How Do I Sign North Carolina Banking Presentation

Help me with industry sign banking north carolina presentation simple

good morning everybody my name is arshad noor and i'm speaking to you from california to talk about the future of authentication with pki and fido when i use the word fido it's synonymous with fido 2 the newest protocol of the fido alliance i'll probably stick with using fido instead of 502. so here is our agenda for the next 20 25 minutes i'm going to leave a little time for question and answers uh we're just going to go through a brief introduction on myself for about a few 30 seconds we're going to compare fido and pki what are the essential differences between the two technologies and we're going to dive a little deeper into that from a technical point of view the assumption that i'm making is that the audience listening to this recording is very familiar with public key infrastructure without that background there is the there is a higher possibility of getting a little lost in this particular presentation once we have compared the differences between fido and pki we'll talk a little bit about the operational requirements for operating a public key infrastructure and a fido infrastructure within the same enterprise and then we'll summarize the essential differences between the two and go into the question and answer session so let's get started on the introduction so my personal background i am the chief technology officer of stronkie it's a small company based in california and north carolina durham north carolina i have personally been working in the technology industry for 34 years of my career in the united states more than 20 roughly 22 years have been spent in the discipline of public key cryptography and cryptographic key management i built my first pki for sun microsystems back in the late 90s and it was a very large pki sun was at the peak of its its life cycle if i may and the pki was an extraordinary extraordinarily complex one and it was a great experience and that's what got me launched into the public key cryptocryptography segment of the industry and i've been with strong key ever since after leaving sun and i've designed pkis constructed them for some of the world's largest companies the world's largest pharmaceutical world's largest telecommunications center banks uh biotechnology device companies defense contractors so i have quite a few arrows on my back with pki deployments to be able to discuss this topic i also wrote one of the first open source cryptographic key management systems back in 2006. uh it's by the name of stronkie and you'll still find it on the internet if you're interested so let's talk about pki and phyto differences how is fido different from pki uh very essentially fido does not use x.509 digital certificates so there is no binding between the public key and the user using the x.509 standard fido uses raw cryptographic keys it used to be that it only supported a curve but the new fido standard that we also know as web authen from the w3c supports both elliptic curve as well as the traditional rsa cryptographic algorithms but no digital certificates for end users there are digital certificates used in a small part of the fido protocols for essentially attestation of a newly registered public key but that's optional too essentially you can build an entire fido ecosystem without the use of a single digital certificate although some certificates are involved but not for end users firo technology does not depend on external middleware this is a great advantage over pki because most of the pki problems that i have encountered in the past have been related to the use of smart cards middleware technology and the backend public key infrastructure fido is supported by all browsers today and the drivers for working with fido authenticators hardware authenticators are embedded in platforms like windows and os x and linux with just a little bit of tweaking so they're pretty much standardized and work completely out of the box immediately with whatever fido certified authenticator you may happen to use fido keys do not expire like digital certificates we are also used to the whole life cycle of certificate management and the validity period and duration of a digital certificate but fido keys are raw keys and once registered with a relying party uh there is no expiration date so managing fido keys and their life cycle requires a different mindset and philosophy from use of public key infrastructure there is no concept of a certificate revocation list or an online certificate status protocol responder in a pki so companies that deploy a fido ecosystem have to take advantage of other mechanisms to determine when a particular public key a fido key of a specific user should be revoked and i use the word revoked a little loosely because the concept of revoking a fido key does not exist companies can choose to delete a fido key if they do not want to allow a user to access the system anymore or they can suspend it deactivate it reactivate it bring it back out of suspension all of these processes are possible with fido companies can choose to build whatever they want server manufacturers like strong key provide certain capabilities in fido's servers and companies can take advantage of those features to essentially deny users access to the authentication systems of applications that use fido there is also a metadata services defined in the fido ecosystem that allows authenticator manufacturers who who market fido authenticators to be able to publish information about their authenticators and fido alliance hosts such a service relying parties essentially have to sign up to the service there's an agreement that they sign up to and once agreed they are given access to the metadata services where they can retrieve a blob that conforms to the metadata services specification that can give them up to the moment information on any specific authenticator but this is optional uh authenticator manufacturers optionally choose to publish this relying parties optionally choose to subscribe to this there is no requirement that a fido ecosystem must use the metadata services loosely mds is equivalent to a crl if you will if i had to conceptually compare the two but there's no requirement relying parties can have private relationships with authenticator manufacturers and choose to get information about buggy authenticators or compromised authenticators or lost authenticators separately and incorporate those policy requirements into their fido server and processes there is no requirement to chain to a trusted third-party certificate authority there is no pkx validation to do with fido keys there are no bridge certification authorities all of the complexity that pki brings to the table doesn't exist with fido there's a different kind of complexity i'm not going to make this sugar coated but there is a certain amount of complexity in 502 but it's not quite as complex as pki in my personal opinion what fido does do is that it mandates a test of user presence this is required although i've been hearing things about how even that may not be necessary going forward whether that's a good thing or a bad thing it's up to the fido ecosystem to decide and for relying parties to choose what they want but the default requirement is that a user using a fido authenticator and authenticating to a website that leverages the fido protocol must use some gesture and action to prove that they are in front of the computer using their authenticator to login into that particular website that gesture may be to touch an electrostatic component of an authenticator it may be to use their fingerprint a pin a pattern on a mobile phone face id any one of those local authentication mechanisms on a device or can be used to test for a human presence the primary impetus for this particular mandate is to ensure that a man in the middle attacker does not have access to your authenticator and therefore is incapable of providing the test of user presence fido obviously supports more than just a test of use of presence it supports something called user verification where biometrics or pin known only to the legitimate user can be used to verify the user's identity before invoking the private key of the fido keeper one interesting capability of the fido protocol is the potential to use multiple authenticators and bind them to the same credential account at the relying party site so if i have and if i have an account on a particular website i have actually there are a few dns um providers who have enabled fido on their website so i have a single account and i can choose to login into the dns service provider with a user id password and a second factor otp sent to my mobile phone which i don't particularly care for but because i have registered multiple fido authenticators to the same account each fido authenticator generating a unique key pair and registering the public key with that with the reliant party i can use any one of those phyto authenticators that i have in my possession to log in into that dns service provider site now technically in the world of pki there is nothing preventing a pki from issuing the same user unique digital certificates each with its own key pair on different smart cards if you will or different key keystore devices but that concept does not it has not been implemented in the world of a pki there is the underlying principle in a public key infrastructure that every user in the entity has one digital certificate associated with that individual's name and that binding is unique within pki now of course over the life cycle of that digital certificate an end user might end up with many digital certificates within that pki but only one might be active for a specific purpose a user can have multiple digital certificates for different use cases they may have a digital certificate for signing they may have another digital certificate for encryption a third one for vpn but the idea of associating a single key with the identity of a user is pretty much the foundation of a pki in the fido protocols conceptually it's similar there is a public key that's associated with the identity of a user but nothing prevents the user from getting 10 authenticators and registering 10 public keys all to the same account and then using any one of these 10 authenticators to log in into the website so the issue of whether what does the user do when they lose a particular authenticator is non-issue if you have more than one authenticator and personally speaking even without all the external authenticators that i have i probably have at least three authenticators one in my macbook one in my windows pc laptop and one on my mobile phone so right there i had three authenticators that i can potentially use with a website even without having to buy an external usb based authenticator and that is a very interesting feature of the fido protocol i've already mentioned that fido is supported by all browsers the android operating system as well as windows 10 operating system and apple has also released a beta version of safari that supports fido i have no doubt in my mind that they are working on their platforms the operating systems for their phone and their computers it's only a matter of time the ubiquity of fido and makes this extraordinary as a capability for those who are looking for a passwordless authentication capability across the enterprise or their ecosystems let's talk a little bit about the benefits of fido over pki pki was i recall pki was born in the early 90s little before even the world wide web uh showed up and as a result pki and the worldwide web evolved together and but the web grew significantly faster and evolved significantly faster than pki so the capabilities of the web and the vulnerabilities of the web are very very far ahead of the world of public key infrastructure as a result pki unfortunately does not keep up with things that are happening in the web world fido on the other hand was designed for the world wide web it took vulnerabilities into account it took the features and capabilities of the web into account and incorporated them into the protocol and one of the essential benefits is the potential the ability of fido protocol to eliminate phishing completely fishing for passwords mind you because attackers can use phishing attacks for all kinds of different use cases to download malware to be able to put a trojan on a computer of a user but more often than not phishing is also used to acquire passwords out of users for protected uh applications fido completely eliminates phishing for passwords how does it do that because the binding of a public key in an authenticator is bound to the origin of the relying party's website the authenticator manufacturer has an obligation each time an app and the user connects to a particular website and the website sends out a challenge to be digitally signed by the file by the fido key the authenticator manufacturer relies upon information provided by the browser to determine whether a key pair exists for that particular origin so if the user has registered a legitimate key pair with legitimate bank.com but now the user has been diverted to an attacker's website that looks very much like the legitimatebank.com and even has fido enabled and sends out a challenge unless the attacker has somehow managed to compromise dns and get the user's computer to think that the computer is connected to legitimate bank term the url of the attacker's website is going to be different from the legitimate bank's url for that site as a result the authenticator is going to know the difference and it is not going to find a key pair for the attacker's website and consequently a fido challenge sent to the user is not going to get any response from the authenticator if the attacker were attempting to get passwords if the bank were using fido exclusively a passwordless protocol then the whole attack fails because the user is going to be educated enough to know that there are no passwords on that fido is already integrated into android the largest deployed mobile operating system so it is possible to use any modern android device and the chrome browser on that particular device to register fido credentials there are external authenticators with nfc that work uh in that in that use case and there are companies who are also building native uh android authenticators within the platform device itself so and windows 10 of course windows hello delivers fido capability out of the box on laptops and desktops today one big advantage of the fido protocols are that they are significantly less expensive than pki having built many many many pkis over two decades i can tell you that it is significantly cheaper to manage a fido ecosystem than it is a pki and from a programmer's point of view having developed a couple of applications using tls client auth and having developed some sample applications using the fido protocols uh they're a world apart they are a world apart that much i can claim with great assurance so what are why why would an enterprise need to maintain both fido and pki systems almost every new web application that is being built today any application that is being built today is either for the web or mobile and from an end user's point of view fido delivers a better and a frictionless experience there's a lot that goes into the application design and fido can fit into various user flows so depending on the application it can be clunky but it can also be a frictionless experience pki lends itself in my personal opinion better for server to server communication because fido mandates a test of human presence in the protocol pki probably will serve better if an application server if an application on one machine is attempting to call services on another application on another machine and tls client auth is a better way to protect that than file of course if companies are using encrypted or digitally signed email s mine is the definitive protocol that relies upon digital certificates for uh email protection and finally given that 50 60 years after passwords have been invented they are still in use today much to my disappointment the transition from a pki to fido could take many many many years it could it could potentially even take a decade or two uh depends on the application and the industry in which those pki digital certificates are used so i don't see the possibility of a sunset on pki very quickly so enterprises that do have a pki they probably should plan for having both ecosystems work within their enterprise for quite some time so what are the pathways to transition from pki to fido once a fido ecosystem is in place it is possible for new users who are enrolled into a pki to automatically get fido credentials in the same enrollment process there is an open source software product that we have put out on the internet called pki to fido that can essentially authenticate a user using tls client auth and go through the whole peaks validation process and once validated it can walk them through a fido registration process and essentially enable the tls client or protocol to register a fido key for a user the user is expected to have the appropriate fido enabled authenticator in during that process of course and businesses will need to start thinking about the investments that they are going to be making for new applications credentialing procedures are likely to change uh especially after this year's lockdowns um remote credentialing is probably going to become a little more of a common practice but if the user already has the digital certificate from a previous credentialing process leveraging that through something like pki to fido makes it very easy to enable the registration of a file key for such remote users applications definitely have to be modified fido is a protocol that must be known to the web application or mobile application it's not an out-of-the-box solution so applications do have to be enabled with the fido capability in there clearly different new policies and new procedures are going to have to be implemented although both use public key cryptography there is a different set of requirements for how pkis are managed and they have a different set of policies fido is is evol is growing and even though they use public keys because they are not like digital certificates people have to view their policy management a little differently and users clearly have to be trained to work with different types of authenticators pki pretty much is standardized on the use of smart cards most places i know and whereas phytoauthenticators come in many different shapes forms and there are still new mechanisms that are being developed so operationally all of the knowledge that users have administrators developers have about pki can be leveraged in fido except that the details about x509 and are not that necessary support procedures are definitely going to be simpler with fido and as a result the the process of supporting final breakdowns or troubleshooting fido is likely to be simpler in the fido ecosystem smart card lifecycle management can be eliminated the complex of managing smart cards the middleware the life cycle of smart card applets all of those procedures can be eliminated with simpler badges with photo id and building access where necessary and replacing it with fido authenticators given that all new laptops and mobile devices come with some form of biometric authentication many have trusted execution environments and mobile devices and most of the laptops also have biometric capabilities these days it is possible to use these security elements of these newer devices to be the fido authenticators that said i would think of fido as a faster better cheaper version of pki if you have a pki your investments are not likely to be wasted but any new pki investments are not likely to give you the same return that you have received in the past given that fido is here it is my personal and professional opinion that it will stay and it will continue to drive the ecosystem towards improving the capabilities and driving costs down thank you very much i'm open for questions at this point you