Purpose
The purpose of this document is to investigate other strong authentication
solutions. The solution should be suitable for roll-out globally and
provide a common standard.
Scope
The scope of this investigation is limited to the following technologies
that offer strong authentication:
- Hardware Tokens
- Software Tokens
- USB Tokens
- SMS one time password
- Smart Cards
- Digital Certificates
- Biometrics
Requirement
Customer X has a requirement to provide remote access from the following
devices:
- Non Customer X PCs (e.g. a PC in an Internet café)
- Laptops
- Desktops at home
- Personal Digital Assistants (PDA)
Strong Authentication Methods
Hardware Tokens
Token-based authentication is an example of two-factor authentication
(often referred to as strong authentication), incorporating a PIN
and a hardware token device. The technology used in this method of
authentication is based on using either synchronous or asynchronous
(challenge/response) authentication. The asynchronous method requires
that the authentication server send the token device an encrypted
message. The token device uses a preset algorithm and a shared secret
to decrypt the message and respond with the correct password encrypted
using the same shared secret.
The synchronous method requires that the authentication server and
the token device each calculate the same one-time value at the same
time, using the same parameters (i.e. an event counter or a time
counter); if the two calculated values match, authentication is
successful.
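As an added illustration (not part of the original document), the event-counter form of the synchronous method in Python: token and server share a secret and a counter, each computes the same HMAC-based value, and the server accepts a small look-ahead window so a token press that never reached the server does not leave the two sides permanently out of step. The construction follows HOTP (RFC 4226); the PIN, window size and demo secret are assumed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-synchronous one-time password (HOTP, RFC 4226).

    Token and server each run this over the shared secret and their own
    copy of the event counter; equal outputs mean equal counters.
    """
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenServer:
    """Server side of the two-factor check: PIN (something known) plus
    token code (something held). PIN and window are assumed demo values."""

    def __init__(self, secret: bytes, pin: str, counter: int = 0, window: int = 5):
        self.secret = secret
        self.pin = pin
        self.counter = counter      # next counter value the server expects
        self.window = window        # how far ahead the token may have drifted

    def verify(self, pin: str, code: str) -> bool:
        # Evaluate both factors before deciding, so a wrong PIN and a wrong
        # code fail the same way and the counter only moves on full success.
        pin_ok = hmac.compare_digest(pin, self.pin)
        matched = None
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                matched = c
                break
        if not pin_ok or matched is None:
            return False
        # Resynchronise past the accepted value so the same code cannot replay.
        self.counter = matched + 1
        return True


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226 test-vector seed), not a real credential.
    seed = b"12345678901234567890"
    srv = TokenServer(seed, pin="4711")
    print(hotp(seed, 0))                  # 755224
    print(srv.verify("4711", "755224"))   # True
    print(srv.verify("4711", "755224"))   # False: replay of a used code
```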
Software Tokens
A software token works in the same way as a hardware token, except
that it requires a host system. The software token is installed on a
host system such as a desktop, laptop, PDA or mobile phone. The need
for a host system limits their use to Customer X systems or pre-defined
systems, i.e. software tokens are not suitable for access from an
Internet café. The advantages of software tokens are:
- No token to carry
- No token to lose or forget
- Token does not expire (no batteries)
- They are cheaper than hardware tokens
USB Tokens
USB (universal serial bus) tokens are typically the size of a house
key and plug into a USB port in order to verify a user's identity.
The tokens, also known as dongles, are intended for individual laptop
users and for employees accessing company networks. The chief advantage
of USB tokens over smart-card-based network login systems is the lack
of a requirement for a card reader. PCs or laptops purchased in the
last 18 months will have shipped with at least one USB port.
The USB token is similar to a smart card in that it typically requires
a digital certificate to be stored in the token. This then requires
a Certificate Authority to issue, manage and verify certificates.
The use of digital certificates will require the deployment of additional
hardware and software. Since the USB token requires host software to
be installed on the system, its use is limited to Customer X or
pre-defined host systems.
SMS one time passwords
This approach requires the user to carry a mobile phone and to have
network coverage at the time of authentication. When a user attempts
to log into a Customer X site, they are automatically sent a secure,
one-time passcode by SMS. Combining this passcode with the user's
secret PIN gives strong (two-factor) authentication.
The user benefits because, if they already carry a phone, they need
nothing extra. There are no hardware costs, so costs are kept low, and
security is greatly improved compared with static passwords, because
the user presents a different password every time they log into
Customer X systems. There are a number of issues with this approach:
- Delay in receiving the SMS (20 seconds)
- No guarantee they will receive it at all
- They need network coverage
- Not supported in all countries
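An added server-side sketch (not from the original document) of the SMS approach: the passcode is randomly generated and single-use, its lifetime is bounded so the delivery delay noted above is tolerated while a stale code is useless, and guesses are limited. The 6-digit length, lifetime and attempt limit are assumed values, the PIN factor is left out, and handing the code to an SMS gateway is replaced by returning it.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SmsOtpService:
    """Issues and checks SMS one-time passcodes. ttl_seconds, max_attempts
    and the 6-digit length are assumed values; clock is injectable for tests."""

    def __init__(self, ttl_seconds: float = 120.0, max_attempts: int = 3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock
        self.pending: dict[str, PendingCode] = {}

    def issue(self, user: str) -> str:
        # Cryptographically random digits; a fresh issue replaces any older code.
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.pending[user] = PendingCode(code, self.clock())
        return code   # stand-in for handing the code to an SMS gateway

    def verify(self, user: str, candidate: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() - entry.issued_at > self.ttl:
            del self.pending[user]          # expired: the user must request a new code
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code, candidate)
        if ok or entry.attempts >= self.max_attempts:
            del self.pending[user]          # single use, or too many guesses
        return ok
```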
Smart Cards
Smart cards are similar in size to a standard credit card. These cards
are inserted into a card reader as part of the authentication process.
They often contain a digital certificate and are usually presented
in combination with a password or Personal Identification Number (PIN).
Cryptographic smart cards provide very high security for users logging
into computer systems and networks because of their ability to store
digital certificates, perform authentication and provide non-repudiation.
A smart card solution would require all systems to be equipped with
a smart card reader, which would restrict their use to Customer X or
pre-defined systems.
Typically, the smart cards store a digital certificate for authentication
purposes. The use of digital certificates will require the deployment
of additional hardware and software.
Digital Certificates
A Digital Certificate can be presented electronically to prove an
individual's identity.
A Digital Certificate binds a public key to an individual or organisation.
The binding of a public key to an individual or organisation is certified
by a trusted source, a certificate authority (CA).
Digital Certificates contain the owner's public key, the owner's name,
an expiration date, the name of the Certification Authority that issued
the Digital Certificate, a serial number, and perhaps some other information.
This method would require either the use of an external CA or Customer
X deploying and managing its own CA. Digital Certificates would need
to be installed on a host system, which would restrict their use to
Customer X or pre-defined systems.
Biometrics
The only biometric system that would be suitable for Customer X's
requirements would be fingerprint scanners, as these are portable.
Once programmed with the user's fingerprint, a fingerprint scanner
uses it as the basis for identification and authentication. These
systems do suffer from accuracy issues and are subject to false negatives.
Each PC and laptop would have to be fitted with a fingerprint reader
of some description, which would restrict their use to Customer X or
pre-defined systems. Furthermore, an authentication system would have
to be put in place to support biometric authentication; at the very
least this would require additional software.
Solutions
The fundamental issue in selecting a strong authentication method
for Customer X is the requirement to have remote access from "non
Customer X PCs". These PCs could be anywhere in the world and under
the management control of any individual or organisation.
This means that Customer X is unable to install any software or peripherals
on these devices to aid authentication.
The following table shows which solutions meet which requirements:
Solution Options
Due to the drawbacks with the SMS one time password solution, it is
probably not suitable for day-to-day use by Customer X employees.
This leaves hardware tokens as the only solution that meets all Customer
X requirements.
However, a combination solution could be deployed to meet the requirements.
About the Author:
Waheed Warden, MCIM, Channel Marketing Manager, Trinity Security Services
Waheed.Warden@trinitysecurity.com
http://www.trinitysecurity.com
M +44 (0) 7879 647 497
T +44 (0) 870 350 1284
F +44 (0) 845 280 2712
We don't compromise on your security
Read this newsletter at: http://www.securitypronews.com/2004/0121.html