©workingarts.com 2002

[User] Authentication technologies overview.

To most, information security begins with passwords. In the language of security experts, this is called [user] authentication, usually carried out with user IDs and passwords during the log in process. Passwords or pass phrases have been used for centuries. However, with the advent of computer technologies, user authentication has become so pervasive that it has become overwhelming and unmanageable. Ordinary people end up with too many passwords: your PIN for your bank and credit cards, passwords for your computer at work, at home, your online banking, your home finance software, your voicemail, your cell phone, etc. To manage their user credentials, people often choose to use the same password for everything, or write their passwords on sticky notes kept near their computers, and - worse - share them with co-workers or family members, thereby stripping the authentication system of its key feature: its accountability.

User authentication with passwords is known as one-factor authentication: to prove that you are who you claim to be, you use one thing you uniquely know - your secret password. Unfortunately, passwords are easily compromised; besides being easily shared and rarely replaced, they are mostly transmitted "in the clear" (i.e. not encrypted or scrambled), hence vulnerable to so-called "sniffer" attacks (hardware/software combinations that enable a network administrator - or a hacker - to listen in on the network traffic and pick up passwords and user IDs as they travel over the network). Passwords are also vulnerable to "brute force" or "dictionary attacks", which try to guess the password by running entire dictionaries against the password prompt in case the user chose a common word or proper name as a password. Mostly, however, people use personal information, such as birthdays or the names of a spouse or children, which can be easily captured via a hacker's favorite tactic: social engineering. Social engineering is a process used to gather personal information on the victim, sometimes using tricks such as posing as the network administrator and, with a phone call, simply requesting the user to give out their password to be matched against a database for alleged "security" reasons.

MIT scientists have come up with a security solution called Kerberos (after the Greek mythological three-headed dog, guardian of the gates of Hades), which uses cryptography to protect the password over insecure networks, so that it is no longer vulnerable to the attacks mentioned above. Unfortunately, even though it is a very effective security solution, Kerberos requires a lot of custom programming for all the applications to be "kerberized", or equipped to understand the Kerberos protocol. This makes it a difficult proposition because very few off-the-shelf applications are Kerberos-ready (Windows XP claims to facilitate that process, but that's Microsoft Marketing speaking…).

Security vendors have designed and implemented other solutions that help increase password security. Such solutions use calculator-like devices called two-factor authentication tokens; they are called "two-factor" solutions because they require something you know - the PIN that unlocks the calculator - and something you have - the calculator itself. Early versions required a user to unlock the token with a PIN, enabling the calculator to use an encryption algorithm and a user-specific key (the constants), safely stored in the device, to create one-time-use passwords. When the user tries to log in, the receiving end system creates a one-time random challenge number (the variable) and presents it to the user during the log in process. The user unlocks the calculator, enters the challenge into it, and the device uses the algorithm and the user's secret and unique key to generate the "answer" to the challenge: the one-time password. Because the challenge changes with every log in attempt, so does the resulting password generated by the calculator - hence the "one-time password" appellation.

In the late 1980s an easier solution came to market. Instead of using the challenge-response technique described above (also referred to as "asynchronous"), the new product used an internal time counter ("synchronous") as the variable: as time passes, it adds seconds to the initial value, hence creating a new variable every second, which can never repeat itself as it can only grow bigger. This device, known as the "SecurID" from a company called RSA Security, is a calculator that requires no entry: the password keeps changing every minute and all you have to do is type in your name and PIN as the user ID and enter the password displayed on the calculator at the time of the authentication attempt. Millions of such calculators are currently in use throughout the world by large enterprises, banks, government agencies, etc.
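The two token styles described in the last two paragraphs, simulated as an added example that is not part of the original column: the same secret key is combined with a server-issued challenge (asynchronous) or with a time counter (synchronous). The HMAC-SHA1 derivation, the demo key and the one-step clock-drift window are assumptions for illustration; real tokens use their vendors' own algorithms.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo secret; on a real token the key never leaves the device.
DEMO_KEY = bytes.fromhex("0123456789abcdef" * 2)
DIGITS = 6


def otp(key: bytes, variable: int) -> str:
    """Derive a 6-digit one-time password from the secret key (the constant)
    and a variable (challenge number or time counter). HMAC-SHA1 with dynamic
    truncation is an assumed stand-in for a token's proprietary algorithm."""
    mac = hmac.new(key, struct.pack(">Q", variable), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def challenge_response(key: bytes, challenge: int) -> str:
    """Asynchronous token: the server's random challenge is the variable."""
    return otp(key, challenge)


def time_code(key: bytes, now: float, step: int = 60) -> str:
    """Synchronous token: the current minute counter is the variable."""
    return otp(key, int(now // step))


def verify_time_code(key: bytes, code: str, now: float,
                     step: int = 60, drift: int = 1) -> bool:
    """Server side: accept the code for the current step or +/-drift steps
    so a token whose clock has wandered slightly still works; the comparison
    is constant-time so timing does not leak which digits matched."""
    counter = int(now // step)
    return any(hmac.compare_digest(otp(key, counter + d), code)
               for d in range(-drift, drift + 1))


def demo_login() -> tuple:
    """Run both flows once; returns (challenge flow ok, time flow ok)."""
    challenge = secrets.randbelow(10 ** 8)          # server picks the variable
    answer = challenge_response(DEMO_KEY, challenge)  # user's token answers it
    async_ok = hmac.compare_digest(otp(DEMO_KEY, challenge), answer)
    now = time.time()
    sync_ok = verify_time_code(DEMO_KEY, time_code(DEMO_KEY, now), now)
    return async_ok, sync_ok
```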

These solutions are easy to use but they do not solve the issue of the ever increasing number of passwords required nowadays. This is why "Single Sign On" solutions are gaining popularity: one single password automatically unlocks all the other doors as you knock on them. Some still consider Single Sign On (SSO) a "Holy Grail" of security, because SSO requires that the solution house, protect and automatically (and securely) forward your passwords when they are requested, transparently to the user.

There are two basic kinds of SSO solutions: all the user credentials are either kept on a server that applications can query when an SSO user tries to log in, or all such credentials can be carried around by the user in a secure container. Such containers have been available for over 20 years but have only recently made their appearance in the US: they are called Smart Cards. A smart card is a credit-card-sized device with a small computer chip on it that contains user information and secrets that can only be accessed with a unique PIN. All the credentials are encrypted and compartmentalized on the card and can be queried by multiple, independent systems depending on the confidentiality level of the information requested. For example, you can carry a digital representation of your thumbprint (a.k.a. a biometric value: something you uniquely are), a password (something you know), and a password calculator (something you have) and be required to use all three to access sensitive protected information - this process is sometimes referred to as "graded authentication".

What is the future of user authentication? Biometrics will most likely win in the end, because they are the easiest authentication method: all you need to do is… be yourself, and the computer will recognize you. Unfortunately, today, such technologies are expensive to deploy and require more intensive computing power than all the other forms of user authentication. The state of the art solutions currently still generate too many "false positives" to be truly effective. Undoubtedly, biometrics will become cheaper and more reliable within the next five to ten years. So don't get rid of your passwords just yet.

One more thing about biometrics: they may be user friendly, but they are also more dangerous if compromised. Unlike a password or PIN which, if compromised, can be easily invalidated and replaced with a brand new arbitrary value, you cannot change your biometric measurements; something to think about… until next month's column on encryption technologies.

Is this article interesting to you? Want to know more about information security? Please send your comments, questions and suggestions to the author via email at frederic@workingarts.com

Frederic Martin is the President of workingarts Marketing and can be reached by email at fredo@workingarts.com
