Monday, September 04, 2006

Authentication - Who Are You? Can You Prove It?

The following article was written by one of Compushare's top security gurus for our monthly newsletter. It is a great introduction to the concepts of authentication.

BY ANDREW VESAY, CISSP

When we use the term authentication, we are referring to the process of identifying a person, confirming their identity, and securing access to that person’s accounts.

Up until recently, this has been done by employing the standard username and password. As the power of today’s PC has increased, breaking even well-selected passwords becomes easier each day. This weakness is further reinforced by the FDIC guidance issued in October of this year.

The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

The basic premise of this guidance is that simple usernames and passwords are not effective authentication. Our discussion of authentication focuses on three areas:
  • Identification – Who are you?
  • Multifactor Authentication – Can we verify your identity in more than one way?
  • Non-Repudiation – Can we prove a valid transaction has occurred?
First, we will look at the problems with simply using usernames and passwords. In the traditional method, our user ID is the key that the system uses to look up our password information and enable the services that we are permitted to use. The weakness in this is a very simple one: if I know that my user ID is my first initial and last name, I can make a pretty good guess that your user ID follows the same convention. Having guessed your user ID, I now just have to get your password.

Traditional systems rely on your password to verify that you are who you say you are. These days, however, even well-chosen passwords are susceptible to being broken. Precomputed tables of letter and number combinations, called “rainbow” tables, let an attacker run through every password combination in a matter of minutes.

If I have guessed your user ID and password, I have assumed your online identity and can perform transactions as you. This presents the problem of non-repudiation, which asks: can we prove that a valid transaction was performed between valid parties? We have to verify that the transaction and the parties involved in it cannot be contested. If I have guessed your username and password, how can you prove that it wasn’t you who transferred all of your funds to a numbered Swiss bank account?

Now let’s look at some of the components of strong authentication. To prove someone’s identity we can use the following simple formula: we need two of the following three components.
  • Something you have – a physical device of some sort, such as a card or security token
  • Something you are – a biometric identifier, such as fingerprint scan, or retinal scan of your eye
  • Something you know – a passcode that only you would know such as password or phrase, or answers to personal security questions
These three components are found in most of the emerging methods for identification or authentication and together provide the foundation for non-repudiation. Authentication utilizing two or more of these components is called “multifactor” authentication.

A good example of multifactor authentication is your ATM card: you have your card (something you have) and your PIN (something you know).

Completing a successful, secure online transaction requires several steps. First, we must validate that the site we are communicating with is the actual merchant’s site. Next, we must identify ourselves and successfully authenticate our identity. Finally, we must be able to prove that the transaction was successfully completed by both parties.

When we start our online session, we need to verify that we have an authentic connection to the web server of the institution with whom we want to do business. This is commonly accomplished using a digital certificate. A website registers with a trusted third party that validates its identity. When you connect to the website, you can view the digital certificate and verify that it is valid. In most web browsers, you can click on the lock icon in the lower right of the browser window to view the digital certificate for the site with whom you are communicating.

An additional technique that some institutions are using to further validate that a user has reached their site is requiring that the user answer some personal security questions and identify a picture with a caption they have selected.

Next, we must identify ourselves to the web server and validate our identity. This is one of the problems in the current online banking environment: we have something we know, our username and password, but we have neither of the other components of multifactor authentication, something we have or something we are.

A technique that is becoming more prevalent is the use of digital signatures, which rely on a technology called public/private key pairs. A key pair has two interrelated parts. The key pair is generated as a single key and then split into a public and a private key. The public key is made available to anyone who wants it, while the private key is kept secret on your PC. Your private key becomes “something you have.”

The only way to complete a secure transaction would be to use your password (something you know) and your private key (something you have) to authorize the session. The basis for non-repudiation of this transaction is that we have used multifactor authentication to ensure that you are who you say you are.
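As an added illustration of the session authorization just described (example code written for this page, not part of the original article or of any product the article mentions): the customer's private key signs a transaction record together with a nonce the bank's server issued for this session, and the server verifies the signature under the public key enrolled for that customer. The example uses the Ed25519 signature scheme from Go's standard library, where the public key is derived from the private one; that is this example's choice, not something the article describes. The Server, Transaction, Enroll, Challenge, Sign and Authorize names, and the sample account and amount values, are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Transaction is the record the customer authorizes. The field order is fixed so that
// customer and server serialize it identically; the server-issued nonce ties the
// signature to one session, so a captured signed record cannot be presented again.
type Transaction struct {
	From   string
	To     string
	Amount int64 // constructed example: amount in cents
	Nonce  string
}

// canonical renders the record deterministically; the signature covers exactly these bytes.
func (tx Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("from=%s|to=%s|amount=%d|nonce=%s", tx.From, tx.To, tx.Amount, tx.Nonce))
}

// Server holds the public key enrolled for each user and the nonces it has issued
// but not yet consumed. (These names are this example's own, not a real product's API.)
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	nonces  map[string]bool
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Enroll stores the user's public key. The private half stays on the customer's PC:
// that is the "something you have".
func (s *Server) Enroll(user string, pub ed25519.PublicKey) {
	s.pubKeys[user] = pub
}

// Challenge issues a fresh random nonce that the customer must sign along with the record.
func (s *Server) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n, nil
}

// Sign runs on the customer's side: only the private key can produce the signature.
func Sign(priv ed25519.PrivateKey, tx Transaction) []byte {
	return ed25519.Sign(priv, tx.canonical())
}

// Authorize runs on the server: the nonce must be one it issued and not yet used, and the
// signature must verify under the enrolled public key. The stored (record, signature) pair
// is the evidence that only the private-key holder could have authorized this transaction.
func (s *Server) Authorize(user string, tx Transaction, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	if !ok || !s.nonces[tx.Nonce] {
		return false
	}
	if !ed25519.Verify(pub, tx.canonical(), sig) {
		return false
	}
	delete(s.nonces, tx.Nonce) // consumed: the same signed record is rejected if presented again
	return true
}

func main() {
	// Enrollment: the key pair is generated on the customer's PC; only the public key is sent.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", pub)

	nonce, _ := srv.Challenge()
	tx := Transaction{From: "alice-checking", To: "ACME Utilities", Amount: 12500, Nonce: nonce}
	sig := Sign(priv, tx)
	fmt.Println("authorized:", srv.Authorize("alice", tx, sig)) // true
	fmt.Println("replayed:", srv.Authorize("alice", tx, sig))   // false: nonce already consumed

	nonce2, _ := srv.Challenge()
	tx2 := Transaction{From: "alice-checking", To: "ACME Utilities", Amount: 12500, Nonce: nonce2}
	sig2 := Sign(priv, tx2)
	tx2.Amount = 1250000 // altered after signing
	fmt.Println("tampered:", srv.Authorize("alice", tx2, sig2)) // false: signature no longer matches
}
```

The server never sees the private key, so a valid signature over a record it did not alter is something the customer cannot later disown; the nonce check is what keeps an intercepted signed record from being submitted a second time.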

Another frequently used technique also incorporates “something we have.” A “token” is a physical device that continuously runs a complex algorithm. Your complete password is calculated from your PIN and the constantly changing value generated by your security token. This technique is called one-time passwords.

Using a security token allows us to incorporate something I have, my token, and something I know, my PIN, which increases security by making my password a constantly changing value. Again, non-repudiation of a transaction has its basis in the use of multifactor authentication to verify our identity.
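A worked example of the PIN-plus-token scheme just described, added here and not taken from the article or from any vendor's product: the token side computes a time-based one-time code in the manner of RFC 6238 (an HMAC-SHA1 over a 30-second counter, which is how common hardware tokens work), and the server side checks PIN followed by code, tolerates one step of clock drift in either direction, and refuses to accept a code that has already been used, which is what makes the password genuinely one-time. The seed is the published RFC 4226/6238 reference test value, embedded as a constructed demo (a real token's seed is provisioned at enrollment and never shared); Verifier, NewVerifier, Verify and the PIN "4711" are names and values chosen for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed demo seed: the reference value from RFC 4226 / RFC 6238 test vectors.
var demoSeed = []byte("12345678901234567890")

const (
	timeStep = 30 // seconds per token code (RFC 6238 default)
	digits   = 6
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation
// to a decimal code of the requested length.
func hotp(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp implements RFC 6238: the counter is the number of 30-second steps since the Unix epoch,
// so the code the token displays changes every half minute.
func totp(seed []byte, unixTime int64, digits int) string {
	return hotp(seed, uint64(unixTime/timeStep), digits)
}

// Verifier is the server side. It holds the user's PIN ("something you know") and the
// token seed ("something you have"), and remembers the last accepted counter so that a
// code is accepted at most once.
type Verifier struct {
	pin         string
	seed        []byte
	lastCounter int64
}

func NewVerifier(pin string, seed []byte) *Verifier {
	return &Verifier{pin: pin, seed: seed, lastCounter: -1}
}

// Verify checks a submitted PIN+code, allowing one time step of clock drift either way.
// Candidate counters at or below the last accepted one are skipped, which rejects replays.
func (v *Verifier) Verify(submitted string, now int64) bool {
	step := now / timeStep
	for delta := int64(-1); delta <= 1; delta++ {
		c := step + delta
		if c <= v.lastCounter {
			continue
		}
		expected := v.pin + hotp(v.seed, uint64(c), digits)
		// Constant-time comparison so timing does not leak how much of the value matched.
		if hmac.Equal([]byte(submitted), []byte(expected)) {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	now := time.Now().Unix()
	code := totp(demoSeed, now, digits) // what the token is displaying right now
	v := NewVerifier("4711", demoSeed)
	fmt.Println("token shows:", code)
	fmt.Println("first use accepted:", v.Verify("4711"+code, now)) // true
	fmt.Println("replay accepted:", v.Verify("4711"+code, now))    // false
	fmt.Println("wrong PIN accepted:", v.Verify("0000"+code, now)) // false
}
```

The two factors are checked together: a stolen PIN without the token, or a glimpsed token code without the PIN, each fails, and a code that was observed and submitted a second time fails because its counter has already been consumed.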

In response to the FDIC guidance, Internet banking and authentication vendors are quickly developing potential solutions to this authentication challenge. No clear-cut methodology has yet emerged. The two methods we have discussed are widely used in other areas of enterprise security and we can expect some form of these techniques to start showing up in our online banking systems very soon.

1 comment:

Jason Mayoff said...

I wish my bank would get on this bandwagon pretty soon. I'm starting to get a little worried about my privacy when I do my banking online.