Software Token Security & Provisioning: Innovation Galore!
Kenn Min Chong, Principal Product Manager – SecurID, RSA; Emily Ryan, Security Solution Architect, Intel
• Software Tokens:
– Recap
– Where Could We Go Next?
• iOS/Android
• Windows
• Protecting RSA SecurID Software Tokens with Intel 5th Generation vPro Systems
Software Tokens: 2015 Recap
QR Code Provisioning of Software Tokens will reduce provisioning time and costs by 80%
• Increase user self-service
• Eliminate help desk calls
• Streamline the provisioning process with fewer, intuitive steps
• QR codes are becoming more accepted by end users
• Software tokens are “QR Code Ready” (iOS and Android)
Windows Desktop Token: RSA + Intel
• Available on all Intel 5th generation vPro systems (PCs/tablets)
• Encryption and signing of token record using Intel hardware-based platform binding key
• Plug-in fully built and supported by Intel
– Available for download today at Intel with whitepaper and guides (https://downloadcenter.intel.com/download/24788)
Where Could We Go Next?
iOS/Android: Fingerprint
• 2 Concepts
– PIN Convenience: Fingerprint to submit stored PIN
– App Security: Fingerprint to launch app
• Proposed Approaches:
SW Token Type   Biometric Approach   Benefits
PINPad          PIN Convenience      Convenience
Fob Style       App Security         Extra Factor
• Example vendors: AirWatch, MobileIron, Good, etc.
• Proposal
– Push data from EMM server to managed RSA Software Token app
  • App configuration (Mask PIN, enable/disable TouchID)
  • Provisioning Token Record (no emails, no QR Code, behind-the-scenes provisioning)
– Pull data from managed RSA Software Token app to EMM server
  • Binding ID (auto user provisioning by EMM server at RSA Authentication Manager server)
• Question: Are you willing to get an EMM solution to get these features?
Where Could We Go Next?
Protecting RSA SecurID Soft Tokens with Intel 5th Generation vPro Systems
Business Megatrend: Security
>500Mu active business clients are vulnerable to the same attack
How Big is the Emerging Attack Surface?
Forecast: Global Internet Device Installed Base (2) [chart: number of devices in use globally, in billions, 2009 through 2018E, for Connected Cars, Wearables, Connected TVs, Internet of Things, Tablets, Smartphones and PCs; “The Internet of Everything”]
An Average Day In An Average Enterprise (1):
• Every 1 min a host accesses a malicious website
• Every 3 mins a bot is communicating with its command and control center
• Every 9 mins a High Risk application is being used
• Every 10 mins a known malware is being downloaded
• Every 27 mins an unknown malware is being downloaded
• Every 49 mins sensitive data is sent outside the organization
• Every 24 h a given host is infected with a bot
Sources: (1) Check Point Security Report 2014; (2) BI Intelligence Investments 2014
The Four Pillars of Intel’s Security Focus
• Anti-Malware: Detect malware based on signature & behavior
• Resiliency: Correct security weaknesses & breaches
• Identity: Protect user & device identities
• Data Protection: Protect data at rest and in transit
[cycle: Protect – Detect – Correct]
Intel® platforms ship with Security built-in!
Where is Intel Security Engine?
[block diagram: Intel 5th Gen CPU-PCH (“Superior I/O and Great Flexibility”) and Skylake PCH, showing CPU, PCH, x4 DMI, 16 PCI-E lanes / 8 ports (2x4, 4x1), 8 USB3 (4 muxed), 12 USB2, 4 SATA Gen3, SPI/eSPI, SPI TPM / TPM 2.0, HD Audio and Intel® Audio DSP on I2S, 2 I2C, 2 SPI, 3 UART, SDIO, SMBus/SMLink, EC/SIO, GbE / GbE Phy, WLAN, BIOS and AMT code flash]
Intel Confidential *Other names and brands may be claimed as the property of others
Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information go to http://www.intel.com/benchmark
Identity and Access Management (IAM)
Securing the Front Door a Key Challenge
• Many authentication factors including Passwords, Tokens, Key Infrastructure. But no unifying framework to simplify implementation, management, enforcement.
• Known challenges with current authentication methods:
– Passwords: Complex for Users and IT = vulnerable
– Tokens and Smart Cards: Costly to maintain
– Software-based Keys: are at greater risk
– User Presence and context: Location confirmation is difficult
Many weaknesses in traditional security make it difficult and expensive to optimize identity and access management
What is Multi-Factor Authentication?
• Single (One Factor): “Knowledge” – Username + Password
• Two Factor (2 Factors): Knowledge + Possession or Inherence
• Multi-Factor (2+ Factors): Knowledge + Possession and Inherence
Multi-factor authentication increases your security posture, but traditionally has been at the cost of user experience.
Industry is adopting an experience-based approach to verifying identity (biometrics, MFA) using a combination of two (ex - fingerprint and device) or more factors.
• NOTE: A single factor (password, PIN, etc.) is not deemed secure; presence detection is a new requirement.
Intel® IPT with MFA
For Corporate and Managed Small Businesses
Authenticate yourself Simply & Securely
• Hardened with Intel’s Security Technologies rooted in firmware and hardware
• Supports a variety of hardened authentication factors
• Designed as a horizontal capability and available to ISVs & OEMs
• Easily integrates with existing corporate infrastructure
• Provides hardened MFA policy management using your choice of console (e.g. McAfee ePO, Microsoft* SCCM)
[diagram: Business Users use Intel IPT w/ MFA on network devices to securely login anywhere; IT Admin manages the company’s Authentication Policy securely & reliably; factors: PIN, Proximity, Biometrics, Location; targets: Apps & Websites, OS, Domain Login, VPN, Single Sign-on & more; Multi-Factor Authentication]
Market Leading Identity Provider RSA Now Integrated with 5th Generation Intel® vPro™ Platforms
• RSA® SecurID® Software Token is protected in hardware by Intel Identity Protection (IPT) based Token Provider supported by 5th Generation Intel vPro Platforms
• SecurID seed record protected and signed by encryption key that is stored on Intel chipset
• Provides a hardened solution against removing the SecurID seed record (with malware) and running on a different machine
• Offers hardware level token security with the convenience of a software token
• Easy to install
Set up of RSA SecurID Software Token on 5th Generation Intel vPro
[diagram layers: Windows OS – RSA SecurID Software Token v. 5.0, Intel® IPT Based Token Provider.dll, Intel® Crypto Service Provider, Intel® MEI Driver; Intel® Chipset/Intel SE – Intel SE Dynamic Application Loader, Intel® IPT PKI Applet; RSA SecurID Server]
• Install RSA SecurID Software Token v. 5.0 or later
• Install Intel Token Provider.dll, Intel CSP and Intel® ME Driver
• RSA SecurID server provisions SecurID Software Token Seed to hard disk
• Import the Token Seed by selecting “Import Token” from the pull down and choose Intel Token Provider from list of Storage Devices to store Token Seed
Protecting RSA SecurID Software Client with Intel® IPT Token Provider
[diagram layers: Windows OS – RSA SecurID Software Token, Intel® IPT Based Token Provider.dll, Intel® Crypto Service Provider, Intel® MEI Driver; Intel® Chipset/Intel SE – Intel SE Dynamic Application Loader, Intel® IPT PKI Applet]
• Intel CSP generates public/private key pair in ME
• RSA SecurID Software token seed encrypted with public key and signed by private key
• Signed and Encrypted RSA Software Token (seed) is stored in Persistent Storage in Intel IPT Based Token Provider
Using RSA SecurID Software Client with Intel® IPT Token Provider
RSA SecurID Software Token Seed Record Cannot be Removed by Malware and Run on Another PC
[diagram layers: Windows OS – RSA SecurID Software Token, Intel® IPT Based Token Provider.dll, Intel® Crypto Service Provider, Intel® MEI Driver; Intel® Chipset/Intel SE – Intel SE Dynamic Application Loader, Intel® IPT PKI Applet]
• “Get OTP request” from SecurID Software Token to Intel® IPT Based Token Provider
• Private key stored in ME is used to decrypt SecurID Software token and verify signature
• Seed record is re-encrypted and stored again in the Intel IPT Based Token Provider
• SecurID Software token generates OTP
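The two slides above describe the same seal/unseal cycle: the seed is encrypted and signed under a key that lives only in the chipset, and every OTP request verifies the signature, decrypts, regenerates the OTP and re-encrypts the seed. The following is an added model of that cycle, not code from RSA or Intel. It assumes a symmetric platform-bound secret in place of the ME key pair, a toy SHA-256 counter-mode keystream for encryption, HMAC-SHA256 for the signature, and RFC 4226 HOTP standing in for the proprietary SecurID algorithm; the class and function names are this example's own. It shows why a seed blob copied to a second machine is useless there: the second platform's key cannot verify the tag, so the blob is rejected before any decryption happens.

```python
"""Model of hardware-bound software-token storage (added example, not RSA/Intel code).

Assumptions (not from the slides): the platform-bound key is a symmetric secret that
never leaves the PlatformSecurityEngine object; encryption is a toy SHA-256
counter-mode keystream; the "signature" is HMAC-SHA256; the OTP is RFC 4226 HOTP.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple


class PlatformSecurityEngine:
    """Stand-in for the chipset-resident key store (the ME in the slides)."""

    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, platform_secret: bytes):
        # Derive separate encryption and MAC keys; neither is ever returned to callers.
        self._enc_key = hmac.new(platform_secret, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(platform_secret, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Toy counter-mode keystream (assumption: a real provider uses a proper cipher).
        out = b""
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(self._enc_key + nonce + struct.pack(">I", counter)).digest()
            counter += 1
        return out[:length]

    def seal(self, seed: bytes) -> bytes:
        """Encrypt the seed under the platform key and append an integrity tag."""
        nonce = os.urandom(self.NONCE_LEN)
        ciphertext = bytes(a ^ b for a, b in zip(seed, self._keystream(nonce, len(seed))))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def unseal(self, blob: bytes) -> Optional[bytes]:
        """Verify the tag first; return None for any blob not sealed by this platform."""
        if len(blob) < self.NONCE_LEN + self.TAG_LEN:
            return None
        nonce = blob[:self.NONCE_LEN]
        ciphertext = blob[self.NONCE_LEN:-self.TAG_LEN]
        tag = blob[-self.TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong platform or tampered blob: no decryption attempted
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext))))


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; stands in for the SecurID algorithm in this model."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def get_otp(engine: PlatformSecurityEngine, stored_blob: bytes, counter: int) -> Tuple[Optional[str], bytes]:
    """Model the 'Get OTP request' path: unseal, generate OTP, re-seal and store again."""
    seed = engine.unseal(stored_blob)
    if seed is None:
        return None, stored_blob
    new_blob = engine.seal(seed)  # fresh nonce each time, as the slide's re-encryption step
    return hotp(seed, counter), new_blob


def demo() -> Tuple[Optional[str], Optional[str], bool]:
    # Constructed inputs: the RFC 4226 test seed and two machines with distinct platform secrets.
    seed = bytes.fromhex("3132333435363738393031323334353637383930")
    pc_a = PlatformSecurityEngine(os.urandom(32))
    pc_b = PlatformSecurityEngine(os.urandom(32))
    blob = pc_a.seal(seed)                     # provisioning on PC A
    otp, resealed = get_otp(pc_a, blob, 0)     # legitimate OTP on PC A
    stolen_otp, _ = get_otp(pc_b, blob, 0)     # same blob copied to PC B
    return otp, stolen_otp, resealed != blob


if __name__ == "__main__":
    print(demo())
```

The first OTP is the RFC 4226 vector for counter 0, the copied blob yields no OTP on the second machine, and the re-sealed blob differs from the original because each re-encryption uses a fresh nonce.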