The Need for Strong Authentication


Computer networks and systems have been accessed for many years by passwords. Why now is there a need to have stronger factors of authentication? To understand this, you need to understand the history of network computing.

Network Convergence Role in Password Proliferation

When computing was hitting it big in the enterprise world, everyone who needed computing resources shared a central mainframe. This gigantic piece of equipment acted as the central processing point for all data. Users were connected to it through cryptic-sounding protocols such as SNA, ENA, and BSC. The connection was proprietary and allowed only equipment of the same make to share the network. Thus, if the finance department of a company wanted computing resources, it would jack into the mainframe. All that changed, however, with the advent of the PC. The PC gave every user a dedicated processing unit. The user could decide what applications to run and never had to worry about time-sharing or queuing up with punch cards. The user was untethered from the mainframe.

A funny thing happened after this. Users realized they had lost the ability to collaborate, or share files and data. People were running "sneaker nets" from one PC to another with 5.25-inch floppies. This was not an effective way to share data. So, these new PC users took a page from the mainframe and networked their PCs locally. Thus, local area networks, or LANs, were born.

Most early LANs used a central server for storage and authentication. Some also had peer-to-peer networking. LANs were connected using, at times, proprietary protocols like IPX/SPX, NetBEUI, and ARCNET. A department's being able to share and store data centrally and share printers made a lot of sense. As the personal computing revolution continued, more and more departments were getting LANs. It was not long before an enterprise would have between five and seven LANs in operation, and quite possibly a mainframe as well. It became clear that disjointed networking was not generating economies of scale. Sure, most of the major LAN providers created gateways to the mainframe, but still, the LANs remained separate. LANs of the same networking provider could share a common network, but what if users needed to have everything connected? This is where the Transmission Control Protocol/Internet Protocol (TCP/IP) came in.

TCP/IP was the saving grace of the enterprise IT department. One network was set up, over which a user could access any resource connected to it. This system then saw a rush of corporate resources to the masses. The IT managers had brought economies of scale to the corporate computing world. What they had also done was create a multi-headed monster. Now an attacker could get access to any system in the network that was connected. Earlier, the attacker had to go from LAN to LAN and physically from department to department. Now, all the attacker needed was a LAN drop somewhere on the inside and an IP address conveniently provided to him/her by the enterprise Dynamic Host Configuration Protocol (DHCP) server. To make matters worse, TCP/IP provided the enterprise with the ability to connect to the Internet. Now that "the little LAN that could" was connected to the Internet, an intruder no longer needed to breach the physical security of the company; he/she could carry out all attacks from the comfort of home.

Passwords in the best of times are weak and, in general, easy to guess. With an enterprise connected to the Internet, the entire computing effort of many connected computers can be used to guess a password with brute force. In brute-forcing a password, every possible password combination is tried. This method exhaustively searches all possible solution sets for a password. What would have taken weeks, months, or even years in the isolated LAN environment can now take hours, minutes, or even seconds to gain access by using the combined computing power of the Internet. It seems that in the rush to bring the corporate LAN to the world and into the twenty-first century, password authentication was made dated and stale.

Mitigating Public Risk through Government Regulation

Because enterprise corporations connect to everyone, everywhere, at any time, the results of any network compromise could be catastrophic. Many important vertical industries are connected today to public networks and are thus being regulated by the government. These include:

Financial institutions

The risks of a breach to the public or an individual could be tremendous. If open market operations are compromised, the cascading effect on the economy could be catastrophic. For example, the malicious buying or selling of currencies on the open market could cause a country's economy to collapse. The theft of private individual data already leads to identity fraud or monetary loss. Thus, many governments are enacting legislation to require financial institutions to implement strong authentication for access to customer data and for many types of financial transactions.

Healthcare industries

The risks of personal data being changed or disclosed for an individual could be catastrophic. If a patient's record was maliciously altered to remove an allergy to a medication or to change a procedure, it could have life-threatening ramifications. The personal medical data about an individual could be used to deny health or insurance coverage, or it could be used for blackmail. Since the healthcare industry contains the most sensitive data about an individual, many governments are enacting legislation to protect access to this data and to mandate the use of strong factors of authentication.

Pharmaceutical companies

For a pharmaceutical company, time to market is money. Finding a process that can be streamlined means that new drugs get approved faster. To accomplish this, many governments are enacting legislation that allows the electronic submission and sign-off of drug testing data. With this streamlining of the process, the possibility of electronic fraud is higher. To mitigate this risk, the government is also mandating the use of graded authentication. Based on the sensitivity of the electronic sign-off, different factors of authentication could be used, including the use of public key infrastructure (PKI) certificates for electronic signature, password protection, smart cards, and biometrics.

Governmental entities

With the majority of world governments using computers, it is not surprising to see the networks they are on under constant surveillance. The public and private information stored in these systems could give an intruder access to the most critical government information, or the opportunity to manipulate the data in the intruder's favor. The personal data of the citizens of a country could be used for identity fraud, changing the government benefits a citizen receives, or tampering with legal matters. In the post-September 11th era, governments around the world are much more vigilant about network and data access. As such, governments are implementing strong authentication for most systems that are deemed sensitive or essential. For example, routers that used to be protected with static passwords are now using challenge and response tokens, or one-time passwords. Network access to sensitive data is now controlled with multifactor authentication.

Military organizations

The Internet was originally created by the military and other U.S. government organizations to make it easier to share data. With the whole world now connected, it is very easy for enemies of the state to attack and try to compromise this connected infrastructure. As such, the military is implementing strong authentication for computer networks. In the U.S., the Department of Defense (DoD) has undertaken an ambitious program of issuing millions of smart cards for both physical and logical access. It has also created internal organizations to investigate biometrics and their use in network security. The DoD continues to lead the rest of the computing world in the use of strong authentication.

With the possibility of personal data being released, the risk of tampering with corporate data, or the malicious use of connected resources, the government has seen fit to regulate many of these verticals. These regulations mostly deal with how the data is to be used, stored, transmitted, and, most importantly, accessed. The regulations being put into place do recognize the need for stronger authentication. This recognition is normally tied to a specific set of data, or the access to sensitive information. The regulations will list, in order of increasing assurance, what factors of authentication are acceptable. For example, a common listing may look something like this:

  • Password

  • Password and token

  • Biometric

  • Biometric and token

  • Biometric, token, and password

It is interesting to see that one factor of authentication, a password, is considered weaker than another factor of authentication, namely a biometric. It is generally accepted that a biometric is a stronger means of authentication than a password. As we saw earlier, biometrics in general cannot be stolen, loaned, or guessed. The spoofing of biometrics will be covered in more detail later. For the purpose of our discussion, it is ceteris paribus that there are more successful methods of attack on passwords than on biometrics. It has been shown that passwords are susceptible to dictionary attacks and also brute-force attacks. A biometric, on the other hand, by its very nature is hard to subject to brute force. For the ultimate in assurance, three-factor authentication should be used. The probability that a combination of something you have, something you are, and something you know will be compromised is very low. Still, this high level of assurance does lessen user convenience.

To summarize, if a vertical industry itself does not self-regulate, the government is prepared to do it.

Mitigating the Risks from an Inside Threat

To avoid government regulation, industries need a strong authentication plan. It may be needed not only to appease the government watchdogs, but internal ones as well. Corporate risk management is flexing its corporate muscle more and more each day. Tasked with minimizing risk in the operations of the business, corporations are now looking closely at the risks associated with information technology (IT). They need to protect the enterprise from:

  • Internal threats

    - Rogue employees conducting unauthorized transactions

    - Corporate espionage

    - Data tampering

    - Compromise of client data

  • External threats

    - Network intrusion

    - Corporate espionage

    - Data tampering

Most of these threats can be mitigated through other means like intrusion detection systems, auditing, trace files, and forced employee holidays. Most internal threats come down to authentication and non-repudiation. The need for non-repudiation in business is not new. For decades, business was done face-to-face or via paper agreements. Now, in the age of email and the Internet, business is conducted faster and with a larger group of partners and suppliers. For example, when an agreement is made or a letter sent, I affix my signature to it. If I could do the same in the electronic world, I would have my non-repudiation, or would I? In the real world, all those involved normally sign an important document, and those signatures are witnessed. We could use this same methodology electronically and have people witness my electronic signature with theirs. This could give a stronger assurance that the desired person really did sign the electronic document in question. But, if electronic signatures are not strongly authenticated, how can we be sure, as the recipient of such a document, that all signatures are legitimate?

Corporate IT can provide end-users with the infrastructure and tools to certify the authenticity of electronic signatures. The recipient of an electronic signature could check the certificate revocation list to see if the electronic signature is still valid. However, once we know that a signature is valid, we are still not assured that the owner of the electronic signature was the one to actually use the electronic signature. To be sure that the owner was the one to affix the electronic signature, we first need a strong way to authenticate the user. If we rely on passwords, then our digital identity can be loaned, stolen, and, in general, compromised. If we tie that digital identity to a smart card, the card and password can be compromised. So, as the recipient of a signature, I still cannot be sure if the owner of the digital identity, or someone who has the card and password, signed it. But what if we put the digital identity on the smart card and protect it with a biometric? Now, as the recipient of a digital signature from an individual, I can be sure that the individual was present. This assurance comes from the electronic binding of the smart card containing the digital signature to the owner's biometric. The digital signature can be affixed to the document only if the owner presents his/her biometric to release the signature from the smart card.
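The card-and-biometric binding described above, as an added Go example that is not from the book: the card holds the signing key and an enrolled template, releases an Ed25519 signature only when a live sample is within a Hamming-distance threshold of that template, and the recipient checks a revocation list before verifying. The 32-byte feature code, the threshold value, and a CRL keyed by the hex-encoded public key are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"math/bits"
)

// SmartCard: owner's signing key plus enrolled biometric template (a constructed 32-byte code).
type SmartCard struct {
	priv      ed25519.PrivateKey
	template  []byte
	threshold int // largest Hamming distance still accepted as the owner
}

func NewSmartCard(template []byte, threshold int) (*SmartCard, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // key pair generated on the card
	if err != nil {
		return nil, nil, err
	}
	return &SmartCard{priv: priv, template: template, threshold: threshold}, pub, nil
}

// hamming counts differing bits: a biometric match is fuzzy, unlike an exact password check.
func hamming(a, b []byte) int { // callers guarantee equal lengths
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// Sign releases a signature only when the live sample is close enough to the template.
func (c *SmartCard) Sign(doc, live []byte) ([]byte, error) {
	if len(live) != len(c.template) || hamming(c.template, live) > c.threshold {
		return nil, errors.New("biometric mismatch: signature not released")
	}
	return ed25519.Sign(c.priv, doc), nil
}

// VerifyDocument (recipient side): reject a revoked key, then check the signature over doc.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte, crl map[string]bool) error {
	if crl[hex.EncodeToString(pub)] { // CRL keyed by hex public key, standing in for a cert serial
		return errors.New("signer's key is on the revocation list")
	}
	if !ed25519.Verify(pub, doc, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

A noisy reading from the owner (a few flipped bits) still releases the signature, while a reading far from the template does not; the recipient separately rejects a tampered document and a revoked key.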



Biometrics for Network Security
Biometrics for Network Security (Prentice Hall Series in Computer Networking and Distributed)
ISBN: 0131015494
Year: 2003
Pages: 123
Authors: Paul Reid
