
Authentication devices

In the document Information Security (Pages 98-104)

Technical tools

3.5 Supporting infrastructure

3.5.3 Authentication devices

Authentication devices are used to support authentication systems by providing the user with some object that is required to successfully complete the authentication process. Currently, most authentication devices fall into one of the following categories:

Smart cards;

Biometric devices;

Tokens.

Smart cards were discussed in the previous section. As the applicability of this discussion to authentication scenarios is obvious, we will not cover these devices here.

Biometric devices verify identity on the basis of one or more physical attributes. Obviously, the attribute or combination of attributes selected as the basis for identification must be unique to the individual. Current methods use a variety of techniques, including fingerprint recognition, retinal and iris scanning, keystroke analysis (based on the fact that the way people use the keyboard is highly specific to themselves), voice recognition, and facial scanning.

Although the idea of authenticating users based on physical attributes is certainly appealing, there are a number of problems associated with the use of biometrics:

It is very expensive, due to the requirement for specialized material.

Psychological factors constitute an important barrier to the introduction of certain techniques (such as retinal and iris scanning).

Measuring physical characteristics is difficult and subject to errors. The percentage success rate may not be acceptable.

Biometrics cannot be used to authenticate nonhuman entities, such as automated processes.

In addition to these issues, there are serious doubts as to the ability of several of these systems to withstand a deliberate attack [47–49].

Tokens fall into two categories: those that act as secure storage devices for cryptographic information and those that serve as handheld devices. The former can be considered an alternative to smart-card technology, and similar considerations apply to these devices.

Handheld devices are equipped with a small display and keyboard and do not in general need to be connected to the user’s workstation. The device is configured with the authentication server before being issued to the user, which enables the server and token to share a secret as a basis for authentication. In a typical logon scenario, the target system will interact with the authentication server and present the user with a request to authenticate himself or herself. The user accesses the handheld token by entering a password or PIN, and the token displays the authentication information required by the server. This information is entered at the workstation prompt, thereby enabling the user to complete the authentication process.

Although the details of the authentication protocol itself vary from device to device, a distinction can be made between time-synchronized approaches and approaches that do not rely on such methods. Time-synchronized authentication methods rely on the synchronization of the clock in the device with the clock on the authentication server. Most systems can tolerate a certain clock drift and will correct this each time the user makes use of the token. However, tokens that are not used for long periods can result in desynchronization and necessitate special procedures to revalidate the user.

Asynchronous devices usually use challenge-response protocols to authenticate the user (see Section 3.4.1.1) and are therefore not sensitive to clock drift within the device. As for all challenge-response systems, the security of the solution depends on the ability of the authentication server to generate sufficiently random challenges.
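To make the distinction between the two token families concrete, here is an added illustration in Python; it is not code from the book and does not reproduce any vendor's protocol. It assumes that the one-time value shown on the token is derived from the shared secret with HMAC-SHA1 and the dynamic truncation defined for HOTP/TOTP (RFC 4226 / RFC 6238); the book names no algorithm, and real devices differ. The time-synchronized server accepts codes within a small window of time steps and records the drift it observes on each successful login, so a token that has drifted beyond the window fails and would need the revalidation procedure mentioned above. The challenge-response server draws its challenges from a cryptographic random source and accepts each one only once, which is where the "sufficiently random challenges" requirement shows up in code. All names, the 30-second step and the sample secret are constructed for the example.

```python
"""Added illustration of the two handheld-token families in Section 3.5.3.

Assumption (not from the book): one-time values are HMAC-SHA1 over a counter
or challenge, truncated as in HOTP/TOTP (RFC 4226 / RFC 6238).
"""
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30   # seconds per time slice (assumed value)
DIGITS = 6       # length of the displayed code (assumed value)


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset taken from the last
    nibble of the MAC, sign bit cleared, reduced to DIGITS decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def otp_for_counter(secret: bytes, counter: int) -> str:
    """Code for one counter value (a time step for time-synchronized tokens)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


class TimeSyncedToken:
    """Handheld token whose clock may have drifted from the server's."""

    def __init__(self, secret: bytes, clock_offset: int = 0):
        self.secret = secret
        self.clock_offset = clock_offset  # seconds the token clock is off

    def display(self, true_time: int) -> str:
        token_time = true_time + self.clock_offset
        return otp_for_counter(self.secret, token_time // TIME_STEP)


class TimeSyncedServer:
    """Tolerates +/- `window` time steps and learns the drift on each success."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.drift_steps = 0  # correction applied to the server clock

    def verify(self, code: str, server_time: int) -> bool:
        base = server_time // TIME_STEP + self.drift_steps
        for delta in range(-self.window, self.window + 1):
            expected = otp_for_counter(self.secret, base + delta)
            if hmac.compare_digest(expected, code):
                self.drift_steps += delta  # re-synchronize on this login
                return True
        return False  # drift beyond the window: token must be revalidated


class ChallengeResponseServer:
    """Asynchronous variant: no clock involved, but challenges must be
    unpredictable and used only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self._outstanding = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)  # CSPRNG, never a predictable counter
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: str) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown, expired or already-answered challenge
        self._outstanding.discard(challenge)  # single use: blocks replay
        expected = token_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)


def token_response(secret: bytes, challenge: bytes) -> str:
    """What the token displays after the user keys in the challenge."""
    return _truncate(hmac.new(secret, challenge, hashlib.sha1).digest())


if __name__ == "__main__":
    shared = b"constructed-shared-secret"   # constructed sample value
    token = TimeSyncedToken(shared, clock_offset=-35)  # token runs 35 s slow
    server = TimeSyncedServer(shared, window=1)
    print("time-synced login:", server.verify(token.display(1_000_000), 1_000_000),
          "learned drift (steps):", server.drift_steps)
    crs = ChallengeResponseServer(shared)
    c = crs.challenge()
    r = token_response(shared, c)
    print("challenge-response:", crs.verify(c, r), "replay:", crs.verify(c, r))
```

Running the script shows a token that is one time step slow being accepted and the server recording a drift of -1 step, after which later logins succeed without widening the window; a token that has drifted further than the window is rejected outright. In the challenge-response path the same challenge answered twice is refused the second time, and a response computed with a different secret fails, independently of any clock.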

3.6 Summary

Technical tools play an essential role in securing information in electronic form. These tools support the core processes by providing scalability and reducing complexity. However, tools alone do not achieve anything, and successful approaches to securing information will ensure that procedures and tools are viewed as two aspects of the same solution.

A simple classification scheme for security tools has been presented.

According to this scheme, a distinction is made between host-oriented and network-oriented tools due to the different focus of these tools. Whereas host-oriented tools are geared towards securing layers of software, network-oriented tools either secure network data flows by working at the protocol level or secure objects visible on the network. Despite this distinction, both host-oriented and network-oriented tools can be further classified according to the type of security service they offer:

Authentication and authorization;

Integrity protection;

Access control;

Monitoring;

Data protection services—confidentiality, integrity, and non-repudiation.

This area will be revisited in Chapter 8, which is concerned with building security architectures.

References

[1] ISO/IEC 7498-1: Information Technology—Open Systems Interconnection—Basic Reference Model: The Basic Model, 1994.

[2] ISO/IEC 7498-2: Information Technology—Open Systems Interconnection—Basic Reference Model—Part 2: Security Architecture, 1989.

[3] “Common Object Request Broker Architecture: Core Specification,” version 3.0.2, December 2002.

[4] Miller, T. C., “A Brief History of Sudo,” August 2003, http://www.courtesan.com/sudo/history.html.

[5] Garfinkel, S., and G. Spafford, Practical Unix and Internet Security, Sebastopol, CA: O’Reilly and Associates, 1996, pp. 118–128.

[6] Grimes, R. A., Malicious Mobile Code: Virus Protection For Windows, Sebastopol, CA: O’Reilly and Associates, 2001, pp. 447–455.

[7] Axelsson, S., “Intrusion Detection Systems: A Taxonomy and Survey,” Technical Report 99-15, Dept. of Computer Engineering, Chalmers University of Technology, Sweden.

[8] “COAST: Audit Trail Reduction,” August 2003, http://www.cerias.purdue.edu/coast/projects/audit-trails-reduce.html.

[9] Mills, D. L., “Network Time Protocol (Version 3): Specification, Implementation and Analysis (RFC 1305),” August 2003, http://www.ietf.org/rfc/rfc1305.txt.

[10] Schneier, B., Applied Cryptography: Protocols, Algorithms and Source Code in C, 2nd Ed., New York: John Wiley and Sons, 1995.

[11] “Internet Security Systems: Session Hijacking,” August 2003, http://www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm.

[12] Needham, R. M., and M. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Communications of the ACM, Vol. 21, No. 12, 1978, pp. 993–999.

[13] Denning, D. E., and G. M. Sacco, “Timestamps in Key Distribution Protocols,” Communications of the ACM, Vol. 24, No. 8, 1981, pp. 198–208.

[14] Wenstrom, M., Managing Cisco Network Security, Indianapolis, IN: Cisco Press, 2001, pp. 127–151.

[15] Rigney, C., et al., “Remote Authentication Dial In User Service (RADIUS) (RFC 2138),” August 2003, http://www.ietf.org/rfc/rfc2138.txt.

[16] Carrel, D., and L. Grant, “The TACACS+ Protocol (draft-grant-tacacs-02.txt),” August 2003, http://casl.csa.iisc.ernet.in/Standards/internet-drafts/draft-grant-tacacs-02.txt.

[17] Garfinkel, S. L., “Advanced Telephone Auditing with PhoneSweep: A Better Alternative to Underground ‘War Dialers,’” Matrix News, Vol. 8, No. 12, 1998.

[18] “SATAN (Security Administrator Tool For Administering Networks),” August 2003, http://www.porcupine.org/satan.

[19] Curtin, M., and M. J. Ranum, “Internet Firewalls: Frequently Asked Questions,” August 2003, http://www.interhack.net/pubs/fwfaq.


[20] Ranum, M. J., “Thinking About Firewalls,” Proceedings of Second International Conference on Systems and Network Security and Management (SANS-II), 1993.

[21] Zwicky, E. D., S. Cooper, and D. B. Chapman, Building Internet Firewalls, Sebastopol, CA: O’Reilly and Associates, Inc., 2000.

[22] Cheswick, W. R., S. M. Bellovin, and A. D. Rubin, Firewalls and Internet Security: Repelling The Wily Hacker, Reading, MA: Addison Wesley, 2003.

[23] “Stateful Inspection Technology,” August 2003, http://www.checkpoint.com/products/downloads/Stateful_Inspection.pdf.

[24] Luotonen, A., Web Proxy Servers, Englewood Cliffs, NJ: Prentice Hall PTR, 1997.

[25] Tanenbaum, A. S., Computer Networks, Englewood Cliffs, NJ: Prentice Hall PTR, 2002.

[26] Tanase, M., “Sniffers: What They Are and How to Protect Yourself,” August 2003, http://www.securityfocus.com/infocus/1549.

[27] Bandy, P., M. Money, and K. Worstell, “Intrusion Detection FAQ—Can the Volume of Network Traffic Get High Enough to Exceed the Capability of the Detectors?” August 2003, http://www.sans.org/resources/idfaq/network_traffic.php.

[28] Rescorla, E., “Diffie-Hellman Key Agreement Method (RFC 2631),” August 2003, http://www.ietf.org/rfc/rfc2631.txt.

[29] Sirbu, M. A., and J. Chung-I Chuang, “Distributed Authentication in Kerberos Using Public Key Cryptography,” Symposium on Network and Distributed System Security, San Diego, CA, February 10–11, 1997.

[30] Thomas, S., SSL and TLS Essentials: Securing The Web, New York: John Wiley and Sons Inc., 2000.

[31] Doraswamy, N., and D. Harkins, IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, Englewood Cliffs, NJ: Prentice Hall PTR, 1999.

[32] Kelm, S., “The PKI Page,” August 2003, http://www.pki-page.org.

[33] Housley, R., et al., “Internet X.509 Public Key Infrastructure: Certificate and CRL Profile (RFC 2459),” August 2003, http://www.ietf.org/rfc/rfc2459.txt.

[34] Adams, C., and S. Farrell, “Internet X.509 Public Key Infrastructure: Certificate Management Protocols (RFC 2510),” August 2003, http://www.ietf.org/rfc/rfc2510.txt.

[35] Chokhani, S., and W. Ford, “Internet X.509 Public Key Infrastructure: Certificate Policy and Certificate Practices Framework (RFC 2527),” August 2003, http://www.ietf.org/rfc/rfc2527.txt.

[36] Ferrari, J., et al., “Smart Cards: A Case Study,” August 2003, http://www.redbooks.ibm.com/redbooks/pdfs/sg245239.pdf.

[37] ISO/IEC 7810: Identification Cards, Physical Characteristics.

[38] ISO/IEC 7811: Parts 1–6: Identification Cards, Recording Techniques.

[39] ISO/IEC 7816: Parts 1–10: Identification Cards, Integrated Circuit(s) Cards with Contacts.

[40] ISO/IEC 10536: Parts 1–4: Identification Cards, Contactless Integrated Circuit(s) Cards, Close-Coupled Cards.

[41] ISO/IEC 14443: Parts 1–4: Identification Cards, Contactless Integrated Circuit(s) Cards, Proximity Cards.

[42] Kocher, P., J. Jaffe, and B. Jun, “Differential Power Analysis,” August 2003, http://www.cryptography.com/resources/whitepapers/DPA.pdf.

[43] Skorobogatov, S., and R. Anderson, “Optical Fault Induction Attacks,” August 2003, http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/faultpap3.pdf.

[44] “Electronic Jacks-of-All-Trades,” Smart Computing, Vol. 4, No. 3, 2000, pp. 181–186.

[45] Grimes, R. A., Malicious Mobile Code: Virus Protection For Windows, Sebastopol, CA: O’Reilly and Associates, Inc., 2001, pp. 184–186.

[46] “FIPS PUB 140-2: Security Requirements for Cryptographic Modules,” August 2003, http://csrc.nist.gov/cryptval/140-2.htm.

[47] Matsumoto, T., et al., “Impact of Artificial Gummy Fingers on Fingerprint Systems,” Proceedings of SPIE, Optical Security and Counterfeit Deterrence Techniques IV, Vol. 4677, 2002, pp. 275–289.

[48] Schultz, E., “Security Views: Tests of Biometric Devices Show Numerous Problems,” Computers & Security, Vol. 21, No. 5, 2002, pp. 385–396.

[49] Schneier, B., “Biometrics: Truths and Fictions,” August 2003, http://www.counterpane.com/crypto-gram-9808.html.

