Authentication
Who’s There?
Nicholas A. Davis
Information Systems 365
University of Wisconsin-Madison
Today’s Chocolate Bar
• Baby Ruth
• Created in 1920 by the Curtiss Candy Company, in Chicago, now made by Nestle
• Originally named Kandy Kake
• Named after President Grover Cleveland’s daughter, Ruth Cleveland, not after baseball player Babe Ruth
Passwords – Reading Discussion
• Define the root of a password?
• Define the appendage of a password
• ! % & $ _ zipcode have gotten too easy for password crackers
• Mix upper and lower case in the middle of the password
• Put the appendage in the middle of your root
University Networks -- Reading
• Centralized vs. decentralized
• Faculty and Staff demand freedom
• Central data handling policies are weak
• What should universities do to make their network more secure?
Overview
• Authentication defined
• Different types of electronic authentication factors
• Username and Password
• Dialog Spoofing Authentication Attacks
• One Time Password devices (OTP), how they work and don’t work
• Biometrics
• Digital Certificates
• Existing devices which can be used for authentication, Blackberry, Mobile Phone
• Shared Secret/Ticket based authentication systems
• Knowledge Based Authentication
• The Initial Credentialing Challenge
• Review of Key Concepts
• Who is to Blame For This Authentication Mess?
• SSO Authentication, the realities
• Federated Authentication
• Wireless Authentication issues
• Remaining Issues With Authentication
• What Does the Future Hold?
Authentication Defined
“Electronic authentication provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment. Thus, electronic authentication plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions. It is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorised access or identity theft. Electronic authentication is therefore essential for establishing accountability online.”
Authentication Factors
• Three types of electronic authentication
• Something you know – username/password
• Something you have – One time password device
• Something you are – Voiceprint or retinal scan
Single Factor vs. Multifactor vs. Dual Factor
• Single Factor – Using one method to authenticate.
• Dual Factor – Using two different types of authentication mechanism to authenticate
• Multifactor – Using multiple forms of the same factor. (Password + identifying an image)
• Some people claim multi factor is just a way around industry regulations. A good test is to ask: could I memorize both of these?
Username and Password - Benefits
• Most widely used electronic authentication mechanism in the world
• Low fixed cost to implement and virtually no variable cost
• Fairly good for low assurance applications
• No physical device required
Username and Password - Drawbacks
• Can be easily shared on purpose
• Can be easily stolen via Shoulder Surfing, Keyboard Logger, Packet Sniffer
• Can be guessed
• Can be hard to remember
• Password code is easy to hack
• Video 3
If You Choose to Use Passwords..
• Be as long as possible (never shorter than 6 characters).
• Include mixed-case letters, if possible.
• Include digits and punctuation marks, if possible.
• Not be based on any personal information.
• Not be based on any dictionary word, in any language.
• Expire on a regular basis and may not be reused
• May not contain any portion of your name, birthday, address or other publicly available information
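A policy checker that applies the rules on this slide, and the root-plus-appendage point from the reading discussion (a dictionary root with a symbol or year stuck on is still caught), as an added example that is not part of the lecture; the wordlist and profile fields are constructed for the demo.

```python
import re
from datetime import date
from typing import List, Optional

# Constructed demo data: a tiny "dictionary" standing in for a cracker's wordlist.
COMMON_WORDS = {"password", "badger", "madison", "welcome", "letmein", "summer"}


def check_password(pw: str, name: str = "", birthday: Optional[date] = None,
                   address: str = "") -> List[str]:
    """Return the slide's rules that `pw` violates; an empty list means it passes.
    Dictionary words are matched as substrings, so a root plus an appendage
    (badger1!, Summer2009) is still rejected."""
    problems = []
    low = pw.lower()
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("no mixed case")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^\w\s]", pw):
        problems.append("no punctuation")
    # Dictionary rule: any wordlist entry appearing anywhere in the password fails it.
    for word in sorted(COMMON_WORDS):
        if word in low:
            problems.append(f"contains dictionary word '{word}'")
    # Personal-information rule: name and address fragments plus common birthday spellings.
    personal = [p for p in re.split(r"\W+", f"{name} {address}".lower()) if len(p) >= 3]
    if birthday is not None:
        personal += [birthday.strftime(f) for f in ("%Y", "%m%d", "%d%m%Y", "%m%d%Y")]
    for item in personal:
        if item in low:
            problems.append(f"contains personal information '{item}'")
    return problems
```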
Dialog Spoofing Authentication Attacks
• The biggest threat to authentication security is users unintentionally giving away their credentials to a “harvester”
• A dialog spoofing attack makes the user think they are communicating with a trusted source, but actually grabs the credentials for its own malicious use
One Time Password Devices Demystified
• Have an assigned serial number which relates to user-id. For example, ndavis = serial QB43
• Device generates a new password every 30 seconds
• Server on other end knows what to expect from serial QB43 at any point in time
One Time Password Devices
• Time based
• Event based
• Sold by RSA, Vasco, Verisign, Aladdin, Entrust and others
• How can event based OTPs be defeated?
Entrust Identity Guard Can Be Beaten With a Photocopier!
One Time Passwords - Benefits
• Provides true Dual Factor authentication, making it very difficult to share
• Constantly changing password means it can’t be stolen, shoulder surfed or sniffed
• Coolness factor!
One Time Passwords - Drawbacks
• Cost!
• Rank very low on the washability index
• Uncomfortable
• Expiration
• Battery Life
• Can be forgotten at home
• Video 1
Biometrics
• Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint
Biometrics Benefits
• Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like an OTP device
• Absolute uniqueness of authentication factor
• Coolness factor
Biometrics Drawbacks
• Cost
• Complexity of Administration
• Highly invasive
• Not always reliable – false negatives
• Not foolproof
• The Gummi Bear thief!
Other Biometric Methods and Associated Issues
• comparing the face with that on a passport photograph
• fingerprints
• DNA fingerprinting
• Iris scan
• Retina scan
• other biometrics
• signature
• Birthmarks - May be duplicated cosmetically
• Dentition - Identity may be mistaken by lack of or falsification of dental X-ray records
Today’s Agenda
• Collect homework!
• Look at a few password cracking tools, demonstrating why username and password is weak!
• Finish lecture on Authentication!
• Class Discussion!
• Maybe Start Lecture on Cryptography!
Today’s Chocolate Bar! - Twix
• Made by Mars
• Called “Raider” in Europe until 1991
• First produced in the UK in 1967
• Introduced to the US in 1979
• Twix, Peanut Butter Twix, Cookies –n- Cream Twix, Chocolate Fudge Twix, Triple Chocolate Twix, Choc –n- Orange Twix
• Not suitable for strict vegetarians!
Digital Certificates
• A digital passport, either contained on a secure device, or on a hard disk
• Secured with a password, making them truly a dual factor solution
• Can be used to authenticate machines as well as humans
Digital Certificate Benefits
• True Dual Factor Authentication
• Low variable cost to produce
• Can contain authorization data as well as authentication data
Digital Certificate Drawbacks
• High fixed cost to build initial infrastructure
• Can be copied and shared if not properly stored
• Expiration
• Often require access to an interface such as a card reader or USB port, not always available at kiosks
Taking Advantage of Existing Technology
• Your mobile phone can serve as a powerful dual factor authentication device
Knowledge Based Authentication
• Authenticates the user via verification of life events, usually financial in nature, such as:
• Looks great at first!
• However, most of this is public information and that which isn’t public can be easily stolen
• The credit reports on which this knowledge based authentication is based often contain factual errors
• Cost!
Initial Credentialing
• The verification of an individual’s or machine’s identity prior to assignment of an authentication identifier (DMV, Passport Agency, Library Card, Credit Card Application)
• An authentication credential is only as trustworthy as the underlying credentialing process
• SSN# often serves as base identifier
• What do you think about that?
• Can you think of a more secure base identifier than SSN#? When would it have to be assigned and by whom?
Key Concepts
• Current online authentication techniques are weak at best: Most rely on multiple single factors
• Credentials are easily stolen from consumers and rarely change
• Lack of consistency in authentication processes confuses consumers
Who Is to Blame For the State of Digital Authentication?
• No individual contributor is at fault
• This is really a failure of multiple parties
• OS Providers
• Browser Providers
• Financial & Commerce
• Software Providers
• Security Vendors
• The Financial and Commerce Institutions
It All Starts With a Better OS
• OS Must have security/auth services baked-in
• Must not rely on 3rd party applications to enforce security/auth processes
• Best position within the consumer access stack to enforce consistency
Unified Browser and Web Design Standards Needed
• The Internet access browser must contain consistent security/auth processes and indicators for consumers
• Must not try and re-invent the security wheel continuously
• This is usually why users pick weak passwords – to preserve their sanity and avoid “token necklace” or “fat wallet syndrome”
Single Sign On (SSO), More like RSO
• Single Sign On (SSO) (also known as Enterprise Single Sign On or "ESSO") is the ability for a user to enter the same id and password to logon to multiple applications within an enterprise.
• True SSO is rare, but Reduced Sign On is quite workable
Single Sign On Benefits
• Ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise
• End to end user audit sessions to improve security reporting and auditing
• Removes application developers from having to understand and implement identity security in their applications
• Usually results in significant password help desk cost savings
Document Authentication
• Humans and machines are easy to authenticate, but what about documents?
• Digital certificates to the rescue
• A digital signature, generated by a private key, can prove who authored the document and can verify that the contents have not been altered from their original form
Authentication Federation
• The average user today interacts with all sorts of social, business, financial and government agencies digitally.
• Each of these requires their own id and password as user authentication.
• As a result, the user is increasingly frustrated with:
• Having to remember multiple user ids and passwords
• Providing more identity information than they would otherwise choose to each entity
Authentication Federation
• Allows transitional trust among institutional membership
• For example, if Nick wants to look up a scholarly article at Penn State, UW can tell Penn State that this request comes from an authenticated and authorized user without giving out my name, etc.
• Hard to enforce credentialing standards
• Relies a LOT on trusting that the other institution did the right thing
Wireless Authentication
• Wiring actually provides an additional layer of protection, requiring physical access
• Once this goes away, as is the case on a wireless network, you need to find another method to make up for the loss of physical security which best emulates physical access
• Authenticate with username/password + MAC address, for example.
• Put the wireless network on a firewalled subnet
• WPA is better than WEP, but not the answer to everything.
• “Opportunity to Authenticate” is the principle to keep in mind here as the most serious threat…
Securing Wireless Network Authentication
• All wireless LAN devices need to be secured, MAC address, static IP address, secure subnet, etc.
• All users of the wireless network need to be educated in wireless network security
• All wireless networks need to be actively monitored for weaknesses and breaches
Wireless is Still Too New to Be Trusted
• Too many competing protocols, each of which can have its own set of security risks
• WEP encryption, WPA, WPA2, 802.1X, LEAP, PEAP, TKIP, RADIUS, WAPI… The list goes on!
Remaining Issues With Authentication
• Authenticating the originator is as important as authenticating the receiver, but few people pay attention to this issue
• Currently, when we send email, we simply trust that email@example.com really is the President… This isn’t sufficient
• We need a method to lookup people in a trustworthy manner
• Trusted and centralized LDAP to the rescue!
• Sadly, inter-organizational trusted LDAP access isn’t used.
The Best Solution is a Hybrid Solution
• No, not that kind of hybrid! Way overused term
• Passwords can be guessed or hacked
• Physical devices can be stolen
• Biometrics are costly and unreliable
• Use a mix of the above technologies to achieve the best authentication security
• Audit, Audit, Audit!!!
What Does the Future Hold?
• Will the federal government get involved with **official** electronic credentials such as a “U.S. Citizen Digital Identity”?
• Benefits of a federal digital identity system?
• Drawbacks of a federal digital identity system?
• How do you feel about the current state of electronic authentication systems?