Strong Authentication?

To explain strong authentication, forget about computers for a moment. From the beginning of time there have been three ways to "authenticate" people.

  • The first way is to identify who they are. In other words, from a thumbprint to a retina scan people can verify that they are who they say they are.
  • The second way to authenticate people is by what they have. In the early days that might have been the other piece to a broken pendant; today it might be a token or smart card.
  • The third way to identify people is by what they know. In the banking world it may mean a personal identification number (PIN), and in the computer world it usually means a password.

What strong authentication does is employ more than one of these ways to identify users. Strong Authentication can use tokens or smart cards and a PIN to create a one-time-use password. The individuals never even know their own password because it changes every time they log in and all they need to remember is their PIN. The advantage of using a PIN is that many times a user will use the same one they use for their ATM, almost ensuring that they will never forget it or lose it.

"This increases security on a network because it forces someone to not only know a PIN, but to have something like a token or a smart card."

Authenticate (v.): To prove or establish as being genuine.

From ancient Roman times, asset protection has been a common theme in society for military, personal or economic reasons. Authentication is the concept for allowing use of those resources, be they weapons, bank accounts or trade secrets. Today, companies have many reasons for protecting assets, from legal requirements to guarding shareholder assets and value. Authentication cannot exist in a vacuum; it must be part of a security framework. One of the models is called the security pyramid:


This model shows the building blocks necessary to create a secure environment. At the bottom are policies and procedures, which set security management standards and practices. Next comes strong user authentication, to control access and provide non-repudiation. Authorization grants access to the proper people. Encryption protects data confidentiality, and audit confirms the effectiveness of the process.

If one of the lower layers of the pyramid is not attained, the successive steps cannot be achieved. For example, if your company does not have a policy and procedure for authorizing users for computer access, control procedures for authorizing users will not work evenly across all areas, and the lack of standards will make auditing hard or impossible. There are four security control objectives that address the security framework.

  • Authentication - To prove identity and allow access to assets.
  • Integrity - Ensure that data has been changed only by the authorized person.
  • Confidentiality - Restricting data access to the people authorized to see it.
  • Non-repudiation - Conclusively tracing an action to an individual.

Specifically, user authentication can be achieved by three methods.

  • Something you have - This can include a key to a door or a token.
  • Something you know - passwords fall into this category.
  • Something you are - this area includes biometric authentication such as fingerprints, voiceprints or retinal scans.

Each one of the three methods alone has problems. "Something you have" can be stolen. "Something you know" can be guessed, learned, shared or lost to other methods. "Something you are" is the strongest, but generally the most costly and still vulnerable to forgery. Because of these single-factor authentication problems, the next step is two-factor authentication: combining two of the methods.

For example, automated teller machines (ATMs) use a combination of a plastic card (something you have) and a four-digit PIN (something you know). Any one type of authentication may authorize access, but using two types moves towards the control concept of non-repudiation. Not only can you prove your identity to gain access to a resource, but you also cannot deny accessing the resource at a later time.

a) Passwords
Passwords are the most common type of computer system authentication. Most multi-user systems in the past relied on password authentication to control access to processor time and to segregate users for charge-back. Today, the main use of passwords is for access control to data. There are two types of passwords:

  • Reusable - a string of letters and numbers used many times for system access.
  • One-time - a string of letters and numbers used for system access and always changing.

Almost all flavours of UNIX, Windows NT, and other operating systems come with a reusable password process by default. Depending on the value protected, a reusable password may be adequate. However, as technology progresses, reusable passwords have become weak, and attacks have even been developed against one-time passwords.

b) Password Weakness
Each type of password has unique problems to address. Reusable passwords have reached the end of their life cycle for critical business uses and one-time passwords need additional controls to remain effective. Reusable passwords are vulnerable to many attacks, including keystroke monitoring, social engineering, brute force attacks and network monitoring.

c) Key Stroke Monitoring
Key stroke monitoring can be done a few ways. One is to run a program to monitor keys pressed on a keyboard and to store the results in a file for later observation. Even though the password does not echo to the screen, this is not needed for  an attack to occur. A more difficult, yet possible, attack is to monitor the emissions from the screen. This attack is used when physical access to the computer is not possible.

d) Social Engineering
Social engineering is manipulating people for information. This includes the attacker posing as a member of a firm's help desk, calling an executive's assistant and asking for their (or the executive's) password to fix a computer problem. Also, this type includes 'shoulder surfing' which is just as it sounds. A person will casually watch another person's fingers as they enter their password to steal the letters and numbers.

e) Brute Force Attacks
Brute force attacks fall into two categories: internal or external. Internal means a user accesses a system in an authorized or unauthorized fashion. Once the user gains access to a command prompt, he can copy the encrypted passwords and run a 'crack' program to guess the passwords. The 'crack' program takes a text file of words and uses the same encryption algorithm as the operating system to encrypt each word in the text file. The program compares the encrypted words from the dictionary to the ones copied from the system, and when they match, the password is known. This method is so old that the 'crack' program used for UNIX systems is up to version five! Newer is the 'L0phtCrack' program, which does the same process for Windows NT. External brute force attacks are slower, but still possible: manually or using a tool, the attacker guesses passwords one at a time until able to gain access.

f) Network Monitoring
Network Monitoring (also known as "sniffing") is the most critical concern with reusable passwords. Most networks today are Ethernet based. On Ethernet networks, all messages sent from one machine to another are read by all systems on the network, but only processed by the intended recipient. However, the network cards of any of the computers on the network can be put into 'promiscuous mode' where they read and log all messages that reach the computer. Utilities to perform this include the Sniffer from Network General and the Network Monitor recently released by Microsoft as part of the SMS package.

Using these tools, any user on the network can record all the traffic to automatically collect network passwords. Once collected, they can be used for unauthorized access. One example of this was a penetration exercise Coopers & Lybrand did for a client. Our goal was to see what an outsider could access by using the phone in the conference room. We were able to connect and monitor the network for a fifteen minute period. When done, we had collected ten user passwords to internal systems including one administrative password! Monitoring can be done by any user on an Ethernet network with Windows NT 4.0 and the SMS Network Monitoring tool. The cost of this attack has gone from thousands for a custom hardware and software device to almost nothing for an illegal copy of the software. This is the main reason why reusable passwords have reached the end of their life-cycle.

One-time passwords are a variation of the standard reusable password. The difference, as the name suggests, is that a different code (a set of letters and/or numbers) is used each time the user attempts to access data. This is accomplished either by generating a list of passwords which are used successively, or by using a token with a number that regularly changes in step with a process on the server. While one-time passwords are not vulnerable to the above attacks, they do have weaknesses, which take much more skill to exploit. These include man-in-the-middle attacks and race attacks.
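The first of the two one-time password schemes just described, a pre-generated list, is usually built as a hash chain (Lamport's scheme, as used by S/Key). The following is an added example, not code from the original page or from WhiteHelm: the client derives the whole list from a secret seed, the server enrols only the hash of the first password, and each accepted password becomes the server's new anchor. It shows why a password captured on the wire cannot be replayed or used to derive the next one. The seed value is constructed for the demonstration.

```python
"""Added example (not code from the original page): a one-time password
list built as a hash chain, in the style of Lamport / S/Key.

The client generates the whole list up front from a secret seed; the
server stores only the value it expects to see hashed next. Each login
reveals one password, which then becomes useless because the server
moves its anchor down the chain. A password captured on the wire cannot
be replayed, and the next password cannot be derived from it without
inverting the hash.
"""
import hashlib
import hmac


def hash_step(value: bytes) -> bytes:
    """One link of the chain: H(value)."""
    return hashlib.sha256(value).digest()


def generate_password_list(seed: bytes, count: int) -> list[bytes]:
    """Return `count` one-time passwords in the order they are used.

    Internally chain[i] = H^(i+1)(seed). The user spends the chain from
    the end backwards, so the returned list is the reversed chain: the
    first password to use is H^count(seed), the last is H(seed).
    """
    chain = []
    value = seed
    for _ in range(count):
        value = hash_step(value)
        chain.append(value)
    return list(reversed(chain))


def initial_anchor(password_list: list[bytes]) -> bytes:
    """The value enrolled on the server: the hash of the first password.

    This is H^(count+1)(seed); the seed itself never leaves the client.
    """
    return hash_step(password_list[0])


class OneTimePasswordServer:
    """Server side: keeps one hash per user, never the list or the seed."""

    def __init__(self, anchor: bytes):
        self.anchor = anchor

    def verify(self, candidate: bytes) -> bool:
        # Accept only the pre-image of the stored anchor, compared in
        # constant time. On success the candidate becomes the new anchor,
        # so presenting the same value again (a replay) fails.
        if hmac.compare_digest(hash_step(candidate), self.anchor):
            self.anchor = candidate
            return True
        return False


def demo() -> dict:
    """Constructed walk-through; returns the outcome of each login attempt."""
    seed = b"constructed-demo-seed-do-not-reuse"  # constructed sample value
    passwords = generate_password_list(seed, 5)
    server = OneTimePasswordServer(initial_anchor(passwords))
    return {
        "first_login": server.verify(passwords[0]),
        "replay_of_first": server.verify(passwords[0]),  # sniffed and resent
        "skip_ahead": server.verify(passwords[2]),       # out of order: not the pre-image
        "second_login": server.verify(passwords[1]),
    }


if __name__ == "__main__":
    for event, accepted in demo().items():
        print(f"{event}: {'accepted' if accepted else 'rejected'}")
```

In this simple form the passwords must be used strictly in order; a skipped entry is simply lost, and the server never needs to learn the seed or the list. Note that this protects the password itself, not the session that follows it, which is why the text goes on to discuss man-in-the-middle and race attacks.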

g) Man-In-The-Middle
A man-in-the-middle attack is just as it sounds. An attacker places a computer between the user and the system that uses a one-time password. In some way, the attacker must capture the packets as they pass over the wire, resending them as his own. The attacker needs control over the network and a high degree of skill to perform this attack.

h) Race
In a race attack, an attacker monitors the numbers and letters as they pass over the network. But, just before the last digit, the attacker sends ten login requests to beat the real user and try all the remaining combinations in an attempt to take over the login process. This attack can only be used with certain protocols, as some systems do not pass data byte-by-byte. Again, this attack demands a good deal of luck, time and skill to exploit.

In response to this problem, security vendors have taken measures to compensate by using encryption or by putting logic into their products to address and defend against these types of attacks. Still, a one-time password is one-factor authentication, and not considered strong user authentication.

What is strong authentication?

We define strong user authentication as using two or more of the above methods. For example, "something you know" and "something you have" can be a token response card and a PIN. This method is resistant to all the reusable and most one-time password attacks. Therefore, it can be a method of non-repudiation.
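The token-plus-PIN combination defined above, and the token "that regularly changes in step with a process on the server" from the one-time password discussion, can be verified server-side as follows. This is an added example, not code from the original page or from WhiteHelm: the page does not name the token algorithm, so TOTP (RFC 6238, HMAC-SHA1 over a 30-second time-step counter) is assumed, the PIN is the constructed value 4711, and the class and function names are this example's own. It also shows two details that matter against the one-time password attacks described earlier: a code is accepted at most once, so a captured login cannot be resent by a man in the middle, and both factors are always evaluated so the response does not reveal which one failed.

```python
"""Added example (not code from the original page or from WhiteHelm): a
verifier for two-factor login with a time-stepped token code plus a PIN.

The assumed token algorithm is TOTP (RFC 6238): HMAC-SHA1 over a counter
that advances every 30 seconds, truncated to six digits.
"""
import hashlib
import hmac
import os
import struct

TIME_STEP = 30       # seconds per token code
DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 of the big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP over the current time-step counter."""
    return hotp(secret, at_time // step)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """The server stores a slow, salted hash of the PIN, never the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class TwoFactorVerifier:
    """Something you have (token secret) and something you know (PIN)."""

    def __init__(self, token_secret: bytes, pin: str):
        self.token_secret = token_secret
        self.pin_salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.pin_salt)
        # Highest time-step counter already used for a successful login.
        # A code is accepted at most once, which defeats replay of a
        # captured login by a man in the middle.
        self.last_counter = -1

    def verify(self, pin: str, code: str, at_time: int) -> bool:
        pin_ok = hmac.compare_digest(hash_pin(pin, self.pin_salt), self.pin_hash)

        counter = at_time // TIME_STEP
        matched = None
        # Tolerate one step of clock skew either way, but never a counter
        # at or below the last accepted one.
        for candidate in (counter - 1, counter, counter + 1):
            if candidate <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.token_secret, candidate), code):
                matched = candidate

        # Both factors are always evaluated; the result does not say which
        # one failed, so a stolen token alone gives no hint about the PIN.
        if pin_ok and matched is not None:
            self.last_counter = matched
            return True
        return False


def demo() -> dict:
    """Constructed walk-through using the RFC 4226/6238 sample secret."""
    secret = b"12345678901234567890"                   # RFC test secret
    verifier = TwoFactorVerifier(secret, pin="4711")   # constructed PIN
    t = 59                                             # RFC 6238 sample time (counter 1)
    good_code = totp(secret, t)
    return {
        "pin_and_token": verifier.verify("4711", good_code, t),
        "replay_same_code": verifier.verify("4711", good_code, t + 11),
        "token_without_pin": verifier.verify("0000", totp(secret, t + 30), t + 30),
        "pin_without_token": verifier.verify("4711", "000000", t + 30),
        "next_step": verifier.verify("4711", totp(secret, t + 30), t + 30),
    }


if __name__ == "__main__":
    for event, accepted in demo().items():
        print(f"{event}: {'accepted' if accepted else 'rejected'}")
```

The clock-skew window is deliberately small: each extra step a verifier tolerates is another code an attacker could race against, so the window should be the minimum the deployed tokens need.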

There are many types of strong user authentication in use today. These include token response cards and biometric authentication, combined with passwords. These solutions can give a great deal of comfort, but the costs must be considered.

Why is strong user authentication needed?

Authentication usually consists of 'something you know'. We have shown those methods to be vulnerable to attack. Many vendors will discuss the adequacy of password protection alone to authenticate users. As shown, some of the attacks (especially on reusable passwords) can occur at little-to-no cost and without detection. If there is no way to determine that a password has been compromised, it is tough to determine the true security of your data. This is the reason to use a strong user authentication process to protect the data and systems.

The need for strong user authentication has many parts and benefits. Strong user authentication is one of the building blocks of a security methodology. It also forces user accountability. Finally, it plays a role in the fiduciary responsibilities of many organizations. The benefits vary from liability protection to audit comfort.

a) Security Methodology
In building a security design, one layer rests on another. The "security pyramid" must rest on a base of policies and procedures. Next, user authentication is a critical building block for the entire pyramid. Without the underlying assumption of strong user authentication, the remaining layers of authorization, use of encryption and audit become invalid. With strong user authentication, you know that the user is authorized, that confidentiality is maintained (with encryption) by passing the information to the proper user, and that the audit trail is keeping track of the actions of the one known person.

b) User Accountability
User accountability has two sides. One view is that companies will know which user performed which action. The other is the user perspective. Strong authentication can cause two results. First, the user would need to go to a greater length to share information with another user, such as sharing a SecurID token and the associated PIN number.

The side effect of this action is that the original user is not able to access the system while the other person uses the strong user authentication method. Second, while a password can be captured in transit, allowing the user deniability, strong user authentication would force the user to be responsible for the actions of any user of the card and PIN. Even if they did not perform the action, it can be proven that the individual was the guardian for the method, hopefully making them very reluctant to share. There is no perfect scheme, but this is one way to make a clear statement to the user as to their level of accountability for the data they are allowed to access.

One example of this method's strength is shown daily in the use of automated teller machines (ATMs). People, like companies, need to protect their data. Their data (bank account) is protected by a strong user authentication method: a bank card and a PIN. Even though the password (the PIN) is a reusable one, cryptography is applied to the PIN as a compensating control. Also, a controlled network is used to transmit the data.

How many consumers would use ATMs if only a reusable password scheme allowed access to their accounts? Consumers rely on, and gain comfort from, a strong user authentication method to protect their sensitive data. Also, banks can hold users accountable for controlling their cards and PINs. The combination of two authentication factors is what allows the users and the banks to hold each other accountable for the data protected. Companies should consider this example significant for their data as well.

c) Corporate Liability
Liability has many angles and slants, but two critical ones are protection of assets and downstream liability. Many companies rely on a strong system of internal controls to prevent and detect fraud. It has been proven in court that a company can be negligent for not putting a system of internal controls in place. Internal controls address the protection of shareholder assets. Strong user authentication is one part of a system of controls that can be highlighted as one example of strong controls.

Downstream liability is a new concept with some large implications. The most common example is that a computer connected to the Internet gets broken into. This computer is then used as a jumping-off point for another attack that causes a large loss to a third party. The third party can not only sue the perpetrator of the act, but also any other parties involved in the loss. This includes the company's computer that was used as the jumping-off point for the attack. The average hacker may not have "deep pockets" to sue to recoup the losses. However, the intermediary company might have deep pockets, and be guilty of not controlling their systems. In this example, strong user authentication is a preventive control.

d) Benefits
Strong user authentication has at least two positive benefits. Strong user authentication helps blunt any breach described above, giving management comfort and allowing a restful night's sleep for corporate officers and MIS directors. Next, one of the most overlooked aspects of security is not stopping unauthorized users from performing unauthorized acts, but stopping authorized users from performing unintentional acts. By stopping a user accidentally getting to others' resources, strong user authentication can either stop the problem before it starts, or allow the system administrator to trace the problem to a user and correct them so the mistake does not recur.

How, when and where to use strong user authentication

There are many security products on the market today. Some address only one part of the security pyramid while others address multiple parts. With so many choices, people get confused about what is accomplished with each technology. Some of the most popular solutions for confidentiality and authentication include:

  • Reusable and One-time Passwords - single-factor authentication
  • SSL - data encryption for confidentiality
  • RADIUS/TACACS - types of password systems
  • PAP/CHAP - machine or process authentication but not user authentication
  • Digital Signatures (without smartcards) - digital keys, but protected by a single-factor authentication password
  • Virtual Private Networking (session encryption) - data encryption for confidentiality
  • Firewalls - used to limit access, and tend to use single-factor authentication
  • Single Sign On - password-based and possibly less secure than multiple passwords
  • Kerberos - encryption for confidentiality but still a one-factor authentication method

None of these provide strong user authentication. To repeat, strong user authentication consists of at least two methods of identifying a user to prove his identity. All the above provide other functions such as confidentiality (Kerberos or SSL) or integrity (Digital Signature) but will not strongly authenticate a user.

Please call 0870 421 4023 to find out how your company can benefit from strong user authentication, or e-mail requesting more information.


Copyright ©2004-2011 Whitehelm Network Security Ltd