Heartbleed – critical next steps after the patch

The Heartbleed bug, which gained worldwide attention in April, is a timely reminder of what can potentially go horribly wrong even with the simplest of flaws. Although the overrun vulnerability in the OpenSSL encryption program was quickly fixed, the patch was issued more than two years after the bug was introduced.

A survey by UK-based internet service company Netcraft found that the Heartbleed bug could have affected some 17.5% of Secure Socket Layer (SSL) sites, accounting for around 500,000 or more certificates issued by trusted certificate authorities.

In a heartbeat

Vulnerabilities caused by Heartbleed allow attackers to view up to 64KB of memory on an affected server, enough to eavesdrop secure sessions, retrieve private keys and eventually spoof the server for sensitive data once it is “clear texted” by the SSL decryption process.

A Pew Research Center survey of 1,501 American adults over landlines and cell phones captured their reaction the bug. As many as 39% of respondents took steps to protect their online accounts by changing passwords or even canceling accounts; 29% believe their personal information was put at risk by the Heartbleed bug; and 6% believe their personal information was stolen.

User confidence in secure https sites has been shaken. Even after updating the SSL certificates, companies running secure sites have to assure users that sensitive information is safe and initiate next steps to prevent further exposure of data while ensuring proper compliance.

A key lesson from Heartbleed is the need to bolster data protection beyond SSL encryption. Here, an end-to-end encryption (E2EE) solution offers assurance that sensitive data, especially passwords, stay encrypted even within the memory of vulnerable web or application servers.

Bolster SSL with E2EE

While data may be decrypted at the application server, passwords are decrypted and verified inside a tamper-resistant hardware security module (HSM) that is built to meet US Federal Information Processing Standards (FIPS) standards.

An effective E2EE implementation integrates a versatile authentication server with the HSM. Such a server manages and enforces security policies, users, applications, user entitlement, user stores and administration delegation. It centralizes different authentication mechanisms, session management, audit logging and compliance reporting.

i-Sprint’s AccessMatrix Universal Authentication Server (UAS) E2EE solution, for example, addresses vulnerabilities like the Heartbleed bug by creating a secure channel between the client’s access device where the password is encrypted, and the HSM where the authentication process is managed. That way, credentials, passwords and data are protected from the client’s access device right through to the HSM.

Simplify and adapt

Without complex programming, the AccessMatrix UAS solution integrates front-end password encryption and popular HSMs that encrypt or decrypt the passwords; protect the master encryption key; generate initial PINs and verify PINs; and generate random numbers for authentication.

The server supports new and existing authentication mechanisms such as dynamic passwords, certificates, biometrics, or security tokens, via the Pluggable Authentication Module (PAM) framework. The authentication infrastructure adapts to changing business and regulatory mandates.

Technology risk management guidelines from monetary authorities in countries such as Singapore and Hong Kong, for instance, encourage financial institutions to encrypt sensitive data, such as customer passwords and PINs, transmitted between the web servers and their internal systems. Specifically, strong E2EE should be applied to ensure continued data protection even if web servers or internal networks are compromised.

Bank builds trust

Doing just that, a leading Southeast Asian bank implemented E2EE of its internet banking customer PINs from their entry at login to the point of comparison inside the HSM. This prevents even privileged users or administrators from accessing the PIN.

The E2EE is complemented by strong authentication – one-time password (OTP) token and OTP over SMS – that adheres to corporate security and regulatory standards. The AccessMatrix UAS E2EE solution, a token management module and an SMS OTP module enable the bank to attain the authentication and administration required by internet banking regulations.

The bank is now equipped for PIN life cycle management – such as secure generation and mailer printing – as well as the distribution and management of tokens. The solution also includes pre-integrated and tested two-factor authentication.

To aid regulatory compliance, an audit and reporting module enables the bank to report access activities and security violations, and administer granular password policy such password history, aging and quality check.

Ultimately, i-Sprint’s AccessMatrix UAS platform aims to strengthen customer confidence and integrity of access across business e-channels. It establishes a framework of trust based on effective and rapid responses to exploits such as the Heartbleed bug.