The Security Issue
While firewalls and ID/VA solutions are important components of a comprehensive security infrastructure, that infrastructure is not complete without policies and mechanisms for authentication and authorization, or what the industry terms “access control”. A firewall that prohibits unauthorized perimeter access to the intranet is, in effect, an access control point. However, because the firewall looks only at traffic characteristics, it does nothing in the authentication arena. With the advent of the Internet, companies are increasing rather than decreasing access to information assets. Consequently, validating who is actually accessing your offerings becomes more and more critical.
In fact, the threat from the inside rivals that from external sources. Those who venture into VPN technology, for example, now face an even higher risk than those who do not. The predominant reason is that the false sense of security that accompanies encrypting your traffic across the Internet leads one to become comfortable exposing valuable assets on this public venue, assets you would never otherwise consider exposing. Hence a breach of security (basically a slip of a password) that would normally be a minor issue becomes a company event, because the assets compromised are of a critical nature.
Nothing illustrates this better than the recent annual Computer Crime and Security survey conducted by the Computer Security Institute (CSI), an association for security professionals, along with the FBI, which indicates a growing trend of security breaches within organizations.
The CSI/FBI Study: A New Perspective
Security Breach is on the Rise
Companies continue to experience a significant amount of unauthorized use of computer systems: 64% of respondents reported unauthorized use of computer systems in the last 12 months. While the number has been volatile over the past four years, we believe the trend is clear.
Origins and Source of Attacks Are Shifting
Looking at the data, we find that internal threats are declining in comparison to external ones. We consider this very interesting, particularly since it has often been stated that the potential for threats and computer abuse from someone inside an enterprise was greater than from someone external to it. Two data points from the survey demonstrate the increasing share of threats originating from the outside.
Internal threats nonetheless remain comparable to external ones. In fact, only last year did the hacker rise above the former employee as a reported source. Overall, we think these data validate our position that the threat is comparable whether it comes from an employee or a contractor, from inside or from outside your network.
Authentication: Who is Doing What From Where
Passwords
Passwords, although the most popular method, are notorious for being the weakest form of authentication: they are stolen, guessed, or shared. As security consciousness increases in this nation, we would not be surprised if legislation became the business driver for two-factor authentication.
While passwords (single-factor authentication) are and will continue to be the basis for authenticating users, we expect that over time most companies will migrate to stronger forms of authentication, i.e., two-factor authentication such as tokens, dongles, and PKI.
Two Factor Authentication
It is important to note that two-factor authentication requires two distinct forms of evidence, typically “something you have” and “something you know”. Its most widespread form is the magnetic stripe card: your ATM card (something you have) used together with your PIN (something you know). On a smaller scale, but growing in popularity, are the small hardware devices known as tokens.
Form Factors
Two-factor authentication is also beginning to appear as applets on PCs, cell phones, or PDAs. A recent IDC study indicates that approximately 20% of 982 respondents had implemented tokens prior to 1999, and a further 7.1% and 6% of respondents were implementing tokens in 1999 and 2000, respectively. Token formats vary. The most popular type is the synchronous passcode token.
These tokens work by generating a six-digit value every 60 or 30 seconds. The token works in concert with a user-created PIN to provide the two factors: the user enters the PIN together with the value currently displayed, and the server, which holds the same seed and keeps the same clock, computes the value independently and compares. The appeal is that there is no software to load on the desktop, the tokens are centrally managed from a non-intrusive server, and they are easy to use.
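The time-synchronous exchange described above, written out as an added example (this is illustrative code, not the page's or any vendor's implementation). Assumptions: the six digits are derived with HMAC-SHA1 over the 60-second window number using the construction later standardised in RFC 4226/6238, the page does not say what algorithm the products use; the seed and PIN in demo() are made up; and the server tolerates one window of clock drift each side and refuses to accept a window twice, which is what stops a passcode copied off the display from being replayed inside the same minute.

```python
import hashlib
import hmac
import struct

CODE_DIGITS = 6       # the page's six-digit display
STEP_SECONDS = 60     # the page's 60-second window (30 is also common)


def token_code(seed: bytes, now: int) -> str:
    """The six digits a time-synchronous token shows during the window containing `now`.

    Assumption: HMAC-SHA1 over the window number with dynamic truncation
    (the RFC 4226/6238 construction); the page does not name the algorithm.
    """
    window = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class TimeSyncServer:
    """Authentication server holding each user's seed record and PIN."""

    def __init__(self, drift_windows: int = 1):
        self.users = {}               # user -> (seed, pin)
        self.last_window = {}         # user -> highest window already accepted
        self.drift = drift_windows    # clock skew tolerated, in windows each side

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, pin)

    def authenticate(self, user: str, passcode: str, now: int) -> bool:
        """passcode = PIN + displayed code: something you know + something you have."""
        record = self.users.get(user)
        if record is None:
            return False
        seed, pin = record
        current = now // STEP_SECONDS
        for window in range(current - self.drift, current + self.drift + 1):
            # A window that already produced a successful login is burned, so a
            # passcode read off the display cannot be replayed within that minute.
            if window <= self.last_window.get(user, -1):
                continue
            expected = pin + token_code(seed, window * STEP_SECONDS)
            if hmac.compare_digest(expected, passcode):
                self.last_window[user] = window
                return True
        return False


def demo() -> dict:
    """Constructed walk-through with a made-up seed and PIN (not real product data)."""
    seed, pin = b"constructed-seed-not-a-real-token", "1234"
    server = TimeSyncServer()
    server.enroll("alice", seed, pin)
    t0 = 1_000_000
    code_now = token_code(seed, t0)
    return {
        "fresh_login": server.authenticate("alice", pin + code_now, t0),
        "replay_same_window": server.authenticate("alice", pin + code_now, t0 + 10),
        "wrong_pin": server.authenticate("alice", "0000" + token_code(seed, t0 + 60), t0 + 60),
        "next_window": server.authenticate("alice", pin + token_code(seed, t0 + 60), t0 + 60),
        "stale_code_5_min_later": server.authenticate("alice", pin + code_now, t0 + 300),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The last two cases are the properties the later sections rely on: a code presented outside its window is dead even though it was genuine, and the same window cannot be consumed twice. Real products add a resynchronisation procedure for drifted clocks; that is omitted here.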
Soft Tokens
Another form is the software token. Because the token's seed is embedded in the software on the device, if the device is stolen the thief also holds the second factor and can easily gain unauthorized access to the network.
Dongle
Another form factor that is emerging as a popular token is the Universal Serial Bus (USB) token. This smaller device stores a certificate or algorithm in its chip and plugs into the USB port of a PC. It is most popular among laptop users, because some deployments include encryption of the laptop's contents as part of the solution, which adds significant value. Laptops are the number one target for commercial espionage: if one wants company secrets, stealing a laptop at a convention, seminar, or even in a parking lot looks like an ordinary asset theft, so the breach does not tip off the target. A USB token with content encryption thwarts this effort, because it makes the contents of the stolen laptop useless without the token (provided, of course, that the token does not travel in the same bag as the laptop).
Biometrics: Doomed from the Start
Why haven't I mentioned biometrics? Biometrics, although a great marketing angle and nice for Hollywood, has several fatal flaws. I won't go into them in detail, but to name a few:
1) Using body parts? What do you do when there is a breach of your thumbprint, or an eye? Fire the employee because you don't want to rip out your 10,000-user infrastructure? Or perhaps re-issue a new thumb or eye?
2) Using eyes? Does your solution include your optometrist as part of the security policy?
3) No matter what the body parameter, it will be compared to a digital representation of that item. Hence what is stored digitally can be compromised digitally.
4) Downstream liability: if you think that having your customers' credit card numbers compromised on the web had legal ramifications, try a breach that compromises your customers' fingerprints. For your customers, the legal arguments are endless. Identity theft is the least of their worries: if thumbprint access is adopted ubiquitously, you may have just contributed to your customer's inability to purchase goods, apply for services, or even get a new job.
Token Authentication Methods
What is Challenge Response Authentication?
Challenge-response authentication involves matching calculations on the token and the server. In a traditional challenge-response system, the authentication server generates a random challenge that is presented to the end user. The end user keys this challenge into their token. The token encrypts the challenge with its secret key, which generates a response. At the same time, the authentication server, holding the same secret, completes the same calculation. The end user then reads the response off the token and presents it to the server, which compares it with its own result and authenticates the user. For the specific steps, please refer to Table 1, A Comparison of Authentication Methods.
Challenge-Response Advantages
• Alphanumeric Codes: Challenge-response uses numbers and letters in its calculations, whereas time-synchronous uses only numbers. A larger alphabet means more possible values per position, so guessing a challenge-response code by exhaustion is statistically harder: an attacker has to deal with all combinations of 0-9 and A-Z rather than 0-9 alone.
• Synchronization: As long as each authentication server has the token's seed record stored in its database, you do not need to worry much about server-to-server synchronization, since each server generates its own unique challenge and verifies the response against it. Note that this requires some configuration, which also makes it a possible disadvantage (see below).
Challenge-Response Disadvantages
• Poor Ease of Use: Challenge-response involves multiple steps for the end user (read the challenge, key it into the token, read the response, key that in), which increases the possibility of data entry error and failed authentications.
• Synchronization Problems: Challenge-response tokens introduce possible problems when multiple authentication servers are used, because every server must be able to generate and verify challenges for every token. The workaround is to store each token's seed value in each server's database. With time-synchronous authentication in a multiple-server environment, server synchronization is not a significant problem, because time is the dependent variable rather than a value generated at one particular server.
• Networking Protocol Support: Some networking protocols (such as XTACACS and TACACS) do not support challenge-response authentication.
Vendors Using Challenge Response Authentication
• ActivCard
• PassGo Technologies Limited
• CryptoCard
• Secure Computing Safeword
• Vasco Digipass 300 & 500
What is Event Synchronous Authentication?
Event-synchronous authentication improves on the ease-of-use difficulties associated with challenge-response, but exposes serious security issues.
An event-synchronous token functions in challenge-response mode ONLY the first time it is used. During the token's initial use, the authentication server's challenge is stored in the memory of the token and in the memory of the authentication server. For all future authentications, the user does not have to wait for a challenge from the server; instead the token automatically calculates its next response from that stored initial value and its count of how many responses it has already produced. The server conducts the identical calculation so that the codes match and authentication succeeds. In this manner, event-synchronous makes it easier for users to authenticate, since they do not have to wait for the server's challenge to generate a response. For the specific steps, please refer to Table 1, A Comparison of Authentication Methods.
Event Synchronous Advantages
• Ease of Use: Event-synchronous tokens are easier to use than challenge-response because users do not have to wait for the server's challenge to authenticate. This removes some of the steps associated with challenge-response authentication.
Event-Synchronous Disadvantages
Event-synchronous authentication reduces the steps associated with a traditional challenge-response exchange. This improves ease of use but introduces some potentially serious security problems, which make event-synchronous the least secure of the methods discussed here. Here's why.
Event-synchronous authentication circumvents the traditional challenge-response design by making the “challenge” a known (rather than random and spontaneous) factor.
• Timeliness. Challenge-response tokens, in their classical use, are as time-dependent as an RSA SecurID. Because they need the random challenge from the server, they cannot pre-calculate the response (and the server can require that the response be given within some finite period of time). The event-synchronous token is no longer so constrained: valid event-synchronous passcodes can be pre-calculated. Unlike challenge-response challenges, which are random, event-synchronous codes are not random but follow a sequence, and a sequence can be attacked.
• No Physical Proof. Unlike a classical challenge-response exchange, an event-synchronous countdown cannot be taken as proof that the user has the physical token in hand, since one (or many) “responses” can be pre-calculated in succession (by the user or someone else) and written down or shared. For example, a user can generate five responses by pressing the button on the token five times, write them on a piece of paper, and authenticate successfully Monday through Friday without ever having physical possession of the token!
• No True Two-Factor Authentication. The “strong” evidence of authentication is reduced to a piece of information that can be memorized, written down, or passed along; “something you have” has collapsed into “something you know”.
• Weak Audit Evidence and Accountability. Because of the second point, an event-synchronous token merely becomes a piece of salesmanship and theatre, with none of the traditional audit-assurance that a physical token offers. The integrity of the audit and/or authentication mechanism is no longer self-policing in the way a classical challenge response or time synchronous token is.
• Illicit Access. With or without the cooperation or corruption of the token's legitimate user, illicit access to an event-synch token allows anyone to obtain a valid access code (i.e. a future event-synch “response”, or a series of future responses, all valid if used in sequence). An irresponsible user, for his own purposes, can always share future event-synch passcodes with fellow workers, subordinates, partners, or co-conspirators, and they can all use them to gain access, from wherever, with no requirement that they physically hold the event-synch token.
Vendors Using Event Synchronous Authentication
• ActivCard X9.9, Plus, and One Tokens
• PassGo Technologies Limited
• CryptoCard
• Secure Computing Safeword
• Vasco Digipass
Two Factor Authentication Market
IDC estimates that the overall token market will reach approximately $1.5 billion by 2004, up from $150 million in 1999.
The lion's share of this activity will be in the small to mid-size company market. For years, the only participants that considered, or could even afford, token technology were the business behemoths; today, however, with security consciousness at an all-time high, we find that mid-range companies are gaining a new appreciation of this technology. What was formerly termed “an insurance policy” has now become a “utility”. Suppliers are no longer challenged with selling the significance or value of their solution, only its effectiveness.
Summary
Everyone agrees that a good security policy includes a firm position on authentication. However, remember why you are using authentication: it is not just an administrative obstacle to overcome, but a vehicle to confirm that the people accessing your valued assets are in fact who they say they are.
Passwords are the favoured authentication method. The good news is that for the owner, passwords are cheap and easy. The bad news is that for the attacker, passwords are cheap and easy too. As far as biometrics is concerned, forget it: never use anything static, least of all a body part, as your authentication ID. A dynamic password is preferable; this way even the user does not know his password until he needs it. For simplicity, flexibility, replaceability, and security, two-factor authentication is your ticket.
The Internet's charter is clear: assets are offered so that people can access them, and security will begin and end with these people. It makes sense that security's charter be equally clear. In any comprehensive security solution, there must be a mechanism that ensures the identities of your people are not compromised.