacker initiates secure online activity
• User device receives location-specific satellite data
• User login data and satellite data are sent automatically
• Satelles determines trusted user location based on satellite data
• Trusted location is used in decision engine to allow or deny access
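A toy model of the check described on the "Site-specific Keys Delivered from Space" and "How it Works" slides, added here as an example and not Satelles or Iridium code. The beam names, circular footprints, HMAC-derived broadcast data, epoch window and the `verify` function are all assumptions made for illustration.

```python
import hashlib
import hmac
import math

# Constructed toy model: none of these values come from the presentation.
MASTER_KEY = b"constructed-demo-key"      # hypothetical server-side secret
BEAMS = {                                  # hypothetical footprints: centre (x, y) km, radius km
    "A": ((0.0, 0.0), 200.0),
    "B": ((250.0, 0.0), 200.0),
    "C": ((900.0, 900.0), 200.0),
}
MAX_AGE = 1      # accept data from the current or previous epoch only
MIN_BEAMS = 2    # require data from at least two overlapping beams

def beam_data(beam_id, epoch):
    """Unpredictable per-beam, per-epoch value a beam would broadcast (assumed)."""
    msg = f"{beam_id}|{epoch}".encode()
    return hmac.new(MASTER_KEY, msg, hashlib.sha256).digest()[:16]

def inside(beam_id, loc):
    (cx, cy), radius = BEAMS[beam_id]
    return math.hypot(loc[0] - cx, loc[1] - cy) <= radius

def verify(claimed_loc, epoch, observed, now_epoch):
    """Return (allowed, reason) for a login that carries satellite data."""
    if not 0 <= now_epoch - epoch <= MAX_AGE:
        return False, "stale epoch (possible replay)"
    if len(observed) < MIN_BEAMS:
        return False, "too few beams"
    for beam_id, value in observed.items():
        if beam_id not in BEAMS:
            return False, "unknown beam"
        if not hmac.compare_digest(value, beam_data(beam_id, epoch)):
            return False, "beam data mismatch"
        if not inside(beam_id, claimed_loc):
            return False, "claimed location outside beam footprint"
    return True, "trusted location"

def demo():
    now = 1000
    genuine = {b: beam_data(b, now) for b in ("A", "B")}   # device in the A/B overlap
    old = {b: beam_data(b, now - 5) for b in ("A", "B")}   # data recorded earlier
    return [
        verify((125.0, 0.0), now, genuine, now),           # honest login
        verify((900.0, 900.0), now, genuine, now),         # false location claim
        verify((125.0, 0.0), now - 5, old, now),           # recorded data replayed
        verify((125.0, 0.0), now, {"A": genuine["A"], "B": bytes(16)}, now),  # guessed data
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The decision engine in this sketch denies access when the submitted beam data is stale, does not match what the beams broadcast, or is inconsistent with the claimed position.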
“Magic” Required to Revolutionize Mobile Transactions for Consumers
• Must be trustworthy
- Spot beams, random data make signal extremely difficult to spoof
• Must be virtually invisible to the user
- Reporting trusted location does not require user interaction
• Must work where the transactions are happening
- Satelles signals are 1000X stronger than GPS, penetrate buildings
• Should NOT require significant new infrastructure
- Signals come from space, world-wide, no local infrastructure
• Cannot drain your phone battery
- Satelles processing requires potentially half the power of GPS
Summary
• There is a compelling need for improved cyber security
• Current methods of authentication are inadequate
• Convenience is the greatest enemy to security
• Trusted location can play an important role in authentication
- More Secure AND More Convenient
• Among a range of good solutions, Iridium-based techniques potentially offer unique and compelling features
- Trustworthy
- Invisible to the user
- Work indoors
- Require no local infrastructure
- Possible power advantages
Questions?
Artist depiction of an Iridium LEO satellite in space