WhiteHelm End to End Network Security
Strong Authentication

Authentication?

To explain strong authentication, forget about computers for a moment. From the beginning of time there have been three ways to "authenticate" people.

  • The first way is to identify who they are. In other words, from a thumbprint to a retina scan, people can verify that they are who they say they are.
  • The second way to authenticate people is by what they have. In the early days that might have been the other piece of a broken pendant; today it might be a token or smart card.
  • The third way to identify people is by what they know. In the banking world it may mean a personal identification number (PIN), and in the computer world it usually means a password.

What strong authentication does is employ more than one of these ways to identify users. Strong authentication can use tokens or smart cards together with a PIN to create a one-time-use password. Individuals never even know their own password, because it changes every time they log in; all they need to remember is their PIN. The advantage of using a PIN is that many users will choose the same one they use for their ATM card, almost ensuring that they will never forget it or lose it.

"This increases security on a network because it forces someone to not only know a PIN, but to have something like a token or a smart card."

Authenticate (v.): To prove or establish as being genuine.
From ancient Roman times, asset protection has been a common theme in society, for military, personal or economic reasons. Authentication is the concept that governs the use of those resources, be they weapons, bank accounts or trade secrets. Today, companies have many reasons for protecting assets, from legal requirements to guarding shareholder assets and value. Authentication cannot exist in a vacuum; it must be part of a security framework. One such model is called the security pyramid:

[Figure: the security pyramid]

This model shows the building blocks necessary to create a secure environment. At the bottom are policies and procedures, which set security management standards and practices. Next, strong user authentication controls access and provides non-repudiation. Authorization grants access to the proper people. Encryption protects data confidentiality, and audit confirms that the process is effective.

If one of the lower layers of the pyramid is not attained, the successive steps cannot be achieved. For example, if your company does not have a policy and procedure for authorizing users for computer access, the control procedures for authorizing users will not work evenly across all areas, and the lack of standards will make audit hard or impossible. There are four security control objectives that address the security framework.

  • Authentication - To prove identity and allow access to assets.
  • Integrity - To ensure that data is changed only by an authorized person.
  • Confidentiality - To restrict data access to the people authorized to see it.
  • Non-repudiation - To conclusively trace an action to an individual.

Specifically, user authentication can be achieved by three methods.

  • Something you have - This can include a key to a door or a token.
  • Something you know - Passwords fall into this category.
  • Something you are - This area includes biometric authentication such as fingerprints, voiceprints or retinal scans.

Each of the three methods alone has problems. "Something you have" can be stolen. "Something you know" can be guessed, learned, shared or obtained by other means. "Something you are" is the strongest, but is generally the most costly and is still vulnerable to forgery. Because of these single-factor authentication problems, the next step is to combine two methods, which is two-factor authentication.

For example, automated teller machines (ATMs) use a combination of a plastic card (something you have) and a four-digit PIN (something you know). Any one type of authentication may authorize access, but using two types moves towards the control concept of non-repudiation. Not only can you prove your identity to gain access to a resource, but you also cannot deny having accessed the resource at a later time.

a) Passwords
Passwords are the most common type of computer system authentication. Most multi-user systems in the past relied on password authentication to control access to processor time and to segregate users for charge-back. Today, the main use of passwords is for access control to data. There are two types of passwords:

  • Reusable - a string of letters and numbers used many times for system access.
  • One-time - a string of letters and numbers used for system access and always changing.

Almost all flavours of UNIX, Windows NT and other operating systems ship with a reusable password mechanism by default. Depending on the value being protected, a reusable password may be adequate. However, as technology has progressed, reusable passwords have become weak, and attacks have been built against one-time passwords as well.

b) Password Weakness
Each type of password has unique problems to address. Reusable passwords have reached the end of their life cycle for critical business uses, and one-time passwords need additional controls to remain effective. Reusable passwords are vulnerable to many attacks, including keystroke monitoring, social engineering, brute force attacks and network monitoring.

c) Keystroke Monitoring
Keystroke monitoring can be done in a few ways. One is to run a program that records the keys pressed on a keyboard and stores the results in a file for later inspection. Even though the password is not echoed to the screen, the echo is not needed for this attack to succeed. A more difficult, yet possible, attack is to monitor the emissions from the screen. This attack is used when physical access to the computer is not possible.

d) Social Engineering
Social engineering is manipulating people for information. This includes an attacker posing as a member of a firm's help desk, calling an executive's assistant and asking for their (or the executive's) password in order to "fix a computer problem". This category also includes "shoulder surfing", which is just as it sounds: a person casually watches another person's fingers as they enter their password, stealing the letters and numbers.

e) Brute Force Attacks
Brute force attacks fall into two categories: internal or external. Internal means a user accesses a system in an authorized or unauthorized fashion. Once the user gains access to a command prompt, he can copy the encrypted passwords and run a "crack" program to guess the passwords. The "crack" program takes a text file of words and uses the same encryption algorithm as the operating system to encrypt each word in the text file. The program then compares the encrypted words from the dictionary to the ones copied from the system, and when they match, the password is known. This method is so old that the "crack" program used for UNIX systems is up to version five! Newer is the L0phtCrack program, which performs the same process for Windows NT. An external brute force attack is slower, but still possible: manually or using a tool, you guess passwords one at a time until you are able to gain access.
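The defensive counterpart to the dictionary comparison described above, as an added example that is not part of the original page: refuse dictionary words at enrolment, and store passwords as salted, iterated hashes so that each guess against a copied password file costs the attacker as much work as it costs the system. The word list and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed word list standing in for the dictionary file a crack
# program reads; a real deployment would load a large list from disk.
WORDLIST = {"password", "welcome", "secret", "letmein", "summer"}

ITERATIONS = 100_000  # work factor per guess; raise it as hardware gets faster


def is_dictionary_word(password: str) -> bool:
    """Proactive check at enrolment: refuse what a word-list comparison would find.

    The trivial variations a crack program also tries (case, trailing digits)
    are normalised away before the lookup, so "Welcome2" is caught as "welcome".
    """
    base = password.lower().rstrip("0123456789")
    return base in WORDLIST


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted, iterated hash rather than a bare one-way hash.

    A per-user random salt means one precomputed dictionary cannot be matched
    against every account at once; the iteration count makes each guess the
    attacker makes as slow as the check we make ourselves.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def set_password(password: str) -> Optional[str]:
    """Enrolment: reject dictionary words, otherwise return the record to store."""
    if is_dictionary_word(password):
        return None
    return hash_password(password)
```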

f) Network Monitoring
Network monitoring (also known as "sniffing") is the most critical concern with reusable passwords. Most networks today are Ethernet based. On Ethernet networks, all messages sent from one machine to another are read by all systems on the network, but only processed by the intended recipient. However, the network card of any computer on the network can be put into "promiscuous mode", where it reads and logs all messages that reach the computer. Utilities to perform this include the Sniffer from Network General and the Network Monitor recently released by Microsoft as part of the SMS package.

Using these tools, any user on the network can record all the traffic to automatically collect the network passwords. Once collected, they can be used for unauthorized access. One example of this was a penetration exercise Coopers & Lybrand did for a client. Our goal was to see what an outsider could access by using the phone in the conference room. We were able to connect and monitor the network for a fifteen minute period. When done, we had collected ten user passwords to internal systems, including one administrative password! Monitoring can be done by any user on an Ethernet network with Windows NT 4.0 and the SMS Network Monitoring tool. The cost of this attack has gone from thousands for a custom hardware and software device to almost nothing for an illegal copy of the software. This is the main reason why reusable passwords have reached the end of their life-cycle.

One-time passwords are a variation of the standard reusable password. The difference, as the name suggests, is that a different code (a set of letters and/or numbers) is used each time the user attempts to access data. This is accomplished either by generating a list of passwords which are used successively, or by using a token with a number that regularly changes in step with a process on the server. While one-time passwords are not vulnerable to the above attacks, they do have weaknesses, which take much more skill to exploit. These include man-in-the-middle attacks and race attacks.

g) Man-In-The-Middle
A man-in-the-middle attack is just as it sounds. An attacker places a computer between the user and the system using a one-time password. In some way, the attacker must capture the packets as they pass over the wire, resending them as his own. The attacker needs control over the network and a high degree of skill to perform this attack.

h) Race
In a race attack, an attacker monitors the numbers and letters as they pass over the network. But, just before the last digit, the attacker sends ten login requests to beat the real user and try all the remaining combinations in an attempt to take over the login process. This attack can only be used with certain protocols, as some systems do not pass data byte-by-byte. Again, this attack demands a good deal of luck, time and skill to exploit.

In response to this problem, security vendors have taken measures to compensate by using encryption or by putting logic into their products to address and defend against these types of attacks. Still, a one-time password is one-factor authentication, and is not considered strong user authentication.

What is strong authentication?

We define strong user authentication as using two or more of the above methods. For example, "something you know" and "something you have" can be a token response card and a PIN. This method is resistant to all the reusable and most one-time password attacks. Therefore, it can be a method of non-repudiation.
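An added example, not code from the original page, showing the server side of the two-factor scheme described here and the time-synchronised token described under one-time passwords: the token and the server derive the same changing number from a shared secret, the PIN is checked alongside it, and a code is accepted only once so that a number captured off the wire cannot be replayed. The 30-second step, one-step drift window, six-digit code and five-attempt lockout are assumed parameters, and the account record is constructed for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30    # how often the number shown on the token changes
WINDOW = 1           # steps of clock drift tolerated either side of "now"
CODE_DIGITS = 6
MAX_FAILURES = 5     # lock the account after this many bad attempts


def token_code(secret: bytes, counter: int) -> str:
    """Number the token displays for one time step: HMAC over the step counter,
    truncated to six digits (the HOTP/TOTP construction)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Account:
    """Server-side record: the PIN (something you know) and token secret (something you have)."""

    def __init__(self, pin: str, secret: bytes):
        # Hashed PIN; a real store would salt and iterate as for any password.
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.secret = secret
        self.last_counter = -1   # newest time step already accepted
        self.failures = 0


def verify_login(acct: Account, pin: str, code: str, now: Optional[float] = None) -> bool:
    """Both factors must check out, and a code is accepted only once."""
    if acct.failures >= MAX_FAILURES:
        return False
    now = time.time() if now is None else now
    # Factor 1, something you know: constant-time PIN comparison.
    pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), acct.pin_hash)
    # Factor 2, something you have: find the step within the drift window that produced the code.
    current = int(now // STEP_SECONDS)
    matched = None
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if hmac.compare_digest(token_code(acct.secret, counter).encode(), code.encode()):
            matched = counter
    # Replay defence: a step at or before the last accepted one is refused even if the
    # code is right, so a number captured off the wire cannot be reused.
    if not pin_ok or matched is None or matched <= acct.last_counter:
        acct.failures += 1
        return False
    acct.failures = 0
    acct.last_counter = matched
    return True
```

Both factors are always evaluated before the decision, so a failed attempt does not reveal which of the two was wrong.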

There are many types of strong user authentication in use today. These include token response cards and biometric authentication, combined with passwords. These solutions can give a great deal of comfort, but the costs must be considered.

Why is strong user authentication needed?

Authentication usually consists of "something you know". We have shown those methods to be vulnerable to attack. Many vendors will argue that password protection alone is adequate to authenticate users. As shown, some of the attacks (especially those on reusable passwords) can occur at little to no cost and without detection. If there is no way to determine that a password has been compromised, it is tough to determine the true security of your data. This is the reason to use a strong user authentication process to protect the data and systems.

The need for strong user authentication has many parts and benefits. Strong user authentication is one of the building blocks of a security methodology. It also forces user accountability. Finally, it plays a role in the fiduciary responsibilities of many organizations. The benefits vary from liability protection to audit comfort.

a) Security Methodology
In building a security design, one layer rests on another. The "security pyramid" must rest on a base of policies and procedures. Next, user authentication is a critical building block for the entire pyramid. Without the underlying assumption of strong user authentication, the remaining layers of authorization, use of encryption and audit become invalid. With strong user authentication, you know that the user is authorized, that confidentiality is maintained (with encryption) by passing the information to the proper user, and that the audit trail is keeping track of the actions of the one known person.

b) User Accountability
User accountability has two sides. One view is that companies will know which user performed which action. The other is the user's perspective. Strong authentication can cause two results. First, the user would need to go to greater lengths to share access with another user, such as handing over a SecurID token and the associated PIN.

The side effect of this action is that the original user is not able to access the system while the other person is using the strong user authentication method. Second, while a password can be captured in transit, giving the user deniability, strong user authentication forces the user to be responsible for the actions of anyone using the card and PIN. Even if they did not perform the action, it can be proven that the individual was the guardian of the method, hopefully making them very reluctant to share it. There is no perfect scheme, but this is one way to make a clear statement to users about their level of accountability for the data they are allowed to access.

One example of this method's strength is shown daily in the use of automated teller machines (ATMs). People, like companies, need to protect their data. Their data (the bank account) is protected by a strong user authentication method: a bank card and a PIN. Even though the password (the PIN) is a reusable one, cryptography is applied to the PIN as a compensating control. Also, a controlled network is used to transmit the data.

How many consumers would use ATMs if only a reusable password scheme protected access to their accounts? Consumers rely on, and gain comfort from, a strong user authentication method to protect their sensitive data. Also, banks can hold users accountable for controlling their cards and PINs. The combination of two authentication factors is what allows the users and the banks to hold each other accountable for the data protected. Companies should consider this example significant for their data as well.

c) Corporate Liability
Liability has many angles and slants, but two critical ones are protection of assets and downstream liability. Many companies rely on a strong system of internal controls to prevent and detect fraud. It has been proven in court that a company can be negligent for not putting a system of internal controls in place. Internal controls address the protection of shareholder assets. Strong user authentication is one part of a system of controls that can be highlighted as an example of strong controls.

Downstream liability is a new concept with some large implications. The most common example is that a computer connected to the Internet gets broken into. This computer is then used as a jumping-off point for another attack that causes a large loss to a third party. The third party can sue not only the perpetrator of the act, but also any other parties involved in the loss. This includes the company whose computer was used as the jumping-off point for the attack. The average hacker may not have "deep pockets" to sue to recoup the losses. However, the intermediary company might have deep pockets, and be guilty of not controlling their systems. In this example, strong user authentication is a preventive control.

d) Benefits
Strong user authentication has at least two positive benefits. First, it helps blunt any of the breaches described above, giving management comfort and allowing a restful night's sleep for corporate officers and MIS directors. Next, one of the most overlooked aspects of security is not stopping unauthorized users from performing unauthorized acts, but stopping authorized users from performing unintentional acts. By stopping a user from accidentally reaching others' resources, strong user authentication can either stop the problem before it starts, or allow the system administrator to trace the problem to a user and correct them so the mistake does not recur.

How, when and where to use strong user authentication

There are many security products on the market today. Some address only one part of the security pyramid, while others address multiple parts. With so many choices, people get confused about what each technology actually accomplishes. Some of the most popular solutions for confidentiality and authentication include:

  • Reusable and one-time passwords - single-factor authentication
  • SSL - data encryption for confidentiality
  • RADIUS/TACACS - types of password systems
  • PAP/CHAP - machine or process authentication, but not user authentication
  • Digital signatures (without smart cards) - digital keys, but protected only by a single-factor password
  • Virtual Private Networking (session encryption) - data encryption for confidentiality
  • Firewalls - used to limit access, and tend to use single-factor authentication
  • Single Sign On - password-based, and possibly less secure than multiple passwords
  • Kerberos - encryption for confidentiality, but still a one-factor authentication method

None of these provide strong user authentication. To repeat, strong user authentication consists of at least two methods of identifying a user to prove his identity. All of the above provide other functions, such as confidentiality (Kerberos or SSL) or integrity (digital signatures), but will not strongly authenticate a user.

Please call 0870 421 4023 to find out how your company can benefit from strong user authentication, or e-mail strong.auth.team@Whitehelm.com requesting more information.


Copyright ©2004-2007 Whitehelm Network Security Ltd