Guaranteed Genuine Users
by Stephen Cobb and David Brussin
(Originally appeared in Security Advisor, Summer, 2000)
In this article we consider emerging standards for authentication, the relative merits of different authentication technologies, and the relationship between authentication and the vital e-commerce ingredient known as location transparency.
The Authentication Factor
Today’s consumers know the drill by heart. To get what we want we have to prove who we are. We sign for packages and credit card charges. We enter our personal identification number to get cash from our accounts. We present photo ID at airline check-in counters. We sign in to our online bank account with user name and password. These are just a few of the many instances of authentication that we encounter in our daily lives.
In many ways, authentication is the cornerstone of commerce, so it is somewhat ironic that personal computers, the cornerstone of electronic commerce, are still not doing a very good job when it comes to authentication. In previous columns we have discussed some of the technical specifications behind attempts to achieve secure transactions through reliable authentication, such as X.509 Digital Certificates and Transport Layer Security (the successor to Secure Sockets Layer). But the mere availability of security technology does little to create secure systems. Furthermore, some attempts to provide security for web transactions impose serious limitations on the realization of a major web benefit: location transparency -- the ability to access web services, such as online banking, via any web-enabled device, whether it is the computer in my office, the computer in your office, or a web kiosk in an airport.
To understand the problems with the current situation, consider what happens during a typical ecommerce transaction today, such as looking up a bank account balance, making an online purchase, or placing a stock trade. The web server (for example, the fictional stocks&bonds.com) asks the web client (for example, the customer of Stock & Bonds, Inc.) for a user name and password. If these two items of information are supplied, access is granted and trades can be executed. This is known as single factor authentication. It only uses one of the three possible factors, something you know (the other factors being something you have and something you are -- see sidebar).
This type of authentication, currently relied upon by everyone from Ameritrade to Yahoo, is also referred to as weak authentication, because it is relatively insecure. When security relies on something known, anyone sitting at any computer anywhere can pretend to be me, as long as they know that something. Anyone who supplies my user name and password to stocks&bonds.com is me, at least in the eyes of my online broker. When you bear in mind that some commercial sites use social security numbers as user names, with passwords as trivial as 4 digits, then you can see that the potential for compromise is significant (getting someone’s social security number is hardly rocket science).
At this point you might ask, “What about encryption, isn’t that supposed to provide stronger security?” Well, encryption has the potential to provide robust “things you know,” such as complex strings that are well protected or hard to guess. Traditional encryption can also guard the exchange of data between user and host, preventing anyone who intercepts the data from either reading it or altering it, unless they also intercept the key that is used to encrypt and decrypt the data. But that still leaves two problems: the need to convey the key securely, and the need to verify the recipient of the key.
Unfortunately, traditional or symmetric encryption, where the same key is used for encryption and decryption, is susceptible to several types of attack. In addition to brute force, in which decryption is attempted with every possible key until the right key is found, there are replay and hijacking attacks. In a replay attack, the attacker captures input from a legitimate user and later replays it to the system to impersonate or spoof the identity of the legitimate user. A hijack attack is when the attacker inserts herself between the legitimate user and the part of the system that performs the authentication.
Does PKI = Strong Authentication?
Public key encryption, which uses two keys, one of which may be made public, is a way to address the key exchange and key management problems associated with traditional encryption (given that N public keys for N users is much better than N(N-1) shared keys for N users). Also, the hierarchical trust model developed for public key encryption, based on signing operations by trusted Certificate Authorities who verify the identity of key holders, makes key exchange much easier. Compromise of key material in transit is not an issue since only public keys are exchanged, and integrity of key material in transit is guaranteed by trusted signatures.
Unfortunately, Public Key Infrastructure, or PKI, the technology which supports this type of encryption, is not equal to strong authentication. PKI only provides a mechanism for performing the authentication, and then goes on to facilitate addressing security requirements after authentication. In order to use this mechanism, each client must have a public/private key pair, and have trusted public keys from the root Certificate Authority. In order to authenticate herself to a remote host, the client must present some non-repudiable hijack/replay resistant information to the host. In a textbook system, this might consist of returning a unique challenge, generated by the remote host and encrypted using its own public key, after signing with the client's private key. Providing that private key is where the three “factors” come back into the picture. Only if the user has an incredible memory, able to remember all 1024, 2048, 4096 or more bits of the private key, would this type of authentication be based on something the user knows. For those of us with lesser mental powers, the private key becomes something we possess and present at the time of authentication. It also becomes something that has to be stored somewhere, which creates additional security issues.
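The replay attack and the unique-challenge exchange described above, as an added example that is not code from the original article: the host issues a fresh single-use challenge, and a captured response is rejected both when resent and when offered against a later challenge. HMAC over a shared secret stands in here for the private-key signature so that the example runs on the Python standard library alone; the names Authenticator, respond, CHALLENGE_TTL and the user "alice" are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed policy value)


class Authenticator:
    """Host side: issues single-use challenges and verifies responses."""

    def __init__(self, user_keys):
        self._keys = user_keys      # user -> secret bytes (constructed sample data)
        self._pending = {}          # user -> (challenge, expiry time)

    def issue_challenge(self, user, now=None):
        now = time.time() if now is None else now
        challenge = secrets.token_bytes(32)   # unpredictable, never reused
        self._pending[user] = (challenge, now + CHALLENGE_TTL)
        return challenge

    def verify(self, user, response, now=None):
        now = time.time() if now is None else now
        # pop() consumes the challenge, so a response is accepted at most once
        challenge, expiry = self._pending.pop(user, (None, 0.0))
        if challenge is None or now > expiry or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def respond(key, challenge):
    """Client or token side: only this keyed response crosses the wire."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo():
    key = secrets.token_bytes(32)
    server = Authenticator({"alice": key})
    c1 = server.issue_challenge("alice", now=1000.0)
    r1 = respond(key, c1)                       # what an eavesdropper could capture
    first = server.verify("alice", r1, now=1001.0)
    replay_same = server.verify("alice", r1, now=1002.0)   # challenge already consumed
    server.issue_challenge("alice", now=1003.0)
    replay_new = server.verify("alice", r1, now=1004.0)    # old response, fresh challenge
    c3 = server.issue_challenge("alice", now=2000.0)
    expired = server.verify("alice", respond(key, c3), now=2000.0 + CHALLENGE_TTL + 1)
    return first, replay_same, replay_new, expired


if __name__ == "__main__":
    print(demo())
```

A static user name and password has no equivalent of the consumed challenge, which is why a captured copy of it keeps working until the password is changed.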
Client-stored Keys
So what are the key storage options? Anyone who has used PGP or experimented with digital certificates from places like Verisign.com or Thawte.com knows that the private key can be stored on the PC (in the case of PGP, this is where the key is created). The main advantage is simplicity, with nothing required of the user, other than possibly a password (see next paragraph). But the disadvantages are significant.
First, there is little or no protection of the private key or certificate. In other words, anyone who sits down at my computer has a chance at being me, which is not a big improvement over the weak authentication we described earlier at stocks&bonds.com (this vulnerability would not be so worrying if PC users had not collectively turned their backs on the physical PC key, introduced on the IBM PC AT back in 1984 -- until “locking your computer” is as normal as locking your car, client workstations are not going to be a safe place to store things).
The normal PC client protects private keys from an unauthorized user or interloper by encrypting them with something you know, a password or phrase, in other words, single factor authentication. Transactions authenticated by the key can either be single factor, the mere presence of the key, or two-factor, the key plus passphrase. But the ability of the key to resist compromise is reduced to a single factor. The tendency of users to write down passwords, or store them in plain text, taken together with the now legendary vulnerability of client software, does not inspire confidence in the client-stored private key. Indeed, you could argue that stocks&bonds.com is taking a serious risk if it decides to rely on a client-based private key for authentication, given that, as authenticator, it has little to no control over the security posture or configuration of the client machine.
Second, this type of key storage is location dependent, whereas one of the biggest selling points of web-based ecommerce is location transparency (the ability to access data and services from anywhere the web can be accessed, on the road, from your phone, in your car, and so on). If the key or certificate is on your PC at home, it is not on your laptop or your cell phone. You can duplicate the key, but not only does this raise additional security concerns, the access to services or data which that key provides is still only available from those locations to which you have copied your key.
Networked Key Storage
You could address the issue of location transparency by storing the key on one or more networked systems, then recomposing and transmitting the key to the “active” workstation upon authentication. Attackers may be limited in their use of brute force attacks (guessing the password that protects the key) by the security configuration of networked systems. But this still leaves authentication as strictly single factor, and still leaves trust of client authentication dependent upon a security posture that is not under the authenticator’s control (unless the authentication is merely within a single known and trusted network).
Token-stored Keys
A more promising option is to store the key on a tamper-resistant token which can be inserted into, and read by, a wide range of web client machines. This has three obvious benefits. First, the security of the key is no longer provided by, or dependent upon, the security of the web client, the control and verification of which is clearly problematic. Second, an additional authentication factor, something you have, has been added to the security equation. In fact, the implementation of the token can either be single factor -- the token alone, or two factor -- the token plus something known, such as a UserID, PIN, or password (you could even extend this to three factors if a biometric was added, such as a fingerprint stored on the token and verified by a reader on the token itself).
An important third benefit of the token is location transparency. If readers for the token are widely deployed, any reader-equipped device can authenticate the bearer of the token. A web site can authenticate you to a relatively high level of certainty even though you are using someone else’s computer. If the token is crypto-capable, able to perform some cryptographic functions and protect its contents with encryption, the level of assurance is further increased, while the burden on the client/reader is reduced. There have been commercial product offerings in this area for some time, including PCMCIA cards, smart cards, and various devices with proprietary form factors and readers. A newer category is USB-based tokens, which require no readers, just an available USB-port.
Conclusions
Clearly, there are different cost, strength, and functionality factors associated with each of the three different approaches to key storage. When your organization is considering the question of how much security is enough, it is necessary to weigh the value of assets against the cost of mitigating risks to those assets. This is true with respect to everything from physical access to your office building to authentication of user access to your systems.
A vital part of this process is something we refer to as a Standard of Due Care. Typically, this is a document which presents a considered valuation of assets, current and anticipated threat levels with respect to those assets, and the appropriate amounts of protection and risk mitigation, based on the organization’s stated level of risk tolerance (given the risks inherent in any information system, with respect to compromise of confidentiality, theft of intellectual property, lack of availability, and loss of productivity, there should be, ideally, a Standard of Due Care for each system).
Risk tolerance is determined by a variety of factors, which include regulatory requirements, legal obligations, corporate culture and public sentiment. For example, it is clearly relevant that 85% of online users in a recent poll said the privacy of information transmitted online was the most important issue on the Internet (@plan Internet Poll, March, 2000). Risk tolerance, and the level of risk mitigation which is necessary to meet legal obligations, such as liability avoidance, are also impacted by developments in technology. Note that we say developments, not adoption. Historically, the availability of mitigating technology, rather than its deployment, has been held as the key factor in determining whether or not an organization has taken “all reasonable measures” to safeguard its assets. This should be the same as, but is sometimes quite different from, doing only “as much as everyone else does.”
When it comes to authentication, current practices clearly lag behind desirable best practices and the available technology. Too many systems still rely on passwords and it shows in the statistics. Seven out of ten respondents to this year’s Computer Crime and Security Survey, conducted by the Computer Security Institute, which primarily canvasses large corporations and government agencies, said they had detected security breaches classified as serious (such as theft of proprietary information, financial fraud, system penetration from outsiders, denial of service attacks and sabotage of data or networks). Almost all respondents, nine out of ten, said they had suffered breaches of some kind when that term was expanded to include such things as computer viruses, laptop theft, and employee abuse of Internet access.
February’s rash of distributed denial of service attacks against high profile web sites, executed from poorly protected Internet-connected systems, is just one indication that the current state of affairs is unacceptable. The next time this type of attack occurs, look for victims to seek damages from organizations whose systems were used as attack platforms. How much will those damages be? A commercial web site can easily lose $100,000 per hour of down time. The 273 respondents who revealed the amount of their computer security-related losses to CSI reported a total of $265,589,940 -- almost $100,000 per respondent over a 12 month period. Until a relevant case goes to the jury, we probably won’t get a good sense of how expensive a loss of privacy due to a reasonably preventable security violation can be. But you can bet that if financial institutions are sued by customers who have lost money due to online security breaches, the disclaimers currently used by such companies will probably do little to protect them from either the jury or the court of public opinion.
We see three implications here for the standard of authentication which organizations should be adopting today: If you have not yet upgraded from passwords to digital certificates for authentication on mission critical systems, you should. If you have started using digital certificates but have not yet moved them off the client or the network to some sort of token, you should. And if you have not classified your ecommerce systems as mission critical, you should.
Sidebar: Three Factors for Authentication
1. Something you know -- a piece of information that you alone hold, like a PIN.
Strengths: something you know can be difficult to steal for an attacker unwilling to do physical harm.
Weaknesses: humans have trouble choosing and remembering arbitrary, unguessable secrets. There is very little entropy in human language, dramatically reducing the keyspace of any password or passphrase, and increasing the chances of successful bruteforce attack. Most humans will choose secrets that can be 'dictionary attacked' or 'social engineered,' such as words or common phrases in human language or data of personal importance. For very intense environments (military secrets, etc.) the human is vulnerable to such key-stealing techniques as torture and mind-altering drugs. Also, some systems are weak in that they don't protect the conveyance of the 'secret' during system use. For example, many cipher locks require a user to enter a PIN in full view of other individuals. Even typing on a keyboard can be intercepted, including by non-technical means such as binoculars. Finally, when 'something you know' is stolen in this way, the user is completely unaware that their secret has been stolen. The same is true of theft via compromised equipment, such as a fake ATM or Trojanized client workstation.
2. Something you have -- a physical device that you alone possess, like a door key.
Strengths: can be difficult to steal when handled properly by users. Theft can be detected. Physical devices can have virtually limitless keyspace and entropy when compared to human-stored data. Physical devices are not prone to theft in the course of use (as PINs could be observed by 'shoulder surfers'). Physical devices can be made tamper resistant through less expensive and more reliable means than those necessary for making the human mind 'tamper resistant.' They can also be resistant to compromise of equipment, since 'one time' passwords or encrypted/signed responses are all that is transmitted to workstations.
Weaknesses: physical devices, once in the hands of an attacker, can be attacked in a variety of ways. Unlike the human mind, which has its own weaknesses but is complex enough to present a unique challenge to each attacker, the physical key as a product of the human mind can be attacked successfully as technology advances. Good examples of this weakness are the use of x-rays to introduce single bit errors in 'tamper proof' physical keys, or the use of power consumption analysis to determine what operations a 'tamper proof' crypto processor is engaged in.
3. Something you are -- a physical characteristic that is unique to you, like a fingerprint.
Strengths: Very unique information. Very difficult to brute force when represented and collected properly. No physical devices for humans to control, no secrets to remember.
Weaknesses: Dependent on sampling technology for anti-replay protection, for example infrared sampling to ensure that the finger, hand or eye being scanned is alive and still part of the body of the person seeking authentication. Dependent on sampling and representation technology to ensure that sufficient entropy is represented in sample to protect against brute force. Vulnerable to compromise of equipment, since biometrics can be 'stolen' and 'stolen' representations of biometrics can be introduced 'on the wire.'