
Security Disciplines for Objective 2: Prevention

2-1. Identification and Authentication

Description

Identification and Authentication (I&A) are the first line of defense in many information systems. I&A mechanisms provide a basic security function: they ensure that those wishing to gain access to information resources are indeed who they represent themselves to be. There is increasing focus on authentication protocols and technology. Today, the most common form of authentication is password control. In general, technologies for authenticating a potential user of an information system are organized into three identification factors: something you know, something you have, and something about yourself. An example of something you know is a password or a personal identification number (PIN). Something you have might be a smart card. Something about yourself can be a biometric such as a fingerprint, iris pattern, facial pattern, handwriting, or voice pattern. Highly secure systems can use multiple factors. For example, a biometric authentication system may also require the entry of a password to mitigate the risk of false-positive matches.

Purpose

I&A describes the methods and technology that users engage to identify themselves to an information system. There is a wide range of alternatives available in both method and technology. These alternatives vary in rigor (i.e., the security assurance level or the degree of protection that they provide) and cost. In general, rigor and cost are directly proportional—the more rigorous a method/technology, the more it costs. The information system owner/designer should look to methods that provide as high a level of assurance as possible within cost constraints.

Principles

  • The level of assurance of the I&A mechanism employed should be balanced against the cost of the mechanism and the risk associated with incorrectly identifying an individual trying to gain access to the information system.
  • Users should be properly registered. Proper registration requires that users provide a consistent and reliable means to identify themselves to a registration authority before receiving the credentials used in I&A. For example, the user may be required to produce a driver’s license and a work identification to receive a smart card used to gain access to an information system.
  • There should be a unique set of identification credentials for each individual user. For example, two users should not share a username and password when accessing an information system.
  • There should be a procedure in place to efficiently grant and revoke I&A credentials.
  • There should be mechanisms in place to allow audits and reviews of the identities of users that have valid or revoked I&A credentials.

Policies

Once an organization decides on an approach for authentication, the policies related to that approach should be documented so there is a written guideline specifying the consistent and comprehensive application of authentication throughout the information enterprise. The policy should identify scope, methods, standards, and organizational and individual responsibilities.

Reference the following documents for examples of I&A policy statements:

Best Practices

Most authentication techniques follow the “challenge-response” model, in which an individual is prompted (the challenge) to provide some private information (the response). The complexity of this interaction is governed, in part, by the number of I&A factors included in the response.

Both cost and level of protection increase as the number of factors increases. Generally, the factors are added in the following order: (1) something you know, (2) something you have, and (3) something about yourself. For example, system designers may start with a something-you-know factor and add a something-you-have factor to get the next increment of protection. The following paragraphs provide background on the three factors and summarize best practices under each. This overview concludes with a discussion of authentication servers, systems that are added to an information network for the sole purpose of completing the authentication process.

Something You Know: Passwords—Passwords remain the most common form of I&A. Unfortunately, passwords can be easily misapplied and provide a weak level of security. One reason is that users tend to pick simple passwords that are easy to remember. For example, there are approximately 50,000 words in the English dictionary. If a dictionary word is used as a password, it is a fairly quick and easy task for a computer program to try each one of the 50,000 and guess the password. System administrators should use software that enforces the selection of strong passwords (eight characters or more, with a mix of lowercase, uppercase, and special characters, and no simple words or names). Furthermore, system administrators should periodically run security software utilities that scan for weak passwords. Password security mechanisms can be strengthened further through the use of “one-time passwords.” One-time passwords can be implemented through either software or hardware. Hardware implementations, typically dependent on the use of a token device, are described in the next section.
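The following is an added example (not code from the original document) of a checker that enforces the password rule stated above: eight characters or more, a mix of lowercase, uppercase, and special characters, and no simple words or names. The word and name lists are small constructed stand-ins for the 50,000-word dictionary the text refers to.

```python
import re

# Constructed stand-ins for a real dictionary and a list of common names.
DICTIONARY = {"password", "welcome", "justice", "sheriff", "summer", "letmein"}
NAMES = {"john", "ashcroft", "smith"}
MIN_LENGTH = 8


def _word_stems(password):
    """Candidate words hidden in a password: the lowercased alphabetic runs
    between digits/punctuation, plus the password with all non-letters removed
    (so 'Justice2024!' still yields 'justice')."""
    lowered = password.lower()
    parts = set(re.split(r"[^a-z]+", lowered))
    parts.add(re.sub(r"[^a-z]", "", lowered))
    return {p for p in parts if p}


def check_password(password):
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    found = _word_stems(password) & (DICTIONARY | NAMES)
    if found:
        failures.append("contains dictionary word or name: " + ", ".join(sorted(found)))
    return failures


if __name__ == "__main__":
    for candidate in ("justice", "Justice2024!", "J0hn.Ashcroft", "Tr0ub-Xk9!mq"):
        print(candidate, "->", check_password(candidate) or "OK")
```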

New products are currently available that apply to the something-you-know factor in a slightly different way. These products use information that is available about individuals from large, public data sources to “test” the individual and confirm identity. For example, someone claiming to be John Ashcroft might be asked to enter John Ashcroft’s social security number and the address of his last three residences. This type of authentication may be appropriate in situations where the authentication subject is from the general public. Because data sources for personal information are generally accessible databases, it may be inappropriate to rely solely on knowledge of this information to verify identity. For example, to improve the assurance level of the process, the individual may be asked to produce some form of formal identification in addition to correctly responding to questions on personal background. As in all I&A approaches, care must be taken to match the level of assurance of the method to the risk of a false-positive or negative authentication.

Something You Have: Token Devices and Smart Cards—Probably the simplest and least costly hardware token device is one that is used to implement a one-time password. The security limitations of passwords can be summarized briefly: easy passwords are easy to “crack”; complex passwords are hard to remember. Passwords that are hard to remember are often written down somewhere. In some cases, they are written down in dangerous places, such as Post-it notes attached to a workstation. A one-time password token provides a code that can be appended to the user’s password. This code changes on each use so that the password is different each time it is entered. This addition makes simple passwords more complex. Even if the password is “sniffed” (inappropriately intercepted and stolen), there is little harm since the compromised password cannot be used again.

A one-time password token device often resembles a credit card-size pager. Many token devices work by displaying a code that the user can append to his/her password. The code is calculated by encrypting the time of day with a secret encryption key stored on the device. The authentication server (i.e., the computer system with which the user interacts for the purposes of I&A) knows what encryption key is assigned to the holder of the token and applies the same calculation to the time of day. The user reads the number currently displayed on the token and enters it along with his/her password. This type of system is much easier and less costly to administer than smart cards that depend on public key cryptography. Furthermore, this approach does not require reader devices to be installed on the laptop or workstation being used to gain access to the information system or network.
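An added example (not from the original document) of the time-based token scheme described above: the token and the authentication server share a secret key, each derives a short code from the current time window, and the server refuses a code once it has been accepted, which is what makes a sniffed code useless. The page names no algorithm; this example assumes HMAC-SHA1 over a 30-second counter (the RFC 6238 construction) and a server that tolerates one window of clock drift.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # assumption: code changes every 30 seconds
DIGITS = 6          # assumption: six-digit display


def time_window(unix_time):
    """Counter value for the time window containing unix_time."""
    return int(unix_time) // STEP_SECONDS


def token_code(secret, window):
    """What the token displays for a window: keyed hash of the window counter,
    dynamically truncated to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, value % (10 ** DIGITS))


class AuthServer:
    """Server side: knows each token's key, applies the same calculation to the
    time of day, allows a little clock skew, and never accepts a window twice."""

    def __init__(self, keys, skew_windows=1):
        self.keys = keys              # token serial -> shared secret key
        self.skew = skew_windows      # accept codes from +/- this many windows
        self.last_window = {}         # token serial -> newest window already used

    def verify(self, serial, code, unix_time):
        key = self.keys.get(serial)
        if key is None:
            return False
        now = time_window(unix_time)
        for w in range(now - self.skew, now + self.skew + 1):
            if hmac.compare_digest(token_code(key, w), code):
                # One-time property: a window at or before the last accepted one is spent.
                if w <= self.last_window.get(serial, -1):
                    return False
                self.last_window[serial] = w
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-key"   # constructed sample key, not a real secret
    server = AuthServer({"token-001": secret})
    t = 1_700_000_000
    shown = token_code(secret, time_window(t))
    print("first use :", server.verify("token-001", shown, t))        # True
    print("replayed  :", server.verify("token-001", shown, t + 5))    # False
```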

Smart cards are an expensive and more complex way to implement I&A. They can also provide more flexibility and functionality. A smart card is a credit card-size device that contains a computer processor chip and solid-state storage. In many I&A applications, the smart card will store the user’s digital certificate. The digital certificate is a data file that contains the user’s private key. (Please refer to Section 2-3 for a more detailed description of digital certificates and private keys.) To authenticate to an information system or network, the user will insert his/her smart card into a hardware reader connected to a workstation or laptop computer. The processor on the smart card will encrypt a text string with the user’s private key. The authentication server can confirm the authenticity of the smart card by decrypting the text string with the user’s public key—if the text correctly decrypts with the user’s public key, it could only have been encrypted with the user’s private key. In this approach, the user’s private key never has to be communicated outside of the smart card—it never “leaves” the smart card’s circuitry. This helps preserve the integrity of the private key.

Whoever holds the smart card also holds all of the access privileges associated with the user. To minimize the risk associated with lost or stolen smart cards, another identification factor is often required with each smart card use. The user may have to enter a password or a PIN whenever the smart card is placed in a reader. The password or PIN is said to “unlock” the private key for use in I&A. An even more rigorous approach would be to require biometrics to unlock the private key stored on the smart card. Several smart card vendors are currently developing technology that will place a fingerprint reader directly on the smart card. The result will be a very secure and easy-to-use I&A mechanism.

There are several reasons why smart card-based I&A systems can be costly to implement and operate. The cost associated with the smart cards and the readers can be significant when considering a system that supports a large community of users. In addition, the administrative burdens of issuing and managing smart cards increase the cost of using a workstation or laptop computer.

Something About Yourself: Biometrics—Biometrics can offer a rigorous means of authentication by requiring physical identification in addition to something you know or something you have. Biometric methods take several different forms, and they result in varying levels of cost and complexity, depending on the type of information being accessed.

When evaluating different biometric devices and alternatives, it is important to consider the “false rejection rate” (FRR), or type I error, and the “false acceptance rate” (FAR), or type II error. The FRR measures the percentage of rejections that should have been accepted (a valid user who used the device but was not properly identified); the FAR measures the percentage of accepted or validated logins that should have been rejected (an invalid user who was improperly identified as a valid one). These two ratings are closely related. On average, today’s biometric devices typically have a 4 to 5 percent error rate. The correlation between the two rates can be expressed in the following manner: for a highly secure solution, the FAR would be zero percent and the FRR would be 5 percent. If the FAR were to increase to 3 percent, the FRR would need to lower to 2 percent. All manufacturers provide their average FRR and FAR ratings. Other factors to consider are cost, environmental conditions (weather, dust, humidity), and intrusiveness to users.
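An added example (not part of the original document) of how FRR and FAR are measured and how one trades off against the other. It takes match scores from genuine users and from impostors, sweeps the acceptance threshold, and finds both the lowest threshold that keeps FAR at a required level and the point where the two rates are equal. The scores are constructed sample values, not vendor figures.

```python
# Constructed sample match scores (0 = no match, 1 = perfect match).
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.66, 0.90, 0.85, 0.79]   # valid users
IMPOSTOR = [0.21, 0.35, 0.48, 0.62, 0.17, 0.29, 0.55, 0.41, 0.70, 0.33]  # other people


def rates(genuine, impostor, threshold):
    """FRR (type I): share of genuine attempts scoring below the threshold and so rejected.
    FAR (type II): share of impostor attempts scoring at or above it and so accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def tradeoff_table(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) for each threshold: raising it lowers FAR and raises FRR."""
    return [(t,) + rates(genuine, impostor, t) for t in thresholds]


def threshold_for_max_far(genuine, impostor, max_far, thresholds):
    """Lowest threshold (hence lowest FRR) that keeps FAR at or below max_far.
    With max_far=0 this is the 'highly secure' setting the text describes."""
    for t in sorted(thresholds):
        frr, far = rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr, far
    return None


def equal_error_point(genuine, impostor, thresholds):
    """Threshold where FRR and FAR are closest: the equal error rate often used
    to compare devices."""
    return min(tradeoff_table(genuine, impostor, thresholds),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    sweep = [0.50, 0.60, 0.65, 0.70, 0.75, 0.80]
    for t, frr, far in tradeoff_table(GENUINE, IMPOSTOR, sweep):
        print("threshold %.2f  FRR %.0f%%  FAR %.0f%%" % (t, frr * 100, far * 100))
    print("zero-FAR setting:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0, sweep))
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR, sweep))
```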

The different types of biometrics can be grouped into two categories: physical and behavioral. Examples of physical biometrics are a fingerprint or iris pattern; examples of behavioral biometrics are a voice or keystroke pattern. The following paragraphs summarize physical and behavioral biometrics.

  • Fingerprints—This is perhaps the most well-known and accepted form of physical biometrics in use today. The uniqueness of fingerprints has been recognized for a long time, and fingerprints are the de facto standard identifier in the justice and public safety communities. It is not surprising that this is also the most common form of electronic biometrics identification currently in use. The unique patterns of a given finger are analyzed and stored in a database and compared against a user attempting to gain entry into a system. If a matching pattern is found in the database, the user is granted access. The particular methods of validating a given pattern may differ (for example, minutiae or moiré fringe), but the end result is the same. Some newer scanners detect the temperature or electrical impulses of the digit being scanned, thereby confirming that the finger is currently attached to a living being. Fingerprints are very easy to obtain through scanning, and the technology is nonintrusive.
  • Hand Geometry—This physical biometric method involves measuring and analyzing the shape of the hand. Different individual characteristics, such as length or width of a certain digit, are combined to ensure a unique pattern. This method can be quite accurate. It is relatively easy to implement and fairly nonintrusive.
  • Retina Scanning—The retina of each eye is as unique as a fingerprint and relatively easy to scan. Scanning maps the layers of blood vessels on the retinal surface at the back of the eye. This physical biometric method requires that the person stand completely still for a period of time while focusing on a given object. While highly accurate, this method is not widely used due to its intrusive nature and the necessity to remove eyeglasses and, in some cases, contact lenses.
  • Iris Scanning—Iris scanning is relatively new and very accurate. It works by comparing the color patterns in the iris with a sample or template stored in the database. This physical biometric method is somewhat intrusive but not nearly as much as retina scans. Although it is not necessary to remove eyeglasses, the method may not work on a person wearing colored contact lenses. This method is very easy and inexpensive to implement; a simple electronic camera device can be used to perform the scan.
  • Facial Recognition—This area of physical biometrics has received much attention lately due to the widespread appeal of its variety of methods. Facial recognition works by combining many different characteristics of the face, such as size, shape, width, color, and even heat patterns. It is nonintrusive and fairly easy to implement, although its overall accuracy is not as good as fingerprints or retina and iris scans.
  • Voice Recognition—Voice recognition is not simply a matter of recognizing a person’s voice but rather an overall analysis of several different factors, such as inflection, gait, and volume. Voice recognition is inexpensive in most applications because it requires little additional hardware beyond the microphones that are standard on most workstations. This behavioral biometrics method is nonintrusive and easy to install but is not necessarily the most accurate.
  • Signature Analysis—Signature analysis captures and monitors several different aspects of a live signature. Users sign their name as usual on a device such as a touch screen or digitizing tablet, and the system monitors the creation of the signature. Characteristics such as velocity, pressure, and pattern are compared to a known sample. This behavioral biometric method is widely accepted as nonintrusive because all users frequently sign their name as a form of identification. The method is neither expensive nor difficult to implement, but its overall accuracy has yet to be proven.

The overall strategy for deploying and implementing biometrics in an information system is perhaps more important than the type of biometric methods and devices. Biometric methods are typically a very good way to identify an individual, but they should be used in conjunction with another method of verification. If a fingerprint scanner is the sole method of verification, a user with an injured or bandaged hand may not be able to log on. This type of problem exists with many biometrics: a user with a cold sounds different; certain drugs affect the eyes; and heat, cold, dust, and other environmental elements can affect the accuracy of many biometric devices. For these reasons, it is important to consider the operating location of the measuring device—whether it is a laptop installed in a police patrol cruiser or a desktop at the precinct. It may also be appropriate to provide different authentication methods for different levels of information sensitivity.

The National Institute of Standards and Technology (NIST) is currently evaluating biometric technology and products for the United States Congress, as mandated by the USA PATRIOT Act of 2001. The Act calls for biometric identifiers on noncitizens’ travel documents by October 2004. NIST has come to four preliminary conclusions:

  • Iris scans rely on proprietary technology that makes evaluation of their accuracy difficult.
  • Fingerprints work well, but accuracy needs to be better for wide-scale use.
  • Facial recognition technologies are not mature yet.
  • No biometric technology works well enough to be relied on by itself.

One of the NIST researchers commented that biometric identifiers “always look stronger and easier in theory than they are in practice. Effective enrollment is difficult, and physical spoofing is a lot easier than we would like.” While it must be noted that the NIST study is being conducted for a very specific application of biometrics, some of its preliminary conclusions are relevant to I&A for information system access. With the exception of fingerprint systems, there are very few examples of production biometric authentication. In contrast, the law enforcement, justice, and public safety communities have relied on fingerprints for investigative and positive identification purposes for decades. As biometric technology matures, the full range of physical and behavioral features described in this section will become more important as means of positive I&A. In the meantime, the majority of production I&A systems will continue to focus on fingerprints when adding biometrics as an additional factor for increased levels of assurance.

Authentication Servers and Single Logon—Frequently, in justice applications, a user will first authenticate to a network and then require access to several systems and information repositories connected to that network. For example, a corrections officer may need to access the jail information system as well as the courts’ case management system to coordinate the transportation of an inmate to a trial. One way to reduce the number of authentications required and to manage user privileges is to incorporate an authentication server into the network. The authentication server can be used to implement a security service called “single sign-on.” The sole function of the authentication server is to validate the credentials of a user prior to granting access to network resources. To accomplish this, there must be electronic trust relationships between the authentication server and the other servers in the enterprise—in our example, between the authentication server, jail information system, and court case management servers.

The authentication server is a single point of access to many of the enterprise resources. For this reason, additional system management attention must be focused on the authentication server to maintain the integrity of the network. However, it is often easier to focus on one server and make sure it is protected and well managed, to ensure the authentication process is not compromised, than to divide efforts over every server in the network. There are several advantages in using a central authentication server:

  • All user IDs and passwords (or other I&A credentials) can be managed from one location. This simplifies the task of adding and deleting users.
  • The user needs to only go through the authentication process once—even if he/she needs to access multiple servers to complete a job function (single logon). In a password-based network, the user would not need to remember multiple passwords, and it is easier to maintain a strong password.
  • A consistent, secure authentication process can be maintained throughout the enterprise.

While these are strong advantages, it must be reiterated that the authentication server places all of the authentication “eggs in one basket.” If the security of the authentication server is compromised, all of the information systems that rely on it for access control can also be compromised. For this reason, it is imperative that considerable attention be paid to the management and monitoring of the authentication server.

If all of the servers in a network use the same operating system (e.g., UNIX, Windows 2000, Netware, or OS390), centralized authentication service may be a native feature of the enterprise network design. For example, in a homogeneous Windows 2000 network, the user can authenticate to the “primary domain controller” and use trust relationships between the servers to access information anywhere in the network where the proper authorization exists. However, many networks are heterogeneous and include several types of servers and operating systems. Heterogeneous server networks are almost a fact of life in larger networks where information systems are owned and operated by different organizations. The court case management system may operate on a central mainframe. The sheriff’s jail system may operate on a UNIX server housed in its facilities. Police files may reside on Netware file servers. An authentication server can be used to help manage user I&A in this type of environment.

References

For a listing of applicable biometrics standards, see: