Digital Identity and Strong Authentication
Throughout history business transactions have almost always been face-to-face. The Internet and e-business applications in particular are transforming the fundamentals of trust in business transactions. The identity of the person on the other side of an e-business transaction is hard to determine. It is also not easy to establish the identity of the person on the business side of the transaction. That is a significant challenge.
According to the FBI, identity fraud is one of the fastest-growing crimes in the United States, with reported cases crossing 350,000 a year. The Identity Theft Resource Center reports that an estimated 700,000 consumers were victims of identity theft in 2002 in the United States. Identity theft has reached epidemic proportions. Knowing your customer, partner and employee is becoming a vital issue as businesses look to provide more information over networks and engage in payment transactions online.
Businesses are taking a close look at “strong authentication” solutions to firmly establish the identity of the individual engaged in electronic transaction.
Authentication is about who the user is—it is the ability to prove or validate the identity of a user or a transaction. Authentication positively identifies and proves the authenticity of those with whom you may be doing business.
Except in situations where no authentication is required, authentication must be thought of as a prerequisite for strong encryption. What is the purpose of encrypting data if the identity of the individuals involved in the communication is not established and verified? Whether a secured health-care Web page is accessed or a digital signature is included in a message, the identity of the user needs to be determined before information is provided or a transaction is executed.
Perimeter Defense—Not Enough
The deployment of a firewall system at the perimeter of a business is not sufficient. The security of any business today is highly dependent on the successful deployment of multiple layers of security. Each layer makes the organization that much less vulnerable to attacks. Businesses face both internal and external threats to the infrastructure. Also, there is no such thing as 100 percent secure business, hence businesses must carefully examine which security layers will have the most impact in protecting vital business systems and information.
Authentication is typically the first step in gaining access to the system. Typing a username and a password is an example of authenticating yourself as a user on the system.
Problems With Passwords
Passwords are the weakest form of authentication. They are vulnerable to being guessed, stolen or otherwise compromised by password cracker applications. A password cracker application is any program that compromises password security by revealing passwords that have previously been encrypted. For example, a hacker may encrypt every word in the dictionary (spelled forward and backward, and in other combinations) using DES. Each encrypted word is then compared to the target’s stored encrypted password. If there is a match, there is a very high chance that the password has been cracked (higher than a 98 percent chance). Password cracker applications are very effective at determining poorly selected passwords.
Examples of password cracker applications include:
- L0phtCrack 2.0 (NT password cracking tool).
- ScanNT, NTCrack, Password NT (other NT password cracker programs).
- Crack (UNIX password cracking program).
- CrackerJack (cracks UNIX passwords).
Each organization needs to define its password policy, which must require, at a minimum:
- Passwords of a minimum length (six to eight characters).
- Combinations of alphanumeric characters.
- Users to change their passwords every 30 to 60 days.
- Users to be unable to select previously used passwords.
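The four policy rules above are the kind of thing that should be enforced by the system rather than left to users. The following is an added example, not code from the article, showing one way to do that: it keeps a per-user history of salted, iterated hashes (so the history itself cannot be run through the dictionary attack described earlier), rejects short, single-class or reused candidates, and reports when a password is past its rotation period. The thresholds are the stricter end of the article's ranges; the history depth, the `PasswordHistory` class, the ISO date strings and the sample password are assumptions made for the example.

```python
import hashlib
import os
import re
from datetime import date, timedelta

# Thresholds taken from the article's policy list: it allows 6-8 characters
# and 30-60 days; the stricter end of each range is used here.
MIN_LENGTH = 8
MAX_AGE_DAYS = 60
HISTORY_DEPTH = 12   # assumption: how many previous passwords are remembered

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored history cannot be attacked with
    # the precomputed dictionary the article describes for plain DES hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

class PasswordHistory:
    """Per-user record: salted hashes of recent passwords and last change date."""

    def __init__(self):
        self.entries = []        # list of (salt, hash), oldest first
        self.changed_on = None   # datetime.date of the last change

    def contains(self, password: str) -> bool:
        return any(_hash(password, salt) == h for salt, h in self.entries)

    def record(self, password: str, today: str) -> None:
        """Store the hash of a newly accepted password; today is an ISO date."""
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        self.entries = self.entries[-HISTORY_DEPTH:]
        self.changed_on = date.fromisoformat(today)

def check_new_password(candidate: str, history: PasswordHistory) -> list:
    """Return the policy rules the candidate violates (empty list means OK)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("must mix letters and digits")
    if history.contains(candidate):
        problems.append("previously used")
    return problems

def password_expired(history: PasswordHistory, today: str) -> bool:
    """True when the current password is older than MAX_AGE_DAYS."""
    if history.changed_on is None:
        return True
    return date.fromisoformat(today) - history.changed_on > timedelta(days=MAX_AGE_DAYS)

if __name__ == "__main__":
    # Constructed sample: one user who set a password on 1 January 2003.
    h = PasswordHistory()
    h.record("Winter2002x", "2003-01-01")
    print(check_new_password("Winter2002x", h))   # ['previously used']
    print(check_new_password("summer", h))        # two violations
    print(password_expired(h, "2003-03-15"))      # True: 73 days old
```

Returning the full list of violations, rather than stopping at the first, lets the user fix everything in one attempt; the reuse check works only because each old password is compared by re-hashing the candidate with that entry's own salt.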
Keep in mind that a basic Web server’s HTTP authentication system does not encrypt the username and password. These unencrypted passwords are susceptible to “sniffing” attacks from hackers.
Option for Authentication: Kerberos
An example of a network authentication protocol that businesses may consider using is Kerberos. Kerberos provides authentication for client/server applications by using secret-key cryptography. In Greek mythology, Kerberos is the name of the three-headed watchdog that guards the entrance to Hades (the underground abode of the dead). In more modern terms, Kerberos is a third-party trusted authentication system that secures access to critical network resources like print servers, file servers and the like. The adjective “third-party” is used because Kerberos is a third party to the client and server.
Kerberos is an authentication protocol used to secure access to critical servers in a networked environment. Originally developed at the Massachusetts Institute of Technology (MIT), Kerberos is widely used today and is a part of the Windows XP operating system environment as the primary protocol for authentication security. Windows XP uses Kerberos version 5. This version allows two parties to exchange private information across an open network, such as the Internet.
Kerberos assigns a unique key, called a ticket, to each user that logs on to the network. This unique ticket is embedded in messages to identify the sender of the message to the message’s recipient.
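To make the "trusted third party" idea concrete, here is an added example (not code from the article, nor MIT's or Microsoft's Kerberos) that walks through the three Kerberos v5 exchanges in simplified form: the client obtains a ticket-granting ticket from the authentication service, trades it for a service ticket, and presents that ticket plus a fresh authenticator to the file server, which verifies both without ever contacting the KDC. The `seal`/`unseal` routine is a toy authenticated cipher built from HMAC so the example runs with the standard library; the principal names, password, timestamps and the omission of pre-authentication, realms and mutual authentication are all assumptions of the example.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption (HMAC-SHA256 keystream plus HMAC tag), used
# only so the example is self-contained; real Kerberos uses AES or DES.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict; returns nonce||ct||tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

LIFETIME = 8 * 3600   # ticket lifetime in seconds (assumed)
SKEW = 300            # allowed clock skew for authenticators (assumed)

def long_term_key(principal, password):
    # A user's long-term key is derived from the password; servers get random keys.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000, 32)

class KDC:
    """Trusted third party: holds every principal's long-term key."""
    def __init__(self, keys):
        self.keys = dict(keys)
        self.tgs_key = os.urandom(32)   # key under which ticket-granting tickets are sealed

    def as_exchange(self, client, now):
        # AS_REQ/AS_REP: the reply is readable only with the client's password-derived key.
        sk = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": sk.hex(), "expires": now + LIFETIME})
        return seal(self.keys[client], {"key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, service, tgt, authenticator, now):
        # TGS_REQ/TGS_REP: validate TGT and authenticator, then issue a service ticket.
        t = unseal(self.tgs_key, bytes.fromhex(tgt))
        _check(t, authenticator, now)
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": ssk.hex(),
                                           "expires": now + LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": ssk.hex(), "ticket": ticket.hex()})

def _check(ticket, authenticator, now):
    """Ticket must be unexpired and the authenticator sealed with its session key."""
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(ticket["key"]), authenticator)
    if a["client"] != ticket["client"] or abs(now - a["time"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")

def service_accept(service_key, ticket, authenticator, now):
    """Application server side (AP_REQ): returns the authenticated client name."""
    t = unseal(service_key, bytes.fromhex(ticket))
    _check(t, authenticator, now)
    return t["client"]

def client_login(kdc, client, password, service, now):
    """Client side of the AS and TGS exchanges; returns (service ticket, authenticator)."""
    rep = unseal(long_term_key(client, password), kdc.as_exchange(client, now))
    sk = bytes.fromhex(rep["key"])
    tgs_rep = unseal(sk, kdc.tgs_exchange(service, rep["tgt"], seal(sk, {"client": client, "time": now}), now))
    ssk = bytes.fromhex(tgs_rep["key"])
    return tgs_rep["ticket"], seal(ssk, {"client": client, "time": now})

if __name__ == "__main__":
    # Constructed principals: user "alice" and a file server sharing keys with the KDC.
    fs_key = long_term_key("fileserver", "server-secret")
    kdc = KDC({"alice": long_term_key("alice", "correct horse"), "fileserver": fs_key})
    now = 1_050_000_000
    ticket, auth = client_login(kdc, "alice", "correct horse", "fileserver", now)
    print(service_accept(fs_key, ticket, auth, now + 10))   # alice
```

Two points the walk-through makes visible: the file server trusts the client's name only because the ticket opens under a key that just the server and the KDC know, and the timestamped authenticator is what stops a captured ticket from being replayed later.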
Businesses should consider some type of strong authentication solution to address the requirement for identification and verification. Strong authentication is where two or more authentication factors are used. Authentication is closely tied to non-repudiation, which involves being able to prove someone did something even though they claim they did not. Two-factor authentication is stronger than one-factor authentication because it combines two different authentication factors. The authentication factors may be one or more of the following:
- Something you know (knowledge).
- Something you have (possession).
- Something you are (person).
Fast-emerging authentication solutions include:
- Smart cards.
Authentication tokens are dual-factor or two-factor authenticators. To use an authentication token, you need to have the token (something you have), and you need to know the PIN (something you know). Even if the token were compromised, say you forgot it someplace, it would do whoever found it no good without the PIN. It is a significant improvement over just using passwords, which are an example of one-factor authentication.
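The token-plus-PIN scheme just described can be checked server-side as follows. This is an added example, not code from the article or from any token vendor; it assumes the token is a time-based one-time-code device of the kind standardised in RFC 4226/6238 (the article does not say which token type it has in mind), that the PIN is stored as a salted hash, and that the enrolment values shown are constructed test data (the secret is the RFC 6238 test vector).

```python
import hashlib
import hmac
import struct

# Assumed token design: HOTP/TOTP (RFC 4226 / RFC 6238), six digits, 30-second step.
STEP = 30
DIGITS = 6
WINDOW = 1   # accept one step either side to tolerate token clock drift

def totp(secret: bytes, unix_time: int) -> str:
    """Code the token would display at unix_time (the 'something you have')."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class TwoFactorVerifier:
    def __init__(self):
        self.users = {}       # name -> (salt, pin_hash, token_secret)
        self.last_step = {}   # name -> last accepted time step, to block replay

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, 32)

    def enrol(self, name: str, pin: str, token_secret: bytes, salt: bytes) -> None:
        self.users[name] = (salt, self._hash_pin(pin, salt), token_secret)

    def verify(self, name: str, pin: str, code: str, unix_time: int) -> bool:
        """Both factors are always evaluated so a failure does not reveal which was wrong."""
        if name not in self.users:
            return False
        salt, pin_hash, secret = self.users[name]
        knows = hmac.compare_digest(self._hash_pin(pin, salt), pin_hash)   # something you know
        has, used_step = False, None                                       # something you have
        for drift in range(-WINDOW, WINDOW + 1):
            t = unix_time + drift * STEP
            fresh = t // STEP > self.last_step.get(name, -1)
            if hmac.compare_digest(totp(secret, t), code) and fresh:
                has, used_step = True, t // STEP
        if knows and has:
            self.last_step[name] = used_step   # each code is accepted at most once
            return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    v = TwoFactorVerifier()
    v.enrol("bob", "4931", secret, b"constructed-salt")
    print(totp(secret, 59))                    # 287082
    print(v.verify("bob", "4931", "287082", 59))   # True
    print(v.verify("bob", "4931", "287082", 59))   # False: replayed code
```

The replay record is what turns a "something you have" code into single-use evidence: a code observed over the wire, like a sniffed password, is worthless once its time step has been consumed.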
Think of a smart card as an ATM card on steroids. It is a credit-card-like device with both CPU and memory built-in. It is used to store keys, certificates, credentials and other information. It can be used for authentication purposes.
Biometrics is about verification and identification: verifying the identity of an individual based on measurable physiological and/or behavioral characteristics. A key security service that addresses the threat of impersonation is authentication, which verifies a user’s identity. An individual can be identified and authenticated by what he knows (password), by what he owns (smart card) or by his human characteristics (biometrics). Unlike a password or a PIN, a biometric trait can’t be lost, stolen or re-created.
Examples of biometrics technologies are:
- Facial recognition.
- Retina scanning.
- Iris scanning.
- Hand geometry.
- Voice patterns.
Authentication is the process of “proving” your identity. A system needs to authenticate users to a