Security supplement: strong user authentication: solving security's weakest link.


Why strong user authentication (SUA)?

Security isn't complicated; it can be defined very simply as: WHO can be granted access to WHAT. Any security system, whether for a small business or for a large multinational organization, must solve that equation. There is very little doubt about the content or accuracy of the WHAT portion, because this is usually determined by the organisation itself (and thus by the security system in place). The WHO, however, is another matter entirely, and lies at the heart of the effectiveness of any security system. The only means to validate the WHO is through User Authentication. This is why, during logon, the system prompts the user first for the electronic identity (often called the User ID) of the WHO that will be used during the session, but also tries to verify whether the legitimate owner of this identity is really the person at the workstation. This last phase, authentication, is the concern of this article.

The most popular way of performing user authentication is through a static piece of information shared between the user and the security system: the password. There are a few well-known problems associated with these static passwords: users are often given the opportunity to choose passwords by themselves, which leads to easy-to-guess "secrets". Being static by nature, passwords are reusable, so any network exposure--or merely looking over a user's shoulder--can lead to illegal use of a user's identity. A user may share his/her password with someone else for any good or bad reason, but once shared it cannot be taken back from the other party. Because they are not "user-friendly" and are costly to IT departments in terms of time and effort, strong password management policies are rarely enforced enough to be effective.

Because of these issues, it is widely accepted among security experts that incorrect authentication is the single largest threat to any computer system, and that user-managed passwords are the single largest cause of incorrect authentication. Static passwords are known as an extremely weak form of authentication. This explanation reveals the importance of implementing Strong User Authentication in order to guarantee that only legitimate owners will be able to make use of a User ID. Strong User Authentication naturally strengthens authorization, because access rights will be granted to the right person, and not to someone getting illegal benefit from a weak authentication system. Strong User Authentication also eliminates the false sense of security that a sophisticated but password-protected authorization system may provide. Without SUA, how do you really know WHO is accessing your confidential database remotely?

Authentication factors

Let's detail how a security system may perform user authentication. The proof of identity that a user will give will be based on one of the following factors:

Knowledge: a piece of information shared between the user and the system, typically a PIN or a static password.

Ownership: a physical object, like a badge or a key, specifically assigned to the user and that a system peripheral will recognize.

Biometrics: a measurable biological characteristic of the user, previously recorded on the system, that the user will present to a specific "biometric" device, such as voice, fingerprint, retina scan, etc.

Each of these three factors taken separately has a unique set of issues and concerns. For example, knowledge is difficult to control, easy to replicate, and often easy to guess or to obtain illegally. Users may forget their password, creating help-desk costs. Ownership of the object may be easy to duplicate or the object can be stolen, and implementation of ownership-based authentication very often leads to static data being sent over the network. In addition, maintenance and renewal of the object can be expensive. Biometrics, while seemingly the best authentication method, is very expensive to implement and deploy, and compatibility with existing systems is extremely low. What is more, biometrics creates difficulties with user acceptance: people may not want to present their eye to a scanning device, or put their finger on a reader that is being used by other people.

Strong User Authentication methods

First, some definitions:

Authentication means verifying that people are who they say they are, before you can trust them with your sensitive data and before they can do harm to that data.

Strong means preventing people from simulating other users' identities. In a face-to-face conversation, your speaking partners can see and verify who you are. If they want to strongly identify you, they will ask you for your passport or any other positive ID. So, how do you obtain truly strong user authentication during verification of an electronic identity?

You can see that authentication is significantly strengthened by combining at least two of the previously defined authentication factors. This is the system used by banks for their e-wallet smart card or ATM bank card systems. By combining a PIN that must be remembered with a card that the authorized user has in his or her possession, the barrier to unauthorized access is much higher, while ease of use is maintained. For remote access security to a corporate network or an Internet banking application, for example, token devices or smart cards combine the two factors of Knowledge and Ownership. A user must own a unique token or smart card, and this "intelligent" object requires the knowledge of a PIN to be activated. In addition, these objects contain cryptographic processors that will perform complex functions while communicating with the security system. These functions ensure that an authentication exchange cannot be reused or replayed on the same or another system. Digital Certificates, as used in PKI-based authentication systems, are logical objects that bring to the security system the proof that a Certificate Authority has already authenticated the user. The strength of PKI-based authentication relies essentially on the quality and safety of certificate storage and protection.
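The PIN-plus-token exchange and its replay resistance described above, shown as an added example that is not from the article or from VASCO's products: the Token and AuthServer classes, the challenge/response scheme using HMAC-SHA256 over a server-issued nonce, and the sample user "alice" with PIN "4711" are assumptions constructed for illustration. The same block also contrasts this with the static-password weakness from the earlier section: a captured static password verifies on every later logon, whereas a captured challenge/response pair is rejected when it is presented a second time.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class Token:
    """Hypothetical PIN-activated token (constructed for this example).

    The device holds a secret shared with the authentication server and only
    computes a response once the correct PIN has been entered.
    """

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin: str, challenge: bytes) -> Optional[bytes]:
        # Knowledge factor: a wrong PIN leaves the token inert.
        entered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(entered, self._pin_hash):
            return None
        # Ownership factor: only the holder of this secret can compute the MAC.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class AuthServer:
    """Constructed server side: issues one-time challenges and consumes them."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}       # user_id -> token secret
        self._outstanding: Dict[bytes, str] = {}   # challenge -> user_id
        self._consumed: Set[bytes] = set()         # challenges already used

    def enroll(self, user_id: str, secret: bytes) -> None:
        self._secrets[user_id] = secret

    def challenge(self, user_id: str) -> bytes:
        nonce = secrets.token_bytes(16)           # fresh per logon attempt
        self._outstanding[nonce] = user_id
        return nonce

    def verify(self, user_id: str, challenge: bytes, response: Optional[bytes]) -> bool:
        # A challenge is accepted once; a replayed (challenge, response) pair fails here.
        if challenge in self._consumed or self._outstanding.get(challenge) != user_id:
            return False
        # Consume the challenge whether or not the response turns out to be right.
        del self._outstanding[challenge]
        self._consumed.add(challenge)
        secret = self._secrets.get(user_id)
        if secret is None or response is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def static_password_demo():
    """Static password: a credential captured once stays valid on every later logon."""
    stored = {"alice": hashlib.sha256(b"Summer2001").hexdigest()}  # constructed sample
    captured = b"Summer2001"                                        # seen over a shoulder
    first_use = hashlib.sha256(captured).hexdigest() == stored["alice"]
    second_use = hashlib.sha256(captured).hexdigest() == stored["alice"]
    return first_use, second_use


def two_factor_demo():
    """Returns (legit_ok, replay_ok, wrong_pin_refused, forgery_ok)."""
    secret = secrets.token_bytes(32)
    token = Token(secret, pin="4711")
    server = AuthServer()
    server.enroll("alice", secret)

    # 1. Right PIN and right token: accepted.
    c1 = server.challenge("alice")
    r1 = token.respond("4711", c1)
    legit_ok = server.verify("alice", c1, r1)

    # 2. The same (challenge, response) pair presented again: rejected.
    replay_ok = server.verify("alice", c1, r1)

    # 3. Token in hand but wrong PIN: the token produces nothing.
    c2 = server.challenge("alice")
    wrong_pin_refused = token.respond("0000", c2) is None

    # 4. PIN known but no token: a response computed with a guessed key fails.
    c3 = server.challenge("alice")
    forged = hmac.new(b"not the token secret", c3, hashlib.sha256).digest()
    forgery_ok = server.verify("alice", c3, forged)

    return legit_ok, replay_ok, wrong_pin_refused, forgery_ok


if __name__ == "__main__":
    print("static password, first then second use:", static_password_demo())
    print("two-factor (legit, replay, wrong PIN refused, forgery):", two_factor_demo())
```

The server consumes a challenge the moment it is checked, so a sniffed response is worthless afterwards, and the token refuses to compute anything without the PIN, so possession alone is not enough. A production server would additionally expire outstanding challenges after a short time and bound the set of consumed ones; both are left out here to keep the two factors visible.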

CHART: Comparison of common SUA methods (the table appears at the end of the article):

Comments:

Tokens are the most portable solution for strong user authentication. They work unconnected and may be used across any media. Smart cards have quite good portability for the smart card itself, but they are limited by the need for a smart card reader and client software residing on a PC. PKI (Public Key Infrastructure) offers poor portability for pure software implementations. It's improved when the certificate is hosted in a removable device like a smart card, but then you get the other limitations associated with smart cards. PKI also requires the use of applications that have been programmed for PKI, while the other two may be used as a replacement for static passwords.

The cost of ownership for tokens depends mostly on hardware reliability, purchase options, and PIN management features. These factors vary dramatically from one manufacturer to another. Smart cards suffer from the cost of smart card readers, and their relative fragility when used intensively for login. PKI costs vary depending on the type of certificates used: using a company's own CA to build certificates cannot be compared to buying certificates from a public CA.

Manageability and deployment are the biggest weaknesses of PKI authentication, because it requires the use of PKI infrastructure management software and PKI-enabled applications.

How authentication methods are evolving/converging

A real challenge for any authentication method is user acceptance. This is the key to a successful security implementation, because if the authentication method creates too many constraints, or prevents users from working because of a lack of reliability, then it will be rejected. Legitimate users know who they are, and consider that this supposedly "intelligent" workstation should be secure by itself and be smart enough to distinguish hackers from regular users.

The best authentication method should make use of a property that a user considers as an extension of him/herself and would never share or give away. This is what biometrics tries to achieve, but other methods can provide similar success without the limitations of biometrics.

For instance, VASCO has found that having tokens personalized with user-chosen colors or logos reinforces the feeling of ownership a user may have compared to using a standard neutral model. And letting users choose their own PIN that no one else knows, as well as change it whenever they like, gives users the feeling that the token is theirs and not the same as any other. This also helps to prevent the PIN from being written down, since users are free to use their own general PIN, which people protect much more strongly than passwords.

Another path to explore to gain user acceptance is to adapt the SUA method to the user's environment. Users are now equipped with mobile phones or PDAs, and it's obvious that these intelligent devices are perfect targets to include strong user authentication capabilities.

Some applications of SUA

Strong user authentication usage is recommended with any remote access, since users cannot be physically controlled before accessing an information system. Another is any use of a public network, like the Internet, or when open ports exist, as with dialup connections. Online banking is one of the most demanding applications for strong authentication, but new and emerging activities like online auctions or online gambling now move to this technology.

Even for internal corporate use, strong authentication is often used to protect usage of "power" accounts, like security officers, decision makers, or systems programmers.

Conclusion

In fact, as soon as an authorisation system exists and an organisation has spent substantial time and money to implement user-based policies, entitlements or delegation, then this organisation should consider using strong user authentication. If not, the risk of improper use of a user's identity, and thus of this user's rights, is very high and would make the entire system useless.
Comparison of common SUA methods

Criteria                     Tokens        Smart Cards    PKI Authority
Portability                  high          medium         low
Cost of ownership            low to high   high           low to high
Manageability                medium        medium         low
Scalability                  medium        low            medium
Ease of use and deployment   high          medium         low


Mr Daniel Mouly is VASCO's Chief Technology Officer.
COPYRIGHT 2001 A.P. Publications Ltd.
Copyright 2001, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Author:Mouly, Daniel
Publication:Database and Network Journal
Date:Apr 1, 2001
Words:1646